Schema Attributes

This section describes the different schema attributes. This connector currently supports the following types of objects:

  • Account: Account objects are used when building Link objects for identities.

  • Group: The group schema is used when building Account-Group objects that are used to hold entitlements shared across identities.

  • Service Principal: The Service Principal schema is used to represent Azure Service Principals, which are identities created for use with applications, hosted services, and automated tools to access Azure resources.

  • Service Plan: The Service Plan schema is used to represent Azure Service Plans (License Plans).

  • Management Group: The Management Group schema is used to represent Azure Management Groups, which are created to allow Azure customers to organize their subscriptions and apply governance controls such as Role Based Access Control and Policies.

  • Subscription: The Subscription schema is used to represent Azure Subscription objects, which represent a signed agreement between a supplier and a customer under which the customer receives, and provides payment for, regular products or services.

  • Resource Group: The Resource Group schema is used to represent Azure Resource Groups, which are container objects that hold related resources for an Azure solution.

  • Azure Role Assignment: The Azure Role Assignment schema is used to represent custom group objects that consist of the following elements:

    • Security Principal (user, group, service principal, managed identity)

    • Role Definition

    • Access Scope

Using Multiple Group Entitlements with Pre-existing Connectors

For pre-existing Azure Active Directory connectors, perform the following steps to start using Multiple Group Entitlements with your current connector.

  1. Use the createSchema API to create a new group schema for your connector. Refer to the following respective sections for examples of API body content for adding to an existing connector:

  2. Update the account schema with the following steps:

    1. Get the account schema using the getSchema API.

    2. Copy the schema to a file and search for the attribute corresponding to the group schema that was added in step 1.

    3. Add or update the following two properties for the attribute found in the previous step (2.b.):

      "isGroup": true,
      "schema": {"type": "CONNECTOR_SCHEMA","id": "<Schema_ID_From_Step1>","name": "<Name_Of_Schema_Created_In_Step1>"}

    4. Add the schema modified in step 2.c. to the payload to update the account schema in the connector using the replaceSchema API.
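
The account-schema edit in steps 2.b. to 2.d., as an added example that is not part of the connector's own documentation or code: it patches the saved getSchema output offline and lists which attributes differ, so the payload for replaceSchema can be checked before it is sent. The field layout of the sample schema ("attributes", "name", "isEntitlement"), the attribute name azureRoleAssignments, the sample IDs, and both function names are assumptions made for illustration.

```python
import copy
import json

# Constructed sample of what getSchema might return for the account schema;
# the field layout and all names/IDs here are assumptions, not connector output.
SAMPLE_ACCOUNT_SCHEMA = json.loads("""
{
  "id": "acct-schema-0001", "name": "account",
  "attributes": [
    {"name": "userPrincipalName", "type": "STRING", "isMultiValued": false,
     "isEntitlement": false, "isGroup": false},
    {"name": "groups", "type": "STRING", "isMultiValued": true,
     "isEntitlement": true, "isGroup": true,
     "schema": {"type": "CONNECTOR_SCHEMA", "id": "grp-schema-0001", "name": "group"}},
    {"name": "azureRoleAssignments", "type": "STRING", "isMultiValued": true,
     "isEntitlement": true, "isGroup": false}
  ]
}
""")


def link_group_attribute(account_schema, attr_name, schema_id, schema_name):
    """Return a copy of account_schema with attr_name pointed at the new group schema."""
    updated = copy.deepcopy(account_schema)  # keep the getSchema output for diffing
    matches = [a for a in updated.get("attributes", []) if a.get("name") == attr_name]
    if len(matches) != 1:
        raise ValueError(f"expected one attribute named {attr_name!r}, found {len(matches)}")
    attr = matches[0]
    existing = attr.get("schema")
    if existing and existing.get("id") != schema_id:
        # Refuse to silently re-point an attribute already tied to another group schema.
        raise ValueError(f"{attr_name!r} already references schema {existing.get('id')!r}")
    attr["isGroup"] = True
    attr["schema"] = {"type": "CONNECTOR_SCHEMA", "id": schema_id, "name": schema_name}
    return updated


def changed_attributes(before, after):
    """Names of attributes that differ, were added, or were dropped between two schemas."""
    old = {a["name"]: a for a in before["attributes"]}
    new = {a["name"]: a for a in after["attributes"]}
    return sorted(n for n in old.keys() | new.keys() if old.get(n) != new.get(n))


if __name__ == "__main__":
    payload = link_group_attribute(SAMPLE_ACCOUNT_SCHEMA, "azureRoleAssignments",
                                   "<Schema_ID_From_Step1>", "<Name_Of_Schema_Created_In_Step1>")
    print(changed_attributes(SAMPLE_ACCOUNT_SCHEMA, payload))
    print(json.dumps(payload, indent=2))
```

If changed_attributes reports anything other than the one attribute being linked, the file was altered elsewhere and should be re-fetched before step 2.d.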