Freshservice
This connectivity package provides support for managing requesters and departments in Freshservice.
Supported objects and operations
| System objects | Omada Identity Data Model | Operations |
|---|---|---|
| Requester | Account | Create, read, update, delete |
| Department | Resource | Read |
| Department memberships (requesters) | Resource Assignment | Create, read, update, delete |
Minimum required permissions – API Key Authentication
When using an API key, all API calls are made under the context of the agent who owns the key. The agent’s role permissions in Freshservice determine which resources can be read or modified through the API.
| Resource | Minimum Permission | Purpose |
|---|---|---|
| Requesters | View requesters/contacts | Allows reading requester details (GET /api/v2/requesters) |
| Requesters | Create/edit requesters | Required for creating or updating requesters (POST /api/v2/requesters) |
| Requesters | Delete requesters | Required for deleting requesters (DELETE /api/v2/requesters/{id}) |
| Departments | View departments | Allows reading department data (GET /api/v2/departments) |
Permissions are inherited directly from the agent role assigned to the API key owner. If the role has limited workspace visibility, only data from accessible workspaces will be returned.
API responses respect all permission constraints – if an agent cannot view or modify data in the UI, the same restrictions apply via API.
See the Authentication and How do Roles and Permissions work in Single and Multiple workspace setups? in Freshservice documentation for details.
Implementation notes
The connectivity package creates accounts as requesters in FreshService. It currently does not support creating agents. Freshservice allows converting them into agents once they are created.
Network requirements
N/A
Prerequisites
Authorization
FreshService uses both API key and basic access authorization. You can use your personal API key to authenticate the request. If you use the API key, you don't need to use a password. For basic access, use the same username and password that you use when you log into your helpdesk.
Creating an extension attribute
To provision multiple departments in an array, create an attribute that is resolved by the RoPE Attribute Value Resolver extension:
-
Open the RoPE configuration file:
- On-prem:
\Omada Identity Suite\Role and Policy Engine\Service\ConfigFiles - Cloud: In the Cloud Management Portal, navigate to Environments. In the environment row, from the drop-down menu, select Configure. Choose the RoPE configuration tab.
- On-prem:
-
Add a new attribute under the AttributeValueResolver:
<add key="setting7" name="Fresh Service Account:C_FRESHSERVICEDEPARTMENTID" value="/#ASSIGNMENTS_PER_RESOURCETYPE/Department:[ROLEID]" extraInfo="Type:ReferencePath;MultiValue:True" />
Deleting accounts
Fresh supports two methods of performing the DELETE operation: disable an account and forget an account. Omada Identity uses the forget method.
To reactivate an account, Fresh calls for a separate PUT call that reactivates a user. Since we already have a PUT call that is modifying a user, the call that reactivates accounts is currently not supported in this package.
Requesting or assigning access
The identity must be assigned both the FreshService account and minimum one FreshService department resource. The above configuration of resource-driven attributes will copy the ID of the department onto the account when provisioned. This is required as the department is just an attribute on the user object in FreshService. Departments are referred to as a company in FreshService.
Reconciliation
By having the department as a separate object and creating a resource assignment for it, you can import the actual state of both the account and the assigned role.