Shadow data objects
A shadow data object is used to drive the execution of event definitions for object types other than actual data objects. This kind of object is used only in event definitions and nowhere else in the system. There are three categories of shadow data objects: calculated resource assignments, survey objects, and security alert events.
Event definitions can be created, and event actions executed, when shadow objects are created or updated. Timer events can also be created for calculated assignments. Dedicated data object types form the instances of shadow objects; they are maintained automatically by the system and cannot be extended. These data object types are visible only when defining an event definition (and its related filters and actions). See Data Object Lifecycle Management - Shadow data objects to learn more.
Calculated resource assignment
A calculated assignment shadow object is created in the Role and Policy Engine by the ShadowObjectEventExecutorExtension. The system automatically generates a data object type for each configured resource type. The attribute set of the resource type defines the properties available on the shadow object type along with a set of built-in properties.
Built-in properties on calculated assignment object types
Name | Type | Data type | System name
---|---|---|---
Assignment key | Value property | Text | RSASOT_ASSIGNMENTKEY
Identity | Reference property | | RSASOT_IDENTITY
Resource | Reference property | | RSASOT_RESOURCE
System | Reference property | | RSASOT_SYSTEM
Account name | Value property | Text | RSASOT_ACCOUNTNAME
Account type | Reference property | | RSASOT_ACCOUNTTYPE
Assignment type | Set property | | RTASOT_ASSNTYPE
Disabled | Value property | Bool | RTASOT_DISABLED
Valid from | Value property | DateTime | RTASOT_VALIDFROM
Valid to | Value property | DateTime | RTASOT_VALIDTO
Provisioning status | Value property | Text | PROVISSTATUS
Violation status | Value property | Text | VIOLATIONSTATUS
Compliance status | Value property | Text | COMPLIANCESTATUS
Default properties of a sample Active Directory account resource type
Name | Type | Data type | System name
---|---|---|---
Identity ID | Value property | Integer | IDENTITYID
First name | Value property | Integer | FIRSTNAME
Last name | Value property | Integer | LASTNAME
Job title | Value property | Boolean | JOBTITLE
Initial password | Value property | Text | INITIALPASSWORD
ADOU | Value property | Text | ADOU
ADDOMAIN | Value property | Text | ADDOMAIN
Account notifications
A shadow object event for an account resource can be used to send a notification to the beneficiary that the account has been provisioned. Such event definitions and notifications are configured automatically when a resource type is created or updated.
These event definitions (created automatically by the system) are disabled by default and must be enabled manually on the event definition detail screen. If the customer setting EnableAccountCreationNotification is set to true, newly created event definitions are enabled by default.

The event filter (among other conditions) triggers when the provisioning status changes to OK.

The mail action sends a mail to the user’s manager with the content configured in the mail template.
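The following is an added illustration of the filter semantics just described, not Omada's event engine or the product's own code. It models shadow object create/update events with the PROVISSTATUS, RSASOT_IDENTITY and RSASOT_ACCOUNTNAME properties from the table above; the ShadowEvent class, the function names and the sample event stream are constructed for the example.

```python
# Hypothetical model of the account-notification event definition: the
# filter fires on the *transition* of PROVISSTATUS to OK, and a disabled
# definition (the default) sends nothing. Not the product's implementation.
from dataclasses import dataclass, field

OK = "OK"


@dataclass
class ShadowEvent:
    kind: str                                   # "create" or "update"
    props: dict                                 # current property values
    previous: dict = field(default_factory=dict)  # values before an update


def provisioned_ok_filter(event: ShadowEvent) -> bool:
    """True only when PROVISSTATUS changes to OK.

    A plain equality check (status == OK) would also match every later
    update of an already-provisioned assignment (e.g. a changed valid-to
    date) and re-send the notification each time.
    """
    now = event.props.get("PROVISSTATUS")
    before = event.previous.get("PROVISSTATUS") if event.kind == "update" else None
    return now == OK and before != OK


def plan_notifications(events, definition_enabled: bool):
    """Return (identity, account name) pairs whose manager would be mailed."""
    if not definition_enabled:          # disabled by default per the text above
        return []
    return [(e.props["RSASOT_IDENTITY"], e.props["RSASOT_ACCOUNTNAME"])
            for e in events if provisioned_ok_filter(e)]


# Constructed sample event stream for one AD account assignment.
_BASE = {"RSASOT_IDENTITY": "ID1001", "RSASOT_ACCOUNTNAME": "jdoe"}
SAMPLE_EVENTS = [
    ShadowEvent("create", {**_BASE, "PROVISSTATUS": "Pending"}),
    ShadowEvent("update", {**_BASE, "PROVISSTATUS": OK}, {"PROVISSTATUS": "Pending"}),
    ShadowEvent("update", {**_BASE, "PROVISSTATUS": OK}, {"PROVISSTATUS": OK}),
    ShadowEvent("update", {**_BASE, "PROVISSTATUS": "Failed"}, {"PROVISSTATUS": OK}),
]

if __name__ == "__main__":
    # Only the second event is a transition to OK, so exactly one mail is planned.
    print(plan_notifications(SAMPLE_EVENTS, definition_enabled=True))
```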

Survey object
A survey shadow object is created in the survey runtime of the Enterprise Server (when a survey object is created, the create event action is triggered). When a survey is routed, a survey task is completed, or the whole survey is completed, an update event is triggered. A dedicated property, Event type, on the shadow object specifies the type of survey event that triggered the event. As with regular data objects, it is also possible to configure a timer event that iterates over each object in the survey.
The system generates a shadow data object type with each of the properties specified in the Survey object section of the survey template as well as a set of built-in properties.
Built-in properties on the survey shadow data object type
Name | Type | Data type | System name
---|---|---|---
Survey instance | Reference property | | SSOT_SURVINSTANCE
Survey template | Reference property | | SSOT_SURVTEMPLATE
Survey object key | Value property | Text | SSOT_SURVOBJKEY
Previous workflow step | Value property | Text | SSOT_PREVWFSTEP
Current workflow step | Value property | Text | SSOT_CURRWFSTEP
Event type | Set property | | SSOT_EVENTTYPE
Actor in step 1 | Reference property | [User] | SSOT_ACTORSTEP1
Actor in step 2 | Reference property | [User] | SSOT_ACTORSTEP2
Actor in step 3 | Reference property | [User] | SSOT_ACTORSTEP3
Actor in step 4 | Reference property | [User] | SSOT_ACTORSTEP4
Actor in step 5 | Reference property | [User] | SSOT_ACTORSTEP5
Actor in step 6 | Reference property | [User] | SSOT_ACTORSTEP6
Actor in step 7 | Reference property | [User] | SSOT_ACTORSTEP7
Actor in step 8 | Reference property | [User] | SSOT_ACTORSTEP8
Actor in step 9 | Reference property | [User] | SSOT_ACTORSTEP9
Route time | Value property | Datetime | SSOT_ROUTETIME
Current step abs duration | Value property | Timespan | SSOT_CURRSTEPABSDUR
Current step duration | Value property | Timespan | SSOT_CURRSTEPDURATION
Default properties on the shadow object type for the resource assignment approval survey
Name | Type | Data type | System name
---|---|---|---
Resource assignment | Reference property | | RESASSIGNMENT
Identity | Reference property | | IDENTITYREF
Resource | Reference property | | ROLEREF
Valid from | Value property | Datetime | VALIDFROM
Valid to | Value property | Datetime | VALIDTO
Origin | Reference property | | ORIGINREF
Description | Value property | Text | DESCRIPTION
Account name | Value property | Text | ACCOUNTNAME
Context | Reference property | | RA_CONTEXT
Attributes | Value property | Text | ATTRIBVALSINFO
Required approval levels | Value property | Text | REQAPVLLEVELS
For more information on the survey shadow object events, refer to the Surveys guide.
Security alert event
A security alert object is created when a security alert is received from Azure Identity Protection via the notification network endpoint of the Enterprise Server.
The object type for security alert events is created with a set of built-in properties and cannot be updated.
Properties on the security alert event data object type
Name | Type | Data type | System name
---|---|---|---
Status | Value property | Text | ALERT_STATUS
Description | Value property | Text | ALERT_DESCRIPTION
Created | Value property | Datetime | ALERT_CREATED
Confidence | Value property | Integer | ALERT_CONFIDENCE
Severity | Value property | Text | ALERT_SEVERITY
Category | Value property | Text | ALERT_CATEGORY
Title | Value property | Text | ALERT_TITLE
Alert id | Value property | Text | ALERT_REMOTEID
Identity | Reference property | | IDENTITYREF
User principal name | Value property | Text | ALERT_UPN
For more information on the security alert event and sample event definitions, refer to the Identity Risk Subscription with Microsoft Entra ID Identity Protection document.