1. Integrating Enterprise Data Quality with External Systems
  2. Using the EDQ System Administration API

8 Using the EDQ System Administration API

EDQ provides a set of REST-based interfaces for EDQ system report generation, package import and export, security and encryption configuration, web push notifications, Launchpad application configuration, and users and user group configuration.

To open the System Administration API, select the System Administration Rest API Specification from the Web Services dropdown menu in the Launchpad; the service loads automatically once selected. In this chapter, the EDQ service is assumed to be installed at:

http://edqserver:8001/edq

This chapter provides a detailed description of these interfaces and the operations that can be performed using these interfaces. It includes the following topics:

8.1 Using REST APIs to Generate System Reports

The EDQ sysreport is a support tool that you can use to retrieve configuration and runtime information from a running system. EDQ provides a REST API to generate the sysreport as a JSON object. You can use the output file for diagnostics and analysis.

In this section, the EDQ service is assumed to be installed at:

http://edqserver:8001/edq

To run this REST API you need to have system administration permission. Use the following interface the generate the sysreport:

GET http://server:port/edq/admin/sysreport[?hideenv=true]

The top level attributes in the output JSON are:
Attribute Description

configdb

The type and version information for the configuration schema database.

configpath

The configuration path as array of strings.

configproperties

The EDQ configuration properties.

environment

The environment variable. This attribute is omitted if ?hideenv=true is used on the URL.

licencepacks

The selected licence packs as array of strings.

memory

The basic memory usage information.

memorypools

The Java memory pool information.

os

The OS and CPU information.

resultsdb

The type and version information for the results schema database.

securityrealms

The name and label for each configured security realm.

server

The server information.

starttime

The server start date and time.

systemproperties

The Java system properties.

version

The EDQ version string.

vm

The Java VM information.

webroot

The path to web root.

You can use this REST API to request for a subset of the full report.

Use the following interface:

http://server:port/edq/admin/sysreport/subpath[?hideenv=true]

The subpath in the URL is used to select a subset within the full report. Each element in the path corresponds to an attribute in the JSON object.

For example,

To retrieve just the information on the configuration schema database, use the following:

http://server:port/edq/admin/sysreport/configdb

To retrieve just the database type, use the following:

http://server:port/edq/admin/sysreport/configdb/dbtype

To return the Java version, use the following:

http://server:port/edq/admin/sysreport/systemproperties/java.version

8.2 Using REST APIs for Importing and Exporting Configuration Objects

EDQ provides a set of REST-based interfaces to automate transfer of configuration between EDQ environments. You can use these REST APIs to package, export, and import the following configuration objects:

  • Projects
  • Global Reference Data
  • Global Data Stores
  • Global Published Processors
  • Stored Credentials
  • Case Sources
  • Case Workflows
  • Case Permissions
  • Global case filters

The package file that is written and read by the APIs is in ZIP format. You can encrypt the configuration objects and stored credentials using a password supplied in the request payload. You can add an "import" Autorun task to import package files at system startup. See Using the Autorun Chores for more information about the import chore.

This chapter provides a detailed description of these interfaces and the operations that can be performed using these interfaces. It includes the following topics:

8.2.1 REST Interface for Packaging Configuration

The REST interface for working with EDQ packaging, exporting, and importing configuration is

http://edqserver:port/edq/package

This interface allows you to perform the following tasks:

  • Exporting configuration

    You must have the Package functional permission to package and export configuration objects. If case management objects are included in the export, you must have access to the Case Management Administration application.

    To package and export configuration objects, use the following interface:

    POST http://edqserver:port/edq/package/export

  • Importing configuration

    You must have create and delete function permissions for all the objects that are being imported. If case management objects are included in the import, you must have access to the Case Management Administration application.

    To import configuration objects, use the following interface:

    POST http://edqserver:port/edq/package/import

  • Getting packaging task status

    Export and import calls return immediately and the packaging task runs asynchronously. The result of package calls is a JSON object containing an "id" attribute, which is the "execution ID" for the task. For example:

    {"id":"58636dd0-22b6-4d7d-be16-74908d30404f"}

    To get status information on a packaging task, use the following interface:

    GET http://edqserver:port/edq/package/status/executionid

    Packaging status is retained in the system for one hour after the task has completed. If you do not specify the execution ID in the get status call, the status for all retained packaging tasks is returned.

    For example:

    GET http://server/edq/package/status/58636dd0-22b6-4d7d-be16-74908d30404f

    returns status information specific to this execution ID.

    GET http://server/edq/package/status

    returns status information for all retained packaging tasks. See Packaging Task Status Result Format for more details.

8.2.2 JSON Payload Format

The REST APIs use a JSON payload to define the configuration objects for the packaging, export, and import.

The following table lists the attributes of the JSON payload:

Attribute Description

casemanagement

Defines the case management objects to export/import. See casemanagement attributes.

destination

Required. Destination definition. See destination attributes.

password

Encryption password. If present, configuration objects and stored credentials are encrypted in the package file.

preserve

If true, existing object are not overwritten. Applies to import only.

label

Label describing packaging task. This information is shown in log messages and included in status reports.

datastores

Selector for global data stores to export/import.

publishedprocessors

Selector for global published processors to export/import.

referencedata

Selector for global reference data to export/import.

projects

Selector for projects to export/import.

storedcredentials

Selector for stored credentials to export/import.

casemanagement attributes

The casemanagement value is an object with these attributes:

Attribute Description

sources

Selector for case sources to export/import.

workflows

Selector for case workflows to export/import.

permissions

Selector for case permissions to export/import. Case permissions are matched using the unique internal permission keys, which can be examined in the Case Management Administration application.

filters

Selector for global case filters to export/import. Applies to EDQ 14.1.2 and later versions.

destination attributes

The payload destination value is an object containing these attributes:

Attribute Description

location

Required. File name or URL for the package file. If a non-absolute file name is specified, the location is relative to the "local home" configuration directory.

credentials

Name of stored credentials used to authenticate a request to a URL location. Ignored if the location is a file. If the URL requires simple username/password authentication, use "basic" stored credentials.

platformcredentials

If true, uses platform credentials for the file upload/download. Supported on Oracle Cloud Infrastructure (OCI) Object Storage, Amazon Web Services (AWS), and Google Cloud Platform (GCP).

method

HTTP method used for uploads. Ignored if the location is a file. The default is PUT.

Examples:

Use a file in the EDQ landing area:

{ ...
  "destination": {
    "location": "landingarea/pkg/package2.zip"
  },
  ...
}

Use OCI object storage, with stored credentials:

{ ...
  "destination": {
    "location": "https://objectstorage.us-phoenix-1.oraclecloud.com/n/mytenancy/b/bucket1/o/package.zip",
    "credentials": "OCI 1"
  },
  ...
}

Use AWS S3, with stored credentials:

{ ...
  "destination": {
    "location": "https://mystorage.s3.us-east-2.amazonaws.com/package.zip",
    "credentials": "aws1"
  },
  ...
}

Use GCP, with stored credentials:

{ ...
  "destination": {
    "location": "https://storage.googleapis.com/upload/storage/v1/b/edqstorage/o?name=package.zip",
    "method": "POST",
    "credentials": "GCP 1"
  },
  ...
}

Output Selectors

The selector object used to specify objects to export/import has these attributes:

Attribute Description

include

Array of "glob-style" patterns used to select objects to include. Use an asterix (*) to match any characters and a question mark (?) to match a single character.

exclude

Array of "glob-style" patterns used to select objects to exclude. Use an asterix (*) to match any characters and a question mark (?) to match a single character.

renames

Object specifying the old to new object renames. On export the rename controls the item written to the package. On import the rename applies to objects in the package and controls the name imported into the system.

In an export task the include and exclude patterns are matched against items in the database. In an import task the patterns are matched against the items in the package file.

Examples:

To include all projects except "Temp1" and those starting with "Test", and to include all non-standard reference data:

{ ...
  "projects": {
    "include": ["*"],
    "exclude": ["Temp1", "Test*"]
  },
  "referencedata": {
    "include": ["*"],
    "exclude": ["\\**"]
  },
  ...
}

Note the use of the escape character backslash (\) to prevent the first asterix (*) from being treated as a wild card. To conform to JSON syntax, you need to use two backslash (\) characters.

To include everything:

{ ...

  "projects": {
    "include": ["*"]
  },

  "referencedata": {
    "include": ["*"]
  },

  "datastores": {
    "include": ["*"]
  },

  "publishedprocessors": {
    "include": ["*"]
  },

  "storedcredentials": {
    "include": ["*"]
  },

  "casemanagement": {

    "sources": {
      "include": ["*"]
    },

    "workflows": {
      "include": ["*"]
    },

    "permissions": {
      "include": ["*"]
    },
	"filters": {
	  "include": ["*"]
    }
  }
}

8.2.3 Packaging Task Status Result Format

The result of the GET status call is an object in which the attributes are the currently retained execution IDs. The value of each attribute is a status object with these attributes:

Attribute Description

label

The label copied from the packaging request payload.

type

Whether "import" or "export".

complete

Set to true when the packaging process has completed.

failed

Set to true if the packaging process failed with an errors.

start

Packaging process start timestamp.

end

Packaging process end timestamp. Set when the process is complete.

status

Current status of packaging process. Cleared when process is compete.

error

Error message if failed is true.

manifest

Manifest object defining contents of the export package or the items imported. Set on successful completion.

The manifest for an export task is stored as the first entry in the package ZIP file. The manifest object contains these attributes:

Attribute Description

version

Manifest object version. Always 1 in this version.

appversion

Application version, such as "12.2.1.4.4" or "14.1.2.0.0".

encrypted

Set to true if the package was generated with a password.

projects

Array of names of projects included in the export or matched during import.

referencedata

Array of names of global reference data included in the export or matched during import.

datastores

Array of names of global data stores included in the export or matched during import.

publishedprocessors

Array of names of global published processors included in the export or matched during import.

storedcredentials

Array of names of stored credentials included in the export or matched during import.

casemanagement

Case management items included in the export or matched during import.

sources - Case source names

workflows - Case workflow names

permissions - Case permission keys

Example status result

An export that is run with this payload:

{ ...

{ "label": "Export task1",
 
  "password": "medusa",
 
  "destination": {
    "location": "https://objectstorage.us-phoenix-1.oraclecloud.com/n/devbigdata/b/rde.bucket1/o/example.zip",
    "credentials": "OCI 1"
  },
 
  "projects": {
    "include": ["adb", "cases", "s*"],
    "exclude": ["snowflake"],
    "renames": {
      "adb": "Oracle ADB"
    }
  },
 
  "referencedata": {
    "include": ["*Country*"]
  },
 
  "storedcredentials": {
    "include": ["OCI*", "aws*"],
    "exclude": ["aws?"]
  },
 
  "casemanagement": {
 
    "sources": {
      "include": ["CS2", "Issue Remediation"]
    },
 
    "workflows": {
      "include": ["Issue Remediation*"]
    },
 
    "permissions": {
      "include": ["Permission?"]
    }
  }
}

would return this status after completion:

{ "d154aee7-9af4-46ab-af89-84ed6b12109a": {
    "start": "2023-07-13T16:44:17.809Z",
    "label": "Export task1",
    "type": "export",
    "end": "2023-07-13T16:44:26.871Z",
    "manifest": {
      "appversion": "14.1.2.0.0",
      "encrypted": true,
      "projects": [
        "Oracle ADB",
        "cases",
        "scannerbug",
        "scripts",
        "services",
        "sqlserver",
        "srvr"
      ],
      "referencedata": [
        "Country from City",
        "Nationality to Standard Country",
        "Standardize Country Names"
      ],
      "datastores": [],
      "publishedprocessors": [],
      "storedcredentials": [
        "OCI 1",
        "OCI edqtest",
        "OCI edqtest2",
        "aws - oracle",
        "aws rde",
        "aws s3"
      ],
      "casemanagement": {
        "permissions": [
          "Permission1",
          "Permission2"
        ],
        "workflows": [
          "Issue Remediation Alerts",
          "Issue Remediation Cases"
        ],
        "sources": [
          "CS2",
          "Issue Remediation"
        ]
      },
      "version": 1
    },
    "complete": true
  }
}
8.2.3.1 Packaging REST API Triggers

The packaging APIs run triggers with these paths:

  • /package/export/start
  • /package/export/end
  • /package/import/start
  • /package/import/end

The arguments to each trigger call are the task label (from the export/import payload) and the packaging status JSON as a string. The status is passed as a string so that it can be sent easily to a logging or streaming framework without additional parsing.

The following is an example that notifies administrators using a web push when an export is complete:

addLibrary("webpush")
 
function getPath() {
  return "/package/export/end"
}
 
function run(path, id, env, label, status) {
  if (path.endsWith("/end")) {
    var push = WebPush.create("Export " + label + " complete")
 
    push.title      = "Export notification"
    push.icon       = "images/logo.png"
 
    push.groupnames = ["Administrators"]
    push.push()
  }
}

8.3 REST API for Security and Encryption

Certain information stored in the EDQ configuration is encrypted for additional security. The encryption and decryption are handled by a pluggable security module. If the security module is replaced or reconfigured in an existing system and there is existing encrypted data, you can define the new security module using the following REST API interfaces:

POST to /etc/admin/security/rotateencryption

POST to /edq/admin/security/migrateencryption

For more information, see Configuring EDQ Encryption.

8.4 REST API for Web Push Notifications

Administrators can use the following REST API to notify users of important events such as an impending shutdown:

POST http://server/edq/admin/web/push

For more information, see REST API for Web Push Notifications.

8.5 REST Interface for Launchpad Applications

Calls in this category are used to list and update the applications that are shown on the launchpad for all users. The calling user must have the Access Server Administration and Set User Application Access permissions for both calls.

You can perform the following tasks:

  • Get applications

    To return the current list of published applications, and a list of all applications known to the system, use the following interface:

    GET http://server:port/edq/admin/web/launchpad/applications

    The result object contains these attributes:

    Attribute Type Description

    published

    Array of strings

    List of applications that are currently shown on the launchpad, in display order.

    allapplications

    Array of application objects

    List of all the applications which are known to the system. Each object contains the following values:

    • label - Display string for application
    • identifier - Internal identifier

    Note that the allapplications list includes applications that are permission controlled by group membership (such as Case Management) and also applications that are links to simple content, such as Watchlist Screening Help.

  • Update launchpad applications

    To update launchpad applications, use the following interface:

    POST http://server:port/edq/admin/web/launchpad/applications

    The payload is an array of strings listing the identifiers of the applications that should appear on the launchpad, in order.

    For example:

    [ "opsui", 
  "director", 
  "casemanager", 
  "casemanageradmin"
]

The result for all POST calls is an object containing these attributes:

Attribute Description

ok

Success flag. Possible values are true or false.

message

Error message, present if ok is false.

8.6 Using REST APIs for User Group Management

EDQ includes a set of REST-based interfaces to manage user groups and external group mappings.

The result for all POST and DELETE calls is an object containing these attributes:

Attribute Description

ok

Success flag. Possible values are true or false.

message

Error message, present if ok is false.

This chapter includes the following topics:

8.6.1 REST Interface for External Group Mappings

Groups in external realms (LDAP etc) are mapped to EDQ internal group so that the permissions and applications available to a user can be determined on login. Calls in this category return the currently defined mappings and update mappings.

Each mapping is represented by an object with these attributes:

Attribute Description

realm

The realm name as defined in login.properties. In an update call this attribute may be omitted if exactly one external realm is defined.

externalgroup

The name of group in the external realm. Always required.

internalgroups

Array of EDQ internal group names. In an update call, existing mappings are removed if this attribute is omitted or empty.

You can perform the following tasks:

  • Get current mappings

    To retrieve information about the current external group mappings, use the following interface:

    GET http://server:port/edq/useradmin/externalgroups

    The result is an array of mapping objects.

  • Update mappings

    To update information about the current external group mappings, use the following interface:

    POST http://server:port/edq/useradmin/externalgroups

    The payload is an array of mapping objects. The calling user must have the Modify External Group Permissions functional permission.

    Example:

    [ 
  { "realm": "EXAMPLE.COM",
    "externalgroup": "edqgroup1",
    "internalgroups": ["Data Analysts"]
  },
  { "realm": "EXAMPLE.COM",
    "externalgroup": "edqgroup2",
    "internalgroups": ["Match Reviewers", "Executives"]
  }
]

8.6.2 REST Interface for Creating and Updating Groups

The calling user must have the Access User Administration functional permission for all user administration calls.

The group object used in requests and responses has these attributes:
Attribute Type Description

name

String

The name of the group. Always required.

permissions

Array of strings

Functional permissions associated with group. Values are the internal identifiers representing permissions.

In create or update requests, all the permissions in a category can be selected using prefix:. For example ops:* or user_admin:*.

applications

Array of strings

Applications available to the group. Values are the internal identifiers for launchpad applications.

You can perform the following tasks:

  • Get all groups

    To return an array of group objects, use the following interface:

    GET http://server:port/edq/useradmin/groups

  • Get named group

    To get information on a single named group, use the following interface:

    GET http://server:port/edq/useradmin/group/name

    The result is a group object. If the group does not exist, a 404 response is returned.

  • Create or update single group

    To create or update a single group, use the following interface:

    POST http://server:port/edq/useradmin/group

    The payload is a single group object. If the permissions or applications attributes are not specified, the corresponding values in the group are not changed on update. If the group does not exist, the calling user must have the Add Group permission, otherwise the user must have the Modify Group permission.

  • Create or update multiple groups

    To create or update multiple groups, use the following interface:

    POST http://server:port/edq/useradmin/groups

    The payload is an array of group objects.

  • Delete named group

    To delete a named group, use the following interface:

    DELETE http://server:port/edq/useradmin/group/name

    The user must have the Delete Group permission.

  • Update group

    To update a group, use the following interface:

    POST http://server:port/edq/useradmin/updategroup

    This request can be used to add or remove permissions or applications from an existing group. The payload is a JSON object with these attributes:

    Attribute Description

    name

    The name of the group. Always required.

    permissions

    Permission additions and removals.

    applications

    Application additions and removals.

    The permissions and applications attributes are object with these attributes:

    Attribute Description

    add

    Array of values to add to the group.

    remove

    Array of values to remove from the group.

    Example:

    { "name": "Test Group",
  "permissions": {
    "add": [ "user_admin:*", "ops:dnviewallevents"],
    "remove": [ "server_admin:accessserveradmin"]
   },
   "applications": {
     "add": ["opsui" ]
   }
}
  • Get lists of supported applications and functional permissions

    Use the following interface:

    GET http://server:port/edq/useradmin/permissionsinfo

    Group objects list applications and functional permissions using internal identifiers. The call returns lists of all supported applications and permissions including both the display strings used in the administration web UI and the associated identifiers. Permissions are grouped by the categories shown in the group administration web UI.

    The result object contains these attributes:

    Attribute Description

    applications

    List of supported applications.

    functionalpermissions
    List of permission categories. Each element contains these attributes:
    • categorylabel - Display string for the category. For example "CM.Static" or "Director".
    • prefix - Prefix associated with the category. For example "data:" or "user_admin:".
    • permissions - List of permissions in the category.

    Individual application and permission objects contain these attributes:

    Attribute Description

    label

    Display string for application or permission.

    identifier

    Internal identifier.

    Display strings are returned in the language implied by the web request.

8.7 REST Interface for Creating and Updating Users

The user object used in requests and responses has these attributes:
Attribute Type Description

username

String

The name of the user. Always required.

password

String

The user password. Required when creating a new user.

blocked

Boolean

Set to true if the user has been blocked permanently.

fullname

String

The full name of user. Required when creating a new user.

email

String

The e-mail address of user.

organization

String

The name of the user's organization.

telephone

String

The user's telephone number.

forcepasswordchange

Boolean

If true forces the user to change their password on the next login.

passwordpolicy

Integer
User password expiration policy. Possible values are:
  • 0 - Password expiry defined by system configuration
  • 1 - Password never expires
  • 2 - Password expires after system defined period

lockoutpolicy

Integer

User lockout policy after bad logins. Possible values are:

  • 0 - Policy defined by system configuration
  • 1 - No action
  • 2 - Lockout for 2 minutes
  • 3 - Lockout for 5 minutes
  • 4 - Lockout for 15 minutes
  • 5 - Lockout for 30 minutes
  • 6 - Lockout for 1 hour
  • 7 - Lockout for 24 hours
  • 8 - Lockout permanently

groups

Array of strings

Groups to associate with the user.

The passwordpolicy and lockoutpolicy attributes correspond to the Password Policy and Invalid Attempts fields in the user definition web UI:

You can perform the following tasks:

  • Get all users

    To return an array of user objects, use the following interface:

    GET http://server:port/edq/useradmin/users

  • Get named user

    To get information on a single named user, use the following interface:

    GET http://server:port/edq/useradmin/user/username

    The result is a user object. If the user does not exist a 404 response is returned.

  • Create or update single user

    To create or update a single user, use the following interface:

    POST http://server:port/edq/useradmin/user

    The payload is a single user object. On update, attributes that are not included in the payload object are not modified in the target user. An attribute which is set to null in the payload is cleared in the target user object.

    For example to update a user and clear the e-mail address, use this payload:

    { "username": "user23",
  "email":    null
}

    To update the password for a user, but force a change on next logon, use the following: 

    { "username": "user153",
  "password": "newtemppassword",
  "forcepasswordchange" : true
}

    To create a new user, the caller must have the Add User permission. To modify a user, the required permissions depend on the detailed changes. The following table lists the permissions you need corresponding to the information you want to update:

    Action Required Permission

    Change password

    Change/Reset User Passwords

    Block user permanently

    Block User

    Unblock user

    Unblock User

    Change full name, e-mail address, organization name or telephone number

    Modify User Details

    Change password policy, lockout policy or force change option

    Modify Account Security Options

    Change group membership

    Modify User Group Permissions
  • Create or update multiple users

    To create or update multiple users, use the following interface:

    POST http://server:port/edq/useradmin/users

    The payload is an array of user objects. To modify users, the required permissions depend on the detailed changes as listed in the table above.

  • Delete named user

    To delete a user, the user must have the Delete User permission. Use the following interface:

    DELETE http://server:port/edq/useradmin/user/username

The result for all POST and DELETE calls is an object containing these attributes:

Attribute Description

ok

Success flag. Possible values are true or false.

message

Error message, present if ok is false.