
RSA Archer
IT Service Management- Overview
- Setup
- Data & mappings
- Operations & API
- Changelog
The RSA Archer Connector integrates with the RSA Archer Integrated Risk Management (IRM) platform to synchronize and manage application records.
It connects to the RSA Archer REST APIs using session-based authentication and retrieves metadata and content records from Archer applications.
The connector dynamically discovers Archer Applications and Field Definitions, automatically generating schema and attributes based on the Archer configuration (cached for one hour per instance).
It supports reading, creating, and updating records through the Archer Content API and supports incremental synchronization using a timestamp filter.
Key capabilities:
- Connects securely to the Archer REST API using session-based authentication.
- Dynamically discovers Archer applications and fields to generate the connector schema (cached for one hour per instance).
- Reads records from the Archer Content API with pagination (fixed 1000-record page size) and retry logic.
- Supports incremental synchronization by filtering on the
Last_Updatedcontent field. - Supports record creation and update via the Platform Content API.
- Resolves and normalizes value lists, cross references, external links, users/groups, and subform fields.
- Supports a per-operation content endpoint override.
- Validates configuration before initialization.
Data retrieved from RSA Archer
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Record | Yes | Not mapped (dynamic) |
Model relationships
For detailed steps on how to view the data retrieved from RSA Archer in the Brinqa Platform, see How to view your data.
Connection settings
When setting up a data integration, select RSA Archer from the Connector dropdown and provide the following:
| Setting | Required | Default | Description |
|---|---|---|---|
| Server URL | Yes | https://<archer-server>/RSAarcher | RSA Archer server base URL |
| Instance name | Yes | Default - (user input, Required) | RSA Archer instance name |
| User name | Yes | Default - (user input, Required) | RSA Archer user name |
| Password | Yes | Default - (user input, Required) | RSA Archer user password |
| Session timeout | No | 300 | Security authentication session timeout in seconds, default is 300 seconds (5 minutes) |
| SSL / TLS | No | false | Skip certificate verification |
Authentication
The connector uses session-based authentication. On the first request (or after the session expires) it calls the Archer security login endpoint to obtain a session token, then sends that token on every subsequent request.
Endpoint
| Method | URL |
|---|---|
POST | /platformapi/core/security/login |
Request Headers
| Header | Value |
|---|---|
Content-Type | application/json |
Request Body
{
"InstanceName": "your-instance-name",
"username": "your-username",
"password": "your-password",
"UserDomain": ""
}
Sample Response
{
"Links": [],
"RequestedObject": {
"SessionToken": "0123456789ABCDEF0123456789ABCDEF",
"InstanceName": "your-instance-name",
"UserId": 12345
},
"IsSuccessful": true,
"ValidationMessages": []
}
Response Fields
| Field | Description |
|---|---|
RequestedObject.SessionToken | Session token used to authenticate subsequent requests. |
RequestedObject.InstanceName | The Archer instance the session belongs to. |
RequestedObject.UserId | Numeric identifier of the authenticated user. |
IsSuccessful | Indicates whether the login request succeeded. |
Usage
The session token is read from RequestedObject.SessionToken and applied to every subsequent request via these headers:
Authorization: Archer session-id=<session-token>
Accept: application/json
The token is treated as valid for the duration of the sessionTimeout configuration value (seconds); it is refreshed automatically when expired. When the connector is finished it issues a POST /platformapi/core/security/logout to invalidate the session.
How to obtain RSA Archer credentials
Create an RSA Archer API user
For the RSA Archer connector to access the Archer REST API, you must have a user account with the appropriate permissions. To create a new RSA Archer user or verify existing credentials, follow these steps:
-
Log in to your RSA Archer instance as an administrator.
-
Navigate to Administration > Access Control > Users.
-
Create a new user or select an existing user account.
-
Ensure the user has read access to the Archer applications and fields you want to synchronize with Brinqa.
-
Take note of the username, password, and instance name and provide them in the corresponding fields in the integration configuration.
Note: If you do not have the permissions to create or manage users, contact your RSA Archer administrator. For additional information, see RSA Archer documentation.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes:
Record
| Source Field Name | SDM Attribute |
|---|---|
| :------------------------------------------------------------------------------------------------- | :-------------------------------------- |
| Behavior | Archer Field Type |
Expanded into flattened Parent__Subfield attributes (value-list and date children normalized). | Subform |
Field.api_name content value | <Field API name> |
Long, or Double when the field defines decimal places. | Numeric / Tracking ID |
Multi-valued. | Cross Reference |
Parsed to an Instant timestamp. | Date / First Published / Last Updated |
Resolved to the value's display name; multi-valued when the field's max selection > 1. | Values List |
Resolved to user/group display names on write; not published as a read attribute. | Users / Groups List |
String value. | Text |
| Subform child field content | <Parent__Subfield> |
| Sync execution timestamp | LAST_CAPTURED |
| Tracking ID field value | UID |
| Tracking ID field value | NAME |
| Tracking ID field value | Sys_ID |
Operations & API
Expand each connector object to see its operation options, delta-sync behavior, and the API it uses. See connector operation options for how to apply operation options (keys and values are case-sensitive).
Record
Operation options
| Option | Type | Default | Description |
|---|---|---|---|
override_endpoint | String | Overrides the auto-resolved Content API endpoint name for the application during a sync. |
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint · Endpoint:
GET /contentapi/{endpoint} - Default filters:
$filter=Last_Updated gt <since>(applied only when a sync token is supplied)
Changelog
The RSA Archer connector has undergone the following changes:
| Version | Description | Migration Steps |
|---|---|---|
| 3.0.2 | Improvements - LAST_CAPTURED attribute: Added mandatory LAST_CAPTURED timestamp to all synced records, recording the exact time each record was captured by the connector - Attribute construction modernization: Migrated single-valued attribute construction from new AttributeInfoBuilder(name) to AttributeInfos.newAttribute(name) for Brinqa 3.x compliance - Users/Groups List fields (Type 8): Enabled synchronization and write-back for Users/Groups List fields — removed FIELD_TYPE_USERS_GROUPS_LIST from UNSUPPORTED_TYPES, allowing user and group assignment data to flow into Brinqa - Date and DateTime fields: Date ( Type 3), First Published Date (Type 21), and Last Updated (Type 22) fields are now synchronized as proper Instant timestamp values instead of numeric epoch Long values - Date write-back: Write-back for date fields now reads values as Instant objects (via getSingleValue) instead of Long epoch millis, correctly matching the updated sync data type - API endpoint centralization: Consolidated all hardcoded API path strings into ArcherModel constants (ENDPOINT_LOGIN, ENDPOINT_LOGOUT, ENDPOINT_APPLICATION, ENDPOINT_CONTENT, ENDPOINT_FIELD_DEFINITION, ENDPOINT_USER, ENDPOINT_GROUP, ENDPOINT_VALUES_LIST, ENDPOINT_CONTENT_API, ENDPOINT_FIELD_CONTENT) - Visibility tightening: Changed RESERVED_ATTRIBUTES_NAMES, NO_RETRIES, and LOG fields to protected static final / private with proper access modifiers; made DATE_TIME_FORMATTER and CONTENT_DATE_TIME_FORMATTER constants private - RESERVED_ATTRIBUTES_NAMES immutability: Replaced mutable Lists.newArrayList() with ImmutableList.of() for the reserved attributes name list - Unified schema attributes: Introduced UNIFIED_ATTRIBUTE_INFOS collection (UID, LAST_CAPTURED) to consistently add mandatory attributes to all object class schemas, replacing the previous inline UID-only logic - Value list matching: Added trim() to ValueListValue.nameEquals() for whitespace-tolerant value list name comparison - Write-back attribute resolution: Removed the Source_ / SOURCE_ / source_ prefix-stripping step during create/update — attributes are now matched to Archer fields by their api_name directly, eliminating a fragile string-replacement step - Diagnostic logging: Added structured debug logging for schema field mappings ( Field mapping: attributeName=…; fieldId=…; fieldName=…; fieldType=…) and field value resolution during write-back operations (Added field value: attribute_name=…; fieldId=…; fieldName=…) - UserAgent fix: Corrected a trailing parenthesis typo in the getUserAgent() format string (BrinqaArcherConnector/%s) → BrinqaArcherConnector/%s) - API response sample Javadocs: Added JSON sample Javadocs to AuthSession, RequestedObject, and UserGroup DTOs Infrastructure - Parent POM: Upgraded http-connectors-parent from 2.1.11 to 2.1.12 - Model version: Upgraded connectors-model from 1.6.12 to 1.6.19 - MockWebServer: Added com.squareup.okhttp3:mockwebserver:4.12.0 test dependency - Integration tests: Added ArcherConnectorIntegrationTests with full MockWebServer-based test suite covering connection (testConnection), schema validation (testSchema, testSchemaMeta), and Findings record sync verification (syncRecords) with assertion of UID, NAME, LAST_CAPTURED, and dynamic attributes - Unit tests: Removed hardcoded credentials from ArcherConnectorTests — configuration now reads from System.getProperty(); class annotated with @Ignore (requires live server); added testSchema, testSchemaMeta, and syncFindings test methods; updated testBadConnection to expect NonRetryableException and re-initialize connector before testing Bug Fixes - Fixed an issue where the record identifier (UID) could resolve to the wrong field when multiple Tracking ID-type fields existed in an application — the idFieldName() method now filters specifically for the field named "Tracking ID" rather than any field of type FIELD_TYPE_TRACKING_ID - Fixed date field formatting so that date values are correctly interpreted as ISO-8601 timestamps ( Instant) rather than raw numeric values (Long), resolving data mapping errors between Brinqa and Archer - Fixed an issue where attributes prefixed with Source_ (reserved-name collision prefix) were being pushed verbatim during create/update operations instead of being resolved back to the original Archer field name | • All Archer Application Records: The Tracking ID resolution logic has changed — records may now use a different field as their unique identifier. Action: purge and re-sync all Archer applications to ensure consistent record mapping. • All Archer Application Records: Date and DateTime field types have changed from Long to Instant. Action: purge and re-sync to apply the corrected data types. --- |
| 3.0.1 | Improvements - Multi-application schema support: Replaced single-application schema discovery with a schemaAll() method that iterates all active Archer applications and registers each as a separate object class — the connector now exposes every configured application instead of only the first one found - loadSchema multi-class registration: Updated loadSchema to iterate the full list of ObjectClassInfo returned by schemaAll() and register each one with the SchemaBuilder - listValues null-safety: Changed listValues() in ArcherModel to return an empty list instead of null when the map value is not a List, preventing potential NullPointerException during attribute extraction - Spotless code formatting: Applied Spotless auto-formatter across the entire codebase for consistent code style (import ordering, line wrapping, brace placement) Infrastructure - Parent POM: Upgraded http-connectors-parent from 2.1.9 to 2.1.11 - Model version: Upgraded connectors-model from 1.6.11 to 1.6.12 Tests - testSchema method: Added testSchema test that iterates all discovered object class types and asserts each resolves to a non-null ObjectClassInfo | N/A |
| 3.0.0 | Overview The RSA Archer connector integrates with the RSA Archer Integrated Risk Management (IRM) platform to synchronize application records, making Archer-managed risk and governance data available for analysis. Category: IT Service Management Models | N/A |