
Purpose

The purpose of this module is to show you how to delegate mandates to other users so that they can perform selected functions that you choose.



Requirements

  • CustomerID installed


Overview of this lab

We will use the CustomerID administrative interface to configure delegated role management using mandates. In a nutshell, these are the four main steps:


Part 1: Create Users


In order to create users:

  1. Log in as Scott Long (SmartPlan Admin). This user was created during Lab 1.1.

  2. Enable the adduser workflow. To do that, edit the following settings in the eidm2.properties file:

    eidm2.properties:
    createuser.workflows = adduser
    
    registration.1 = adduser
    registration.1.enabled = false
    registration.1.tupas.disabled = true
    registration.1.approval = false
    registration.1.methods = [ { "name" : "password.2", "mandatory" : "true", "visible" : "false", "default" : "true" } ]
    registration.1.userinfo.fields = firstname, surname, email, password
    registration.1.organizations = { "path" : "Users"}
    registration.1.summary.fields = firstname, surname, email
    


  3. Restart WildFly.
  4. Log in as Scott Long and open the "Users" tab.
  5. The "Add User" button should now be visible. Click on it.
  6. Create the user Jeremy Mills and give him the Contact Person role for City Group Inc, as shown in the following images. The password must contain both numbers and letters.
  7. On the next step you must select a role in order to continue. Type the company name in the Search box.
  8. Now log in as Jeremy Mills to verify that the user has been created.


Part 2: Create Service

The goal of this section is to create a new organization using the following values:

  Technical Name:     mysmartplan
  Display Name:       My SmartPlan
  Organization Type:  site
  Service:            true


Warning: Do not use spaces in the technical name.



  1. Log in to CustomerID as an administrator. On the "front page" you will see the button to create a new organization.
  2. Once you select "Create new organization", the next screen will be:



Part 3: Define Mandate

Ubisecure Identity Server uses roles and mandates. This is how roles look in the administration interface for My SmartPlan:



Exercise. You can customize the text descriptions for Visitor, Member and Owner in the custom/roles.properties file:

custom/roles.properties:
# English

en.friendlyName.visitor = Visitor
en.description.visitor  = Visitor can view public information. 

en.friendlyName.member = Member
en.description.member  = Member can read private information. 

en.friendlyName.owner = Owner
en.description.owner  = Owner can write information and manage user rights. 


This is how the interface looks after the changes (observe the "Description" column):


Now it's time to understand how mandates work in practice:

What is the difference between a role and a mandate?


Role

  • Can be assigned only to a person
  • Cannot be delegated to others

Examples:

  • Member role for Online Service
  • Owner role for Online Service
  • To remove access rights, the roles must be removed from each user individually

Mandate

  • A mandate can consist of one or more roles
  • A mandate received by an organization can be delegated to other persons
  • Shows source of authorization
  • Corresponds to a contract in the CRM system

Examples:

  • A mandate typically refers to a contract in a CRM system
  • Access rights can be removed from all users and organizations by removing the mandate.
  • Mandate templates are currently created and managed via the REST API


As you can see in the picture below, an organization mandate will allow delegation of service roles to customer organizations. The City Group administrator, Jeremy Mills, can then decide who within his own organization will have access to the Online Service.

Mandates can be configured to require approval by an organization administrator. We will disable this for today.

Allowed roles must be defined in the custom\eidm2.properties configuration file.

custom\eidm2.properties:
general.admin.organization.users.includerolemembers = true

mandate.roles.allowed = owner,member,visitor

mandate.receiver.approval = false


Exercise. Create an organization mandate

Create a mandate including the Online Service Member role:

  1. Open the Online Service and its Mandates tab
  2. Set City Group Inc. as the receiver of the mandate. Company ID: 2184053-5
  3. Choose the role Member to be included in the mandate

Exercise. Delegation

As a Contact Person for City Group, delegate the service roles to the organization's users:

  1. Log in as Jeremy Mills
  2. Open the City Group Mandates tab

  • Even Jeremy must receive the role through delegation in order to use it
  • All roles contained in the mandate are given


Customer Data Integration with REST API


Query users

The following request shows all users:

    https://login.smartplan.com:7443/customerid-rest/services/2.1/users/?username=restuser&password=restpass

e.g.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Users xmlns="http://schema.ubisecure.com/customerid/api" inResponseTo="/2.1/users/" method="GET">
<Id>6225612a-02c4-4f5c-b875-bbb23379a6f2</Id>
<Id>1f216754-e009-4153-9e58-f6dd1ccdfefb</Id>
<Id>980a4aa3-8dac-4365-af75-58028d2353eb</Id>
<Id>d6cb9cea-b807-49a6-9746-99608591d89e</Id>
<Id>d69ce890-76a2-40be-8677-3ec951954b25</Id>
<Id>9bfba31b-5047-4baf-941c-e88ce15707e3</Id>
</Users>


Query user info

Pick one user ID from the output, such as 6225612a-02c4-4f5c-b875-bbb23379a6f2, and use it in the query user command below:

    https://login.smartplan.com:7443/customerid-rest/services/2.1/users/6225612a-02c4-4f5c-b875-bbb23379a6f2?username=restuser&password=restpass

The individual user's information will be shown:

e.g.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<User xmlns="http://schema.ubisecure.com/customerid/api" inResponseTo="/2.1/users/6225612a-02c4-4f5c-b875-bbb23379a6f2" method="GET" type="user">
<Attribute name="id">
    <Value>6225612a-02c4-4f5c-b875-bbb23379a6f2</Value>
</Attribute>
<Attribute name="firstname">
    <Value>Leena</Value>
</Attribute>
<Attribute name="surname">
    <Value>Laine</Value>
</Attribute>
<Attribute name="cn">
    <Value>cd4b6658-b4c5-4e39-82e9-aa19e73bb42f</Value>
</Attribute>
<Attribute name="login">
    <Value>leena.laine</Value>
</Attribute>
<Attribute name="email">
    <Value>leena.laine@example.com</Value>
</Attribute>
<Attribute name="organization">
    <Value>Users</Value>
</Attribute>
<Attribute name="status">
    <Value>Enabled</Value>
</Attribute>
</User>
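As an added example (not Ubisecure's code), here is how the two XML response shapes shown in the "Query users" and "Query user info" sections can be parsed and checked before an integration acts on them. The sample bodies are shortened copies of the lab output; the assumption that one Attribute may carry more than one Value is mine.

```python
"""Parse CustomerID REST 2.1 XML responses: the user list and a single user.

Added example, not Ubisecure's code. Only the namespace and element names
seen in the lab responses are relied on.
"""
import xml.etree.ElementTree as ET

NS = {"c": "http://schema.ubisecure.com/customerid/api"}

# Constructed from the lab's sample output of GET /2.1/users/ (shortened).
USERS_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Users xmlns="http://schema.ubisecure.com/customerid/api" inResponseTo="/2.1/users/" method="GET">
<Id>6225612a-02c4-4f5c-b875-bbb23379a6f2</Id>
<Id>1f216754-e009-4153-9e58-f6dd1ccdfefb</Id>
</Users>"""

# Constructed from the lab's sample output of GET /2.1/users/{id} (shortened).
USER_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<User xmlns="http://schema.ubisecure.com/customerid/api" inResponseTo="/2.1/users/6225612a-02c4-4f5c-b875-bbb23379a6f2" method="GET" type="user">
<Attribute name="id"><Value>6225612a-02c4-4f5c-b875-bbb23379a6f2</Value></Attribute>
<Attribute name="login"><Value>leena.laine</Value></Attribute>
<Attribute name="email"><Value>leena.laine@example.com</Value></Attribute>
<Attribute name="status"><Value>Enabled</Value></Attribute>
</User>"""


def parse_user_ids(body: bytes) -> list[str]:
    """Return the <Id> values of a /users/ listing, rejecting any other root."""
    root = ET.fromstring(body)
    if root.tag != f"{{{NS['c']}}}Users":
        raise ValueError(f"unexpected root element {root.tag}")
    return [e.text.strip() for e in root.findall("c:Id", NS) if e.text]


def parse_user(body: bytes) -> dict[str, list[str]]:
    """Return {attribute name: [values]} from a /users/{id} response.

    Values are kept as a list on the assumption (mine, not documented in the
    lab) that an Attribute may carry several <Value> children.
    """
    root = ET.fromstring(body)
    if root.tag != f"{{{NS['c']}}}User":
        raise ValueError(f"unexpected root element {root.tag}")
    attrs: dict[str, list[str]] = {}
    for attr in root.findall("c:Attribute", NS):
        name = attr.get("name")
        if name is None:
            continue  # an Attribute without a name cannot be keyed; skip it
        attrs[name] = [v.text or "" for v in attr.findall("c:Value", NS)]
    return attrs
```

Note that the lab's request URLs carry the REST username and password in the query string, so they are written to the web server's access log and to any proxy log on the path.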