Versions Compared

Version Old Version 5 New Version 6
Changes made by

Former user

Keith Uber

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Panel
titlePurpose

The purpose of this module is to show you how to delegate mandates to other users so they can perform selected functions you choose



Panel
titleRequirements
  • CustomerID installed


Overview of this lab

We will use CustomerID administrative interface to configure delegated role management using mandates. In a nutshell, these are the four main steps:



Part 1: Create Users

 In order to create users:

  1. Log in as Scott Long (SmartPlan Admin). This user was created during Lab 1.1    

  2. Enable adduser workflow. In order to do that, edit the following on eidm2.properties file:

    Code Block
    languagetext
    titleeidm2.properties
    createuser.workflows = adduser

registration.1 = adduser
registration.1.enabled = false
registration.1.tupas.disabled = true
registration.1.approval = false
registration.1.methods = [ { "name" : "password.2", "mandatory" : "true", "visible" : "false", "default" : "true" } ]
registration.1.userinfo.fields = firstname, surname, email, password
registration.1.organizations = { "path" : "Users"}
registration.1.summary.fields = firstname, surname, email


  3. Restart Wildfly
  4. Log in as Scott Long and open "Users" tab
  5. Now the button "Add User" should be visible. Click on it:
  6. Create Jeremy Mills user and give him contact person role for City Group Inc as shown on the following images. The password must contain both numbers and letters.
  7. In order to continue, on the next step I must select a role. Type the company name in the Search box.

  8. Now log in as Jeremy Mills to verify the user has been created.

 

Part 2: Create Service

The goal of this section is creating a new organization using the following values:

Technical Name 

mysmartplan
Display NameMy SmartPlan
Organization Typesite
Servicetrue


Warning
titleDo not use spaces in technical name.



  1. Log in to CustomerID as an administrator. From the "front page" you will see the button to create a new organization.

  2. Once you select "Create new organization," the next screen will be:



Part 3: Define Mandate

Ubisecure Identity Server uses roles and mandates. This is how roles look in the administration interface for My SmartPlan:


Step 1: Configure text description for roles

Customize text description for Visitor, member, owner by editing  C:\Program Files\Ubisecure\customerid\application\custom\roles.properties file

Code Block
titlecustom/roles.properties
# English

en.friendlyName.visitor = Visitor
en.description.visitor  = Visitor can view public information. 

en.friendlyName.member = Member
en.description.member  = Member can read private information. 

en.friendlyName.owner = Owner
en.description.owner  = Owner can write information and manage user rights.


This is how the interface looks after the changes (observe "Description" column):


Now it's time to understand how mandates work in real:

Info
titleWhat is the difference between a role and a mandate?


Role

  • Can be assigned only to a person
  • Can not be delegated to others

Examples:

  • Member role for Online Service
  • Owner role for Online Service
  • To remove access rights, the roles must be removed from each user individually

Mandate

  • A mandate can consist of one or more roles
  • A mandate received by an organization can be delegated to other persons
  • Shows source of authorization
  • Corresponds to a contract in the CRM system

Examples:

  • A mandate typically refers to a contract in a CRM system
  • Access rights can be removed from all users and organizations by removing the mandate.
  • Mandate templates are currently created and managed via the REST API


As you can see in the picture below, an organization mandate will allow delegation of service roles to customer organizations. The City Group administrator, Jeremy Mills, can then decide who within his own organization will have access to the Online Service.

Mandates can be configured to require approval by a organization administrator. We will disable this for today.

Allowed roles must be defined in the custom\eidm2.properties configuration file.

Code Block
titlecustom\eidm2.properties
general.admin.organization.users.includerolemembers = true

mandate.roles.allowed = owner,member,visitor

mandate.receiver.approval = false


Step 2: Create organization mandate

Create a mandate including the Online Service Member role.

  1. In the Administration interface, open "My SmartPlan" service.
  2. Click on "Mandates" tab.
  3. Select "New organization mandate"
  4. Set City Group Inc. as receiver of  the mandate. Company ID: 2184053-5
  5. Choose role "Member" to be included in the mandate
  6. In the second step you will be able to customize the message
  7. Then a confirmation
  8. Finally you will see "Mandate invitation sent" at the top.

Step 3: Delegation

As a Contact Person for City Group, delegate the service roles to the organization users
  1. Log in to My SmartPlan as Jeremy Mills
  2. Open City Group Mandates tab

  3. Even Jeremy must receive the role through delegation in order to use it
  4. All roles contained in the mandate are given

Customer Data Integration with REST API

Query users

Code Block
https://login.smartplan.com:7443/customerid-rest/services/2.1/users/?username=restuser&password=restpass

shows all users

e.g.

Code Block
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Users xmlns="http://schema.ubisecure.com/customerid/api" inResponseTo="/2.1/users/" method="GET">
<Id>6225612a-02c4-4f5c-b875-bbb23379a6f2</Id>
<Id>1f216754-e009-4153-9e58-f6dd1ccdfefb</Id>
<Id>980a4aa3-8dac-4365-af75-58028d2353eb</Id>
<Id>d6cb9cea-b807-49a6-9746-99608591d89e</Id>
<Id>d69ce890-76a2-40be-8677-3ec951954b25</Id>
<Id>9bfba31b-5047-4baf-941c-e88ce15707e3</Id>
</Users>

Query user info

Pick one user ID from the output, such as 6225612a-02c4-4f5c-b875-bbb23379a6f2, and use it in the query user command below:

Code Block
https://login.smartplan.com:7443/customerid-rest/services/2.1/users/6225612a-02c4-4f5c-b875-bbb23379a6f2?username=restuser&password=restpass

The individual user information will be shown:

e.g.

Code Block
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<User xmlns="http://schema.ubisecure.com/customerid/api" inResponseTo="/2.1/users/6225612a-02c4-4f5c-b875-bbb23379a6f2" method="GET" type="user">
<Attribute name="id">
    <Value>6225612a-02c4-4f5c-b875-bbb23379a6f2</Value>
</Attribute>
<Attribute name="firstname">
    <Value>Leena</Value>
</Attribute>
<Attribute name="surname">
    <Value>Laine</Value>
</Attribute>
<Attribute name="cn">
    <Value>cd4b6658-b4c5-4e39-82e9-aa19e73bb42f</Value>
</Attribute>
<Attribute name="login">
    <Value>leena.laine</Value>
</Attribute>
<Attribute name="email">
    <Value>leena.laine@example.com</Value>
</Attribute>
<Attribute name="organization">
    <Value>Users</Value>
</Attribute>
<Attribute name="status">
    <Value>Enabled</Value>
</Attribute>
</User>