Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.



Panel
titlePurpose

The purpose of this module is to show you how to delegate mandates to other users so they can perform selected functions you choose



Panel
titleRequirements
  • CustomerID installed


Overview of this lab

We will use CustomerID administrative interface to configure delegated role management using mandates. In a nutshell, these are the four main steps:




Instructions

Part 1: Create Users

In order to create users:

  1. Log in as Scott Long (SmartPlan Admin). This user was created during Lab 1.1    

  2. Enable adduser workflow. In order to do that, edit the following on eidm2.properties file:

    Code Block
    languagetext
    titleeidm2.properties
    createuser.workflows = adduser
    
    registration.1 = adduser
    registration.1.enabled = false
    registration.1.tupas.disabled = true
    registration.1.approval = false
    registration.1.methods = [ { "name" : "password.2", "mandatory" : "true", "visible" : "false", "default" : "true" } ]
    registration.1.userinfo.fields = firstname, surname, email, password
    registration.1.organizations = { "path" : "Users"}
    registration.1.summary.fields = firstname, surname, email
    
    

    Further explanation of configuration parameters is on page Create user workflow configuration - CustomerID

  3. Restart the Wildfly service.
  4. Log in as Scott Long and open "Users" tab
  5. Now the button "Add User" should be visible. Click on it:

  6. Create Jeremy Mills user and give him contact person role for City Group Inc as shown on the following images. The password must contain both numbers and letters.
    Image Removed
    Image Added
  7. In order to continue, on the next step you must select a role. Type the company name in the Search box.

    Image RemovedImage Added

  8. Now log in as Jeremy Mills to verify the user has been created.
 


Part 2: Create Service

The goal of this section is creating a new organisation using the following values:

Technical Name 

smartplanapplication
Display NameSmartPlan Application
Organization Typesite
Servicetrue


Warning
titleDo not use spaces in technical name.



  1. Log in to CustomerID as an administrator Scott Long. From the "front page" you will see the button to create a new organisation.

    Image Modified

  2. Once you select "Create new organisation," the next screen will be:
    Image Removed
    Image Added



Part 3: Define Mandate

Ubisecure Identity Server uses roles and mandates. This is how roles look in the My SmartPlan administration interface for My SmartPlan Application service. Observe "Description" column:

Image Removed


Image Added

Step 1: Mandates basic configuration

Now it's time to understand how mandates work in real:

Info
titleWhat is the difference between a role and a mandate?


Role

  • Can be assigned only to a person
  • Can not be delegated to others

Examples:

  • Member role for Online Service
  • Owner role for Online Service
  • To remove access rights, the roles must be removed from each user individually

Mandate

  • A mandate can consist of one or more roles
  • A mandate received by an organization can be delegated to other persons
  • Shows source of authorization
  • Corresponds to a contract in the CRM system

Examples:

  • A mandate typically refers to a contract in a CRM system
  • Access rights can be removed from all users and organizations by removing the mandate.
  • Mandate templates are currently created and managed via the REST API


As you can see in the picture below, an organisation mandate will allow delegation of service roles to customer organisations. The City Group administrator, Jeremy Mills, can then decide who within his own organisation will have access to the Online Service.

Mandates can be configured to require approval by an organisation administrator. We will disable this for today.

Allowed roles must be defined in the custom\eidm2.properties configuration file.

Code Block
titlecustom\eidm2.properties
general.admin.organization.users.includerolemembers = true

mandate.roles.allowed = owner,member,visitor

mandate.receiver.approval = false

Restart the Wildfly service.



Warning

Permissions control who can create, assign, read and delete mandates.

Before you create mandates, do the following instructions

In our environment, we have added a custom role called mainuser (display name: Contact Person). Rights must be given to the mainuser role for accessing mandates.

Create a file C:\Program Files\Ubisecure\customerid\application\custom\permissions.properties.Add the following lines to the permissions.properties:

Code Block
titlepermissions.properties
# *************************************************************************************************
# **********  Mandate Permissions                                                        **********
# *************************************************************************************************
 
# Mandate read permission
# - This permission defines those users who are allowed to read mandate information concerning
#   received mandates in the admin service.
mandate.read = inh:OrganizationMainUser, inh:mainuser
 
# Mandate approval permission
# - This permission defines those users who are allowed to approve received mandates in the admin
#   service.
mandate.approve = inh:OrganizationMainUser, inh:mainuser
 
# Mandate removal permission
# - This permission defines those users who are allowed to remove either mandate actuators or the
#   received mandate in the admin service.
mandate.remove = inh:OrganizationMainUser, inh:mainuser
 
# Mandate creation permission
# - This permission defines those users who are allowed to create new mandates in the admin
#   service.
mandate.create = inh:OrganizationMainUser, inh:mainuser
 
# User mandate information read permission
# - This permission defines those users who are allowed to read the mandate information concerning
#   organization users in the admin service.
user.read.mandates = inh:OrganizationMainUser, inh:mainuser
 
# User mandate information removal permission
# - This permission defines those users who are allowed to remove mandates from organization users
#   in the admin service.
user.mandates.remove = inh:OrganizationMainUser, inh:mainuser

# Admin access permission
# - This permission defines those users who are allowed to access the admin service.
access.admin = any:OrganizationMainUser, abs:eIDM/eIDMMainUser, any:mainuser

# Admin access permission for organizations tab (main tab / frontpage tab)
# - This permission defines the users who are allowed to access the organization list tab in the
#   admin service interface front page.
access.admin.organizations = any:OrganizationMainUser, abs:eIDM/eIDMMainUser, any:mainuser
 
# Admin access permission for users tab
# - This permission defines the users who are allowed to access the user search / list tab in the
#   admin service interface front page.
access.admin.users = any:OrganizationMainUser, abs:eIDM/eIDMMainUser, any:mainuser
 
# Admin access permission for approvals tab
# - This permission defines the users who are allowed to access the approval tab in the admin
#   service interface front page.
access.admin.approvals = any:OrganizationMainUser, abs:eIDM/eIDMMainUser, any:mainuser

# Organization read permission
# - This permission defines those users who are allowed to read organization information in the
#   admin service.
# - You may also define field specific read permissions by adding the field name after
#   organization.read.
# - Field specific permissions override the general permission.
organization.read = inh:OrganizationMainUser, inh:Superuser, inh:owner, inh:mainuser


Restart the Wildfly service for the changes to take effect.


Obs: Further explanation of configuration parameters is on page Internal access control (permissions) - CustomerID

Step 2: Create organisation mandate

Create a mandate including the Online Service Member role.

  1. In the Administration interface, open "My SmartPlan Application" service.
  2. Click on "Mandates" tab.
    Image Removed
    Image Added

  3. Select "New organization mandate"
  4. Set City Group Inc. as receiver of  the mandate. Company ID: 2184053-5
  5. Choose role "Member" to be included in the mandate
    Image Removed
    Image Added

  6. In the second step you will be able to customise the message
    Image Removed
    Image Added

  7. Then a confirmation
    Image Removed
    Image Added

  8. Finally you will see "Mandate invitation sent" at the top.



Step 3: Delegation

As a Contact Person for City Group, delegate the service roles to the organisation users
  1. Log in to My SmartPlan as Jeremy Mills, make sure you are in the administrative interface
  2. In the Customer Organisations choose the City Group Inc.

    Image Added

  3. Open City Group Mandates tab.
    Image Removed

  4. Even Jeremy must receive the role through delegation in order to use it. Click Delegate.

  5. Choose the user(s) who will receive the mandate. If the mandate contains more than one role, all roles contained in the mandate are given.
    Image Removed
    Image Added

  6. Jeremy can also see his personally received mandates in the self service interface. Mandates can be searched and filtered easily.
    Image Removed
    Image Added

  7. As a service owner, also Scott can see who has been given access to the My SmartPlan applicationApplication service. Log in as Scott Long, choose the Administration view, choose My SmartPlan Application Users tab, and see that now Jeremy Mills is listed as a user for the service.
    Image Removed
    Image Added