Purpose

The purpose of this module is to show you how to delegate mandates to other users so they can perform selected functions you choose

Requirements

CustomerID installed

Overview of this lab

We will use CustomerID administrative interface to configure delegated role management using mandates. In a nutshell, these are the four main steps:

Part 1: Create Users

In order to create users:

Log in as Scott Long (SmartPlan Admin). This user was created during Lab 1.1

Enable adduser workflow. In order to do that, edit the following on eidm2.properties file:

eidm2.properties

createuser.workflows = adduser

registration.1 = adduser
registration.1.enabled = false
registration.1.tupas.disabled = true
registration.1.approval = false
registration.1.methods = [ { "name" : "password.2", "mandatory" : "true", "visible" : "false", "default" : "true" } ]
registration.1.userinfo.fields = firstname, surname, email, password
registration.1.organizations = { "path" : "Users"}
registration.1.summary.fields = firstname, surname, email

Restart Wildfly
Log in as Scott Long and open "Users" tab
Now the button "Add User" should be visible. Click on it:
Create Jeremy Mills user and give him contact person role for City Group Inc as shown on the following images. The password must contain both numbers and letters.
In order to continue, on the next step I must select a role. Type the company name in the Search box.
Now log in as Jeremy Mills to verify the user has been created.

Part 2: Create Service

The goal of this section is creating a new organization using the following values:

Technical Name	mysmartplan
Display Name	My SmartPlan
Organization Type	site
Service	true

Do not use spaces in technical name.

Log in to CustomerID as an administrator. From the "front page" you will see the button to create a new organization.
Once you select "Create new organization," the next screen will be:

Part 3: Define Mandate

Ubisecure Identity Server uses roles and mandates. This is how roles look in the administration interface for My SmartPlan:

Step 1: Configure text description for roles

Customize text description for Visitor, member, owner by editing C:\Program Files\Ubisecure\customerid\application\custom\roles.properties file

custom/roles.properties

# English

en.friendlyName.visitor = Visitor
en.description.visitor  = Visitor can view public information. 

en.friendlyName.member = Member
en.description.member  = Member can read private information. 

en.friendlyName.owner = Owner
en.description.owner  = Owner can write information and manage user rights.

This is how the interface looks after the changes (observe "Description" column):

Now it's time to understand how mandates work in real:

What is the difference between a role and a mandate?

Role

Can be assigned only to a person
Can not be delegated to others

Examples:

Member role for Online Service
Owner role for Online Service
To remove access rights, the roles must be removed from each user individually

Mandate

A mandate can consist of one or more roles
A mandate received by an organization can be delegated to other persons
Shows source of authorization
Corresponds to a contract in the CRM system

Examples:

A mandate typically refers to a contract in a CRM system
Access rights can be removed from all users and organizations by removing the mandate.
Mandate templates are currently created and managed via the REST API

As you can see in the picture below, an organization mandate will allow delegation of service roles to customer organizations. The City Group administrator, Jeremy Mills, can then decide who within his own organization will have access to the Online Service.

Mandates can be configured to require approval by a organization administrator. We will disable this for today.

Allowed roles must be defined in the custom\eidm2.properties configuration file.

custom\eidm2.properties

general.admin.organization.users.includerolemembers = true

mandate.roles.allowed = owner,member,visitor

mandate.receiver.approval = false

Exercise. Create organization mandate

Create a mandate including the Online Service Member role

Open Online Service and Mandates tab
Set City Group Inc. as receiver of the mandate. Company ID: 2184053-5
Choose role Member to be included in the mandate

Exercise. Delegation

As a Contact Person for City Group, delegate the service roles to the organization users

Log in as Jeremy Mills
Open City Group Mandates tab

Even Jeremy must receive the role through delegation in order to use it
•All roles contained in the mandate are given

Customer Data Integration with REST API

Query users

https://login.smartplan.com:7443/customerid-rest/services/2.1/users/?username=restuser&password=restpass

shows all users

e.g.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Users xmlns="http://schema.ubisecure.com/customerid/api" inResponseTo="/2.1/users/" method="GET">
<Id>6225612a-02c4-4f5c-b875-bbb23379a6f2</Id>
<Id>1f216754-e009-4153-9e58-f6dd1ccdfefb</Id>
<Id>980a4aa3-8dac-4365-af75-58028d2353eb</Id>
<Id>d6cb9cea-b807-49a6-9746-99608591d89e</Id>
<Id>d69ce890-76a2-40be-8677-3ec951954b25</Id>
<Id>9bfba31b-5047-4baf-941c-e88ce15707e3</Id>
</Users>

Query user info

Pick one user ID from the output, such as 6225612a-02c4-4f5c-b875-bbb23379a6f2, and use it in the query user command below:

https://login.smartplan.com:7443/customerid-rest/services/2.1/users/6225612a-02c4-4f5c-b875-bbb23379a6f2?username=restuser&password=restpass

The individual user information will be shown: