Internal access control (permissions) - CustomerID
Permissions
Ubisecure CustomerID uses permissions for internal authorization and for customizing the user interfaces. For example, the self-service interface may be customized for different kind of user accounts.The self-service interface can be configured to permit certain user groups to manage their own authentication method credentials and whether methods are enabled for them, while precluding this from other user groups. The administration interface scope can also be heavily customized based on the user's permissions.
The permissions are not directly assigned to users, but through internal roles. Each internal role may contain multiple permissions and a user may have multiple internal roles for multiple different organizations. For example, the user may have two internal roles in organization A and one internal role in organization B. The total permissions in organization A is a sum of the two roles the user has in organization A and permissions for organization B are the ones assigned to the role the user has in that organization. The permissions can also be recursive, that is, the permissions are valid on the organization where the role(s) reside(s) and in all suborganizations it has.
The mapping between permissions and roles is made in the permissions.properties property file. In the default Windows installation, it is located at:
C:\Program Files\Ubisecure\customerid\application\custom\permissions.properties
The following example provides information about the permission to role mapping:
# permissions.properties user.list = rel:OrganizationUser, inh:OrganizationMainUser user.read.personal = rel:OrganizationUser, inh:OrganizationMainUser user.read.roles = rel:OrganizationUser, inh:OrganizationMainUser user.read.mandates = rel:OrganizationUser, inh:OrganizationMainUser user.edit = inh:OrganizationMainUser user.create = inh:OrganizationMainUser user.delete = inh:OrganizationMainUser user.approval.read = rel:OrganizationUser, inh:OrganizationMainUser user.approval.edit = rel:OrganizationUser, inh:OrganizationMainUser user.approval.approve = rel:OrganizationUser, inh:OrganizationMainUser
In the example configuration, the OrganizationMainUser
 role includes all user related permissions in the organization where the role resides and in all of its suborganizations (recursive). The
OrganizationUser
 role includes permissions to read and review user information and to approve pending user applications in the organization where the role resides and nowhere else.
The keywords for the permissions.properties
 file are described in the following table.
KEYWORD | DESCRIPTION |
---|---|
| The absolute path to the target role in the |
| Permissions are only valid in the organization where the role resides. |
| The permissions are valid in the organization where the role resides and in all of its suborganizations. |
| The permissions are valid in the organization where the role resides and in all of its suborganizations, but the role must have been directly given to the user. If the user has received the role via another role then this permission is not valid. |
| The permission is granted if the user has the specified role in the parent of the organization in question. If the organization in question is on the top level then the role can be from that organization as it has no parent. |
| The permissions are for a certain group in the |
| The permissions are for users with the selected role in any organization. For example, |
| This suffix is used with other keywords, the first role and another additional role. It is for permissions that are valid only if there are not users with direct role in the current organization. Note that super user permissions can not be overridden with ":unless:" definitions. For example, In this example the eIDM/eIDMMainUser has the permission unless there is a user with direct role OrganizationMainUser in the current organization. |
Table 1. Keywords for the permission.properties file
Configuration
The following table describes all supported permissions available in permissions.properties
 file.
PERMISSION | DESCRIPTION |
---|---|
| This permission defines the users who have all possible permissions in the system. |
| This permission defines the users who are allowed to list organizations' users in the admin service. |
| This permission defines the users who are allowed to read the users' personal information in the admin service. You may also define field specific read permissions by adding the field name after user.read.personal. Example: |
| This permission defines the users who are allowed to read the users' role information in the admin service. |
| This permission defines the users who are allowed to read the users' mandate information in the admin service. |
| This permission defines those users who are allowed to remove mandates from organization users in the admin service. |
| This permission defines the users who are allowed to edit the users' information in the admin service. You may also define field specific edit permissions by adding the field name after user.edit. Example: This example means that nobody can edit the user's social security number in the admin service. Also authentication methods are handled similarly to user information fields. So you can also use the following permission definitions: user.edit.password = These permissions define the users who are allowed to manage other users authentication data or account state in the admin service. |
| This permission defines the users who are allowed to create new users in the admin service. |
| This permission defines the users who are allowed to delete other organization users in the admin service. |
| This permission defines the users who are allowed to move other organization users in the admin service |
| This permission defines the users who are allowed to read user approvals in the admin service. You may also define field specific read permissions by adding the field name after user.approval.read. Example: This example means that only someone in the Field specific permissions override the general permission. |
| This permission defines the users who are allowed to edit user approvals in the admin service. You may also define field specific edit permissions by adding the field name after user.approval.edit. Example: user.approval.edit.ssn = This example means that nobody can edit the user's social security number in the approval view. Field specific permissions override the general permission. |
| This permission defines the users who are allowed to approve other organization users in the admin service. |
| This permission defines the users who are allowed to read organization information in the admin service. You may also define field specific read permissions by adding the field name after organization.read. Example: This example means that only someone in the Field specific permissions override the general permission. |
| This permission defines the users who are allowed to edit organization information in the admin service. You may also define field specific edit permissions by adding the field name after organization.edit. Example: organization.edit.class = This example means that nobody can edit the organization's type (was previously called "class") in the admin service. Field specific permissions override the general permission. |
| This permission defines the users who are allowed to create organizations in the admin service. |
| This permission defines the users who are allowed to delete organizations in the admin service. |
| This permission defines the users who are allowed to read role assignment information in the admin service. |
| This permission defines the users who are allowed to assign roles to users in the admin service. Role-specific permissions are allowed in For other organization types If role-specific permission is not defined |
| This permission defines those users who are allowed to invite users to roles in the admin service. Role-specific permissions are allowed in |
| This permission defines the users who are allowed to remove roles from users in the admin service. Role-specific permissions are allowed in role.deassign. For example, this property defines users that are allowed to remove OrganizationUser-role from users. (Use role's entity name) Organization type (was previously called "class") specific permissions can be used with role.deassign. For example, this property defines users that are allowed to remove the OrganizationUser-role from users in organizations with type test. Role and organization type are separated with .class. -keyword. For other organization types If role-specific permission is not defined |
| This permission defines the users who are allowed to list and view role assignment requests in the admin service. |
| This permission defines the users who are allowed to approve role assignments in the admin service. |
| This permission defines those users who are allowed to delete roles in the admin service. |
| This permission defines those users who are allowed to create roles in the admin service. |
| This permission defines those users who are allowed to edit roles in the admin service. |
| This permission defines those users who are allowed to list users in selected role. |
| This permission defines the users who are allowed to read mandate information concerning received mandates in the admin service. |
| This permission defines the users who are allowed to approve received mandates in the admin service. |
| This permission defines the users who are allowed to remove either mandate actuators or the received mandate in the admin service. |
| This permission defines the users who are allowed to create new mandates in the admin service. |
| This permission defines the users who are allowed to read their own personal information in the self-service interface. You may also define field specific read permissions by adding the field name after self.read. Example: self.read.custom1 = any:OrganizationMainUser This example means that only someone who has the Also authentication methods are handled similarly to user information fields. So you can also use the following permission definitions: self.read.password = These permissions define the users who are allowed to read their authentication data in the self-service interface. Field specific permissions override the general permission. |
| This permission defines the users who are allowed to edit their own personal information in the self-service interface. You may also define field specific edit permissions by adding the field name after self.edit. Example: This example means that nobody can edit their own social security number in the self-service interface. Also authentication methods are handled similarly to user information fields. So you can also use the following permission definitions: self.edit.password = These permissions define the users who are allowed to manage their authentication data in the self-service interface. Field specific permissions override the general permission. |
| This permission defines the users who are allowed to read their role information in the self-service interface. |
| This permission defines the users who are allowed to change their mobile number without the need to confirm the new number. |
| This permission defines the users who are allowed to change their email address without the need to confirm the new address. |
| This permission defines the users who are allowed to manage organization information in the self-service interface. |
| This permission defines the users who are allowed to request roles in the self-service interface. These users should also have the |
| This permission defines those users who are allowed to request predefined roles in the self-service interface. These users should also have the |
| This permission defines those users who are allowed to read mandate information in the self-service interface. |
| This permission defines those users who are allowed to approve mandates in the self-service interface. |
| This permission defines those users who are allowed to remove mandates in the self-service interface. |
| This permission defines those users who are allowed to create new mandates in the self-service interface. |
| This permission defines the users who are allowed to access the admin service interface. |
| This permission defines the users who are allowed to access the organization list tab in the admin service interface front page. |
| This permission defines the users who are allowed to access the user search / list tab in the admin service interface front page. |
| This permission defines the users who are allowed to access the approval tab in the admin service interface front page. |
| This permission defines the users who are allowed to access the personal tab in the self-service interface. |
| This permission defines the users who are allowed to access the roles tab in the self-service interface. |
| This permission defines the users who are allowed to access the mandates tab in the self-service interface. |
Denying operations
CustomerID permissions will fall back to default values in case a given permission is omitted from permissions.properties. In case there is a need to disable a functionality for all users, it is therefore necessary to define the permission entry key, but leave the actual definition empty.
In the example below, the self.read duplicates the default behavior, but self.edit removes all permissions for self.edit, effectively user will see all personal information in self-service, but will not be able to edit it.
# permissions.properties self.read = grp:eIDMUser self.edit =
Equivalent example, note that self.read is commented out, which falls back to default values, effectively user will see all personal information in self-service, but will not be able to edit it.
# permissions.properties #self.read = grp:eIDMUser self.edit =
Opposing example, note that self.read and self.edit are commented out, which make both settings fall back to default values, effectively user will see all personal information in self-service and will be able to edit it.
# permissions.properties #self.read = grp:eIDMUser #self.edit = grp:eIDMUser