Lab 2.1: CustomerID permission configuration


Purpose

The purpose of this module is to show you how to configure what users can and cannot do in the CustomerID user interface. Permissions are based on user roles.



Role-based permissions for access to functions

Let's see how permissions work.

By default, users who are not CustomerID administrators have very limited access to what they can see (e.g. tabs, menus) and do (e.g. search, create mandates) in the system.

A user with the Contact Person role ...
  • Cannot modify organisation data (organization.edit)
  • Cannot create new roles in an organisation (role.create)
  • Cannot create new organisations (organization.create)
  • Cannot issue or remove mandates (mandate.create, mandate.remove)
All users (except Super User) ...
  • Cannot issue or remove mandates (mandate.create, mandate.remove)

As you might remember, in Lab 1.6 we already edited some permissions. We granted the following to the Contact Person role (Jeremy Mills):

  • Granted users in the Contact Person role (technical name: mainuser) access to the administrator interface.
  • Gave users in the Contact Person role (technical name: mainuser) the series of permissions needed to use mandates.


A complete example of all possible permissions can be found in the "C:\Program Files\Ubisecure\customerid\tools\examples\custom\permissions.properties" file.

Open this file and examine the format. The file also documents each permission. Many permissions can be made granular down to the field level.

Instructions

Permission Configuration


Let's see what types of permissions Jeremy Mills has.
  1. Log in as Jeremy Mills to Ubisecure CustomerID Administration Interface
  2. Try to search for an organisation or a user.
  3. Verify that Jeremy has read access only to City Group organisation and users.

Permissions to manage roles

  1. Jeremy Mills needs more permissions to manage the organisation.
  2. Edit the permissions configuration file "C:\Program Files\Ubisecure\customerid\application\custom\permissions.properties" and add some more rights to manage roles:

    # *************************************************************************************************
    # **********  User Permissions                                                           **********
    # *************************************************************************************************
    
    # User listing permission
    # - This permission defines those users who are allowed to list organization's users in the admin
    #   service.
    user.list = inh:OrganizationMainUser, inh:Superuser, inh:owner, inh:mainuser
    
    # User personal information read permission
    # - This permission defines those users who are allowed to read the personal information concerning
    #   organization users in the admin service.
    # - You may also define field specific read permissions by adding the field name after
    #   user.read.personal.
    # - Field specific permissions override the general permission.
    user.read.personal = inh:OrganizationMainUser, any:Superuser, any:owner, any:mainuser
    
    
    # *************************************************************************************************
    # **********  Role Permissions                                                           **********
    # *************************************************************************************************
    
    # Role read permission
    # - This permission defines those users who are allowed to list organization roles in the
    #   admin service.
    role.read = inh:OrganizationMainUser, inh:mainuser
    
    # Role assignment permission
    # - This permission defines those users who are allowed to assign roles to users in the admin
    #   service.
    role.assign = inh:OrganizationMainUser, inh:mainuser
    
    # Role invitation permission
    # - This permission defines those users who are allowed to invite users to roles in the admin
    #   service.
    role.invite = inh:OrganizationMainUser, inh:mainuser
    
    # Role deassignment permission
    # - This permission defines those users who are allowed to deassign roles from users in the admin
    #   service.
    role.deassign = inh:OrganizationMainUser, inh:mainuser
    
    # List role approvals
    # - This permission defines those users who are allowed to view role approvals in the admin service.
    role.list_approvals = inh:OrganizationMainUser, inh:mainuser
    
    # Role approval permission
    # - This permission defines those users who are allowed to approve role assignments in the admin
    #   service.
    role.approve = inh:OrganizationMainUser, inh:mainuser
    
    # Role deletion permission
    # - This permission defines those users who are allowed to delete roles in the admin service.
    role.delete = inh:OrganizationMainUser, inh:mainuser
    
    # Role list users permission
    # - This permission defines those users who are allowed to list users in selected role.
    role.listusers = inh:OrganizationMainUser, inh:mainuser
  3. Restart WildFly.
  4. Jeremy should now see the Users and Roles tabs:





Let's look at the default permissions.properties file, which lists all possible permissions, but DON'T add these lines to your configuration file. If you do, you will lose the permissions you added in labs 1.6 and 2.2.


Example permissions.properties file:


# *************************************************************************************************
# **********  Superuser Permissions                                                      **********
# *************************************************************************************************

# Superuser permission
# - This permission defines those users who have all possible permissions in the system.
superuser = abs:eIDM/eIDMMainUser

# *************************************************************************************************
# **********  User Permissions                                                           **********
# *************************************************************************************************

# User listing permission
# - This permission defines those users who are allowed to list organization's users in the admin
#   service.
user.list = inh:OrganizationMainUser

# User personal information read permission
# - This permission defines those users who are allowed to read the personal information concerning
#   organization users in the admin service.
# - You may also define field specific read permissions by adding the field name after
#   user.read.personal.
# - Field specific permissions override the general permission.
user.read.personal = inh:OrganizationMainUser

# User role information read permission
# - This permission defines those users who are allowed to read the role information concerning
#   organization users in the admin service.
user.read.roles = inh:OrganizationMainUser

# User mandate information read permission
# - This permission defines those users who are allowed to read the mandate information concerning
#   organization users in the admin service.
user.read.mandates = inh:OrganizationMainUser

# User mandate information removal permission
# - This permission defines those users who are allowed to remove mandates from organization users
#   in the admin service.
user.mandates.remove = inh:OrganizationMainUser

# User editing permission
# - This permission defines those users who are allowed to edit user information concerning
#   organization users in the admin service.
# - You may also define field specific edit permissions by adding the field name after user.edit.
# - Field specific permissions override the general permission.
user.edit = inh:OrganizationMainUser

# User password editing permission
# - This permission defines the users who are allowed to change other users password 
#   in the admin service.
#user.edit.password = inh:OrganizationMainUser

# User otp editing permission
# - This permission defines the users who are allowed to change other users one-time 
#   password printout state to active/disable in the admin service.
#user.edit.otp = inh:OrganizationMainUser

# User sms editing permission
# - This permission defines the users who are allowed to change other users SMS one-time 
#   password state to active/disable in the admin service.
#user.edit.sms = inh:OrganizationMainUser

# User account status editing permission
# - This permission defines the users who are allowed to change other users user account status 
#   state to active/disable in the admin service.
#user.edit.accountstatus = inh:OrganizationMainUser

# User creation permission
# - This permission defines those users who are allowed to create other organization users in the
#   admin service.
user.create = inh:OrganizationMainUser

# User deletion permission
# - This permission defines those users who are allowed to delete other organization users in the
#   admin service.
user.delete = inh:OrganizationMainUser

# User move permission
# - This permission defines those users who are allowed to move other organization users in the
#   admin service.
user.move = inh:OrganizationMainUser

# User approval read permission
# - This permission defines those users who are allowed to read user approvals in the admin service.
# - You may also define field specific read permissions by adding the field name after
#   user.approval.read.
# - Field specific permissions override the general permission.
user.approval.read = inh:OrganizationMainUser

# User approval edit permission
# - This permission defines those users who are allowed to edit user approvals in the admin service.
# - You may also define field specific edit permissions by adding the field name after
#   user.approval.edit.
# - Field specific permissions override the general permission.
user.approval.edit = inh:OrganizationMainUser

# User approval approve permission
# - This permission defines those users who are allowed to approve other organization users in the
#   admin service.
user.approval.approve = inh:OrganizationMainUser

# *************************************************************************************************
# **********  Organization Permissions                                                   **********
# *************************************************************************************************

# Organization read permission
# - This permission defines those users who are allowed to read organization information in the
#   admin service.
# - You may also define field specific read permissions by adding the field name after
#   organization.read.
# - Field specific permissions override the general permission.
organization.read = inh:OrganizationMainUser

# Organization editing permission
# - This permission defines those users who are allowed to edit organization information in the
#   admin service.
# - You may also define field specific edit permissions by adding the field name after
#   organization.edit.
# - Field specific permissions override the general permission.
organization.edit = inh:OrganizationMainUser

# Organization creation permission
# - This permission defines those users who are allowed to create organizations in the admin
#   service.
organization.create = inh:OrganizationMainUser

# Organization deletion permission
# - This permission defines those users who are allowed to delete organizations in the admin
#   service.
organization.delete = inh:OrganizationMainUser

# *************************************************************************************************
# **********  Role Permissions                                                           **********
# *************************************************************************************************

# Role read permission
# - This permission defines those users who are allowed to list organization roles in the
#   admin service.
role.read = inh:OrganizationMainUser

# Role assignment permission
# - This permission defines those users who are allowed to assign roles to users in the admin
#   service.
role.assign = inh:OrganizationMainUser

# Role invitation permission
# - This permission defines those users who are allowed to invite users to roles in the admin
#   service.
role.invite = inh:OrganizationMainUser

# Role deassignment permission
# - This permission defines those users who are allowed to deassign roles from users in the admin
#   service.
role.deassign = inh:OrganizationMainUser

# List role approvals
# - This permission defines those users who are allowed to view role approvals in the admin service.
role.list_approvals = inh:OrganizationMainUser

# Role approval permission
# - This permission defines those users who are allowed to approve role assignments in the admin
#   service.
role.approve = inh:OrganizationMainUser

# Role deletion permission
# - This permission defines those users who are allowed to delete roles in the admin service.
role.delete = inh:OrganizationMainUser

# Role creation permission
# - This permission defines those users who are allowed to create roles in the admin service.
role.create = inh:OrganizationMainUser

# Role edit permission
# - This permission defines those users who are allowed to edit roles in the admin service.
role.edit = inh:OrganizationMainUser

# Role list users permission
# - This permission defines those users who are allowed to list users in selected role.
role.listusers = inh:OrganizationMainUser

# *************************************************************************************************
# **********  Mandate Permissions                                                        **********
# *************************************************************************************************

# Mandate read permission
# - This permission defines those users who are allowed to read mandate information concerning
#   received mandates in the admin service.
mandate.read = inh:OrganizationMainUser

# Mandate approval permission
# - This permission defines those users who are allowed to approve received mandates in the admin
#   service.
mandate.approve = inh:OrganizationMainUser

# Mandate removal permission
# - This permission defines those users who are allowed to remove either mandate actuators or the
#   received mandate in the admin service.
mandate.remove = inh:OrganizationMainUser

# Mandate creation permission
# - This permission defines those users who are allowed to create new mandates in the admin
#   service.
mandate.create = inh:OrganizationMainUser

# *************************************************************************************************
# **********  Self-Service Permissions                                                   **********
# *************************************************************************************************

# Self-Service read permission
# - This permission defines those users who are allowed to read their own personal information.
# - You may also define field specific read permissions by adding the field name after self.read.
# - Field specific permissions override the general permission.
self.read = grp:eIDMUser

# Self-Service editing permission
# - This permission defines those users who are allowed to edit their own personal information in
#   the self-service service.
# - You may also define field specific edit permissions by adding the field name after self.edit.
# - Field specific permissions override the general permission.
self.edit = grp:eIDMUser
self.edit.ssn =

# Self-Service role permission
# - This permission defines those users who are allowed to read their role information in the
#   self-service service.
self.role = grp:eIDMUser

# Self-Service mobile change without confirmation
# - This permission defines those users who are allowed to change their mobile number without the
#   need to confirm the new number.
self.mobilenoconfirm = grp:eIDMUser

# Self-Service email change without confirmation
# - This permission defines those users who are allowed to change their email address without the
#   need to confirm the new address.
self.emailnoconfirm = grp:eIDMUser

# Self-Service organization permission
# - This permission defines those users who are allowed to manage organization information in the
#   self-service service.
self.organization = grp:eIDMUser

# Self-Service role request permission
# - This permission defines those users who are allowed to request roles in the self-service. The
#   same users should have the self.role permission as well. This permission also limits the
#   visibility of the roles to be requested. So you can only request those roles that are in
#   organizations where you have the permission defined here. Note that there are also other
#   properties related to requesting roles.
self.requestroles = grp:eIDMUser

# Self-Service predefined role(s) request permission
# - This permission defines those users who are allowed to request predefined roles in the
#   self-service. The same users should have the self.role permission as well.
self.request.predefined.roles = grp:eIDMUser

# Self-Service mandate read permission
# - This permission defines those users who are allowed to read mandate information in the
#   self-service interface.
self.mandate.read = grp:eIDMUser

# Self-Service mandate approve permission
# - This permission defines those users who are allowed to approve mandates in the
#   self-service interface.
self.mandate.approve = grp:eIDMUser

# Self-Service mandate remove permission
# - This permission defines those users who are allowed to remove mandates in the
#   self-service interface.
self.mandate.remove = grp:eIDMUser

# Self-Service mandate create permission
# - This permission defines those users who are allowed to create new mandates in the
#   self-service interface.
self.mandate.create = grp:eIDMUser

# *************************************************************************************************
# **********  Access Permissions for Admin Service                                       **********
# *************************************************************************************************

# Admin access permission
# - This permission defines those users who are allowed to access the admin service.
access.admin = any:OrganizationMainUser, abs:eIDM/eIDMMainUser

# Admin access permission for organizations tab (main tab / frontpage tab)
# - This permission defines the users who are allowed to access the organization list tab in the
#   admin service interface front page.
access.admin.organizations = any:OrganizationMainUser, abs:eIDM/eIDMMainUser

# Admin access permission for users tab
# - This permission defines the users who are allowed to access the user search / list tab in the
#   admin service interface front page.
access.admin.users = any:OrganizationMainUser, abs:eIDM/eIDMMainUser

# Admin access permission for approvals tab
# - This permission defines the users who are allowed to access the approval tab in the admin
#   service interface front page.
access.admin.approvals = any:OrganizationMainUser, abs:eIDM/eIDMMainUser

# *************************************************************************************************
# **********  Access Permissions for Self-Service                                        **********
# *************************************************************************************************

# Self-Service personal access permission
# - This permission defines those users who are allowed to access the personal tab in the
#   self-service interface.
access.selfservice.personal = grp:eIDMUser

# Self-Service roles access permission
# - This permission defines those users who are allowed to access the roles tab in the self-service
#   interface.
access.selfservice.roles = grp:eIDMUser

# Self-Service mandates access permission
# - This permission defines those users who are allowed to access the mandates tab in the
#   self-service interface.
access.selfservice.mandates = grp:eIDMUser

# *************************************************************************************************
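To check a custom permissions.properties against the default one without copying the default lines over it (the mistake warned against above), here is a small added Python audit script. It is example code written for this page, not part of CustomerID or the lab materials. It assumes the `key = grantee, grantee` line format shown above, that an empty value (as in `self.edit.ssn =`) grants the permission to nobody, and that a field-specific key such as `user.edit.password` overrides its general key `user.edit`, as the file's own comments state. The inh:/any:/abs:/grp: prefixes are treated as opaque text, since the page does not describe them. The two sample files embedded in the script are constructed, cut-down copies: one of the default file, one of the custom file after the role grants from this lab and the emptied `user.delete` key from the optional exercise.

```python
"""Audit helper for CustomerID permissions.properties files (added example).

Not part of the product or the lab. Assumptions:
  * a line is `key = grantee, grantee, ...`; `#` starts a comment, so a
    commented-out key (e.g. `#user.edit.password = ...`) is not active;
  * an empty value grants the permission to nobody, as the example file's
    `self.edit.ssn =` line suggests;
  * a field-specific key (`user.edit.password`) overrides the general key
    (`user.edit`) for that field, as the file's own comments state.
Grantee strings (inh:/any:/abs:/grp: ...) are compared literally.
"""
from typing import Dict, List, Optional, Set

# Constructed sample: cut-down copy of the default (tools\examples\custom) file.
DEFAULT_PROPERTIES = """\
# Role read permission
role.read = inh:OrganizationMainUser
role.assign = inh:OrganizationMainUser
role.create = inh:OrganizationMainUser
user.delete = inh:OrganizationMainUser
user.edit = inh:OrganizationMainUser
#user.edit.password = inh:OrganizationMainUser
self.edit = grp:eIDMUser
self.edit.ssn =
"""

# Constructed sample: the custom file after adding inh:mainuser to the role keys
# (this lab) and emptying user.delete (optional exercise).
CUSTOM_PROPERTIES = """\
role.read = inh:OrganizationMainUser, inh:mainuser
role.assign = inh:OrganizationMainUser, inh:mainuser
role.create = inh:OrganizationMainUser
user.delete =
user.edit = inh:OrganizationMainUser
self.edit = grp:eIDMUser
self.edit.ssn =
"""


def parse_permissions(text: str) -> Dict[str, List[str]]:
    """Map each active key to its ordered grantee list (empty list = nobody)."""
    grants: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines, comments and commented-out keys are inactive
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition("=")
        grants[key.strip()] = [g.strip() for g in value.split(",") if g.strip()]
    return grants


def effective_grantees(grants: Dict[str, List[str]], permission: str,
                       field: Optional[str] = None) -> List[str]:
    """Resolve (permission, field): the field-specific key wins when present."""
    if field is not None and f"{permission}.{field}" in grants:
        return grants[f"{permission}.{field}"]
    return grants.get(permission, [])


def diff_grants(default: Dict[str, List[str]],
                custom: Dict[str, List[str]]) -> Dict[str, Dict[str, Set[str]]]:
    """Per key, the grantees the custom file added or removed versus default."""
    changes: Dict[str, Dict[str, Set[str]]] = {}
    for key in sorted(set(default) | set(custom)):
        before, after = set(default.get(key, [])), set(custom.get(key, []))
        if before != after:
            changes[key] = {"added": after - before, "removed": before - after}
    return changes


def report(changes: Dict[str, Dict[str, Set[str]]]) -> List[str]:
    """Render the diff as one line per changed key, for review against lab notes."""
    lines = []
    for key, delta in changes.items():
        added = ", ".join(sorted(delta["added"])) or "-"
        removed = ", ".join(sorted(delta["removed"])) or "-"
        lines.append(f"{key}: added [{added}] removed [{removed}]")
    return lines


if __name__ == "__main__":
    # Replace the embedded strings with open(path).read() to audit real files.
    default = parse_permissions(DEFAULT_PROPERTIES)
    custom = parse_permissions(CUSTOM_PROPERTIES)
    print("\n".join(report(diff_grants(default, custom))))
    print("user.delete now grants:", effective_grantees(custom, "user.delete") or "nobody")
```

Run against the real files by reading them with `open(...)` instead of the embedded strings. The diff output should match exactly the grants you made deliberately in Labs 1.6 and 2.1; any key that appears there without a note in your lab log is worth a second look, and an empty `user.delete` is the quickest way to confirm the optional exercise took effect before you log in as Scott Long.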




Optional exercise

Hide a button so that nobody can delete a user. Hint: log in as Scott Long and verify that you can't delete users.