
Purpose

The purpose of this module is to show you how to delegate mandates to other users so that they can perform the functions you choose for them.

Requirements
  • CustomerID installed

Overview of this lab

We will use the CustomerID administrative interface to configure delegated role management using mandates. In a nutshell, the lab consists of four main steps: creating the users, creating the service, defining the mandate and delegating it to the organization's users.


Part 1: Create Users

In order to create users:

  1. Log in as Scott Long (SmartPlan Admin). This user was created during Lab 1.1.

  2. Enable the adduser workflow. To do that, add the following to the custom eidm2.properties file:

    eidm2.properties
    # Workflows offered to administrators behind "Add User" on the Users tab
    createuser.workflows = adduser
    
    registration.1 = adduser
    registration.1.enabled = false
    # Lab settings: no TUPAS (bank) identification of the new user and no approval step
    registration.1.tupas.disabled = true
    registration.1.approval = false
    # Authentication method for the new user: password.2, mandatory and selected by default
    registration.1.methods = [ { "name" : "password.2", "mandatory" : "true", "visible" : "false", "default" : "true" } ]
    registration.1.userinfo.fields = firstname, surname, email, password
    registration.1.organizations = { "path" : "Users"}
    registration.1.summary.fields = firstname, surname, email
    
    
  3. Restart WildFly.
  4. Log in as Scott Long again and open the "Users" tab.
  5. The "Add User" button should now be visible. Click it.
  6. Create the user Jeremy Mills and give him the Contact Person role for City Group Inc, as shown in the following images. The password must contain both numbers and letters.
  7. To continue, you must select a role on the next step: type the company name in the Search box and pick the Contact Person role for City Group Inc.

  8. Now log in as Jeremy Mills to verify the user has been created.

 

Part 2: Create Service

The goal of this section is to create a new organization with the following values:

    Technical Name      mysmartplan
    Display Name        My SmartPlan
    Organization Type   site
    Service             true

Do not use spaces in the technical name.



  1. Log in to CustomerID as the administrator Scott Long. On the front page you will see the button for creating a new organization.

  2. Once you select "Create new organization", fill in the values listed above on the next screen.



Part 3: Define Mandate

Ubisecure Identity Server uses roles and mandates. This is how roles look in the administration interface for My SmartPlan:


Step 1: Configure text description for roles

Customize the text descriptions of the Visitor, Member and Owner roles by editing the file C:\Program Files\Ubisecure\customerid\application\custom\roles.properties:

custom/roles.properties
# English

en.friendlyName.visitor = Visitor
en.description.visitor  = Visitor can view public information.

en.friendlyName.member = Member
en.description.member  = Member can read private information.

en.friendlyName.owner = Owner
en.description.owner  = Owner can write information and manage user rights.

Restart WildFly.

This is how the interface looks after the changes (observe "Description" column):


Now it is time to understand how mandates work in practice.

What is the difference between a role and a mandate?

Role

  • Can be assigned only to a person
  • Cannot be delegated to others
  • To remove access rights, the role must be removed from each user individually

Examples:

  • Member role for Online Service
  • Owner role for Online Service

Mandate

  • A mandate can consist of one or more roles
  • A mandate received by an organization can be delegated to other persons
  • Shows the source of the authorization
  • Typically corresponds to a contract in the CRM system
  • Access rights can be removed from all users and organizations at once by removing the mandate
  • Mandate templates are currently created and managed via the REST API

As you can see in the picture below, an organization mandate allows service roles to be delegated to customer organizations. The City Group administrator, Jeremy Mills, can then decide who within his own organization gets access to the Online Service.

Mandates can be configured to require approval by an administrator of the receiving organization. We will disable this for today.

The allowed roles must be defined in the custom\eidm2.properties configuration file:

custom\eidm2.properties
general.admin.organization.users.includerolemembers = true

# Roles that may be included in a mandate
mandate.roles.allowed = owner,member,visitor

# Approval by the receiving organization is disabled for this lab
mandate.receiver.approval = false

Restart WildFly.

Permissions control who can create, assign, read and delete mandates.

In our environment we have added a custom role called mainuser (display name: Contact Person). The mainuser role must be given the rights to access mandates.

Create the file C:\Program Files\Ubisecure\customerid\application\custom\permissions.properties and add the following lines to it:

permissions.properties
# *************************************************************************************************
# **********  Mandate Permissions                                                        **********
# *************************************************************************************************

# Mandate read permission
# - This permission defines those users who are allowed to read mandate information concerning
#   received mandates in the admin service.
mandate.read = inh:OrganizationMainUser, inh:mainuser

# Mandate approval permission
# - This permission defines those users who are allowed to approve received mandates in the admin
#   service.
mandate.approve = inh:OrganizationMainUser, inh:mainuser

# Mandate removal permission
# - This permission defines those users who are allowed to remove either mandate actuators or the
#   received mandate in the admin service.
mandate.remove = inh:OrganizationMainUser, inh:mainuser

# Mandate creation permission
# - This permission defines those users who are allowed to create new mandates in the admin
#   service.
mandate.create = inh:OrganizationMainUser, inh:mainuser

# User mandate information read permission
# - This permission defines those users who are allowed to read the mandate information concerning
#   organization users in the admin service.
user.read.mandates = inh:OrganizationMainUser, inh:mainuser

# User mandate information removal permission
# - This permission defines those users who are allowed to remove mandates from organization users
#   in the admin service.
user.mandates.remove = inh:OrganizationMainUser, inh:mainuser


Restart the WildFly service for the changes to take effect.
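Before restarting WildFly it is worth checking the three property files edited in this lab together: a role listed in mandate.roles.allowed without a roles.properties entry, or a mandate permission that names nobody, only becomes visible in the interface after the restart. The script below is an added example written for this page, not part of Ubisecure's tooling. The file contents it embeds are copies of the lab's own snippets (the Part 1 and Part 3 additions to eidm2.properties, roles.properties and permissions.properties), constructed inline so that it runs offline; the checks and their messages are this script's own assumptions about what a reviewer would want flagged, not CustomerID's own validation.

```python
"""Pre-restart check of the CustomerID property files edited in this lab.

Added example for this page, not part of Ubisecure's tooling. The checks and their
messages are this script's own; the embedded file contents are copies of the lab's snippets.
"""
import re

# Constructed inline from the lab's eidm2.properties additions (Part 1 and Part 3)
EIDM2 = """
createuser.workflows = adduser
registration.1 = adduser
registration.1.enabled = false
registration.1.tupas.disabled = true
registration.1.approval = false
general.admin.organization.users.includerolemembers = true
mandate.roles.allowed = owner,member,visitor
mandate.receiver.approval = false
"""

# Constructed inline from custom/roles.properties
ROLES = """
en.friendlyName.visitor = Visitor
en.description.visitor  = Visitor can view public information.
en.friendlyName.member = Member
en.description.member  = Member can read private information.
en.friendlyName.owner = Owner
en.description.owner  = Owner can write information and manage user rights.
"""

# Constructed inline from custom/permissions.properties
PERMISSIONS = """
mandate.read = inh:OrganizationMainUser, inh:mainuser
mandate.approve = inh:OrganizationMainUser, inh:mainuser
mandate.remove = inh:OrganizationMainUser, inh:mainuser
mandate.create = inh:OrganizationMainUser, inh:mainuser
user.read.mandates = inh:OrganizationMainUser, inh:mainuser
user.mandates.remove = inh:OrganizationMainUser, inh:mainuser
"""

# The six permission keys the lab defines for mandate handling
MANDATE_PERMISSIONS = ("mandate.read", "mandate.approve", "mandate.remove",
                       "mandate.create", "user.read.mandates", "user.mandates.remove")


def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' lines, '#'/'!' comments, no continuations."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def check_config(eidm2_text, roles_text, perms_text, lang="en"):
    """Return (errors, warnings): errors should block the restart, warnings are lab-only settings."""
    eidm2, roles, perms = (parse_properties(t) for t in (eidm2_text, roles_text, perms_text))
    errors, warnings = [], []
    # 1. every role that may be put into a mandate needs a name and a description for the UI
    for role in csv(eidm2.get("mandate.roles.allowed", "")):
        for key in (f"{lang}.friendlyName.{role}", f"{lang}.description.{role}"):
            if key not in roles:
                errors.append(f"roles.properties: missing {key}")
    # 2. each mandate permission must name at least one principal, or nobody can use mandates
    for key in MANDATE_PERMISSIONS:
        if not csv(perms.get(key, "")):
            errors.append(f"permissions.properties: {key} grants nobody")
    # 3. settings the lab relaxes; review them before the configuration goes to production
    if eidm2.get("mandate.receiver.approval", "").lower() == "false":
        warnings.append("mandates are usable without approval by the receiving organization")
    if eidm2.get("registration.1.approval", "").lower() == "false":
        warnings.append("adduser workflow creates accounts without an approval step")
    if eidm2.get("registration.1.tupas.disabled", "").lower() == "true":
        warnings.append("adduser workflow skips TUPAS identification of the new user")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_config(EIDM2, ROLES, PERMISSIONS)
    for e in errs:
        print("ERROR:", e)
    for w in warns:
        print("WARN:", w)
    raise SystemExit(1 if errs else 0)
```

Run it with the lab's files and it reports no errors and three warnings, one for each setting that was relaxed for the lab. To use it against a real installation, read the three files from the custom directory instead of the embedded strings; the exit code makes it usable as a pre-restart gate in a deployment script.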

Step 2: Create organization mandate

Create a mandate that includes the Online Service Member role.

  1. In the Administration interface, open the "My SmartPlan" service.
  2. Click on the "Mandates" tab.
  3. Select "New organization mandate".
  4. Set City Group Inc. as the receiver of the mandate. Company ID: 2184053-5
  5. Choose the role "Member" to be included in the mandate.


  6. In the second step you can customize the invitation message.
  7. Then confirm the mandate.
  8. Finally you will see "Mandate invitation sent" at the top of the page.

Step 3: Delegation

As a Contact Person for City Group, delegate the service roles to the organization's users:

  1. Log in to My SmartPlan as Jeremy Mills.
  2. Open the City Group "Mandates" tab.

  3. Even Jeremy must receive the role through delegation in order to use it. Click "Delegate".
  4. Choose the user(s) who will receive the mandate. If the mandate contains more than one role, all roles contained in the mandate are given.
  5. Jeremy can also see his personally received mandates in the self-service interface, where mandates can be searched and filtered.
  6. As the service owner, Scott can also see who has been given access to the My SmartPlan application. Log in as Scott Long, choose the My SmartPlan "Users" tab, and see that Jeremy Mills is now listed as a user of the service.
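The difference between roles and mandates described earlier, and the create-then-delegate flow of Steps 2 and 3, can be traced in a small Python model. This is an added example written for this page, not Ubisecure code, and it does not talk to CustomerID; the service, organization and person names are the lab's, while "alice" and "bob" are made-up users so that delegation to several people, a failed delegation by someone who is not a Contact Person, and a later revocation can be shown. It also replays the flow with mandate.receiver.approval = true, which the lab leaves disabled.

```python
"""Toy model of roles versus mandates as used in this lab (added example, not Ubisecure code).
Names of the service, organisation and persons are the lab's; 'alice' and 'bob' are made up."""
from dataclasses import dataclass, field
from itertools import count


@dataclass
class Mandate:
    mandate_id: int
    service: str
    receiver_org: str
    roles: frozenset
    approved: bool
    delegates: set = field(default_factory=set)  # persons the receiving organisation delegated it to


class AccessModel:
    def __init__(self, receiver_approval):
        self.receiver_approval = receiver_approval  # mirrors mandate.receiver.approval
        self.direct_roles = {}  # (user, service) -> roles assigned to that person
        self.main_users = {}    # org -> persons holding the mainuser (Contact Person) role
        self.mandates = {}      # mandate_id -> Mandate
        self._ids = count(1)

    def assign_role(self, user, service, role):
        # A plain role is assigned per person and has to be removed per person.
        self.direct_roles.setdefault((user, service), set()).add(role)

    def create_mandate(self, service, receiver_org, roles):
        # The service owner grants roles to an organisation; pending if approval is required.
        m = Mandate(next(self._ids), service, receiver_org, frozenset(roles),
                    approved=not self.receiver_approval)
        self.mandates[m.mandate_id] = m
        return m.mandate_id

    def _require_main_user(self, actor, org):
        # permissions.properties gives the mandate.* rights to inh:mainuser
        if actor not in self.main_users.get(org, set()):
            raise PermissionError(f"{actor} is not a main user of {org}")

    def approve_mandate(self, mandate_id, actor):
        m = self.mandates[mandate_id]
        self._require_main_user(actor, m.receiver_org)
        m.approved = True

    def delegate(self, mandate_id, actor, users):
        m = self.mandates[mandate_id]
        self._require_main_user(actor, m.receiver_org)
        if not m.approved:
            raise PermissionError("mandate not yet approved by the receiving organisation")
        m.delegates.update(users)  # every role in the mandate goes to every listed user

    def revoke_mandate(self, mandate_id):
        del self.mandates[mandate_id]  # one removal cuts access for all delegates at once

    def effective_roles(self, user, service):
        roles = set(self.direct_roles.get((user, service), set()))
        for m in self.mandates.values():
            if m.service == service and user in m.delegates:
                roles |= m.roles
        return roles

    def service_users(self, service):
        # What the service owner sees on the service's Users tab.
        users = {u for (u, s), r in self.direct_roles.items() if s == service and r}
        for m in self.mandates.values():
            if m.service == service:
                users |= m.delegates
        return users


def allowed(action):
    """True if the model permits the action, False if it raises PermissionError."""
    try:
        action()
        return True
    except PermissionError:
        return False


def demo():
    """Replays the lab: a Member mandate for City Group, delegated by Jeremy Mills."""
    svc, org = "mysmartplan", "City Group Inc"
    acl = AccessModel(receiver_approval=False)  # the lab's eidm2.properties setting
    acl.main_users[org] = {"jeremy.mills"}      # Contact Person created in Part 1
    mid = acl.create_mandate(svc, org, {"member"})  # Scott Long, Step 2
    out = {"before_delegation": acl.effective_roles("jeremy.mills", svc)}
    acl.delegate(mid, "jeremy.mills", {"jeremy.mills", "alice"})  # Step 3
    out["after_delegation"] = acl.effective_roles("alice", svc)
    out["seen_by_owner"] = acl.service_users(svc)
    out["alice_can_delegate"] = allowed(lambda: acl.delegate(mid, "alice", {"bob"}))
    acl.assign_role("bob", svc, "member")  # a plain role, for comparison
    acl.revoke_mandate(mid)
    out["after_revoke"] = (acl.effective_roles("alice", svc), acl.effective_roles("bob", svc))
    # Same flow with mandate.receiver.approval = true: delegation waits for approval
    strict = AccessModel(receiver_approval=True)
    strict.main_users[org] = {"jeremy.mills"}
    mid2 = strict.create_mandate(svc, org, {"member", "visitor"})
    out["delegated_unapproved"] = allowed(lambda: strict.delegate(mid2, "jeremy.mills", {"jeremy.mills"}))
    strict.approve_mandate(mid2, "jeremy.mills")
    strict.delegate(mid2, "jeremy.mills", {"jeremy.mills"})
    out["roles_after_approval"] = strict.effective_roles("jeremy.mills", svc)
    return out
```

Calling demo() shows the points the lab makes: Jeremy has no effective role until he delegates the mandate to himself, everyone he delegates to appears on the service owner's Users tab, a user without the mainuser role cannot delegate, and revoking the mandate removes access from all delegates in one step while bob's directly assigned role survives and would have to be removed separately. With approval enabled, delegation is refused until the receiving organization's main user has approved the mandate.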





