feat: add BPDM authentication configuration for 24.08. release #155

Merged
merged 4 commits into from
Sep 20, 2024
5 changes: 5 additions & 0 deletions docs/technical documentation/03. Clients.md
Expand Up @@ -34,6 +34,7 @@ During the [import of the realms](/import/realm-config/) at startup, the relevan
| CentralIdP | Public | SSI Credential Issuer | Cl24-CX-SSI-CredentialIssuer |
| CentralIdP | Confidential | BPDM | Cl7-CX-BPDM |
| CentralIdP | Confidential | BPDM Portal Gate | Cl16-CX-BPDMGate |
| CentralIdP | Confidential | BPDM Orchestrator | Cl25-CX-BPDM-Orchestrator |
| CentralIdP | Confidential | Managed Identity Wallet | Cl5-CX-Custodian |
| CentralIdP | Service Account | Portal Backend to call Keycloak | sa-cl1-reg-2 |
| CentralIdP | Service Account | Clearinghouse update application | sa-cl2-01 |
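Review bot: the new Cl25-CX-BPDM-Orchestrator row is typed Confidential, matching Cl7-CX-BPDM and Cl16-CX-BPDMGate, but the roles table this PR adds in 06. Roles & Rights Concept marks every orchestrator permission in the Technical User column only; consider stating in the row or in the Client Authentication Concept below that this client is reached only through its service accounts and not by interactive portal users, so nobody assigns portal user roles to it.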
Expand All @@ -49,6 +50,10 @@ During the [import of the realms](/import/realm-config/) at startup, the relevan
| CentralIdP | Service Account | SSI Credential Issuer | sa-cl24-01 |
| CentralIdP | Service Account | SSI Credential Issuer - Portal to SSI Credential Issuer | sa-cl2-04 |
| CentralIdP | Service Account | DIM (Decentral Identity Management) Middle Layer to Portal | sa-cl2-05 |
| CentralIdP | Service Account | BPDM Dummy Cleaning Task Processor | sa-cl25-cx-1 |
| CentralIdP | Service Account | BPDM Pool Task Processor | sa-cl25-cx-2 |
| CentralIdP | Service Account | BPDM Portal Gate Task Creator | sa-cl25-cx-3 |
| CentralIdP | Service Account | BPDM Portal Gate Pool Consumer | sa-cl7-cx-1 |
| SharedIdP | Service Account | in master realm for Portal Backend to call Keycloak | sa-cl1-reg-1 |

## Client Authentication Concept
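Review bot: the naming of the four new service accounts is inconsistent with the rest of the table and with each other. The existing pattern is sa-cl<client>-<nn> (sa-cl24-01, sa-cl2-05), while the new rows introduce sa-cl25-cx-1; more importantly, sa-cl7-cx-1 is described as "BPDM Portal Gate Pool Consumer" although cl7 is the prefix of Cl7-CX-BPDM (the Pool client) and the Gate client is Cl16-CX-BPDMGate. If the prefix is deliberate because this account consumes the Pool on behalf of the Gate, say so in the description; otherwise it reads as a typo that will confuse anyone mapping accounts to clients during the realm import.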
121 changes: 94 additions & 27 deletions docs/technical documentation/06. Roles & Rights Concept.md
Expand Up @@ -276,25 +276,31 @@ For example:

Managed via Client: **Cl7-CX-BPDM**

| | **CX Admin** | **Technical User*** | **Company Admin** | **Business Admin** | **IT Admin** | **CX User** | **Purchaser** | **App Manager** | **App Developer** | **Sales Manager** | **Service Manager** | **Business Partner Data Manager** |
|-|----------|-----------------|---------------|----------------|----------|---------|-----------|-------------|----------|------|-----------|--------------|
|Business Partner Data Management| | | | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | |
| read_changelog **new** | x | x | x | x | x | x | x | x | x | x | x | x |
| read_changelog_member **new** | x | x | x | x | x | x | x | x | x | x | x | x |
| read_metadata **new** | x | x | | | | | | | | | | x |
| read_partner **new** | x | x | | | | | | | | | | |
| read_partner_member **new** | x | x | x | | | | | | | | | |
| write_metadata **new** | x | x | x | x | x | x | x | x | x | x | x | x |
| write_partner **new** | x | x | | | | | | | | | | |

Technical Users*: BPDM Admin & BPDM Pool Consumer.
|   |  **CX Admin** | **Technical User*** | **Company Admin** | **Business Admin** | **IT Admin** | **CX User** | **Purchaser** | **App Manager** | **App Developer** | **Sales Manager** | **Service Manager** | **Business Partner Data Manager** |
|----------------------------------|---------------|---------------------|-------------------|------------------------------|------------------------------|------------------------------|------------------------------|------------------------------|------------------------------|------------------------------|------------------------------|-----------------------------------|
| Business Partner Data Management |   | | | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | |
| read_changelog | x | x |  x | x | x | x | x | x | x | x | x | x |
| read_changelog_member | x | x |  x | x | x | x | x | x | x | x | x | x |
| read_metadata | x | x | | | | | | | | | | x |
| read_partner | x | x | | | | | | | | | | |
| read_partner_member | x | x | x | | | | | | | | | |
| write_metadata | x | x |  x | x | x | x | x | x | x | x | x | x |
| write_partner | x | x | | | | | | | | | | |

Technical Users*: BPDM Admin, BPDM Pool Consumer & BPDM Pool Sharing Consumer.

Following the permission assignment

- BPDM Pool Consumer
- read_changelog
- read_partner_member
- read_changelog_member
- read_metadata

- BPDM Pool Sharing Consumer
- read_partner
- read_metadata
- read_changelog

- BPDM Pool Admin
- read_partner
- write_partner
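Review bot: the single "Technical User*" column can no longer express the distinction the updated footnote introduces. The column shows x for both read_partner and read_partner_member, yet the lists below assign read_partner only to BPDM Pool Sharing Consumer and read_partner_member only to BPDM Pool Consumer, and read_partner exposes the whole pool rather than member data only. Either split the column per technical role or add a remark under the table that the x marks the union of the three technical roles and that the lists below are authoritative. Note also that the permission rows keep exactly the same assignments as before apart from the removed "**new**" markers and whitespace, so the substantive change in this hunk is the footnote and the new BPDM Pool Sharing Consumer list; a one-line remark naming the new role would help readers spot it.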
Expand All @@ -305,26 +311,24 @@ Following the permission assignment
- write_metadata

>**_NOTE_:**
> BPDM Admin as well as BPDM Pool Consumer is only available for the CX-Operator.
> All technical roles are only available for the CX-Operator.
No other customers can create such technical user roles.

#### 2.5.6 BPDM Gate

Managed via Client: **Cl16-CX-BPDMGate**
As well as on runtime created gates

| | **CX Admin** | **Technical User*** | **Company Admin** | **Business Admin** | **IT Admin** | **CX User** | **Purchaser** | **App Manager** | **App Developer** | **Sales Manager** | **Service Manager** | **Business Partner Data Manager** |
|-|----------|-----------------|---------------|----------------|----------|---------|-----------|-------------|----------|------|-----------|--------------|
|Business Partner Data Management| | | | | | | | | | | | |
| read_input_partner | | x | | | | | | | | | | |
| write_input_partner - exclusively for the platform operator | | x | | | | | | | | | | |
| read_input_changelog | | x | | | | | | | | | | |
| read_output_partner | | x | | | | | | | | | | |
| write_output_partner - exclusively for the platform operator | | x | | | | | | | | | | |
| read_output_changelog | | x | | | | | | | | | | |
| read_sharing_state | | x | | | | | | | | | | |
| write_sharing_state - exclusively for the platform operator | | | | | | | | | | | | |
| read_stats | | x | | | | | | | | | | |
|   |  **CX Admin** | **Technical User*** | **Company Admin** | **Business Admin** | **IT Admin** | **CX User** | **Purchaser** | **App Manager** | **App Developer** | **Sales Manager** | **Service Manager** | **Business Partner Data Manager** |
|-----------------------|---------------|---------------------|-------------------|--------------------|--------------|-------------|---------------|-----------------|-------------------|-------------------|---------------------|-----------------------------------|
| read_input_partner |   | x | | | | | | | | | | x |
| write_input_partner |   | x | | | | | | | | | | x |
| read_input_changelog |   | x | | | | | | | | | | x |
| read_output_partner |   | x | | | | | | | | | | x |
| read_output_changelog |   | x | | | | | | | | | | x |
| read_sharing_state |   | x | | | | | | | | | | x |
| write_sharing_state |   | x | | | | | | | | | | x |
| read_stats |   | x | | | | | | | | | | x |

Technical Users Roles/Profiles:

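Review bot: this hunk silently widens write access on the Gate client. The old table limited write_input_partner and write_sharing_state to the platform operator ("exclusively for the platform operator") and left write_sharing_state unassigned even for technical users; the new table drops those qualifiers, marks write_sharing_state x for technical users, and grants all eight permissions, the two write ones included, to the Business Partner Data Manager company role. If this is intended because every company now has its own runtime-created gate (as the "As well as on runtime created gates" line suggests), state that explicitly, since the Pool section above still limits write_partner to CX Admin and technical users. The write_output_partner row is removed without explanation; add a sentence on whether the permission was deleted from the client or merely unassigned. Finally, the rewritten NOTE relies on Markdown lazy continuation for its third line ("No other customers ..."); prefix it with ">" so it visibly stays in the blockquote.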
Expand All @@ -340,7 +344,6 @@ Following the permission assignment
- write_input_partner
- read_input_changelog
- read_output_partner
- write_output_partner
- read_output_changelog
- read_sharing_state
- write_sharing_state
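Review bot: removing write_output_partner from this technical-user role list matches the row deleted from the Gate table, but the hunk does not show which role the list belongs to and nothing states whether the client role itself is removed from the realm configuration. If the Keycloak client role survives, it stays assignable through Keycloak even though the documentation no longer mentions it, so either note that it is deleted in the import or keep it documented as operator-only.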
Expand Down Expand Up @@ -394,6 +397,70 @@ Managed via Client: **Cl24-CX-SSI-CredentialIssuer**
| Revoke owned credentials (revoke_credential) | x | | x | x | x | | | | | | | |
| Revoke any credentials (revoke_credential_issuer) | x | | | | | | | | | | | |

#### 2.5.6 BPDM Orchestrator

Managed via Client: **Cl25-CX-BPDM-Orchestrator**

|   |  **CX Admin** | **Technical User*** | **Company Admin** | **Business Admin** | **IT Admin** | **CX User** | **Purchaser** | **App Manager** | **App Developer** | **Sales Manager** | **Service Manager** | **Business Partner Data Manager** |
|---------------------------------|---------------|---------------------|-------------------|--------------------|--------------|-------------|---------------|-----------------|-------------------|-------------------|---------------------|-----------------------------------|
| create_task |   | x | | | | | | | | | | |
| read_task |   | x | | | | | | | | | | |
| create_reservation_clean |   | x | | | | | | | | | | |
| create_result_clean |   | x | | | | | | | | | | |
| create_reservation_cleanAndSync |   | x | | | | | | | | | | |
| create_result_cleanAndSync |   | x | | | | | | | | | | |
| create_reservation_poolSync |   | x | | | | | | | | | | |
| create_result_poolSync |   | x | | | | | | | | | | |


Technical Users Roles/Profiles:
- BPDM Orchestrator Admin
- BPDM Orchestrator Task Creator
- BPDM Orchestrator Processor Clean
- BPDM Orchestrator Processor CleanAndSync
- BPDM Orchestrator Processor PoolSync

Following the permission assignment

- BPDM Orchestrator Admin:
- create_task
- read_task
- create_reservation_clean
- create_result_clean
- create_reservation_cleanAndSync
- create_result_cleanAndSync
- create_reservation_poolSync
- create_result_poolSync

- BPDM Orchestrator Task Creator
- create_task
- read_task

- BPDM Orchestrator Processor Clean
- create_reservation_clean
- create_result_clean

- BPDM Orchestrator Processor CleanAndSync
- create_reservation_cleanAndSync
- create_result_cleanAndSync

- BPDM Orchestrator Processor PoolSync
- create_reservation_poolSync
- create_result_poolSync

>**_NOTE:_**
>All technical roles are only available for the Operator.
No other customers can create such technical user roles.


Following Tech User Roles are available for the Operator via the Self-Service:

- BPDM Orchestrator Admin
- BPDM Orchestrator Task Creator
- BPDM Orchestrator Processor Clean
- BPDM Orchestrator Processor CleanAndSync
- BPDM Orchestrator Processor PoolSync

### 2.6 Segregation of duties

The concept of segregation of duties involves having more than one person or role required to complete a task. However, this scenario does not currently exist within the portal.
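Review bot: the new section reuses the number 2.5.6, which is already taken by "BPDM Gate" earlier in the file, and it is placed after the SSI Credential Issuer section, so it should get the next free number in that sequence. The list of technical user roles appears twice with identical content (under "Technical Users Roles/Profiles" and again under "available for the Operator via the Self-Service"); keep one and reference it. The NOTE says "Operator" where the rest of the document says "CX-Operator", and its third line lacks the ">" prefix. It would also help to map the profiles to the service accounts added in 03. Clients: sa-cl25-cx-1 (Dummy Cleaning Task Processor), sa-cl25-cx-2 (Pool Task Processor) and sa-cl25-cx-3 (Portal Gate Task Creator) appear to correspond to Processor Clean, Processor PoolSync and Task Creator, while no account is listed for Processor CleanAndSync or for BPDM Orchestrator Admin, which holds every permission; state whether the Admin profile is meant for a running component or only for the operator's self-service. The double blank lines before "Technical Users Roles/Profiles" and before "Following Tech User Roles" can be collapsed.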