feat: add BPDM authentication configuration for 24.08. release (#155)
* feat(BPDM): add BPDM Orchestrator authentication configuration

- add an Orchestrator client
- add Orchestrator client roles
- add technical roles into technical role management client
- add client scope role mappings
- add Orchestrator Admin role to BPDM admin service accounts

* feat(BPDM): add separate BPDM technical users for establishing the golden record process

- add technical user for the Pool to access the Orchestrator component
- add technical user for the Cleaning Dummy to access the Orchestrator component
- add technical user for the Portal Gate to access the Orchestrator component
- add technical user for the Portal Gate to access the Pool component

* fix(BPDM): entries for composite BPDM roles

- making sure that the Portal Data Manager has read and write access to the Portal Gate
- giving the BPDM Pool Sharing Consumer role the permissions to read all Pool data
- restricting the BPDM Pool Consumer reading access to Pool member data only
- removing outdated write permission for the Cl16-CX-BPDMGate

* docs(BPDM): adapt rights and roles concept and add newly introduced clients

- add rights and roles documentation of BPDM Orchestrator
- adapt documentation to rights and roles of BPDM Pool and Gate
- add Orchestrator client and new fine-granular BPDM service accounts to list of initial clients
nicoprow authored Sep 20, 2024
1 parent 6782081 commit 5a73f46
Showing 3 changed files with 987 additions and 57 deletions.
5 changes: 5 additions & 0 deletions docs/technical documentation/03. Clients.md
Expand Up @@ -34,6 +34,7 @@ During the [import of the realms](/import/realm-config/) at startup, the relevan
| CentralIdP | Public | SSI Credential Issuer | Cl24-CX-SSI-CredentialIssuer |
| CentralIdP | Confidential | BPDM | Cl7-CX-BPDM |
| CentralIdP | Confidential | BPDM Portal Gate | Cl16-CX-BPDMGate |
| CentralIdP | Confidential | BPDM Orchestrator | Cl25-CX-BPDM-Orchestrator |
| CentralIdP | Confidential | Managed Identity Wallet | Cl5-CX-Custodian |
| CentralIdP | Service Account | Portal Backend to call Keycloak | sa-cl1-reg-2 |
| CentralIdP | Service Account | Clearinghouse update application | sa-cl2-01 |
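Review bot: the client id on the inserted row, `Cl25-CX-BPDM-Orchestrator`, does not follow the naming of the two existing BPDM clients in this table (`Cl7-CX-BPDM`, `Cl16-CX-BPDMGate`, no hyphen between product and component). Client ids end up in token claims and in every configuration that references the client, so either align the name (`Cl25-CX-BPDMOrchestrator`) or state that the hyphenated form is the intended id before downstream components start depending on it.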
Expand All @@ -49,6 +50,10 @@ During the [import of the realms](/import/realm-config/) at startup, the relevan
| CentralIdP | Service Account | SSI Credential Issuer | sa-cl24-01 |
| CentralIdP | Service Account | SSI Credential Issuer - Portal to SSI Credential Issuer | sa-cl2-04 |
| CentralIdP | Service Account | DIM (Decentral Identity Management) Middle Layer to Portal | sa-cl2-05 |
| CentralIdP | Service Account | BPDM Dummy Cleaning Task Processor | sa-cl25-cx-1 |
| CentralIdP | Service Account | BPDM Pool Task Processor | sa-cl25-cx-2 |
| CentralIdP | Service Account | BPDM Portal Gate Task Creator | sa-cl25-cx-3 |
| CentralIdP | Service Account | BPDM Portal Gate Pool Consumer | sa-cl7-cx-1 |
| SharedIdP | Service Account | in master realm for Portal Backend to call Keycloak | sa-cl1-reg-1 |

## Client Authentication Concept
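Review bot: the four new service-account rows name the accounts (`sa-cl25-cx-1` to `sa-cl25-cx-3`, `sa-cl7-cx-1`) and their purpose but not the client role each one holds, so a reader cannot verify the least-privilege split the commit message describes (Task Creator for the Gate, Processor Clean for the dummy cleaner, Pool Consumer for the Gate against the Pool). Add the role, or a pointer to the roles document, per row. `sa-cl7-cx-1` also sits among rows prefixed `sa-cl25`; a short remark that it is a Pool (Cl7) account, not an Orchestrator one, would stop it being read as a typo.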
121 changes: 94 additions & 27 deletions docs/technical documentation/06. Roles & Rights Concept.md
Expand Up @@ -276,25 +276,31 @@ For example:

Managed via Client: **Cl7-CX-BPDM**

| | **CX Admin** | **Technical User*** | **Company Admin** | **Business Admin** | **IT Admin** | **CX User** | **Purchaser** | **App Manager** | **App Developer** | **Sales Manager** | **Service Manager** | **Business Partner Data Manager** |
|-|----------|-----------------|---------------|----------------|----------|---------|-----------|-------------|----------|------|-----------|--------------|
|Business Partner Data Management| | | | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | |
| read_changelog **new** | x | x | x | x | x | x | x | x | x | x | x | x |
| read_changelog_member **new** | x | x | x | x | x | x | x | x | x | x | x | x |
| read_metadata **new** | x | x | | | | | | | | | | x |
| read_partner **new** | x | x | | | | | | | | | | |
| read_partner_member **new** | x | x | x | | | | | | | | | |
| write_metadata **new** | x | x | x | x | x | x | x | x | x | x | x | x |
| write_partner **new** | x | x | | | | | | | | | | |

Technical Users*: BPDM Admin & BPDM Pool Consumer.
|   |  **CX Admin** | **Technical User*** | **Company Admin** | **Business Admin** | **IT Admin** | **CX User** | **Purchaser** | **App Manager** | **App Developer** | **Sales Manager** | **Service Manager** | **Business Partner Data Manager** |
|----------------------------------|---------------|---------------------|-------------------|------------------------------|------------------------------|------------------------------|------------------------------|------------------------------|------------------------------|------------------------------|------------------------------|-----------------------------------|
| Business Partner Data Management |   | | | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | |
| read_changelog | x | x |  x | x | x | x | x | x | x | x | x | x |
| read_changelog_member | x | x |  x | x | x | x | x | x | x | x | x | x |
| read_metadata | x | x | | | | | | | | | | x |
| read_partner | x | x | | | | | | | | | | |
| read_partner_member | x | x | x | | | | | | | | | |
| write_metadata | x | x |  x | x | x | x | x | x | x | x | x | x |
| write_partner | x | x | | | | | | | | | | |

Technical Users*: BPDM Admin, BPDM Pool Consumer & BPDM Pool Sharing Consumer.

Following the permission assignment

- BPDM Pool Consumer
- read_changelog
- read_partner_member
- read_changelog_member
- read_metadata

- BPDM Pool Sharing Consumer
- read_partner
- read_metadata
- read_changelog

- BPDM Pool Admin
- read_partner
- write_partner
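Review bot: the Pool table and the permission list below it disagree about what `BPDM Pool Consumer` grants. The columns marked `By role "BPDM Pool Consumer"` show `read_changelog`, `read_changelog_member` and `write_metadata` but not `read_partner_member` or `read_metadata`, while the list grants `read_partner_member` and `read_metadata` and no `write_metadata`. `write_metadata` is also marked for every column down to CX User and Purchaser, which is broader than a consumer role should be and contradicts the commit message ("restricting the BPDM Pool Consumer reading access to Pool member data only"); reconcile the table with the list and with the realm import. The `BPDM Pool Sharing Consumer` entry lists `read_changelog` but not `read_changelog_member`; if `read_changelog` is meant to cover member entries, say so.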
Expand All @@ -305,26 +311,24 @@ Following the permission assignment
- write_metadata

>**_NOTE_:**
> BPDM Admin as well as BPDM Pool Consumer is only available for the CX-Operator.
> All technical roles are only available for the CX-Operator.
No other customers can create such technical user roles.

#### 2.5.6 BPDM Gate

Managed via Client: **Cl16-CX-BPDMGate**
As well as on runtime created gates

| | **CX Admin** | **Technical User*** | **Company Admin** | **Business Admin** | **IT Admin** | **CX User** | **Purchaser** | **App Manager** | **App Developer** | **Sales Manager** | **Service Manager** | **Business Partner Data Manager** |
|-|----------|-----------------|---------------|----------------|----------|---------|-----------|-------------|----------|------|-----------|--------------|
|Business Partner Data Management| | | | | | | | | | | | |
| read_input_partner | | x | | | | | | | | | | |
| write_input_partner - exclusively for the platform operator | | x | | | | | | | | | | |
| read_input_changelog | | x | | | | | | | | | | |
| read_output_partner | | x | | | | | | | | | | |
| write_output_partner - exclusively for the platform operator | | x | | | | | | | | | | |
| read_output_changelog | | x | | | | | | | | | | |
| read_sharing_state | | x | | | | | | | | | | |
| write_sharing_state - exclusively for the platform operator | | | | | | | | | | | | |
| read_stats | | x | | | | | | | | | | |
|   |  **CX Admin** | **Technical User*** | **Company Admin** | **Business Admin** | **IT Admin** | **CX User** | **Purchaser** | **App Manager** | **App Developer** | **Sales Manager** | **Service Manager** | **Business Partner Data Manager** |
|-----------------------|---------------|---------------------|-------------------|--------------------|--------------|-------------|---------------|-----------------|-------------------|-------------------|---------------------|-----------------------------------|
| read_input_partner |   | x | | | | | | | | | | x |
| write_input_partner |   | x | | | | | | | | | | x |
| read_input_changelog |   | x | | | | | | | | | | x |
| read_output_partner |   | x | | | | | | | | | | x |
| read_output_changelog |   | x | | | | | | | | | | x |
| read_sharing_state |   | x | | | | | | | | | | x |
| write_sharing_state |   | x | | | | | | | | | | x |
| read_stats |   | x | | | | | | | | | | x |

Technical Users Roles/Profiles:

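Review bot: the rewritten Gate table drops the "exclusively for the platform operator" qualifier from `write_input_partner` and `write_sharing_state` and at the same time grants both to the Business Partner Data Manager column, and `write_sharing_state` goes from no holder at all to Technical User and Data Manager. The commit message only mentions read and write access for the Data Manager, so state explicitly whether the operator-only restriction on writing sharing state is intentionally lifted; that qualifier was the only place the restriction was documented. Also `No other customers can create such technical user roles.` is missing the `>` prefix and renders outside the NOTE blockquote.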
Expand All @@ -340,7 +344,6 @@ Following the permission assignment
- write_input_partner
- read_input_changelog
- read_output_partner
- write_output_partner
- read_output_changelog
- read_sharing_state
- write_sharing_state
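Review bot: `write_output_partner` is removed from this role's permission list (and from the Gate table above) while `read_output_partner` stays. Confirm the client role itself was removed from the realm import, as the commit message's "removing outdated write permission for the Cl16-CX-BPDMGate" suggests, so that no account keeps a permission the documentation no longer lists; if the role still exists but is meant for the Pool side only, note where it is now granted.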
Expand Down Expand Up @@ -394,6 +397,70 @@ Managed via Client: **Cl24-CX-SSI-CredentialIssuer**
| Revoke owned credentials (revoke_credential) | x | | x | x | x | | | | | | | |
| Revoke any credentials (revoke_credential_issuer) | x | | | | | | | | | | | |

#### 2.5.6 BPDM Orchestrator

Managed via Client: **Cl25-CX-BPDM-Orchestrator**

|   |  **CX Admin** | **Technical User*** | **Company Admin** | **Business Admin** | **IT Admin** | **CX User** | **Purchaser** | **App Manager** | **App Developer** | **Sales Manager** | **Service Manager** | **Business Partner Data Manager** |
|---------------------------------|---------------|---------------------|-------------------|--------------------|--------------|-------------|---------------|-----------------|-------------------|-------------------|---------------------|-----------------------------------|
| create_task |   | x | | | | | | | | | | |
| read_task |   | x | | | | | | | | | | |
| create_reservation_clean |   | x | | | | | | | | | | |
| create_result_clean |   | x | | | | | | | | | | |
| create_reservation_cleanAndSync |   | x | | | | | | | | | | |
| create_result_cleanAndSync |   | x | | | | | | | | | | |
| create_reservation_poolSync |   | x | | | | | | | | | | |
| create_result_poolSync |   | x | | | | | | | | | | |


Technical Users Roles/Profiles:
- BPDM Orchestrator Admin
- BPDM Orchestrator Task Creator
- BPDM Orchestrator Processor Clean
- BPDM Orchestrator Processor CleanAndSync
- BPDM Orchestrator Processor PoolSync

Following the permission assignment

- BPDM Orchestrator Admin:
- create_task
- read_task
- create_reservation_clean
- create_result_clean
- create_reservation_cleanAndSync
- create_result_cleanAndSync
- create_reservation_poolSync
- create_result_poolSync

- BPDM Orchestrator Task Creator
- create_task
- read_task

- BPDM Orchestrator Processor Clean
- create_reservation_clean
- create_result_clean

- BPDM Orchestrator Processor CleanAndSync
- create_reservation_cleanAndSync
- create_result_cleanAndSync

- BPDM Orchestrator Processor PoolSync
- create_reservation_poolSync
- create_result_poolSync

>**_NOTE:_**
>All technical roles are only available for the Operator.
No other customers can create such technical user roles.


Following Tech User Roles are available for the Operator via the Self-Service:

- BPDM Orchestrator Admin
- BPDM Orchestrator Task Creator
- BPDM Orchestrator Processor Clean
- BPDM Orchestrator Processor CleanAndSync
- BPDM Orchestrator Processor PoolSync

### 2.6 Segregation of duties

The concept of segregation of duties involves having more than one person or role required to complete a task. However, this scenario does not currently exist within the portal.
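Review bot: the new section reuses heading number `2.5.6`, already used by BPDM Gate, and is placed after the SSI Credential Issuer section rather than next to the other BPDM sections; renumber and move it. Within the section, the list under "Technical Users Roles/Profiles:" and the list under "Following Tech User Roles are available for the Operator via the Self-Service:" are identical, so one of them can go or the second should say what it adds; `No other customers can create such technical user roles.` lacks the `>` prefix and renders outside the NOTE blockquote; and the note says "Operator" where the Pool section says "CX-Operator". On substance, `BPDM Orchestrator Admin` is the union of every creator and processor permission, so the `Cl25` service accounts in the Clients table should be checked to hold only their single profile role and not the Admin role, which the commit message assigns to the BPDM admin service accounts.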
