Add Roles and Permissions
Add Role-Based Access Control (RBAC) for organisations and users within an ecosystem. Define Roles, granting permissions to chosen participants within by using Role Metadata.
For more explanation on how to successfully model an ecosystem/federation to fully reflect its needs and requirements, see the Modeling Ecosystems article.
-
Domains available and configured within the platform.
Add a Domain if there is not one available already.
-
Get an Access Token with the
directory:websitescope - if you want to create or manage Authorisation Domain Roles and their Metadata using Connect's APIs.
Create Authorisation Domain Role
Authorisation Domain Roles can be created only for an already existing authorisation domain. A role cannot exist by itself -- it needs to be associated with a domain.
-
Select Reference Data > Domains and Roles.
-
Using the dropdown button, expand an Authorisation Domain for which you want to add a role.
-
Select + Add Role.
-
Fill in all the required fields and save.
| Field Name | Description |
|---|---|
| Authorisation Domain Name | Common name of the issuing Domains |
| Authorisation Domain Role Name | Name of the role |
| Authorisation Domain Role Type | Type of the Authorisation Domain Role Federation: Defining how an organisation client application's software statement is presented to the broader ecosystem. Federation roles influence the interaction pattern between the client application and the ecosystem. It shapes the client endpoint behavior and its relations with Authorisation Servers. Directory: Directory roles determine the manner in which an organisation's client applications communicate with the Connect's APIs. Modifications to Directory roles are applied across all client applications registered within a framework. |
| Is this role exclusive? | Controls whether an organisation can have other roles assigned. If an organisation has an exclusive role assigned, it cannot have any other role assigned. |
| Description | Description of the Authorisation Domain Role |
Add Authorisation Domain Role Metadata
-
Select Reference Data > Authorisation Domains and Roles.
-
Using the dropdown button, expand an Authorisation Domain for which you want to configure a role by defining its metadata.
-
Select the role for which you wish to add metadata.
-
Select Authorisation Domain Roles Metadata in the left navigation tree.
-
Select New Authorisation Domain Role Metadata.
-
Fill in the fields defining the role metadata.
-
Save new role metadata.
Available Role Metadata Types
Check available Role Metadata Types:
claim
Specific pieces of information requested by organisation's client applications to be included within the requested access and/or ID tokens to convey information about the client, user, or authentication event.
Example: name, family_name
claim_in_verified_claims
Specific and verified pieces of information requested by organisation's client applications to be included within the requested access and/or ID tokens to convey information about the client, user, or authentication event.
Verified claims differ from regular claims by enabling strong assurance of a claim according to the OpenID Connect Specification for Identity Assurance.
For example of how verified claims look like, see the OIDC for Identity Assurance specification section #5.
scope
OAuth access scope are used by client applications to specify the access scopes the client requests from the authorisation server.
It is considered a best practice to always limit the scopes requested only to the absolute necessary ones for security purposes.
If you are adding metadata to a role of the directory type and wish to
enable client applications to access Connect's APIs, Raidiam's OAuth
Authorisation Servers accepts three
values: directory:website, directory:software, and directory:admin.
Within Connect, all client applications are by default assigned the
directory:software scope to enable them to access the platform's APIs.
response_type
Determines the response type the client application
expects while making requests to the Authorisation Server's /authorization
and /token endpoints.
One of: code, code token, code id_token, id_token token, code id_token token For more information about response types and their
detailed descriptions, see the OAuth 2.0 Multiple Response Type Encoding
Practices specification section
#5.
grant_type
Specifies the OAuth grant type (flow) the client application uses while requesting authorisation from the user or token from the authorisation server.
If you are adding metadata to a role of the directory type and wish to
enable client applications to access Connect's APIs, Raidiam's OAuth
Authorisation Servers accepts two
values: authorization_code, or client_credentials.
Within Connect, all client applications are by default assigned the
client_credentials flow to enable them to access the platform's APIs.
is_resource_server
Specifies whether the client application represents a resource server or not.
One of: true, false
authorization_details_type
Enables client applications to specify their fine-grained authorization requirements while using the OAuth 2.0 Rich Authorization Requests (RAR) grant type.
Example: payments, accounts
Delete Authorisation Domain Role
For security purposes, Raidiam enables Global Administrators only to soft-delete Authorisation Domain Roles by disabling them.
You can disable an Authorisation Domain Role by selecting the Disable button
(access forbidden sign under Actions) or by using the Update Authorisation
Domain Role
and
setting the role's status to inactive.
Manage Authorisation Domain Roles Using APIs
Raidiam Connect allows organisations to integrate with the following APIs for Authorisation Domain Management:
For Metadata, you can integrate with the following APIs:
