Keycloak 24.05. Image Release #102

Closed
jjeroch opened this issue Apr 18, 2024 · 0 comments
Labels
bug Something isn't working

Comments

jjeroch (Contributor) commented Apr 18, 2024

Summary

CentralIdP: CX-Central realm updates (init container image) based on latest test results.

Follow up to #66.

CX-Central realm updates

The following bugfixes need to be implemented in the new release:


Seeded service accounts

  1. BPN mapper and user attribute "bpn" were added to the following service accounts:
  • sa-cl1-reg-2
  • sa-cl2-01
  • sa-cl2-02
  • sa-cl2-03
  • sa-cl2-04
  • sa-cl2-05
  • sa-cl24-01
  • sa-cl7-cx-5
  • sa-cl8-cx-1

  2. Fix role assignment and BPN of sa-cl3-cx-1
  • remove composite roles "Identity Wallet Management" and "Dataspace Discovery"
  • change the bpn value in the user attribute to the CX-Operator BPN


Specific Changes on BPDM

  • Role "Company Admin" inside the client "Cl1-CX-Registration" needs to get the following permissions added:

    • read_partner_member of client Cl7-CX-BPDM ✅
    • read_changelog_member of client Cl7-CX-BPDM ✅
    • read_metadata of client Cl7-CX-BPDM ✅
    • read_partner of client Cl7-CX-BPDM ✅
  • Role "Company Admin" inside the client "Cl2-CX-Portal" needs to get the following permissions added:

    • read_partner_member of client Cl7-CX-BPDM ✅
    • read_changelog_member of client Cl7-CX-BPDM ✅
    • read_metadata of client Cl7-CX-BPDM ✅
  • Role "CX Admin" inside the client "Cl2-CX-Portal" needs to get the following permissions added:

    • all permissions of Cl7-CX-BPDM ✅
    • all permissions of Cl16-CX-BPDMGate ✅

New Role needed

"Business Partner Data Manager" inside the client "Cl2-CX-Portal", with the following permissions:

  • read_partner_member of client Cl7-CX-BPDM ✅
  • read_changelog_member of client Cl7-CX-BPDM ✅
  • read_metadata of client Cl7-CX-BPDM ✅
  • and all CX User permissions ✅

=> assign this new role inside the portal DB to all collections. Each company role can assign this role to their users. ✅

Add the role "BPDM Pool Sharing Consumer" inside the client technical_roles_management and assign the following permissions:

  • read_partner_member of client Cl7-CX-BPDM ✅
  • read_changelog_member of client Cl7-CX-BPDM ✅
  • read_metadata of client Cl7-CX-BPDM ✅
  • read_changelog of client Cl7-CX-BPDM ✅

=> assign this new role inside the portal DB to the collection CX Operator


The following technical user roles should be available for app/service providers (this is given by linking those roles to the respective collection/company role) in the portal DB.

  • BPDM Sharing Input Consumer
  • BPDM Sharing Output Consumer


done by eclipse-tractusx/portal-backend#707


Assign the role "BPDM Pool Consumer" of the client technical_user_management to all composite roles in the Portal client.

  • CX Admin ✅
  • Company Admin ✅
  • Business Admin ✅
  • IT Admin ✅
  • CX User ✅
  • Purchaser ✅
  • App Developer ✅
  • App Manager ✅
  • Sales Manager ✅
  • Service Manager ✅
  • Business Partner Data Manager ✅

Add Permission

Add new permission view_credential_requests to the client Cl24-CX-SSI-CredentialIssuer


Fix for Cl24-CX-SSI-CredentialIssuer and assignment to composite Portal roles

Those specific assignments:

CX Admin

  • add "view_use_case_participation" ✅
  • add "revoke_credentials_issuer" ✅
  • add "revoke_credential" ✅
  • add "view_certificates" ✅
  • add "view_credential_requests" ✅

Company Admin

  • add "view_use_case_participation" ✅
  • add "revoke_credential" ✅
  • add "view_certificates" ✅
  • add "view_credential_requests" ✅

IT Admin

  • add "view_use_case_participation" ✅
  • add "revoke_credential" ✅
  • add "view_certificates" ✅
  • add "view_credential_requests" ✅

Business Admin

  • add "view_use_case_participation" ✅
  • add "revoke_credential" ✅
  • add "view_certificates" ✅
  • add "view_credential_requests" ✅

Additionally, "view_credential_requests" => to be assigned to all Portal Client Roles

  • CX User ✅
  • Purchaser ✅
  • App Developer ✅
  • App Manager ✅
  • Sales Manager ✅
  • Service Manager ✅
  • Business Partner Data Manager ✅

BTW: "view_certificates" refers to credentials, not certificates; it's a poorly named role.


Re-add "request_ssicredential" role to client Cl2-CX-Portal (removed as part of #66) ✅


Create new "service_management" for client Cl2-CX-Portal


Clean-up of the App Manager role:

  • remove "add_user_account" ✅
  • add "view_connectors" ✅
  • add "view_app_subscription" ✅
  • add "view_service_subscriptions" ✅

Business Admin

  • add "view_client_roles" ✅
  • add "view_own_user_account" (?) ✅
  • add "update_own_user_account" ✅
  • remove "view_connectors" ✅
  • add "view_documents" ✅
  • add "view_membership" ✅
  • add "delete_notifications" ✅
  • add "request_ssicredential" (Client: portal) ✅

IT Admin

  • add "view_documents" ✅
  • add "request_ssicredential" (Client: portal) ✅

Service Manager

  • add "add_self_descriptions" ✅
  • add "delete_documents" ✅
  • add "service_management" ✅

App Developer

  • add "view_license_types" ✅
  • add "view_service_subscriptions" ✅

Sales Manager

  • add "view_app_subscription" ✅
  • add "app_management" ✅
  • add "view_service_subscriptions" ✅
  • add "service_management" ✅

CX Admin

  • add "service_management" ✅
  • add "request_ssicredential" (Client: portal) ✅

Purchaser

  • add "subscribe_service" ✅
  • add "view_service_subscriptions" ✅

CX User

  • add "view_service_subscriptions" ✅

Company Admin

  • add "request_ssicredential" (Client: portal) ✅
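The items above are all realm-configuration changes that ship inside the init-container's realm export: composite client roles gaining permissions from another client (e.g. "Company Admin" in Cl2-CX-Portal picking up read_* roles of Cl7-CX-BPDM), and service-account users gaining a "bpn" user attribute plus a protocol mapper that copies it into the token. Before tagging the image, a practitioner would want to check the export rather than click through the admin console. The script below is an added example and not portal-iam project code: it loads a constructed, trimmed realm-export fragment (same layout Keycloak's export produces, with the client IDs and role names taken from this issue and every BPN value, mapper name and the set of checked roles assumed for illustration) and reports which expected composites are missing and which service accounts lack the attribute or the mapper.

```python
"""Check a Keycloak realm export against the role/attribute changes listed in issue #102.

Added example, not portal-iam project code. REALM_EXPORT is a constructed fragment in
the shape of a Keycloak realm export; client IDs and role names come from the issue,
the BPN value, mapper name and which items are complete are assumptions.
"""
import json

# Constructed sample: one composite role still lacks read_metadata, and one of the
# two service accounts has neither the "bpn" attribute nor the mapper.
REALM_EXPORT = json.loads(r"""
{
  "realm": "CX-Central",
  "clients": [
    {"clientId": "Cl2-CX-Portal", "protocolMappers": []},
    {"clientId": "Cl7-CX-BPDM", "protocolMappers": []},
    {"clientId": "sa-cl2-01", "serviceAccountsEnabled": true,
     "protocolMappers": [
       {"name": "BPN", "protocolMapper": "oidc-usermodel-attribute-mapper",
        "config": {"user.attribute": "bpn", "claim.name": "bpn"}}]},
    {"clientId": "sa-cl2-02", "serviceAccountsEnabled": true, "protocolMappers": []}
  ],
  "roles": {"client": {
    "Cl7-CX-BPDM": [
      {"name": "read_partner_member", "composite": false},
      {"name": "read_changelog_member", "composite": false},
      {"name": "read_metadata", "composite": false}],
    "Cl2-CX-Portal": [
      {"name": "Company Admin", "composite": true,
       "composites": {"client": {"Cl7-CX-BPDM": ["read_partner_member",
                                                 "read_changelog_member"]}}},
      {"name": "Business Partner Data Manager", "composite": true,
       "composites": {"client": {"Cl7-CX-BPDM": ["read_partner_member",
                                                 "read_changelog_member",
                                                 "read_metadata"]}}}]}},
  "users": [
    {"username": "service-account-sa-cl2-01", "serviceAccountClientId": "sa-cl2-01",
     "attributes": {"bpn": ["BPNL0000000EXMPL"]}},
    {"username": "service-account-sa-cl2-02", "serviceAccountClientId": "sa-cl2-02",
     "attributes": {}}
  ]
}
""")

# Permissions the issue adds to the Cl2-CX-Portal composite roles checked below.
BPDM_MEMBER_READ = {
    "Cl7-CX-BPDM": {"read_partner_member", "read_changelog_member", "read_metadata"},
}


def composite_client_roles(realm, client_id, role_name):
    """Return {target_client: set(role_names)} that a composite client role expands to."""
    for role in realm["roles"]["client"].get(client_id, []):
        if role["name"] == role_name:
            client_composites = role.get("composites", {}).get("client", {})
            return {c: set(names) for c, names in client_composites.items()}
    raise KeyError(f"{client_id}/{role_name} not present in export")


def missing_composites(realm, client_id, role_name, expected):
    """List 'client/role' entries from `expected` that the composite does not yet contain."""
    have = composite_client_roles(realm, client_id, role_name)
    return sorted(f"{c}/{r}" for c, names in expected.items()
                  for r in names if r not in have.get(c, set()))


def service_account_bpn_status(realm, client_id):
    """Return (user_has_bpn_attribute, client_has_bpn_mapper) for one service account.

    Both are needed for a "bpn" claim in the client-credentials token: the user
    attribute supplies the value, the user-attribute mapper copies it into the JWT.
    """
    has_attr = any(bool(u.get("attributes", {}).get("bpn"))
                   for u in realm.get("users", [])
                   if u.get("serviceAccountClientId") == client_id)
    client = next((c for c in realm.get("clients", []) if c["clientId"] == client_id), {})
    has_mapper = any(m.get("protocolMapper") == "oidc-usermodel-attribute-mapper"
                     and m.get("config", {}).get("user.attribute") == "bpn"
                     for m in client.get("protocolMappers", []))
    return has_attr, has_mapper


def check_issue_102(realm):
    """Collect findings for the subset of issue items the sample export covers."""
    findings = {}
    for role in ("Company Admin", "Business Partner Data Manager"):
        findings[f"Cl2-CX-Portal/{role}"] = missing_composites(
            realm, "Cl2-CX-Portal", role, BPDM_MEMBER_READ)
    for sa in ("sa-cl2-01", "sa-cl2-02"):
        findings[sa] = service_account_bpn_status(realm, sa)
    return findings


if __name__ == "__main__":
    for item, result in check_issue_102(REALM_EXPORT).items():
        print(f"{item}: {result}")
```

Run it against the real export (`kc.sh export --realm CX-Central --file realm.json`, then load that file instead of the constructed fragment) and extend `check_issue_102` with the remaining role/permission pairs from the checklist; an empty missing list for every composite and `(True, True)` for every seeded service account is the release gate.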