-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Portal User Management for BPDM #565
Comments
Not sure, why we need "Sharing Member Admin". Just looking at the permissions, there seems to be no difference to "Sharing Member Input Manager". From a business point of view, no one from outside the Sharing Member company should have access to the Gate. The access by the Sharing Member is always through the EDC. So also from business point of view, we do not need Sharing Member Admin. |
Seems I have forgotten to add more permissions to that role. The Sharing Member Admin role is what specifically the Portal would need in order to access the Gate. Otherwise, the Portal would need to use several technical users for each company to access the Gate. I think since we know the role of the Portal to have full access to the Gate I added it here as well. I also added tables for the role permissions so we have a better overview. I kept the list above to illustrate how these permissions are actually expected to be written. |
Status Release Image of Seeding data Clients: Cl7-CX-BPDM:
Cl16-CX-BPDMGate:
Technical User Roles available inside the core:
|
I incorporated the As-Is information into the requirement description. I think the issue is now ready to be processed. |
Added a keycloak realm definition in order to further illustrate how the BPDM applications currently expect the Keycloak configuration to be. |
Added Orchestrator permissions and restructured comment to better align with Keycloak concepts |
@nicoprow what happened here - this is not the same requirement anymore as shared 2 weeks ago |
@jjeroch Since we are currently working on our own Keycloak configuration I saw the chance to rephrase the issue to be more aligned with a Keycloak configuration requirement to make it more expressive. For the clients BPDM and BPDMGate the requirements didn't change, I just think I expressed it better. In regards to the Orchestrator configuration that is something I actually added afterwards. I was not aware that these requirements had already been digested by you. If the Orchestrator makes problems I can also remove it. Or I can revert the Issue description to the previous version. It's not ideal for us, but it doesn't break anything really |
I fully agree that this feature should describe the BPDM KeyCloak configuration as required for a GoLive of the operating company with BPDM. Since the orchestrator is sadly and probably not used by the only operating company, we know of, it would be OK to not implement this in 24.05 portal. However, I would leave the orchestrator permissions in the description and just state our decision here. |
Orchestrator config is not needed to perform the E2E tests. I also revised the technical user requirements according to our sync. |
Since the feature is a 24.05 feature and the development phase for 24.08 is coming to an end, we need a status on the feature. Can you please update the status?
If you need any clarification, please get in touch, thank you very much. Stephan |
The feature was delivered with 24.05. |
The authorization concept of the golden record process services (BPDM) has evolved. This impacts the permissions of portal users as well as as the creation of technical users in the Portal.
Relevant concepts
The golden record process contains sharing members which need to share their data (input) to the golden record process and read the result of that process (output). The Pool is a central place that offers golden records that have been created from the shared business partner data. Golden records are distinguished between whether they belong to Catena-X members or not.
BPDM Permission Groups
We defined the following relevant permission groups in BPDM:
Permissions
Permissions as client resources
Permissions by permission group
Gate permissions:
Pool Permissions:
Mapping to Portal user roles for all companies (for all Catena-X members):
Technical Users:
The golden record service provider needs to be able to generate technical users for each permission group (1 - 8). The technical users for sharing member roles 1 - 4 should be associated with the sharing member's BPNL (So that resulting tokens will have the sharing member's BPNL for authorization purposes). Furthermore, there needs to be one technical user option per Pool and Orchestrator permission group.
Resulting technical users to be creatable in the Portal:
For BPDM service:
For VAS:
Companies which have booked the golden record service should not be able to create any technical users for BPDM. Any such feature to create technical users for companies that are not the golden record service provider should be removed.
Demo Configuration
BPDM is configurable to have arbitrary configurations when it comes to redirect URLs and clients. As long as the above requirements are implemented, BPDM can be configured to be compatible with any Portal environment.
Still, for the sake of defining a demo configuration, here is a proposal:
Clients:*
Cl7-CX-BPDM
Cl16-CX-BPDMGate
Cl7-CX-BPDM:
Valid Origin: https://business-partners.{env}.demo.catena-x.net/pool/*
Description: BPDM Pool
Cl16-CX-BPDMGate:
Valid Origin: https://business-partners{env}.demo.catena-x.net/companies/*
Description: BPDM Gate
Keycloak Example Configuration
This example configuration includes the roles, clients and client scopes that BPDM currently expects.
The actual client IDs are subject to change depending on the name they receive in the Portal Keycloak configuration.
CX-Central.json
The text was updated successfully, but these errors were encountered: