Add Roles and Permissions
Add role-based access control (RBAC) for organisations and users within an ecosystem: define roles, and grant permissions to chosen participants by using role metadata. For more explanation on how to model an ecosystem/federation so that it fully reflects its needs and requirements, see the Modeling Ecosystems article.

Prerequisites

- Users with access to the platform.
- Domains available and configured within the platform. See Manage Authorisation Domains if there is not one available already.
- An access token (r/w) with the directory:website scope, if you want to create or manage authorisation domain roles and their metadata using Connect's APIs.

Create authorisation domain role

Authorisation domain roles can be created only for an already existing authorisation domain. A role cannot exist by itself; it needs to be associated with a domain.

1. Select Reference Data > Domains and Roles.
2. Using the dropdown button, expand the authorisation domain for which you want to add a role.
3. Select + Add Role.
4. Fill in all the required fields and save.

Field name: Description

- Authorisation domain name: Common name of the issuing domain.
- Authorisation domain role name: Name of the role.
- Authorisation domain role type: Type of the authorisation domain role. One of:
  - Federation: Defines how an organisation client application's software statement is presented to the broader ecosystem. Federation roles influence the interaction pattern between the client application and the ecosystem; they shape the client endpoint behaviour and its relations with authorisation servers.
  - Directory: Directory roles determine the manner in which an organisation's client applications communicate with Connect's APIs. Modifications to directory roles are applied across all client applications registered within a framework.
- Is this role exclusive?: Controls whether an organisation can have other roles assigned. If an organisation has an exclusive role assigned, it cannot have any other role assigned.
- Description: Description of the authorisation domain role.

Add authorisation domain role metadata

Field name: Description

- Authorisation domain role name: Enter the authorisation domain role name.
- Type: Type of the authorisation domain role metadata.
- Name: Name of the authorisation domain role metadata.

1. Select Reference Data > Authorisation Domains and Roles.
2. Using the dropdown button, expand the authorisation domain for which you want to configure a role by defining its metadata.
3. Select the role for which you wish to add metadata.
4. Select Authorisation Domain Roles Metadata in the left navigation tree.
5. Select New Authorisation Domain Role Metadata.
6. Fill in the fields.

Type: the type of the role metadata. One of:

- Claim: Specific pieces of information requested by the organisation's client applications to be included within the requested access and/or ID tokens, to convey information about the client, user, or authentication event. Example: name, family_name.
- Claim in verified claims: Specific and verified pieces of information requested by the organisation's client applications to be included within the requested access and/or ID tokens, to convey information about the client, user, or authentication event. Verified claims differ from regular claims by enabling strong assurance of a claim according to the OpenID Connect for Identity Assurance specification. For an example of what verified claims look like, see section 5 of the OIDC for Identity Assurance specification.
- Scope: OAuth access scopes are used by client applications to specify the access scopes the client requests from the authorisation server. For security purposes, it is considered a best practice to always limit the requested scopes to the absolutely necessary ones. If you are adding metadata to a role of the directory type and wish to enable client applications to access Connect's APIs, Raidiam's OAuth authorisation servers accept three values: directory:website, directory:software, and directory:admin. Within Connect, all client applications are by default assigned the directory:software scope to enable them to access the platform's APIs.
- Response type: Determines the response type the client application expects while making requests to the authorisation server's /authorization and /token endpoints. One of: code, code token, code id_token, id_token token, code id_token token. For more information about response types and their detailed descriptions, see section 5 of the OAuth 2.0 Multiple Response Type Encoding Practices specification.
- Grant type: Specifies the OAuth grant type (flow) the client application uses while requesting authorisation from the user or a token from the authorisation server. If you are adding metadata to a role of the directory type and wish to enable client applications to access Connect's APIs, Raidiam's OAuth authorisation servers accept two values: authorization_code or client_credentials. Within Connect, all client applications are by default assigned the client_credentials flow to enable them to access the platform's APIs.
- Is resource server: Specifies whether the client application represents a resource server or not. One of: true, false.
- Authorization details type: Enables client applications to specify their fine-grained authorization requirements while using OAuth 2.0 Rich Authorization Requests (RAR). Example: payments, accounts.

Name: defines the name/value of the field. Example: for grant type, authorization_code.

7. Save the new role metadata.

Delete authorisation domain role

For security purposes, Raidiam enables global administrators only to soft delete authorisation domain roles by disabling them. You can disable an authorisation domain role by selecting the Disable button (the access forbidden sign under Actions) or by using the Update Authorisation Domain Role API and setting the role's status to inactive.

Manage authorisation domain roles using APIs

Raidiam Connect allows organisations to integrate with the following APIs for authorisation domain role management:

- Create Authorisation Domain Role
- Get Authorisation Domain Role by Name
- Get All Authorisation Domain Roles
- Update Authorisation Domain Role

For metadata, you can integrate with the following APIs:

- Associate Metadata with Authorisation Domain Role
- Get All Metadata Associated with Authorisation Domain Role
- Get Metadata Associated with Authorisation Domain Role
- Update Authorisation Domain Role's Metadata

Next steps

Assign roles to organisations.
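As an added example that is not Raidiam Connect's own code or API, the following local model captures the rules this page describes for roles and their metadata (directory-role scope and grant-type restrictions, supported response types, the exclusive-role rule, and soft-deleted roles) so that a role configuration can be checked before it is created via the UI or the Create/Update Authorisation Domain Role APIs. The metadata type names and the colon-separated scope spelling are assumptions.

```python
# Added example (not Raidiam Connect's own code or API): a local model of authorisation
# domain roles and role metadata that enforces the rules described on this page.
# The metadata type names and the colon-separated scope spelling are assumptions.
from dataclasses import dataclass, field

# Values Raidiam's authorisation servers accept for directory-type roles
DIRECTORY_SCOPES = {"directory:website", "directory:software", "directory:admin"}
DIRECTORY_GRANT_TYPES = {"authorization_code", "client_credentials"}
# Response types from OAuth 2.0 Multiple Response Type Encoding Practices, section 5
RESPONSE_TYPES = {"code", "code token", "code id_token", "id_token token", "code id_token token"}
METADATA_TYPES = {"claim", "claim_in_verified_claims", "scope", "response_type",
                  "grant_type", "is_resource_server", "authorization_details_type"}

@dataclass
class Role:
    domain: str              # a role cannot exist without an authorisation domain
    name: str
    role_type: str           # "federation" or "directory"
    exclusive: bool = False  # "Is this role exclusive?"
    status: str = "active"   # soft delete sets this to "inactive"
    metadata: list = field(default_factory=list)  # (type, name/value) pairs

def validate_metadata(role, mtype, value):
    """Return an error string if (mtype, value) is not acceptable for role, else None."""
    if mtype not in METADATA_TYPES:
        return f"unknown metadata type {mtype!r}"
    if mtype == "response_type" and value not in RESPONSE_TYPES:
        return f"unsupported response type {value!r}"
    if role.role_type == "directory":  # directory roles only reach Connect's own APIs
        if mtype == "scope" and value not in DIRECTORY_SCOPES:
            return f"directory roles accept only {sorted(DIRECTORY_SCOPES)}"
        if mtype == "grant_type" and value not in DIRECTORY_GRANT_TYPES:
            return f"directory roles accept only {sorted(DIRECTORY_GRANT_TYPES)}"
    return None

def add_metadata(role, mtype, value):
    # Least privilege: anything outside the allowed set is rejected, not silently stored
    err = validate_metadata(role, mtype, value)
    if err:
        raise ValueError(err)
    role.metadata.append((mtype, value))

def assign_role(org_roles, org, role):
    """Assign role to org, refusing disabled roles and enforcing the exclusive-role rule."""
    if role.status != "active":
        raise ValueError(f"role {role.name!r} is disabled")
    current = org_roles.setdefault(org, [])
    if any(r.exclusive for r in current) or (role.exclusive and current):
        raise ValueError(f"exclusive-role conflict for organisation {org!r}")
    current.append(role)
```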