Users

Learn about types of Users you can add in Raidiam Connect. Understand Role-Based Access Control (RBAC) and see what permissions the users have.



Types of Users

In Raidiam, users are authenticated directory users with the ability to update and manage various functionalities within the directory.

These users can be registered by a global administrator or by another organisation user with the authority to do so, such as an organisation administrator.

After successful authentication, organisation users can access the directory UI to view and update data for the organizations they have permission to manage. What they can view and edit is subject to the ecosystem policy.

Raidiam Connect has four types of users:

  • Super Users
  • Data Administrators
  • Organisation Administrators
  • Domain Users

Super Users

Super Users, also known as Global Administrators, hold a unique position within Raidiam Connect, possessing comprehensive control over the entire platform. They are responsible for managing and maintaining the system, ensuring its optimal functioning and security.

With the ability to oversee all organizations and users, Global Administrators can make critical decisions and adjustments as needed. This level of authority is crucial for maintaining the stability and integrity of Raidiam Connect, fostering a trustworthy and efficient environment for all participants.

Data Administrators

The Data Administrator is a user role within Raidiam Connect, acting on behalf of the Trust Framework Administrator organisation. Their primary responsibility is managing the data within the ecosystem or federation, particularly handling the onboarding and ongoing management of organisations.

Although Data Administrators can manage data within the ecosystem, they do not have control over Reference Data, which is managed exclusively by Super Users. Data Administrators can be added to the platform by Super Users, either through the UI or via APIs.

Organisation Administrators

Organisation Administrators hold the highest level of authority within an organisation. They can create and update most of the organization's resources, add new administrators, and manage other types of domain users configured within the directory.

If the ecosystem utilizes Single Sign-On (SSO) with the directory, the OpenID client can verify, upon user consent in the OAuth flow, whether a user is an organization administrator and identify the organizations they administer. This information is registered under "OrgAccessDetails" with "OrgAdmin" set to true.

Domain Users

Domain Users, also known as Technical Users, are users with specific functions within the directory, usually a subset of the permissions granted to an organization administrator. Some domain users may not have direct functions in the directory but instead have access scopes for other platforms that leverage the directory's SSO functionality.

If the ecosystem employs SSO with the directory, the OpenID client can also verify the organizations for which a user is an Organization Domain User. This information is registered under "OrgAccessDetails/DomainRoleDetails", with the type of Organization Domain User listed under "ContactRole" and the platform specified under "System".

This configuration enables, for example, a Service Desk contact to be registered in the Directory and authorized on a Service Desk platform, even without access or permissions within the Directory itself.
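A relying-party check built on the claims described above for Organisation Administrators and Domain Users, as an added example that is not Raidiam's own code. Only the claim names come from this page; the nesting (an "OrgAccessDetails" object keyed by organisation id, with "DomainRoleDetails" as a list) and the sample ids, role and system names are assumptions.

```python
# Added example. Assumed claim shape (not Raidiam's documented schema):
#   "OrgAccessDetails": { <org id>: { "OrgAdmin": bool,
#       "DomainRoleDetails": [ {"ContactRole": str, "System": str}, ... ] } }
# The claims must come from an ID token or userinfo response whose signature,
# issuer, audience and expiry have already been validated by the client.

def org_access(claims, org_id, system, allowed_roles):
    """Return "admin", "domain_user" or None for one organisation (fails closed)."""
    details = claims.get("OrgAccessDetails") if isinstance(claims, dict) else None
    if not isinstance(details, dict):
        return None
    entry = details.get(org_id)
    if not isinstance(entry, dict):
        return None
    # Only the JSON boolean true counts; the string "true" or 1 must not
    # be treated as organisation administrator.
    if entry.get("OrgAdmin") is True:
        return "admin"
    roles = entry.get("DomainRoleDetails")
    if not isinstance(roles, list):
        return None
    for role in roles:
        if not isinstance(role, dict):
            continue
        contact_role = role.get("ContactRole")
        # The role must be scoped to *this* platform, not to another system.
        if (isinstance(contact_role, str) and contact_role in allowed_roles
                and role.get("System") == system):
            return "domain_user"
    return None


# Constructed sample claims; organisation ids, role and system names are made up.
SAMPLE_CLAIMS = {
    "sub": "user@example.org",
    "OrgAccessDetails": {
        "org-a": {"OrgAdmin": True, "DomainRoleDetails": []},
        "org-b": {"OrgAdmin": False, "DomainRoleDetails": [
            {"ContactRole": "SERVICE_DESK", "System": "ServiceDesk"}]},
        "org-c": {"OrgAdmin": "true", "DomainRoleDetails": [
            {"ContactRole": "SERVICE_DESK", "System": "Directory"}]},
    },
}

if __name__ == "__main__":
    for org in ("org-a", "org-b", "org-c", "org-d"):
        print(org, org_access(SAMPLE_CLAIMS, org, "ServiceDesk", {"SERVICE_DESK"}))
```

The function only reports the user's relationship to the organisation; whether an organisation administrator is also admitted to the external platform is a policy decision for that platform.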

User Permissions and Roles

Role-Based Access Control (RBAC) is an essential component of the ecosystem, ensuring that users have the appropriate level of access to perform their tasks while minimizing the risk of unauthorized access or data misuse.

By leveraging RBAC and the existence of Organisation Administrators and Domain Users, you can streamline the management of user permissions, maintain a higher level of security, and create a more organized and compliant system for data access and control.

All organization administrators receive an e-mail informing them of any change to roles and of any role assignment.

Each ecosystem or federation comes with built-in default Domain User roles, such as Primary Technical Contact (PTC) and Primary Business Contact (PBC), that enable access to the directory and more. Such users can register authorisation servers, publish APIs, request software statement assertions, and interact with the Connect platform in any other way.

Other roles are available depending on the Trust Framework configuration set by your Trust Framework Administrator. Their level of access on Connect depends heavily on the ecosystem policy. Some roles are created solely for Single Sign-On (SSO) purposes, where users stored within Connect authenticate with their Connect accounts while accessing other platforms available within the ecosystem.
