Roles and IAM

Overview

Identity and Access Management (IAM) refers to the process of identifying, authenticating, and authorizing the participants that interact with the data exchange hub.

Role-based access control is implemented at two levels:

  1. IAM for Client Gateways: Roles govern each Client Gateway’s access to and permissions within a given application, including the gateway’s ability to interact with the Message Broker, to read and write information within topics, and to authenticate messages so that both sender and recipients are known. IAM for Client Gateways is accomplished using a self-sovereign identity framework, in which each participating actor creates a unique decentralized identifier (DID) and uses it to enrol its gateway instance in one or more roles.

  2. IAM for Users: Each participating actor governs internal access to its own Client Gateway by configuring two user types: Admin Users, who have access to the full suite of features including channel management, API management, and messaging, and Messaging Users, who can only send, view, and acknowledge messages in the Client Gateway UI. IAM for Users is accomplished with a conventional username/password framework.


User Guide

Pre-requisites

  • You are logged into Switchboard

  • An organization has been created

  • An application has been created

Create a Role

  1. In the Application Management page, click the action button next to the application to which you want to add a new role

Create role
  2. Fill in the mandatory (and any optional) fields in the Create Role pop-up form. The form is split into the following steps; issuers are the identities allowed to approve enrolment requests for the role, revokers are the identities allowed to revoke a claim once it has been issued, and the validity period limits how long an issued role claim stays valid

Step 1: New role
Step 2: Set role issuers
Step 3: Set role revokers
Step 4: Set restrictions
Step 5: Set validity period
Step 6: Set requestor fields
Step 7: Set issuer fields
Step 8: Confirm Details

Modify a Role

  1. In the Role Governance page, click the action button next to the role that you want to edit

Edit role
  2. Update the role details as needed; every field except the role name can be changed

Update role

Request a Role

  1. Once the role has been set up, use the Copy Role Enrolment URL action and share the URL with the user who wishes to enrol

  2. The user is prompted to sign in using their wallet

  3. The user fills in the form and submits it. The system then sends the enrolment request to the issuer(s) specified for the role

Enrolment form

Approve/Reject a Role Request

  1. Sign in to Switchboard as an issuer who can approve the requested role

  2. Check the Task Manager in the top navigation for a notification

Task Manager list
  3. The Enrolment Requests screen lists the request from the new user

Enrolment Requests
  4. The View Request pop-up, under the three vertical dots button, shows the requestor's DID, the requested role, and the fields submitted in the enrolment form. Approving the request issues a verified claim that the requestor can add to their DID document and thereby access your application in that role, so confirm that the requestor's DID belongs to the party you expect before approving. Alternatively, you may choose to reject the request

“View Request” pop-up

Revoke a Role

An approved role can be revoked both on-chain and off-chain, by an identity configured as a revoker for that role. The option is available in the Enrolment Requests tab: click "View Request" under the three vertical dots button to review the enrolment before revoking it.

Revoke a role

Sync Roles to Your DID

Once a role is approved, add the newly issued claim to your DID document so that you hold the credential needed to access the application in that role; until it is published, the claim is not part of your DID document and cannot be presented. In the My Enrolments tab, use the “Publish” option under the three vertical dots button or under Issuance Status to do this.

Publish credential to DID document
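The whole lifecycle described above (create a role with issuers, revokers and a validity period; request enrolment; an issuer approves and issues a claim; the requestor publishes it to their DID document; a revoker revokes it) and the check a verifier makes before granting access in a role, as an added Python model. This is illustrative code, not Switchboard's or DDHub's implementation: the claim layout, the HMAC-with-issuer-secret stand-in for the issuer's real signature, the DIDs and role namespace, and the in-memory DID documents and revocation set are all assumptions.

```python
"""Toy model of role governance: issuance, publication, revocation, verification.

Added example. Claim format, HMAC stand-in for issuer signatures, and the
in-memory registries are assumptions, not the Switchboard/DDHub design.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str               # role namespace (constructed example below)
    issuers: frozenset      # DIDs allowed to approve enrolment requests (Step 2)
    revokers: frozenset     # DIDs allowed to revoke issued claims (Step 3)
    validity_seconds: int   # validity period of an issued claim (Step 5)


class RoleGovernance:
    def __init__(self):
        self.roles = {}          # role name -> Role
        self.issuer_keys = {}    # issuer DID -> secret (stand-in for a public key)
        self.did_documents = {}  # subject DID -> list of published claims
        self.revoked = set()     # ids of revoked claims
        self.pending = []        # enrolment requests awaiting an issuer

    def create_role(self, role, issuer_keys):
        self.roles[role.name] = role
        self.issuer_keys.update(issuer_keys)

    @staticmethod
    def _payload(claim):
        # canonical bytes of every field except the signature itself
        return json.dumps({k: v for k, v in claim.items() if k != "sig"},
                          sort_keys=True).encode()

    def _sign(self, issuer, claim):
        return hmac.new(self.issuer_keys[issuer], self._payload(claim),
                        hashlib.sha256).hexdigest()

    # Request a Role: the requestor submits the enrolment form
    def request_role(self, requestor, role_name, fields):
        if role_name not in self.roles:
            raise KeyError(f"unknown role {role_name}")
        req = {"requestor": requestor, "role": role_name, "fields": dict(fields)}
        self.pending.append(req)
        return req

    # Approve a Role Request: only a configured issuer with a known key may issue
    def approve(self, issuer, request, now):
        role = self.roles[request["role"]]
        if issuer not in role.issuers or issuer not in self.issuer_keys:
            raise PermissionError(f"{issuer} is not an issuer for {role.name}")
        claim = {
            "id": f"{request['requestor']}|{role.name}|{now}",
            "iss": issuer, "sub": request["requestor"], "role": role.name,
            "iat": now, "exp": now + role.validity_seconds,
            "fields": request["fields"],
        }
        claim["sig"] = self._sign(issuer, claim)
        self.pending.remove(request)
        return claim

    # Sync Roles to Your DID: an unpublished claim cannot be presented
    def publish(self, claim):
        self.did_documents.setdefault(claim["sub"], []).append(claim)

    # Revoke a Role: only a configured revoker may revoke
    def revoke(self, revoker, claim):
        role = self.roles[claim["role"]]
        if revoker not in role.revokers:
            raise PermissionError(f"{revoker} is not a revoker for {role.name}")
        self.revoked.add(claim["id"])

    # The verifier's check, e.g. before granting broker or topic access
    def has_role(self, did, role_name, now):
        role = self.roles.get(role_name)
        if role is None:
            return False
        for claim in self.did_documents.get(did, []):
            if claim.get("sub") != did or claim.get("role") != role_name:
                continue
            issuer = claim.get("iss")
            if issuer not in role.issuers or issuer not in self.issuer_keys:
                continue  # issued by an identity not trusted for this role
            if not hmac.compare_digest(self._sign(issuer, claim), claim.get("sig", "")):
                continue  # forged or tampered claim
            if claim["id"] in self.revoked or not claim["iat"] <= now < claim["exp"]:
                continue  # revoked, or outside the validity period
            return True
        return False


def demo(now=1_700_000_000):
    """Constructed walk-through; returns the outcome of each access check."""
    gov = RoleGovernance()
    issuer, revoker, gateway, stranger = ("did:ethr:0xIssuer", "did:ethr:0xRevoker",
                                          "did:ethr:0xGateway", "did:ethr:0xStranger")
    role = Role("operator.roles.app.apps.org.iam.ewc", frozenset({issuer}),
                frozenset({revoker}), validity_seconds=3600)
    gov.create_role(role, {issuer: b"issuer-secret", stranger: b"stranger-secret"})
    req = gov.request_role(gateway, role.name, {"company": "Example Co"})
    out = {}
    try:
        gov.approve(stranger, req, now)
        out["stranger_can_issue"] = True
    except PermissionError:
        out["stranger_can_issue"] = False  # known key, but not an issuer of the role
    claim = gov.approve(issuer, req, now)
    out["before_publish"] = gov.has_role(gateway, role.name, now)
    gov.publish(claim)
    out["after_publish"] = gov.has_role(gateway, role.name, now)
    out["after_expiry"] = gov.has_role(gateway, role.name, now + 3600)
    try:
        gov.revoke(issuer, claim)
        out["issuer_can_revoke"] = True
    except PermissionError:
        out["issuer_can_revoke"] = False  # issuing and revoking are separate rights
    gov.revoke(revoker, claim)
    out["after_revoke"] = gov.has_role(gateway, role.name, now)
    return out
```

Each `continue` branch in `has_role` corresponds to one of the controls configured in the Create Role form: the issuer list, the signature over the claim, the revoker list via the revocation set, and the validity period. Separating issuer and revoker rights, as the form does, is what lets a role be revoked by an identity that was never allowed to grant it.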
