Identity Management¶
Idea¶
The Identity Management Service manages tenants, users and groups within MindSphere. It enables customers to access the User Accounts and Authentication (UAA) service used within MindSphere for identity management and authorization.
Access¶
To access this service, you need the roles listed in Identity Management roles and scopes.
Basics¶
Tenants¶
A tenant is an organization-specific logical environment for your data. A tenant typically represents a legal entity, such as a company or corporation. MindSphere is a multi-tenant architecture.
A tenant comprises up to two zones for identity management and access control:
- User zone: Every tenant has a user zone. It enables users of the tenant to log in and use the applications the company has subscribed to. Tenant administrators manage the users in the user zone and assign roles there to give users access to subscribed applications.
- Provider zone: The provider zone is an additional environment required for developing and operating web applications and APIs. Every DevOps plan tenant has a provider zone, which stores all access management information required for development or operations (e.g., roles, permissions, applications, technical users).
As tenant names are global resources, they must be unique across all tenants.
Each user tenant needs to define at least one administrator for managing the users and roles of this tenant.
Users and Groups¶
Every tenant has its own users, and the roles available to it depend on the applications it is subscribed to. A role is a grouping of the permissions required to access an application. By modeling roles as SCIM groups, user and role management in MindSphere follows the SCIM standard (System for Cross-domain Identity Management).
Currently, within the user zone, SCIM groups are only used to represent roles.
In addition, SCIM groups may represent user groups (for managing sets of users), data groups (for managing end customer access to data, assets, etc.) and permissions (for managing more fine-grained access to resources; only within the provider zone of a tenant).
Roles and Scopes¶
The following information is relevant for tenants with a provider zone only.
If you expose an API for your web application, scopes define the application-specific permissions. Scope names typically reflect these permissions in a syntax like:
{apiName}.{permission/action}
The following list shows examples for the CRUD permissions of an IoT service:
- iot.c (permission to create objects in IoT)
- iot.r (permission to read objects in IoT)
- iot.u (permission to update objects in IoT)
- iot.d (permission to delete objects in IoT)
Scopes are mapped to a specific role. A role name has the following syntax:
mdsp:{tenantName}:{application/apiName}.{roleName/action}
Thus, all scopes above could be mapped to a role called
mdsp:core:iot.admin
Application-specific roles and scopes are defined in provider tenants and can be managed within the developer cockpit application. See also HowTo Cloud Foundry application.
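The naming rules above, together with the SCIM-group model from the Users and Groups section, can be checked mechanically. The following is an added example, not code from this page or from MindSphere: it validates scope and role names against the two syntaxes given above and then computes a user's effective scopes from the SCIM role groups they are members of, denying anything it cannot account for. The role-to-scope mapping, the tenant name `brewery`, the user IDs and the group data are constructed for the example. Built-in roles such as mdsp:core:StandardUser have no `.{action}` part, so the role pattern treats that part as optional (an assumption made here).

```python
import re

# Name syntaxes as given on the page (hypothetical tenant/user data below):
#   scope: {apiName}.{permission/action}           e.g. iot.r
#   role:  mdsp:{tenantName}:{apiName}.{roleName}  e.g. mdsp:core:iot.admin
# Built-in roles like mdsp:core:StandardUser carry no ".{action}" part, so that
# part is optional here (an assumption made for this example).
SEG = r"[A-Za-z0-9_-]+"
SCOPE_RE = re.compile(rf"^(?P<api>{SEG})\.(?P<action>{SEG})$")
ROLE_RE = re.compile(rf"^mdsp:(?P<tenant>{SEG}):(?P<name>{SEG})(?:\.(?P<action>{SEG}))?$")


def is_valid_scope(scope):
    return SCOPE_RE.match(scope) is not None


def parse_scope(scope):
    """Split 'iot.r' into ('iot', 'r'); reject anything else."""
    m = SCOPE_RE.match(scope)
    if not m:
        raise ValueError(f"malformed scope: {scope!r}")
    return m.group("api"), m.group("action")


def parse_role(role):
    """Split 'mdsp:core:iot.admin' into ('core', 'iot', 'admin');
    'mdsp:core:StandardUser' yields ('core', 'StandardUser', None)."""
    m = ROLE_RE.match(role)
    if not m:
        raise ValueError(f"malformed role: {role!r}")
    return m.group("tenant"), m.group("name"), m.group("action")


# Constructed role -> scope mapping: the page says the four IoT scopes "could be
# mapped to" mdsp:core:iot.admin; the viewer role is invented for contrast.
ROLE_SCOPES = {
    "mdsp:core:iot.admin": {"iot.c", "iot.r", "iot.u", "iot.d"},
    "mdsp:brewery:iot.viewer": {"iot.r"},
}

# Constructed SCIM groups: displayName is the role name, members hold user IDs.
SCIM_GROUPS = [
    {"displayName": "mdsp:core:iot.admin", "members": [{"value": "u-alice"}]},
    {"displayName": "mdsp:brewery:iot.viewer", "members": [{"value": "u-bob"}]},
    # A role belonging to some other tenant must not grant anything in this one.
    {"displayName": "mdsp:other:iot.admin", "members": [{"value": "u-bob"}]},
]

ALLOWED_TENANTS = frozenset({"core", "brewery"})


def effective_scopes(user_id, groups, role_scopes, allowed_tenants):
    """Union of the scopes of every role group the user belongs to.
    Malformed role names, roles of a foreign tenant and roles without a known
    scope mapping grant nothing (deny by default)."""
    scopes = set()
    for group in groups:
        role = group["displayName"]
        try:
            tenant, _, _ = parse_role(role)
        except ValueError:
            continue
        if tenant not in allowed_tenants:
            continue
        members = {m.get("value") for m in group.get("members", [])}
        if user_id in members:
            scopes |= role_scopes.get(role, set())
    return scopes


def is_allowed(user_id, required_scope, groups=SCIM_GROUPS,
               role_scopes=ROLE_SCOPES, allowed_tenants=ALLOWED_TENANTS):
    parse_scope(required_scope)  # reject malformed input before any lookup
    return required_scope in effective_scopes(user_id, groups, role_scopes, allowed_tenants)


def token_has_scope(scope_claim, required_scope):
    """Same check against the space-separated 'scope' claim of an access token
    (RFC 6749 section 3.3), as an API would do on each request."""
    parse_scope(required_scope)
    return required_scope in scope_claim.split()


if __name__ == "__main__":
    for user, scope in [("u-alice", "iot.d"), ("u-bob", "iot.r"), ("u-bob", "iot.d")]:
        print(f"{user} {scope}: {is_allowed(user, scope)}")
```

The two places where a request is refused without a lookup matter in practice: a malformed required scope is an error in the caller, not a reason to fall through to "no scope matched", and a role group whose tenant segment is not one you expect should be ignored rather than trusted because its name happens to look right.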
OAuth Client¶
The following information is relevant for tenants with a provider zone only.
An OAuth client (also called a technical user) allows your application to acquire a token to access protected resources without human user interaction. This is necessary for regular background activities (batch jobs) within your application, or if your application is not hosted behind the MindSphere Gateway and therefore does not receive interactive user tokens in request headers. OAuth clients are defined within the provider zone of your tenant and comprise a client ID and client secret, which allow the application to obtain a token using the client credentials grant (RFC 6749).
Note
The user ID used by the Identity Management API is not the same as the user_id claim in a decoded token. To look up a specific user, filter by the user's email address instead.
OAuth clients for your provider tenant can be acquired as described in the HowTo self-hosted application.
The client secret should be updated before it expires; refer to Client Secret Rotation.
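The client credentials exchange described above, as an added example that is not part of this page or of MindSphere's own libraries: it builds the RFC 6749 token request (grant_type=client_credentials, with the client authenticated by HTTP Basic as in section 2.3.1 of the RFC), validates the token response and caches the token until shortly before `expires_in` runs out, which is what a batch job needs. The token URL, client ID and secret are placeholders, and the token endpoint is a constructed stub so the code runs offline; against the real endpoint the request would be sent with urllib.request.urlopen and the JSON body parsed.

```python
import base64
import time
from urllib.parse import quote, urlencode
from urllib.request import Request

# Placeholder values; the real token endpoint, client ID and secret come from
# the provider zone of your tenant.
TOKEN_URL = "https://example.invalid/oauth/token"


def basic_auth_header(client_id, client_secret):
    """RFC 6749 section 2.3.1: form-urlencode both values, then HTTP Basic."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode()).decode()


def build_client_credentials_request(token_url, client_id, client_secret, scope=None):
    """RFC 6749 section 4.4 request: POST, grant_type=client_credentials.
    The secret travels only in the Authorization header, never in the URL."""
    params = {"grant_type": "client_credentials"}
    if scope:
        params["scope"] = scope  # space-separated scope names
    req = Request(token_url, data=urlencode(params).encode(), method="POST")
    req.add_header("Authorization", basic_auth_header(client_id, client_secret))
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def accept_token_response(resp, now):
    """Validate a section 5.1 success response; fail loudly on a section 5.2 error."""
    if "error" in resp:
        raise RuntimeError(f"token request failed: {resp['error']}")
    if resp.get("token_type", "").lower() != "bearer":
        raise ValueError(f"unexpected token_type {resp.get('token_type')!r}")
    return resp["access_token"], now + int(resp["expires_in"])


class TokenCache:
    """Reuses the access token and refreshes it `skew` seconds before expiry,
    so a background job never sends a token that expires in flight."""

    def __init__(self, fetch, skew=60):
        self._fetch = fetch  # callable: performs the request, returns the parsed JSON
        self._skew = skew
        self._token = None
        self._expires_at = 0.0

    def get(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires_at - self._skew:
            self._token, self._expires_at = accept_token_response(self._fetch(), now)
        return self._token


class StubTokenEndpoint:
    """Constructed stand-in for the token endpoint so the example runs offline:
    checks client authentication and grant type, issues a fresh token each time."""

    def __init__(self, client_id, client_secret, lifetime=600):
        self.expected = basic_auth_header(client_id, client_secret)
        self.lifetime = lifetime
        self.issued = 0

    def handle(self, req):
        if req.get_header("Authorization") != self.expected:
            return {"error": "invalid_client"}
        if b"grant_type=client_credentials" not in req.data:
            return {"error": "unsupported_grant_type"}
        self.issued += 1
        return {"access_token": f"token-{self.issued}", "token_type": "Bearer",
                "expires_in": self.lifetime}


if __name__ == "__main__":
    endpoint = StubTokenEndpoint("my-client", "s3cret")
    cache = TokenCache(lambda: endpoint.handle(
        build_client_credentials_request(TOKEN_URL, "my-client", "s3cret", scope="iot.r")))
    # With the real endpoint: json.load(urlopen(req)) instead of endpoint.handle(req).
    print(cache.get(now=0.0), cache.get(now=500.0), cache.get(now=545.0))
```

The cache holds only the token and its expiry, not the secret: when the client secret is rotated, the fetch callable is rebuilt with the new secret and the next refresh uses it, so no long-running job has to be restarted to pick up the rotation.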
Features¶
The Identity Management Service exposes an API for the following tasks:
- List all users of a tenant
- Create, get, update, delete users of a tenant
- Get all roles assigned to the own user
- List all SCIM groups of the user zone of a tenant
- Create, get, update, delete SCIM groups of the user zone of a tenant
- List, add, remove members of a SCIM group of the user zone of a tenant
Example Scenario¶
The administrator of a brewery wants to prepare the tenant for the new developers of their web application.
Use the Identity Management Service to populate the tenant with new users and assign them the roles required for development (e.g., mdsp:core:StandardUser, mdsp:core:Developer).
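The scenario above, as an added example that is neither this page's code nor MindSphere's SDK: it drives a small SCIM 2.0-style client through the steps the Features list describes (look up users by e-mail filter, as the Note in the OAuth Client section advises; create the users that do not exist yet; add them as members of the role groups). The resource shapes follow RFC 7643/7644 (the `urn:ietf:params:scim:schemas:core:2.0:User` schema, a PatchOp with an `add` on `members`); the exact attributes and filters the Identity Management API expects, the group IDs and the developer data are assumptions, and the API is an in-memory stub so the code runs offline. The filter builder escapes the quoted value, which matters because the e-mail address used for the lookup is user-supplied input.

```python
import re

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def scim_filter(attribute, value):
    """Equality filter as in RFC 7644 section 3.4.2.2. The value is escaped so
    an address such as x" or userName eq "admin cannot change the filter."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{attribute} eq "{escaped}"'


FILTER_RE = re.compile(r'^(\S+) eq "((?:[^"\\]|\\.)*)"$')


def parse_eq_filter(flt):
    """Inverse of scim_filter, used by the stub below (and handy for tests)."""
    m = FILTER_RE.match(flt)
    if not m:
        raise ValueError(f"unsupported filter: {flt!r}")
    attribute, raw = m.groups()
    return attribute, re.sub(r"\\(.)", r"\1", raw)


def create_user_payload(email, given_name, family_name):
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": email,
        "name": {"givenName": given_name, "familyName": family_name},
        "emails": [{"value": email, "primary": True}],
        "active": True,
    }


def add_members_patch(user_ids):
    return {
        "schemas": [SCIM_PATCH_SCHEMA],
        "Operations": [{"op": "add", "path": "members",
                        "value": [{"value": uid} for uid in user_ids]}],
    }


class InMemoryScim:
    """Constructed stand-in for the Identity Management API (offline only).
    Group IDs and user IDs are made up; membership adds are idempotent."""

    def __init__(self, role_names):
        self.users = {}
        self.groups = {name: {"id": f"g-{i + 1}", "displayName": name, "members": []}
                       for i, name in enumerate(role_names)}

    def find_users(self, flt):
        attribute, value = parse_eq_filter(flt)
        if attribute == "emails.value":
            return [u for u in self.users.values() if any(e["value"] == value for e in u["emails"])]
        if attribute == "userName":
            return [u for u in self.users.values() if u["userName"] == value]
        raise ValueError(f"unsupported filter attribute {attribute!r}")

    def create_user(self, payload):
        uid = f"u-{len(self.users) + 1}"
        self.users[uid] = {"id": uid, **payload}
        return self.users[uid]

    def find_group(self, flt):
        attribute, value = parse_eq_filter(flt)
        if attribute != "displayName":
            raise ValueError(f"unsupported filter attribute {attribute!r}")
        group = self.groups.get(value)
        return group["id"] if group else None

    def patch_group(self, group_id, patch):
        group = next(g for g in self.groups.values() if g["id"] == group_id)
        for op in patch["Operations"]:
            if op["op"] == "add" and op["path"] == "members":
                present = {m["value"] for m in group["members"]}
                group["members"] += [m for m in op["value"] if m["value"] not in present]


def provision_developers(client, developers, roles):
    """Create (or reuse) one user per developer and add all of them to every
    role group. Returns the user IDs. Unknown roles abort before any change."""
    group_ids = {}
    for role in roles:
        group_id = client.find_group(scim_filter("displayName", role))
        if group_id is None:
            raise LookupError(f"role group {role!r} not found in this tenant")
        group_ids[role] = group_id
    user_ids = []
    for email, given_name, family_name in developers:
        found = client.find_users(scim_filter("emails.value", email))
        user = found[0] if found else client.create_user(create_user_payload(email, given_name, family_name))
        user_ids.append(user["id"])
    for group_id in group_ids.values():
        client.patch_group(group_id, add_members_patch(user_ids))
    return user_ids


if __name__ == "__main__":
    api = InMemoryScim(["mdsp:core:StandardUser", "mdsp:core:Developer"])
    devs = [("ann@brewery.example", "Ann", "Ale"), ("bo@brewery.example", "Bo", "Brew")]
    print(provision_developers(api, devs, ["mdsp:core:StandardUser", "mdsp:core:Developer"]))
```

Resolving every role group before touching any user keeps a typo in a role name from leaving half-provisioned accounts behind, and looking users up by e-mail first makes a re-run of the script safe rather than a source of duplicate accounts.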
Except where otherwise noted, content on this site is licensed under the Development License Agreement.