Changes in Role Management based on Client IDs

Partner Management Services

In previous versions (1.1.5.x) of our system, we utilized the mosip-partner-client for Partner Management Services (PMS). However, starting from version 1.2.0.1 onwards, we have implemented the use of mosip-pms-client instead. This transition has led to updates in service account roles, client scopes, and client configurations.

Please find below the details of the changes made to service account roles and client scopes.

Service account roles for Partner-Management-Services

mosip-partner-client (1.1.5.x)

mosip-pms-client (1.2.0.1)

offline access

CREATE_SHARE

REGISTRATION_PROCESSOR

default_roles_mosip

uma_authorization

DEVICE_PROVIDER

PARTNER

PARTNER_ADMIN

PMS_ADMIN

PMS_USER

PUBLISH_APIKEY_APPROVED_GENERAL

PUBLISH_APIKEY_UPDATED _GENERAL

PUBLISH_CA_CERTIFICATE_UPLOADED_GENERAL

PUBLISH_MISP_LICENSE_GENERATED_GENERAL

PUBLISH_MISP_LICENSE_UPDATED_GENERAL

PUBLISH_OIDC_CLIENT_CREATED_GENERAL

PUBLISH_OIDC_CLIENT_UPDATED _GENERAL

PUBLISH_PARTNER _UPDATED _GENERAL

PUBLISH_POLICY_UPDATED _GENERAL

REGISTRATION_PROCESSOR

SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL

ZONAL_ADMIN

Client Scopes for Partner-Management-Services:

mosip-partner-client (1.1.5.x)

mosip-pms-client (1.2.0.1)

add_oidc_client

profile

roles

get_certificate

web-origins

profile

roles

send_binding_otp

update_oidc_client

uploaded_certificate

wallet_binding

web_origins

Admin-Services

In version 1.1.5.x, the mosip-admin-client was utilized for administrative services. We are also continuing to utilize the same client in version 1.2.0.1. While there have been modifications to the service account roles, the Client scopes have remained unchanged. Please find below the updated service account role adjustments. Additionally, it is worth noting that MOSIP Commons is also utilizing this client.

Service account roles for Admin-Services:

mosip-admin-client (1.1.5.x)

mosip-admin-client (1.2.0.1)

MASTERDATA_ADMIN

Default-roles-mosip

offline_access

ZONAL_ADMIN

uma_authorization

offline-access

PUBLISH_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL

PUBLISH_MASTERDATA_TITLES_GENERAL

PUBLISH_MOSIP_HOTLIST_GENERAL

uma_authorization

Client scopes are the same for mosip-admin-client in 1.2.0.1 & 1.1.5.1

email
profile
roles
web-origins

Pre-registration

In version 1.1.5.x, we utilized the 'mosip-prereg-client' for Pre-Registration. This client is also utilized in version 1.2.0.1. There have been modifications in the service account roles, while the client scopes have remained unchanged. Please find below the updated service account roles.

Service account roles for Pre-Registration:

mosip-prereg-client in 1.1.5.x

mosip-prereg-client in 1.2.0.1

INDIVIDUAL
offline_access
PRE_REGISTRATION_ADMIN
PREREG
REGISTRATION_PROCESSOR
uma_authorization

default_roles_mosip
PRE_REGISTRATION_ADMIN
PREREG
REGISTRATION_PROCESSOR

Note: Prior to proceeding with the upgrade, please ensure that the INDIVIDUAL role has been removed.

Client scopes are the same for mosip-prereg-client in 1.2.0.1 & 1.1.5.1

email
profile
roles
web-origins

ID Authentication

In the previous version 1.1.5.x, the mosip-ida-client module was responsible for handling ID authentication. However, starting from version 1.2.0.1, we have switched to using mpartner-default-auth for this purpose. This transition has brought about several changes, including modifications to service account roles, client scopes, and client configurations. Below is an overview of the changes in service account roles and client scopes.

Service account roles for id-authentication:

mosip-ida-client in (1.1.5.x)

mpartner-default-auth (1.2.0.1)

AUTH
AUTH_PARTNER
ID_AUTHENTICATION
offline_access
uma_authorization

CREDENTIAL_REQUEST
default_roles_mosip
ID_AUTHENTICATION
offline_access
PUBLISH_ANONYMOUS_PROFILE_GENERAL
PUBLISH_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL
PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL
PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL
PUBLISH_IDA_FRAUD_ANALYTICS_GENERAL
SUBSCRIBE_ACTIVATE_ID_INDIVIDUAL
SUBSCRIBE_APIKEY _APPROVED_GENERAL
SUBSCRIBE_APIKEY _UPDATED _GENERAL
SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL
SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_INDIVIDUAL
SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL
SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL
SUBSCRIBE_DEACTIVATE_ID_INDIVIDUAL
SUBSCRIBE_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL
SUBSCRIBE_MASTERDATA_TITLES_GENERAL
SUBSCRIBE_MISP_LICENSE_GENERATED_GENERAL
SUBSCRIBE_MISP_LICENSE_UPDATED_GENERAL
SUBSCRIBE_MOSIP_HOTLIST_GENERAL
SUBSCRIBE_OIDC_CLIENT_CREATED_GENERAL
SUBSCRIBE_OIDC_CLIENT_UPDATED_GENERAL
SUBSCRIBE_PARTNER_UPDATED_GENERAL
SUBSCRIBE_POLICY _UPDATED_GENERAL
SUBSCRIBE_REMOVE _ID_INDIVIDUAL
uma_authorization

Client Scopes for id-authentication:

mosip-ida-client (1.1.5.x)

mpartner-default-auth (1.2.0.1)

email
profile
roles
web-origins

add_oidc_client
email
profile
roles
update_oidc_client
web-origins

Digital-card-service

In the previous version, 1.1.5.x, we did not employ any clients for our digital card service. However, in the latest version, 1.2.0.1, we have implemented the use of the mpartner-default-digitalcard client. Please find below the service account roles and client scopes associated with the mpartner-default-digitalcard client.

Service account roles assigned to _mpartner-default-digitalcard_** in 1.2.0.1**

CREATE_SHARE
CREDENTIAL_REQUEST
default_roles_mosip
PRINT_PARTNER
PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL
SUBSCRIBE_ CREDENTIAL_ISSUED_INDIVIDUAL
SUBSCRIBE_IDENTITY_CREATED_GENERAL
SUBSCRIBE_IDENTITY_UPDATED _GENERAL

Client scopes assigned to _mpartner-default-digitalcard_** in 1.2.0.1**

email
profile
roles
web-origins

Print

In version 1.1.5.x, we do not employ any clients for printing. However, beginning from version 1.2.0.1, we utilize the mpartner-default-print client. Please find below the service account roles and client scopes associated with the mpartner-default-print client.

Service account roles assigned to _mpartner-default-print_** in 1.2.0.1**

CREATE_SHARE
default_roles_mosip
PUBLISH_CREDENTIAL_STATUS_UPDTAE_GENERAL
SUBSCRIBE_ CREDENTIAL_ISSUED_INDIVIDUAL

Client scopes assigned to _mpartner-default-print_** in 1.2.0.1**

email
profile
roles
web-origins

ID Repository

In version 1.1.5.x, we utilized the mosip-regproc-client for id-repository. Starting from version 1.2.0.1, we have transitioned to using mosip-idrepo-client. This switch has led to modifications in service account roles, client scopes, and client settings. Below are the details of the changes in service account roles and client scopes.

Client Scopes for id-repository:

mosip-regproc-client (1.1.5.x)

mosip-idrepo-client (1.2.0.1)

email
profile
roles
web-origins

email
profile
roles
web-origins

Service account roles for id-repository:

mosip-regproc-client (1.1.5.x)

mosip-idrepo-client (1.2.0.1)

ABIS_PARTNER
CENTRAL_ADMIN
CENTRAL_APPROVER
CREDENTIAL_INSURANCE
CREDETIAL_PARTNER
Default
DEVICE_PROVIDER
DIGITAL_CARD
FTM_PROVIDER
GLOBAL_ADMIN
INDIVIDUAL
KEY_MAKER
MASTERDATA_ADMIN
MISP
MISP_PARTNER
ONLINE_VERIFICATION_PARTNER
POLICYMANAGER
PRE_REGISTRATION
PRE_REGISTRATION_ADMIN
PREREG
REGISTRATION_ADMIN
REGISTRATION_OFFICER
REGISTRATION_OPERATOR
REGISTRATION_SUPERVISOR
ZONAL_ADMIN
ZONAL_APPROVER

default_roles_mosip

ID_REPOSITORY
offline_access
PUBLISH_ACTIVATE_ID_ALL_INDIVIDUAL
PUBLISH_AUTH_TYPE_STATUS_UPDATE_ALL_INDIVIDUAL
PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL
PUBLISH_DEACTIVATE_ID_ALL_INDIVIDUAL
PUBLISH_IDENTITY_CREATED_GENERAL
PUBLISH_IDENTITY_UPDATED _GENERAL
PUBLISH_REMOVE _ID_ALL_INDIVIDUAL
PUBLISH_VID_CRED_STATUS_UPDATE_GENERAL
SUBSCRIBE_VID_CRED_STATUS_UPDATE_GENERAL
uma_authorization

Resident Services

In version 1.1.5.x, we utilized the mosip-resident-client for Resident Services. This client is also employed in version 1.2.0.1. Although there were modifications in service account roles, the client scopes remain unchanged. Below the details of the alterations made in service account roles.

Service account roles for Resident-Services:

mosip-resident-client (1.1.5.x)

mosip-resident-client (1.2.0.1)

CREDENTIAL_ISSUANCE
CREDENTIAL_REQUEST
offline_access
RESIDENT
uma_authorization

CREDENTIAL_REQUEST
default_roles_mosip
offline_access
RESIDENT
SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL
SUBSCRIBE_AUTHENTICATION_TRANSACTION_STATUS_GENERAL
SUBSCRIBE_CREDENTIAL_STATUS_UPDATE_GENERAL
uma_authorization

Client Scopes for Resident-Services:

mosip-resident -client (1.1.5.x)

mosip- resident -client (1.2.0.1)

email
profile
roles
web-origins

email
ida_token
individual_id
profile
roles
web-origins

Compliance-Tool-Kit

In previous iterations (1.1.5.x) of our system, we did not employ any clients for the compliance toolkit. However, beginning with version 1.2.0.1, we have implemented the use of mosip_toolkit_client. The following information outlines the service account roles and client scopes associated with mosip_toolkit_client.

Service account roles assigned to _mosip_toolkit_client_** in 1.2.0.1**

default_roles_mosip

Client scopes assigned to _mosip_toolkit_client_** in 1.2.0.1**

email
profile
roles
web-origins

Last updated 1 year ago

Was this helpful?