# Changes in Role Management based on Client IDs

## Partner Management Services

In previous versions (1.1.5.x) of our system, we utilized the `mosip-partner-client` for Partner Management Services (PMS). However, starting from version 1.2.0.1 onwards, we have implemented the use of `mosip-pms-client` instead. This transition has led to updates in service account roles, client scopes, and client configurations.

Please find below the details of the changes made to service account roles and client scopes.

#### **Service account roles for Partner-Management-Services**

<table><thead><tr><th width="273">mosip-partner-client (1.1.5.x)</th><th>mosip-pms-client (1.2.0.1)</th></tr></thead><tbody><tr><td>offline_access</td><td>CREATE_SHARE</td></tr><tr><td>REGISTRATION_PROCESSOR</td><td>default_roles_mosip</td></tr><tr><td>uma_authorization</td><td>DEVICE_PROVIDER</td></tr><tr><td></td><td>PARTNER</td></tr><tr><td></td><td>PARTNER_ADMIN</td></tr><tr><td></td><td>PMS_ADMIN</td></tr><tr><td></td><td>PMS_USER</td></tr><tr><td></td><td>PUBLISH_APIKEY_APPROVED_GENERAL</td></tr><tr><td></td><td>PUBLISH_APIKEY_UPDATED_GENERAL</td></tr><tr><td></td><td>PUBLISH_CA_CERTIFICATE_UPLOADED_GENERAL</td></tr><tr><td></td><td>PUBLISH_MISP_LICENSE_GENERATED_GENERAL</td></tr><tr><td></td><td>PUBLISH_MISP_LICENSE_UPDATED_GENERAL</td></tr><tr><td></td><td>PUBLISH_OIDC_CLIENT_CREATED_GENERAL</td></tr><tr><td></td><td>PUBLISH_OIDC_CLIENT_UPDATED_GENERAL</td></tr><tr><td></td><td>PUBLISH_PARTNER_UPDATED_GENERAL</td></tr><tr><td></td><td>PUBLISH_POLICY_UPDATED_GENERAL</td></tr><tr><td></td><td>REGISTRATION_PROCESSOR</td></tr><tr><td></td><td>SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL</td></tr><tr><td></td><td>ZONAL_ADMIN</td></tr></tbody></table>

#### **Client Scopes for Partner-Management-Services:**

| mosip-partner-client (1.1.5.x) | mosip-pms-client (1.2.0.1) |
| ------------------------------ | -------------------------- |
| email                          | add\_oidc\_client          |
| profile                        | email                      |
| roles                          | get\_certificate           |
| web-origins                    | profile                    |
|                                | roles                      |
|                                | send\_binding\_otp         |
|                                | update\_oidc\_client       |
|                                | uploaded\_certificate      |
|                                | wallet\_binding            |
|                                | web\_origins               |

### **Admin-Services**

In version 1.1.5.x, the `mosip-admin-client` was utilized for administrative services. We are also continuing to utilize the same client in version 1.2.0.1. While there have been modifications to the service account roles, the Client scopes have remained unchanged. Please find below the updated service account role adjustments. Additionally, it is worth noting that **MOSIP Commons** is also utilizing this client.

**Service account roles for Admin-Services:**

<table><thead><tr><th width="255">mosip-admin-client (1.1.5.x)</th><th>mosip-admin-client (1.2.0.1)</th></tr></thead><tbody><tr><td>MASTERDATA_ADMIN</td><td>Default-roles-mosip</td></tr><tr><td>offline_access</td><td>ZONAL_ADMIN</td></tr><tr><td>uma_authorization</td><td>offline-access</td></tr><tr><td></td><td>PUBLISH_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL</td></tr><tr><td></td><td>PUBLISH_MASTERDATA_TITLES_GENERAL</td></tr><tr><td></td><td>PUBLISH_MOSIP_HOTLIST_GENERAL</td></tr><tr><td></td><td>uma_authorization</td></tr></tbody></table>

**Client scopes are the same for mosip-admin-client in 1.2.0.1 & 1.1.5.1**

* email
* profile
* roles
* web-origins

### **Pre-registration**

In version 1.1.5.x, we utilized the `mosip-prereg-client` for Pre-Registration. This client is also utilized in version 1.2.0.1. There have been modifications in the service account roles, while the client scopes have remained unchanged. Please find below the updated service account roles.

**Service account roles for Pre-Registration:**

| mosip-prereg-client in 1.1.5.x                                                                                                                                  | mosip-prereg-client in 1.2.0.1                                                                                          |
| --------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- |
| <ul><li>INDIVIDUAL</li><li>offline\_access</li><li>PRE\_REGISTRATION\_ADMIN</li><li>PREREG</li><li>REGISTRATION\_PROCESSOR</li><li>uma\_authorization</li></ul> | <ul><li>default\_roles\_mosip</li><li>PRE\_REGISTRATION\_ADMIN</li><li>PREREG</li><li>REGISTRATION\_PROCESSOR</li></ul> |

**Note**: Prior to proceeding with the upgrade, please ensure that the `INDIVIDUAL` role has been removed.

**Client scopes are the same for mosip-prereg-client in 1.2.0.1 & 1.1.5.1**

* email
* profile
* roles
* web-origins
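The role tables and the `INDIVIDUAL` note above can be turned into a pre-upgrade check. The following is an added example, not MOSIP's own tooling: it compares a client's current service account roles against the 1.2.0.1 lists from this page and reports upgrade blockers, roles outside the new list, and roles still missing. The function names and the input shape (a JSON list of objects with a `name` field) are assumptions.

```python
import json

# Target service account roles for 1.2.0.1, copied from the tables on this page.
TARGET_ROLES = {
    "mosip-prereg-client": {
        "default_roles_mosip", "PRE_REGISTRATION_ADMIN", "PREREG",
        "REGISTRATION_PROCESSOR",
    },
    "mosip-resident-client": {
        "CREDENTIAL_REQUEST", "default_roles_mosip", "offline_access", "RESIDENT",
        "SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL",
        "SUBSCRIBE_AUTHENTICATION_TRANSACTION_STATUS_GENERAL",
        "SUBSCRIBE_CREDENTIAL_STATUS_UPDATE_GENERAL", "uma_authorization",
    },
}
# Roles the page says must be removed before the upgrade starts.
MUST_REMOVE = {"mosip-prereg-client": {"INDIVIDUAL"}}


def canon(name):
    """Normalise a role name: the page mixes case, '-' and '_' spellings."""
    return "".join(name.split()).replace("-", "_").upper()


def audit(client_id, export_json):
    """Compare exported roles for client_id with its 1.2.0.1 role list."""
    current = {canon(r["name"]): r["name"] for r in json.loads(export_json)}
    target = {canon(r): r for r in TARGET_ROLES[client_id]}
    blockers = {canon(r) for r in MUST_REMOVE.get(client_id, ())}
    return {
        # Present now and named on the page as a pre-upgrade removal.
        "blocking": sorted(current[k] for k in current if k in blockers),
        # Present now but absent from the 1.2.0.1 list (review for least privilege).
        "extra": sorted(current[k] for k in current.keys() - target.keys()),
        # In the 1.2.0.1 list but not yet assigned.
        "missing": sorted(target[k] for k in target.keys() - current.keys()),
    }


# Constructed sample: the 1.1.5.x pre-registration role set from the table above,
# shaped as a JSON list of {"name": ...} objects (export format is an assumption).
SAMPLE_PREREG = json.dumps([{"name": n} for n in (
    "INDIVIDUAL", "offline_access", "PRE_REGISTRATION_ADMIN", "PREREG",
    "REGISTRATION_PROCESSOR", "uma_authorization")])

if __name__ == "__main__":
    for kind, roles in audit("mosip-prereg-client", SAMPLE_PREREG).items():
        print(f"{kind:9}: {', '.join(roles) or '-'}")
```

A non-empty `blocking` list means the upgrade precondition in the note is not yet met for that client.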

### ID Authentication

In the previous version 1.1.5.x, the `mosip-ida-client` module was responsible for handling ID authentication. However, starting from version 1.2.0.1, we have switched to using `mpartner-default-auth` for this purpose. This transition has brought about several changes, including modifications to service account roles, client scopes, and client configurations. Below is an overview of the changes in service account roles and client scopes.

**Service account roles for id-authentication:**

<table><thead><tr><th width="269">mosip-ida-client (1.1.5.x)</th><th>mpartner-default-auth (1.2.0.1)</th></tr></thead><tbody><tr><td><ul><li>AUTH</li><li>AUTH_PARTNER</li><li>ID_AUTHENTICATION</li><li>offline_access</li><li>uma_authorization</li></ul></td><td><ul><li>CREDENTIAL_REQUEST</li><li>default_roles_mosip</li><li>ID_AUTHENTICATION</li><li>offline_access</li><li>PUBLISH_ANONYMOUS_PROFILE_GENERAL</li><li>PUBLISH_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL</li><li>PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL</li><li>PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL</li><li>PUBLISH_IDA_FRAUD_ANALYTICS_GENERAL</li><li>SUBSCRIBE_ACTIVATE_ID_INDIVIDUAL</li><li>SUBSCRIBE_APIKEY_APPROVED_GENERAL</li><li>SUBSCRIBE_APIKEY_UPDATED_GENERAL</li><li>SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL</li><li>SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_INDIVIDUAL</li><li>SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL</li><li>SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL</li><li>SUBSCRIBE_DEACTIVATE_ID_INDIVIDUAL</li><li>SUBSCRIBE_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL</li><li>SUBSCRIBE_MASTERDATA_TITLES_GENERAL</li><li>SUBSCRIBE_MISP_LICENSE_GENERATED_GENERAL</li><li>SUBSCRIBE_MISP_LICENSE_UPDATED_GENERAL</li><li>SUBSCRIBE_MOSIP_HOTLIST_GENERAL</li><li>SUBSCRIBE_OIDC_CLIENT_CREATED_GENERAL</li><li>SUBSCRIBE_OIDC_CLIENT_UPDATED_GENERAL</li><li>SUBSCRIBE_PARTNER_UPDATED_GENERAL</li><li>SUBSCRIBE_POLICY_UPDATED_GENERAL</li><li>SUBSCRIBE_REMOVE_ID_INDIVIDUAL</li><li>uma_authorization</li></ul></td></tr></tbody></table>

**Client Scopes for id-authentication:**

| mosip-ida-client (1.1.5.x)                                                | mpartner-default-auth (1.2.0.1)                                                                                                  |
| ------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- |
| <ul><li>email</li><li>profile</li><li>roles</li><li>web-origins</li></ul> | <ul><li>add\_oidc\_client</li><li>email</li><li>profile</li><li>roles</li><li>update\_oidc\_client</li><li>web-origins</li></ul> |

### Digital-card-service

In the previous version, 1.1.5.x, we did not employ any clients for our digital card service. However, in the latest version, 1.2.0.1, we have implemented the use of the `mpartner-default-digitalcard` client. Please find below the service account roles and client scopes associated with the `mpartner-default-digitalcard` client.

**Service account roles assigned to mpartner-default-digitalcard in 1.2.0.1**

* CREATE\_SHARE
* CREDENTIAL\_REQUEST
* default\_roles\_mosip
* PRINT\_PARTNER
* PUBLISH\_CREDENTIAL\_STATUS\_UPDATE\_GENERAL
* SUBSCRIBE\_CREDENTIAL\_ISSUED\_INDIVIDUAL
* SUBSCRIBE\_IDENTITY\_CREATED\_GENERAL
* SUBSCRIBE\_IDENTITY\_UPDATED\_GENERAL

**Client scopes assigned to mpartner-default-digitalcard in 1.2.0.1**

* email
* profile
* roles
* web-origins

### Print

In version 1.1.5.x, we did not employ any clients for printing. However, beginning from version 1.2.0.1, we utilize the `mpartner-default-print` client. Please find below the service account roles and client scopes associated with the `mpartner-default-print` client.

**Service account roles assigned to mpartner-default-print in 1.2.0.1**

* CREATE\_SHARE
* default\_roles\_mosip
* PUBLISH\_CREDENTIAL\_STATUS\_UPDATE\_GENERAL
* SUBSCRIBE\_CREDENTIAL\_ISSUED\_INDIVIDUAL

**Client scopes assigned to mpartner-default-print in 1.2.0.1**

* email
* profile
* roles
* web-origins

### ID Repository

In version 1.1.5.x, we utilized the `mosip-regproc-client` for id-repository. Starting from version 1.2.0.1, we have transitioned to using `mosip-idrepo-client`. This switch has led to modifications in service account roles, client scopes, and client settings. Below are the details of the changes in service account roles and client scopes.

**Client Scopes for id-repository:**

<table><thead><tr><th width="282">mosip-regproc-client (1.1.5.x)</th><th>mosip-idrepo-client (1.2.0.1)</th></tr></thead><tbody><tr><td><ul><li>email</li><li>profile</li><li>roles</li><li>web-origins</li></ul></td><td><ul><li>email</li><li>profile</li><li>roles</li><li>web-origins</li></ul></td></tr></tbody></table>

**Service account roles for id-repository:**

| mosip-regproc-client (1.1.5.x)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | mosip-idrepo-client (1.2.0.1)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| <ul><li>ABIS\_PARTNER</li><li>CENTRAL\_ADMIN</li><li>CENTRAL\_APPROVER</li><li>CREDENTIAL\_INSURANCE</li><li>CREDENTIAL\_PARTNER</li><li>Default</li><li>DEVICE\_PROVIDER</li><li>DIGITAL\_CARD</li><li>FTM\_PROVIDER</li><li>GLOBAL\_ADMIN</li><li>INDIVIDUAL</li><li>KEY\_MAKER</li><li>MASTERDATA\_ADMIN</li><li>MISP</li><li>MISP\_PARTNER</li><li>ONLINE\_VERIFICATION\_PARTNER</li><li>POLICYMANAGER</li><li>PRE\_REGISTRATION</li><li>PRE\_REGISTRATION\_ADMIN</li><li>PREREG</li><li>REGISTRATION\_ADMIN</li><li>REGISTRATION\_OFFICER</li><li>REGISTRATION\_OPERATOR</li><li>REGISTRATION\_SUPERVISOR</li><li>ZONAL\_ADMIN</li><li>ZONAL\_APPROVER</li></ul> | <ul><li>default\_roles\_mosip</li><li>ID\_REPOSITORY</li><li>offline\_access</li><li>PUBLISH\_ACTIVATE\_ID\_ALL\_INDIVIDUAL</li><li>PUBLISH\_AUTH\_TYPE\_STATUS\_UPDATE\_ALL\_INDIVIDUAL</li><li>PUBLISH\_AUTHENTICATION\_TRANSACTION\_STATUS\_GENERAL</li><li>PUBLISH\_DEACTIVATE\_ID\_ALL\_INDIVIDUAL</li><li>PUBLISH\_IDENTITY\_CREATED\_GENERAL</li><li>PUBLISH\_IDENTITY\_UPDATED\_GENERAL</li><li>PUBLISH\_REMOVE\_ID\_ALL\_INDIVIDUAL</li><li>PUBLISH\_VID\_CRED\_STATUS\_UPDATE\_GENERAL</li><li>SUBSCRIBE\_VID\_CRED\_STATUS\_UPDATE\_GENERAL</li><li>uma\_authorization</li></ul> |

### Resident Services

In version 1.1.5.x, we utilized the `mosip-resident-client` for Resident Services. This client is also employed in version 1.2.0.1. Although there were modifications in service account roles, the client scopes remain unchanged. Below are the details of the alterations made in service account roles.

**Service account roles for Resident-Services:**

| mosip-resident-client (1.1.5.x)                                                                                                        | mosip-resident-client (1.2.0.1)                                                                                                                                                                                                                                                                                            |
| -------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| <ul><li>CREDENTIAL\_ISSUANCE</li><li>CREDENTIAL\_REQUEST</li><li>offline\_access</li><li>RESIDENT</li><li>uma\_authorization</li></ul> | <ul><li>CREDENTIAL\_REQUEST</li><li>default\_roles\_mosip</li><li>offline\_access</li><li>RESIDENT</li><li>SUBSCRIBE\_AUTH\_TYPE\_STATUS\_UPDATE\_ACK\_GENERAL</li><li>SUBSCRIBE\_AUTHENTICATION\_TRANSACTION\_STATUS\_GENERAL</li><li>SUBSCRIBE\_CREDENTIAL\_STATUS\_UPDATE\_GENERAL</li><li>uma\_authorization</li></ul> |

**Client Scopes for Resident-Services:**

| mosip-resident-client (1.1.5.x)                                           | mosip-resident-client (1.2.0.1)                                                                                     |
| ------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- |
| <ul><li>email</li><li>profile</li><li>roles</li><li>web-origins</li></ul> | <ul><li>email</li><li>ida\_token</li><li>individual\_id</li><li>profile</li><li>roles</li><li>web-origins</li></ul> |

### **Compliance-Tool-Kit**

In previous iterations (1.1.5.x) of our system, we did not employ any clients for the compliance toolkit. However, beginning with version 1.2.0.1, we have implemented the use of `mosip_toolkit_client`. The following information outlines the service account roles and client scopes associated with `mosip_toolkit_client`.

**Service account roles assigned to mosip\_toolkit\_client in 1.2.0.1**

* default\_roles\_mosip

**Client scopes assigned to mosip\_toolkit\_client in 1.2.0.1**

* email
* profile
* roles
* web-origins


