Changes in Role Management based on Client IDs

Partner Management Services

In version 1.1.5.x, Partner Management Services (PMS) used the mosip-partner-client. From version 1.2.0.1 onwards, it uses mosip-pms-client instead. This transition changed the service account roles, client scopes, and client configurations.

Please find below the details of the changes made to service account roles and client scopes.

Service account roles for Partner-Management-Services

mosip-partner-client (1.1.5.x):

  • offline_access

  • REGISTRATION_PROCESSOR

  • uma_authorization

mosip-pms-client (1.2.0.1):

  • CREATE_SHARE

  • default_roles_mosip

  • DEVICE_PROVIDER

  • PARTNER

  • PARTNER_ADMIN

  • PMS_ADMIN

  • PMS_USER

  • PUBLISH_APIKEY_APPROVED_GENERAL

  • PUBLISH_APIKEY_UPDATED_GENERAL

  • PUBLISH_CA_CERTIFICATE_UPLOADED_GENERAL

  • PUBLISH_MISP_LICENSE_GENERATED_GENERAL

  • PUBLISH_MISP_LICENSE_UPDATED_GENERAL

  • PUBLISH_OIDC_CLIENT_CREATED_GENERAL

  • PUBLISH_OIDC_CLIENT_UPDATED_GENERAL

  • PUBLISH_PARTNER_UPDATED_GENERAL

  • PUBLISH_POLICY_UPDATED_GENERAL

  • REGISTRATION_PROCESSOR

  • SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL

  • ZONAL_ADMIN

Client Scopes for Partner-Management-Services:

mosip-partner-client (1.1.5.x):

  • email

  • profile

  • roles

  • web-origins

mosip-pms-client (1.2.0.1):

  • add_oidc_client

  • email

  • get_certificate

  • profile

  • roles

  • send_binding_otp

  • update_oidc_client

  • uploaded_certificate

  • wallet_binding

  • web_origins

Admin-Services

In version 1.1.5.x, the mosip-admin-client was used for administrative services, and version 1.2.0.1 continues to use the same client. The service account roles have been modified, while the client scopes remain unchanged. Please find below the updated service account roles. Note that MOSIP Commons also uses this client.

Service account roles for Admin-Services:

mosip-admin-client (1.1.5.x):

  • MASTERDATA_ADMIN

  • offline_access

  • uma_authorization

mosip-admin-client (1.2.0.1):

  • Default-roles-mosip

  • ZONAL_ADMIN

  • offline-access

  • PUBLISH_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL

  • PUBLISH_MASTERDATA_TITLES_GENERAL

  • PUBLISH_MOSIP_HOTLIST_GENERAL

  • uma_authorization

Client scopes are the same for mosip-admin-client in 1.2.0.1 & 1.1.5.1

  • email

  • profile

  • roles

  • web-origins

Pre-registration

In version 1.1.5.x, we utilized the 'mosip-prereg-client' for Pre-Registration. This client is also utilized in version 1.2.0.1. There have been modifications in the service account roles, while the client scopes have remained unchanged. Please find below the updated service account roles.

Service account roles for Pre-Registration:

mosip-prereg-client in 1.1.5.x:

  • INDIVIDUAL

  • offline_access

  • PRE_REGISTRATION_ADMIN

  • PREREG

  • REGISTRATION_PROCESSOR

  • uma_authorization

mosip-prereg-client in 1.2.0.1:

  • default_roles_mosip

  • PRE_REGISTRATION_ADMIN

  • PREREG

  • REGISTRATION_PROCESSOR

Note: Prior to proceeding with the upgrade, please ensure that the INDIVIDUAL role has been removed.
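One way to check this before upgrading is to audit a Keycloak realm export against the 1.2.0.1 role lists on this page. The following is an added example, not MOSIP's own tooling; it assumes the export lists each service account under "users" with "serviceAccountClientId" and "realmRoles", and the sample data is constructed.

```python
import json

# 1.2.0.1 service account roles, spelled as in the lists on this page.
EXPECTED_1_2_0_1 = {
    "mosip-prereg-client": {
        "default_roles_mosip", "PRE_REGISTRATION_ADMIN", "PREREG",
        "REGISTRATION_PROCESSOR"},
    "mosip-resident-client": {
        "CREDENTIAL_REQUEST", "default_roles_mosip", "offline_access",
        "RESIDENT", "SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL",
        "SUBSCRIBE_AUTHENTICATION_TRANSACTION_STATUS_GENERAL",
        "SUBSCRIBE_CREDENTIAL_STATUS_UPDATE_GENERAL", "uma_authorization"},
}
# Roles the page says must be removed before upgrading.
MUST_REMOVE = {"mosip-prereg-client": {"INDIVIDUAL"}}

def audit(export):
    """Compare each service account's realm roles with the 1.2.0.1 list."""
    report = {}
    for user in export.get("users", []):
        client = user.get("serviceAccountClientId")  # absent for human users
        if client not in EXPECTED_1_2_0_1:
            continue
        actual = set(user.get("realmRoles", []))
        expected = EXPECTED_1_2_0_1[client]
        blocking = actual & MUST_REMOVE.get(client, set())
        report[client] = {
            "blocking": sorted(blocking),                   # must go before upgrade
            "extra": sorted(actual - expected - blocking),  # not in the 1.2.0.1 list
            "missing": sorted(expected - actual),           # to be granted
        }
    return report

# Constructed sample: export fragment carrying the 1.1.5.x role sets.
SAMPLE = {"users": [
    {"username": "service-account-mosip-prereg-client",
     "serviceAccountClientId": "mosip-prereg-client",
     "realmRoles": ["INDIVIDUAL", "offline_access", "PRE_REGISTRATION_ADMIN",
                    "PREREG", "REGISTRATION_PROCESSOR", "uma_authorization"]},
    {"username": "service-account-mosip-resident-client",
     "serviceAccountClientId": "mosip-resident-client",
     "realmRoles": ["CREDENTIAL_ISSUANCE", "CREDENTIAL_REQUEST",
                    "offline_access", "RESIDENT", "uma_authorization"]},
    {"username": "constructed-human-user", "realmRoles": ["INDIVIDUAL"]},
]}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

A non-empty "blocking" list means the upgrade precondition is not met; "extra" entries are roles to review for least privilege after the upgrade.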

Client scopes are the same for mosip-prereg-client in 1.2.0.1 & 1.1.5.1

  • email

  • profile

  • roles

  • web-origins

ID Authentication

In the previous version 1.1.5.x, the mosip-ida-client module was responsible for handling ID authentication. However, starting from version 1.2.0.1, we have switched to using mpartner-default-auth for this purpose. This transition has brought about several changes, including modifications to service account roles, client scopes, and client configurations. Below is an overview of the changes in service account roles and client scopes.

Service account roles for id-authentication:

mosip-ida-client (1.1.5.x):

  • AUTH

  • AUTH_PARTNER

  • ID_AUTHENTICATION

  • offline_access

  • uma_authorization

mpartner-default-auth (1.2.0.1):

  • CREDENTIAL_REQUEST

  • default_roles_mosip

  • ID_AUTHENTICATION

  • offline_access

  • PUBLISH_ANONYMOUS_PROFILE_GENERAL

  • PUBLISH_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL

  • PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL

  • PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL

  • PUBLISH_IDA_FRAUD_ANALYTICS_GENERAL

  • SUBSCRIBE_ACTIVATE_ID_INDIVIDUAL

  • SUBSCRIBE_APIKEY_APPROVED_GENERAL

  • SUBSCRIBE_APIKEY_UPDATED_GENERAL

  • SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL

  • SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_INDIVIDUAL

  • SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL

  • SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL

  • SUBSCRIBE_DEACTIVATE_ID_INDIVIDUAL

  • SUBSCRIBE_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL

  • SUBSCRIBE_MASTERDATA_TITLES_GENERAL

  • SUBSCRIBE_MISP_LICENSE_GENERATED_GENERAL

  • SUBSCRIBE_MISP_LICENSE_UPDATED_GENERAL

  • SUBSCRIBE_MOSIP_HOTLIST_GENERAL

  • SUBSCRIBE_OIDC_CLIENT_CREATED_GENERAL

  • SUBSCRIBE_OIDC_CLIENT_UPDATED_GENERAL

  • SUBSCRIBE_PARTNER_UPDATED_GENERAL

  • SUBSCRIBE_POLICY_UPDATED_GENERAL

  • SUBSCRIBE_REMOVE_ID_INDIVIDUAL

  • uma_authorization

Client Scopes for id-authentication:

mosip-ida-client (1.1.5.x):

  • email

  • profile

  • roles

  • web-origins

mpartner-default-auth (1.2.0.1):

  • add_oidc_client

  • email

  • profile

  • roles

  • update_oidc_client

  • web-origins

Digital-card-service

In the previous version, 1.1.5.x, we did not employ any clients for our digital card service. However, in the latest version, 1.2.0.1, we have implemented the use of the mpartner-default-digitalcard client. Please find below the service account roles and client scopes associated with the mpartner-default-digitalcard client.

Service account roles assigned to mpartner-default-digitalcard in 1.2.0.1:

  • CREATE_SHARE

  • CREDENTIAL_REQUEST

  • default_roles_mosip

  • PRINT_PARTNER

  • PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL

  • SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL

  • SUBSCRIBE_IDENTITY_CREATED_GENERAL

  • SUBSCRIBE_IDENTITY_UPDATED_GENERAL

Client scopes assigned to mpartner-default-digitalcard in 1.2.0.1:

  • email

  • profile

  • roles

  • web-origins

Print

In version 1.1.5.x, we did not employ any clients for printing. However, beginning from version 1.2.0.1, we use the mpartner-default-print client. Please find below the service account roles and client scopes associated with the mpartner-default-print client.

Service account roles assigned to mpartner-default-print in 1.2.0.1:

  • CREATE_SHARE

  • default_roles_mosip

  • PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL

  • SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL

Client scopes assigned to mpartner-default-print in 1.2.0.1:

  • email

  • profile

  • roles

  • web-origins

ID Repository

In version 1.1.5.x, we utilized the mosip-regproc-client for id-repository. Starting from version 1.2.0.1, we have transitioned to using mosip-idrepo-client. This switch has led to modifications in service account roles, client scopes, and client settings. Below are the details of the changes in service account roles and client scopes.

Client Scopes for id-repository:

mosip-regproc-client (1.1.5.x):

  • email

  • profile

  • roles

  • web-origins

mosip-idrepo-client (1.2.0.1):

  • email

  • profile

  • roles

  • web-origins

Service account roles for id-repository:

mosip-regproc-client (1.1.5.x):

  • ABIS_PARTNER

  • CENTRAL_ADMIN

  • CENTRAL_APPROVER

  • CREDENTIAL_INSURANCE

  • CREDENTIAL_PARTNER

  • Default

  • DEVICE_PROVIDER

  • DIGITAL_CARD

  • FTM_PROVIDER

  • GLOBAL_ADMIN

  • INDIVIDUAL

  • KEY_MAKER

  • MASTERDATA_ADMIN

  • MISP

  • MISP_PARTNER

  • ONLINE_VERIFICATION_PARTNER

  • POLICYMANAGER

  • PRE_REGISTRATION

  • PRE_REGISTRATION_ADMIN

  • PREREG

  • REGISTRATION_ADMIN

  • REGISTRATION_OFFICER

  • REGISTRATION_OPERATOR

  • REGISTRATION_SUPERVISOR

  • ZONAL_ADMIN

  • ZONAL_APPROVER

mosip-idrepo-client (1.2.0.1):

  • default_roles_mosip

  • ID_REPOSITORY

  • offline_access

  • PUBLISH_ACTIVATE_ID_ALL_INDIVIDUAL

  • PUBLISH_AUTH_TYPE_STATUS_UPDATE_ALL_INDIVIDUAL

  • PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL

  • PUBLISH_DEACTIVATE_ID_ALL_INDIVIDUAL

  • PUBLISH_IDENTITY_CREATED_GENERAL

  • PUBLISH_IDENTITY_UPDATED_GENERAL

  • PUBLISH_REMOVE_ID_ALL_INDIVIDUAL

  • PUBLISH_VID_CRED_STATUS_UPDATE_GENERAL

  • SUBSCRIBE_VID_CRED_STATUS_UPDATE_GENERAL

  • uma_authorization

Resident Services

In version 1.1.5.x, we used the mosip-resident-client for Resident Services. This client is also used in version 1.2.0.1. Although the service account roles were modified, the client scopes remain unchanged. Below are the details of the changes made to the service account roles.

Service account roles for Resident-Services:

mosip-resident-client (1.1.5.x):

  • CREDENTIAL_ISSUANCE

  • CREDENTIAL_REQUEST

  • offline_access

  • RESIDENT

  • uma_authorization

mosip-resident-client (1.2.0.1):

  • CREDENTIAL_REQUEST

  • default_roles_mosip

  • offline_access

  • RESIDENT

  • SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL

  • SUBSCRIBE_AUTHENTICATION_TRANSACTION_STATUS_GENERAL

  • SUBSCRIBE_CREDENTIAL_STATUS_UPDATE_GENERAL

  • uma_authorization

Client Scopes for Resident-Services:

mosip-resident-client (1.1.5.x):

  • email

  • profile

  • roles

  • web-origins

mosip-resident-client (1.2.0.1):

  • email

  • ida_token

  • individual_id

  • profile

  • roles

  • web-origins

Compliance-Tool-Kit

In previous iterations (1.1.5.x) of our system, we did not employ any clients for the compliance toolkit. However, beginning with version 1.2.0.1, we have implemented the use of mosip_toolkit_client. The following information outlines the service account roles and client scopes associated with mosip_toolkit_client.

Service account roles assigned to mosip_toolkit_client in 1.2.0.1:

  • default_roles_mosip

Client scopes assigned to mosip_toolkit_client in 1.2.0.1:

  • email

  • profile

  • roles

  • web-origins

Copyright © 2021 MOSIP. This work is licensed under a Creative Commons Attribution (CC-BY-4.0) International License unless otherwise noted.