Changes in Role Management based on Client IDs
Partner Management Services
In previous versions (1.1.5.x) of our system, we utilized the mosip-partner-client for Partner Management Services (PMS). Starting from version 1.2.0.1 onwards, we use mosip-pms-client instead. This transition has led to updates in service account roles, client scopes, and client configurations. Please find below the details of the changes made to service account roles and client scopes.
Service account roles for Partner-Management-Services:
offline_access
CREATE_SHARE
REGISTRATION_PROCESSOR
default_roles_mosip
uma_authorization
DEVICE_PROVIDER
PARTNER
PARTNER_ADMIN
PMS_ADMIN
PMS_USER
PUBLISH_APIKEY_APPROVED_GENERAL
PUBLISH_APIKEY_UPDATED_GENERAL
PUBLISH_CA_CERTIFICATE_UPLOADED_GENERAL
PUBLISH_MISP_LICENSE_GENERATED_GENERAL
PUBLISH_MISP_LICENSE_UPDATED_GENERAL
PUBLISH_OIDC_CLIENT_CREATED_GENERAL
PUBLISH_OIDC_CLIENT_UPDATED_GENERAL
PUBLISH_PARTNER_UPDATED_GENERAL
PUBLISH_POLICY_UPDATED_GENERAL
REGISTRATION_PROCESSOR
SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL
ZONAL_ADMIN
Client Scopes for Partner-Management-Services:
add_oidc_client
profile
roles
get_certificate
web-origins
profile
roles
send_binding_otp
update_oidc_client
uploaded_certificate
wallet_binding
web-origins
Admin-Services
In version 1.1.5.x, the mosip-admin-client was utilized for administrative services, and the same client continues to be used in version 1.2.0.1. The service account roles have been modified, while the client scopes have remained unchanged. Please find below the updated service account roles. Note that MOSIP Commons also uses this client.
Service account roles for Admin-Services:
MASTERDATA_ADMIN
default_roles_mosip
offline_access
ZONAL_ADMIN
uma_authorization
offline_access
PUBLISH_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL
PUBLISH_MASTERDATA_TITLES_GENERAL
PUBLISH_MOSIP_HOTLIST_GENERAL
uma_authorization
Client scopes for mosip-admin-client are the same in 1.2.0.1 and 1.1.5.1:
email
profile
roles
web-origins
Pre-registration
In version 1.1.5.x, we utilized the mosip-prereg-client for Pre-Registration, and the same client is used in version 1.2.0.1. The service account roles have been modified, while the client scopes have remained unchanged. Please find below the updated service account roles.
Service account roles for Pre-Registration:
INDIVIDUAL
offline_access
PRE_REGISTRATION_ADMIN
PREREG
REGISTRATION_PROCESSOR
uma_authorization
default_roles_mosip
PRE_REGISTRATION_ADMIN
PREREG
REGISTRATION_PROCESSOR
Note: Prior to proceeding with the upgrade, please ensure that the INDIVIDUAL role has been removed from this client's service account.
Client scopes for mosip-prereg-client are the same in 1.2.0.1 and 1.1.5.1:
email
profile
roles
web-origins
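The note above asks operators to confirm that a role is gone before upgrading, and every section of this page is effectively a per-client expected set of service account roles and client scopes. The following script is an added example written for this page, not code from the MOSIP project: it loads a Keycloak realm export (where a client's service account appears as a user whose serviceAccountClientId points back at the client, and a client's scopes appear under defaultClientScopes and optionalClientScopes), compares one client's actual roles and scopes against an expected baseline, flags roles that must be absent, and can produce a corrected export with those roles dropped. The realm export fragment, the function names and the baseline sets are constructed for illustration; the baseline for mosip-prereg-client uses the names listed on this page but should be replaced with your deployment's own.

```python
"""Drift check for Keycloak service-account roles and client scopes.

Added example, not MOSIP project code. Compares one client's effective
service-account realm roles and attached client scopes (as found in a
realm export JSON) against an expected baseline, and reports drift.
"""
import copy
import json

# Constructed realm export fragment for illustration; a real export carries
# many more fields. The service account still holds INDIVIDUAL, which the
# pre-upgrade note on this page says must be removed.
SAMPLE_REALM_EXPORT = json.dumps({
    "realm": "mosip",
    "clients": [{
        "clientId": "mosip-prereg-client",
        "serviceAccountsEnabled": True,
        "defaultClientScopes": ["email", "profile", "roles"],
        "optionalClientScopes": ["web-origins"],
    }],
    "users": [{
        "username": "service-account-mosip-prereg-client",
        "serviceAccountClientId": "mosip-prereg-client",
        "realmRoles": ["default-roles-mosip", "INDIVIDUAL", "PREREG",
                       "PRE_REGISTRATION_ADMIN", "REGISTRATION_PROCESSOR"],
    }],
})

# Illustrative baseline for mosip-prereg-client in 1.2.0.1, built from the
# names on this page; replace with your own reviewed baseline.
PREREG_EXPECTED_ROLES = ["default_roles_mosip", "PRE_REGISTRATION_ADMIN",
                         "PREREG", "REGISTRATION_PROCESSOR"]
PREREG_EXPECTED_SCOPES = ["email", "profile", "roles", "web-origins"]
PREREG_FORBIDDEN_ROLES = ["INDIVIDUAL"]


def canon(name):
    """Normalize a role/scope name for comparison: Keycloak built-ins show up
    as offline_access and default-roles-<realm>, and docs spell them with
    either separator and either case."""
    return name.strip().lower().replace("-", "_")


def service_account_roles(realm, client_id):
    """Realm roles held by the service-account user of client_id."""
    for user in realm.get("users", []):
        if user.get("serviceAccountClientId") == client_id:
            return list(user.get("realmRoles", []))
    raise LookupError(f"no service-account user for client {client_id!r}")


def client_scopes(realm, client_id):
    """Default plus optional client scopes attached to client_id."""
    for client in realm.get("clients", []):
        if client.get("clientId") == client_id:
            return (list(client.get("defaultClientScopes", []))
                    + list(client.get("optionalClientScopes", [])))
    raise LookupError(f"client {client_id!r} not found in realm export")


def _diff(actual, expected):
    """Missing and extra names, reported in their original spelling."""
    a = {canon(x): x for x in actual}
    e = {canon(x): x for x in expected}
    missing = sorted(e[k] for k in e.keys() - a.keys())
    extra = sorted(a[k] for k in a.keys() - e.keys())
    return missing, extra


def check_client(realm, client_id, expected_roles, expected_scopes,
                 forbidden_roles=()):
    """Return a drift report for one client; every list empty means clean."""
    roles = service_account_roles(realm, client_id)
    scopes = client_scopes(realm, client_id)
    missing_roles, extra_roles = _diff(roles, expected_roles)
    missing_scopes, extra_scopes = _diff(scopes, expected_scopes)
    forbidden = {canon(r) for r in forbidden_roles}
    return {
        "missing_roles": missing_roles,
        "extra_roles": extra_roles,
        "forbidden_roles_present": sorted(r for r in roles if canon(r) in forbidden),
        "missing_scopes": missing_scopes,
        "extra_scopes": extra_scopes,
    }


def is_clean(report):
    return not any(report.values())


def drop_service_account_roles(realm, client_id, roles_to_drop):
    """Copy of the export with the given roles removed from the client's
    service account, i.e. what the pre-upgrade note asks for."""
    out = copy.deepcopy(realm)
    drop = {canon(r) for r in roles_to_drop}
    for user in out.get("users", []):
        if user.get("serviceAccountClientId") == client_id:
            user["realmRoles"] = [r for r in user.get("realmRoles", [])
                                  if canon(r) not in drop]
    return out


def load_sample():
    return json.loads(SAMPLE_REALM_EXPORT)


def prereg_report(realm=None):
    return check_client(realm or load_sample(), "mosip-prereg-client",
                        PREREG_EXPECTED_ROLES, PREREG_EXPECTED_SCOPES,
                        PREREG_FORBIDDEN_ROLES)


if __name__ == "__main__":
    print(json.dumps(prereg_report(), indent=2))
```

Run it against a real export by replacing load_sample() with json.load on the exported file; the report is meant to be checked on both sides of the upgrade, since the sections on this page list roles that disappear as well as roles that appear, and an unexpected surviving role is as much a finding as a missing one.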
ID Authentication
In the previous version 1.1.5.x, the mosip-ida-client was responsible for ID Authentication. Starting from version 1.2.0.1, we have switched to using mpartner-default-auth for this purpose. This transition has brought about several changes, including modifications to service account roles, client scopes, and client configurations. Below is an overview of the changes in service account roles and client scopes.
Service account roles for id-authentication:
AUTH
AUTH_PARTNER
ID_AUTHENTICATION
offline_access
uma_authorization
CREDENTIAL_REQUEST
default_roles_mosip
ID_AUTHENTICATION
offline_access
PUBLISH_ANONYMOUS_PROFILE_GENERAL
PUBLISH_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL
PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL
PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL
PUBLISH_IDA_FRAUD_ANALYTICS_GENERAL
SUBSCRIBE_ACTIVATE_ID_INDIVIDUAL
SUBSCRIBE_APIKEY_APPROVED_GENERAL
SUBSCRIBE_APIKEY_UPDATED_GENERAL
SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL
SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_INDIVIDUAL
SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL
SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL
SUBSCRIBE_DEACTIVATE_ID_INDIVIDUAL
SUBSCRIBE_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL
SUBSCRIBE_MASTERDATA_TITLES_GENERAL
SUBSCRIBE_MISP_LICENSE_GENERATED_GENERAL
SUBSCRIBE_MISP_LICENSE_UPDATED_GENERAL
SUBSCRIBE_MOSIP_HOTLIST_GENERAL
SUBSCRIBE_OIDC_CLIENT_CREATED_GENERAL
SUBSCRIBE_OIDC_CLIENT_UPDATED_GENERAL
SUBSCRIBE_PARTNER_UPDATED_GENERAL
SUBSCRIBE_POLICY_UPDATED_GENERAL
SUBSCRIBE_REMOVE_ID_INDIVIDUAL
uma_authorization
Client Scopes for id-authentication:
email
profile
roles
web-origins
add_oidc_client
email
profile
roles
update_oidc_client
web-origins
Digital-card-service
In the previous version, 1.1.5.x, we did not employ any client for the digital card service. In the latest version, 1.2.0.1, we use the mpartner-default-digitalcard client. Please find below the service account roles and client scopes associated with the mpartner-default-digitalcard client.
Service account roles assigned to mpartner-default-digitalcard in 1.2.0.1:
CREATE_SHARE
CREDENTIAL_REQUEST
default_roles_mosip
PRINT_PARTNER
PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL
SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL
SUBSCRIBE_IDENTITY_CREATED_GENERAL
SUBSCRIBE_IDENTITY_UPDATED_GENERAL
Client scopes assigned to mpartner-default-digitalcard in 1.2.0.1:
email
profile
roles
web-origins
Print
In version 1.1.5.x, we did not employ any client for printing. Beginning from version 1.2.0.1, we use the mpartner-default-print client. Please find below the service account roles and client scopes associated with the mpartner-default-print client.
Service account roles assigned to mpartner-default-print in 1.2.0.1:
CREATE_SHARE
default_roles_mosip
PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL
SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL
Client scopes assigned to mpartner-default-print in 1.2.0.1:
email
profile
roles
web-origins
ID Repository
In version 1.1.5.x, we utilized the mosip-regproc-client for ID Repository. Starting from version 1.2.0.1, we have transitioned to using mosip-idrepo-client. This switch has led to modifications in service account roles, client scopes, and client settings. Below are the details of the changes in service account roles and client scopes.
Client Scopes for id-repository:
email
profile
roles
web-origins
email
profile
roles
web-origins
Service account roles for id-repository:
ABIS_PARTNER
CENTRAL_ADMIN
CENTRAL_APPROVER
CREDENTIAL_ISSUANCE
CREDENTIAL_PARTNER
Default
DEVICE_PROVIDER
DIGITAL_CARD
FTM_PROVIDER
GLOBAL_ADMIN
INDIVIDUAL
KEY_MAKER
MASTERDATA_ADMIN
MISP
MISP_PARTNER
ONLINE_VERIFICATION_PARTNER
POLICYMANAGER
PRE_REGISTRATION
PRE_REGISTRATION_ADMIN
PREREG
REGISTRATION_ADMIN
REGISTRATION_OFFICER
REGISTRATION_OPERATOR
REGISTRATION_SUPERVISOR
ZONAL_ADMIN
ZONAL_APPROVER
default_roles_mosip
ID_REPOSITORY
offline_access
PUBLISH_ACTIVATE_ID_ALL_INDIVIDUAL
PUBLISH_AUTH_TYPE_STATUS_UPDATE_ALL_INDIVIDUAL
PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL
PUBLISH_DEACTIVATE_ID_ALL_INDIVIDUAL
PUBLISH_IDENTITY_CREATED_GENERAL
PUBLISH_IDENTITY_UPDATED_GENERAL
PUBLISH_REMOVE_ID_ALL_INDIVIDUAL
PUBLISH_VID_CRED_STATUS_UPDATE_GENERAL
SUBSCRIBE_VID_CRED_STATUS_UPDATE_GENERAL
uma_authorization
Resident Services
In version 1.1.5.x, we utilized the mosip-resident-client for Resident Services, and the same client is used in version 1.2.0.1. The service account roles have been modified, while the client scopes remain unchanged. Below are the details of the alterations made to the service account roles.
Service account roles for Resident-Services:
CREDENTIAL_ISSUANCE
CREDENTIAL_REQUEST
offline_access
RESIDENT
uma_authorization
CREDENTIAL_REQUEST
default_roles_mosip
offline_access
RESIDENT
SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL
SUBSCRIBE_AUTHENTICATION_TRANSACTION_STATUS_GENERAL
SUBSCRIBE_CREDENTIAL_STATUS_UPDATE_GENERAL
uma_authorization
Client Scopes for Resident-Services:
email
profile
roles
web-origins
email
ida_token
individual_id
profile
roles
web-origins
Compliance-Tool-Kit
In previous iterations (1.1.5.x) of our system, we did not employ any client for the compliance toolkit. Beginning with version 1.2.0.1, we use mosip_toolkit_client. The following information outlines the service account roles and client scopes associated with mosip_toolkit_client.
Service account roles assigned to mosip_toolkit_client in 1.2.0.1:
default_roles_mosip
Client scopes assigned to mosip_toolkit_client in 1.2.0.1:
email
profile
roles
web-origins