Overview

The MOSIP platform requires integration with several other systems. Typically, a System Integrator (SI) would assemble all the pieces to build a complete national ID solution. All entities that participate in providing the external components are called MOSIP Partners.

The below diagram illustrates the MOSIP Ecosystem, highlighting how the MOSIP platform integrates with various components to provide a complete ID solution.

Partner types

Partner Policies

The MOSIP Partner Policy establishes a structured framework for collaboration between MOSIP adopters and their partners and defines the rules for data access and sharing.

It specifies which partners can access what information and the procedures for requesting it, for instance, a registered print provider automatically receives data via WebSub if designated under the print policy whereas an authentication partner must actively call the authentication system to retrieve data based on policy guidelines. If eKYC is permitted, the partner may receive additional personally identifiable information (PII).

The policy ensures granular control over shared attributes allowing different partners to receive varying levels of information; one may access only a name while another may obtain both a name and a photograph. This structured approach enhances security, compliance, and flexibility.

To learn more about partner policies please refer here.

Partner onboarding

Onboarding of a partner refers to registering a partner in a particular deployment of MOSIP. Partners need to be onboarded to establish trust. The onboarding process consists of loading partner details in the database, exchanging certificates, etc, detailed in the later sections. Such onboarding is required to be done on any fresh MOSIP installation. For instance, if you install a sandbox, you would need to follow the onboarding process for each partner.

The sections below describe the onboarding process for each type of partner.

MISP

1. MISP should have a trusted X.509 certificate with a chain of CA certificates.

2. MISP self-registers on the PMS portal providing partner ID, name, organization name (same as in certificate), partner type (MISP_type) (This functionality will be available on the portal in the 1.2.x version of MOSIP)

3. MISP uploads all certificates.

4. MOSIP Admin generates the MISP license key and provides it to MISP.

Authentication Partner (AP)

1. Policy for the AP must be pre-defined (see Partner policies).

2. AP should have a trusted X.509 certificate with a chain of CA certificates.

3. AP registers with MISP and obtains the MISP license key (this setup is outside of the MOSIP system).

4. The MISP used by AP should have been already onboarded onto MOSIP.

5. AP self-registers on the PMS portal providing partner ID, name, organization name (same as in certificate), partner type (Auth_Partner) etc.

6. AP uploaded all certificates.

7. AP selects the policy group and policy. This request is sent to the MOSIP Admin for approval.

8. On approval, AP generates an API key that can be used along with the MISP license key to interact with the IDA system.

Device Provider (DP)

1. DP should have a trusted X.509 certificate with a chain of CA certificates.

2. DP self-registers on the PMS portal providing partner ID, name, organization name (same as in certificate), partner type (Device_Provider) etc.

3. DP uploads all certificates.

4. Any approval from MOSIP? (TODO)

FTM Provider (FTMP)

1. FTMP should have a trusted X.509 certificate with a chain of CA certificates.

2. FTMP self-registers on the PMS portal providing partner ID, name, organization name (same as in certificate), partner type (FTM_Provider) etc.

3. FTMP uploads all certificates.

4. TODO

Credential Partner (CP)

1. Datashare policy must be pre-defined (see Partner policies).

2. CP should have a trusted X.509 certificate with a chain of CA certificates.

3. CP self-registers on the PMS portal providing partner ID, name, organization name (same as in certificate), partner type (Credential_Partner) etc.

4. CP uploads all certificates.

5. CP selects the policy group and policy.

6. CP maps policy to one of the supported credential types.

7. CP adds biometric extractors for the policy.

Online Verification Partner (OVP)

1. Datashare policy must be pre-defined (see Partner policies).

2. OVP should have a trusted X.509 certificate with a chain of CA certificates.

3. OVP self-registers on the PMS portal providing partner ID, name, organization name (same as in certificate), partner type (Credential_Partner) etc. (Using APIs, as OVP support on PMS Portal is available in the later version of MOSIP.)

4. OVP uploads all certificates.

5. OVP selects the policy group and policy.

6. OVP maps policy to auth credential type.

7. OVP adds biometric extractors for the policy.

MOSIP Partner Program

The MOSIP Partner Programme (MPP) was initiated to help stakeholders connect with MOSIP, and become part of an ecosystem invested in building foundational digital ID systems that are trustworthy, secure, efficient, and interoperable while being customized to specific needs.

Refer MPP document for further details.

PMS module

Refer to Partner Management Services.

Overview

The admin application is a web-based application used by a privileged group of administrative personnel to manage various master data. The various resources that can be managed by an administrator are:

• Center (Registration centers)

• Device

• Machine

• User (Admin, Registration staff)

Along with resource and data management, the admin can generate master keys, check registration status, retrieve lost RIDs, and resume processing of paused packets.

• Masterdata Service exposes API to perform CRUD operations on masterdata through Admin service.

• Hotlist Service provides functionality to block/unblock any IDs with option of expiry. This hotlisted information will also be published to MOSIP_HOTLIST WebSub topic.

• Sync Data Service can be accessed only by the privileged group of admin personnel and enables default configurations and seed data to be setup when the MOSIP platform gets initialized.

The admin module has four services:

• Admin service

• Kernel Masterdata service

• Kernel Syncdata service

• Hotlist service

The documentation here will guide you through the pre-requisites required for the developer' setup.

Software setup

1. JDK 11

2. Any IDE (like Eclipse, IntelliJ IDEA)

3. Apache Maven (zip folder)

4. pgAdmin

5. Postman

6. Git/GitHub Desktop

7. Notepad++ (optional)

8. lombok.jar (file)

9. settings.xml

Follow the steps below to set up Admin Services on your local system:

2. Unzip Apache Maven and move the unzipped folder in C:\Program Files and settings.xml to conf folder C:\Program Files\apache-maven-3.8.4\conf.

3. Install Eclipse, open the lombok.jar file and wait for some time until it completes the scan for Eclipse IDE and then click Install/ Update.

1. Check the Eclipse installation folder C:\Users\userName\eclipse\jee-2021-12\eclipse to see if the lombok.jar is added. By doing this, you don't have to add the dependency of lombok in your pom.xml file separately as it is auto-configured by Eclipse.

2. Configure the JDK (Standard VM) with your Eclipse by traversing through Preferences → Java → Installed JREs.

Code setup

Importing and building of a project

1. Open the project folder where pom.xml is present.

2. Open command prompt from the same folder.

3. Run the command mvn clean install -Dgpg.skip=true -DskipTests=true to build the project and wait for the build to complete successfully.

4. After building of a project, open Eclipse and select Import Projects → Maven → Existing Maven Projects → Next → Browse to project directory → Finish.

5. After successful importing of project, update the project by right-click on Project → Maven → Update Project.

Environment setup

2. Any changes in the properties for Masterdata and Admin services should be done in application-local1.properties file.

3. By default the Admin-services is connected to dev environment.

4. To run the specific service from IDE, Open IDE -> Specific service -> src/main/java/io.mosip.specific service -> Right click on the file and select run as Java Application.

For example, to run the Admin service, open IDE -> admin-service -> src/main/java/io.mosip.admin -> Right click on AdminBootApplication.java and select run as Java Application.

1. To run the specific service from Command Prompt, Open Project folder -> open command prompt from same folder -> Execute java -jar target/specific-service-1.2.0.jar.

For example, to run the admin service, Open Project folder -> open command prompt from same folder -> Execute java -jar target/admin-service-1.2.0-SNAPSHOT.jar.

The service should now be up and running.

Admin services API

• The APIs can be tested with the help of Swagger-UI and Postman.

• Swagger is an interface description language for describing restful APIs expressed using JSON. You can access Swagger-UI of admin-services for dev-environment from:

Admin service– http://dev.mosip.net/v1/admin/swagger-ui/index.html?configUrl=/v1/admin/v3/api-docs/swagger-config#/ and localhost from http://localhost:8098/v1/admin/swagger-ui/index.html?configUrl=/v1/admin/v3/api-docs/swagger-config#/.

Masterdata- http://dev.mosip.net/v1/masterdata/swagger-ui/index.html?configUrl=/v1/masterdata/v3/api-docs/swagger-config#/ and localhost from http://localhost:8086/v1/masterdata/swagger-ui/index.html?configUrl=/v1/masterdata/v3/api-docs/swagger-config#/.

Syncdata- http://dev.mosip.net/v1/syncdata/swagger-ui/index.html?configUrl=/v1/syncdata/v3/api-docs/swagger-config#/ and localhost from http://localhost:8089/v1/syncdata/swagger-ui/index.html?configUrl=/v1/syncdata/v3/api-docs/swagger-config#/.

Hotlist- http://dev.mosip.net/v1/hotlist/swagger-ui/index.html?configUrl=/v1/hotlist/v3/api-docs/swagger-config#/ and localhost from http://localhost:8095/v1/hotlist/swagger-ui/index.html?configUrl=/v1/hotlist/v3/api-docs/swagger-config#/

• Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs—faster. It is widely used tool for API testing.

• Create an environment as shown in the image below.

This environment is created for dev. Give the variable name as url and set both the values as https://dev.mosip.net.

• In the similar way, create another environment for localhost as shown below.

This environment is created for localhost. Give the variable name as url and set both the values as http://localhost:8099.

Overview

The MOSIP platform is configured via the Admin application. This application can be accessed only by a privileged group of administration personnel. The admin module provides the following functions:

1. Management of resources via CRUD operations:

   1. Zone

   2. Centers (registration centers)

   3. Device

   4. Machine

   5. Users (Admin, registration staff)

2. Registration administration

   1. Packet status

   2. Retrieve lost RID

   3. Resume RID

Administrative zones

• Administrative zones are virtual boundaries which a country can define to better manage their resources that are used during registrations. These resources includes Centers, Users, Machines and Devices. These zones can be defined in a hierarchical fashion and a country can allocate resources to such zones based on their requirements.

• Resources under each zone is managed by a Zonal Admin. This is done by assigning an Administrative zone to the Zonal Admin during user creation.

• These Zonal Admins can exist at any zonal hierarchy. (For e.g, a Zonal Admin can directly be mapped to the whole country as a Zone or can be mapped to a significantly smaller zone such as a city). Thus, these resources when mapped to an Administrative zone can only be managed by the Admin of that zone.

Activate/deactivate/decommission resources

What is deactivation of a resource?

Deactivation refers to a reversible action in which the isActive value for a resource in database is set to "False". This means that the resource will not be available for use unless and until it is activated later through the admin portal as required by the country.

What is decommissioning a resource?

• Decommission refers to a permanent/irreversible action of the resource. This also automatically deactivates it and the isDeleted value for the resource is set to "True".

• The primary difference being that a decommissioned resource cannot be bought into commission again as decommission refers to a permanent shutdown.

• Also, in cases where a center has some resources mapped to it (e.g. machines, devices or users), the portal will not allow the admin to decommission such a center.

Note- Activation/Deactivation/Decommission of a center in one language will be applied to the same center created in all the languages.

Services

Frontend- Admin portal

Developer Guide

API

Source code

Overview

Populating masterdata

Masterdata may be uploaded in the following manner:

1. One-time bulk upload:

Creating country specific data

The tables that need to be modified for country specific data are listed below. Other tables in mosip_master DB are either system-filled or pre-filled and not to be modified.

Common guidelines

• Modify the files for your deployment as per guide below.

Tables to be updated

Partners are vendors or solution providers who offer their products/services to ensure the effective implementation and operation of MOSIP-based identity systems.

Partner Management Portal (PMP) is a web based application that is designed to facilitate the collaboration and integration of external partners with the MOSIP ecosystem. This portal serves as a platform to onboard all types of MOSIP partners, manage their details and build partner specific functionalities for seamless interaction.

We are undertaking a comprehensive overhaul of our existing Partner Management Portal (PMP). This revamp includes introducing a suite of new features and significantly enhancing the current ones. Our aim is to improve usability and elevate the overall user experience (UX). Also incorporating tech stack upgrade and realigning our focus to bring user centered design to PMP, we are committed to making the PMP more intuitive, efficient, and aligned with our partners' evolving needs.

You can refer to the comprehensive documentation as below:

Who are the partners in MOSIP?

Policy group

Common policies group examples include 'Telecom', 'Banking', 'Insurance' among others.

What are the policies used in MOSIP?

• Data Share Policy

• Authentication Policy

Partner Policies

Partner roles

Documentation

Partner Management System (PMS) is undergoing a major revamp and as our first step, we have introduced a brand new web application - Partner Management Portal. This brings:

• Technology stack upgrade

• Introduce new partner types.

• Introduce new features.

• Enhancement of existing features.

• Improved usability and user experience.

The key features of Authentication Partner incorporated in this release are:

• Partner Certificate:

  • Upload and Re-upload: Easily upload or re-upload Certificate Authority (CA) signed Partner Certificate.

  • Download: Download CA signed Partner Certificate and corresponding MOSIP Signed Certificate.

• Policies:

  • Request Policies: Request policies within selected policy group.

  • Policy List: View a tabular list of requested policies along with approval status from 'Partner Admin'.

  • View Policy Details: Access detailed views of individual policies, including status of Partner Admin approval/rejection.

• Authentication Services:

  • OIDC Client:

    • Create OIDC Client: Create OIDC Clients for approved policies.

    • View OIDC Details: Access a tabular list and individual views of submitted OIDC Client details, including OIDC Client IDs.

    • Edit: Edit existing OIDC Client details.

    • Deactivate: Deactivate OIDC Client whenever needed.

  • API Key:

    • Generate API Key: Create API Keys for approved policies.

    • View API Key Details: View a tabular list and individual details of submitted API Keys.

    • Deactivate: Deactivate API Keys when necessary.

We are reconstructing the entire PMS ground up and our upcoming releases is going to keep the best of current system and rebuild everything else from scratch.

The 'Legacy PMS' will be available during the overhaul and new system is to gradually take over in phase wise releases of the system, ensuring thereby a smooth and seamless transition. This means existing system will continue to work and be available during the course of undergoing the rebuilding process.

The key features of Authentication Partner and the Partner Management System are here below.

Ease of Use and Usability Enhancements

Self-registration

A Partner can self-register with much of the process as automated with least manual intervention.

Policy Group Selection and Choosing a Policy

Partner has to select the Policy Group and then choose an applicable Policy which is based on the Partner Type the organization belongs to. Policy selection gets easier as there is description provided against each policy helping a Partner carefully select an applicable policy.

Interface / User Experience:

The new interface of PMP, for its user part, has undergone a complete revamp not only on UI but the UX been worked upon ground up. The select few points from the UX enhancements are as below:

• Card view presentation – You now get ‘Partner User Dashboard’ and this offers Card view presentation for each functionality with brief / one liner description to help you understand the services offered in:

• User Profile - User can view his organisation name and username on the top right , the user dropdown on the top right- has two options: User Profile and Logout.

User Access

• Login: Existing Partner who has already registered can login to the portal with email / username and password.

• Retrieve Password / Forgot Password: Partner will have option to reset password using the Forget Password option.

Partner Certificate

• Upload and Re-upload: Easily upload or re-upload Certificate Authority (CA) signed Partner Certificate.

• Download: Download CA signed Partner Certificate and corresponding MOSIP Signed Certificate.

Policies

• Request Policies: Request policies within selected policy group.

• Policy List: View a tabular list of requested policies along with Partner Admin approval status.

• View Policy Details: Access detailed views of individual policies, including status of Partner Admin approval/rejection.

Authentication Services:

• OIDC Client:

  • Create OIDC Client: Create OIDC Clients for approved policies.

  • View OIDC Details: Access a tabular list and individual views of submitted OIDC Client details, including OIDC Client IDs.

  • Edit: Edit existing OIDC Client details.

  • Deactivate: Deactivate OIDC Client whenever needed.

• API Key:

  • Generate API Key: Create API Keys for approved policies.

  • View API Key Details: View a tabular list and individual details of submitted API Keys.

  • Deactivate: Deactivate API Keys when necessary.

Browser Support:

• Complete support on Chrome, Firefox, Edge and Safari ensures a seamless user experience across these popular browsers.

Language Support:

• Currently supports English, French and Arabic with plans to incorporate additional languages in future releases.

Compatibility:

• Optimized for standard browser sizes (laptop/desktop) with responsive UI design for laptop/desktop views.

Build and Development Guide

This guide contains all the information required for successful deployment and running of Partner Management Portal. It includes information about the Database and roles.

DB scripts

Partner Management Service DB Scripts to be run: DB scripts

Keycloak Roles

mosip-pms-client needs to have below roles in keycloak:

• CREATE_SHARE`

• DEVICE_PROVIDER

• PARTNER

• PARTNER_ADMIN

• PMS_ADMIN

• PMS_USER

• PUBLISH_APIKEY_APPROVED_GENERAL

• PUBLISH_APIKEY_UPDATED_GENERAL

• PUBLISH_CA_CERTIFICATE_UPLOADED_GENERAL

• PUBLISH_MISP_LICENSE_GENERATED_GENERAL

• PUBLISH_MISP_LICENSE_UPDATED_GENERAL

• PUBLISH_OIDC_CLIENT_CREATED_GENERAL

• PUBLISH_OIDC_CLIENT_UPDATED_GENERAL

• PUBLISH_PARTNER_UPDATED_GENERAL

• PUBLISH_POLICY_UPDATED_GENERAL

• REGISTRATION_PROCESSOR

• SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL

• ZONAL_ADMIN

• view-users (from realm-management roles)

Config Changes:

Add below property to partner-management-default.properties file in mosip-config repository to Deploy PMS Revamp 1.3.0-DP.1 release in your env.

## This property is used by kernel-authcodeflowproxy-api to check request is coming from allowed urls not.
auth.allowed.urls=https://${mosip.pmp.host}/,https://${mosip.pmp.reactjs.ui.host}/

This repository contains the UI code for Partner Management portal. To know more about the features and functions present on the portal, refer here.

Build and Deployment

Note: The code is written in React JS.

• Install node.js- To build the react JS code that runs on node, recommended Node: 21.7.3, Package Manager: npm 5.2+

• Check out the source code from GIT – To download the source code from git, follow the steps below to download source code on your local system.

  • git clone https://github.com/mosip/partner-management-portal (to clone the source code repository from git)

For Production build

• Build the code

  Follow the steps below to build the source code on your system.

  • Navigate to the pmp-reactjs-ui directory inside the cloned repository.

  • Run the command npm run build in that directory to build the code.

• Build Docker image

  Follow the steps below to build the docker image on your system.

  • docker build -t name . (replace name with the name of the image you want, "." signifies the current directory from where the docker file has to be read.)

  • Example: docker build -t pmp-revamp-ui .

• Run the Docker image

  Follow the steps to build docker image on your system.

  • docker run –d –p 80:80 --name container-name image-name (to run the docker image created with the previous step,-d signifies to run the container in detached mode, -p signifies the port mapping left side of the":" is the external port that will be exposed to the outside world and right side is the internal port of the container that is mapped with the external port. Replace container-name with the name of your choice for the container, replace image-name with the name of the image specified in the previous step)

  • Example: docker run -d -p 3000:3000--name nginx pmp-revamp-ui

• Now you can access the user interface over the internet via browser.

  • Example: http://localhost:3000

For Local build

• Build & deploy the code locally

  Follow the steps below to build the source code on your system.

  • Navigate to the pmp-reactjs-ui directory inside the cloned repository. Then, run the following command in that directory:

    • npm install

    • npm start

• Now, you can access the user interface via browser.

  • Example: http://localhost:3000

PMS Revamp Portal web application is currently compatible and certified with the following list of browsers:

Scope for Release 1.3.0-dp.1 - Compatible on standard browser size (laptop/desktop) and UI responsiveness in laptop/desktop.

Compatibility on Mobile and also on specific tablet and mobile sizes will be taken up only after Release 1.3.0-dp.1.

Overview

An admin application is a web-based application used by a privileged group of administrative personnel to manage various master data sets. The various resources that an Admin can manage are:

1. Center (Registration centers)

2. Device

3. Machine

4. Users (Admin, Registration staff)

Along with the resource and data management, the admin can generate master keys, check registration status, retrieve lost RID, and resume processing of paused packets. To start using the Admin portal, an admin user must be assigned to a zone.

To learn more, refer to the video below!

Session 1

First Admin user

1. Setup of hierarchical zones

2. Create Admin roles in KeyCloak

3. Create the first admin user in KeyCloak and assign the "GLOBAL_ADMIN" role

The above is done automatically as part of the default sandbox installation.

Login

1. Select the preferred language.

2. Login with KeyCloak credentials.

Actions

1. Map the other users(admins/registration operators/supervisors) to their respective zones

2. Create centers and assign the users to a particular center

3. Highly recommended: Ensure to revoke the first super user's zone mapping and role after the first user actions are completed.

Admin roles and their default accessibility matrix

• GLOBAL_ADMIN

• ZONAL_ADMIN

• REGISTRATION_ADMIN

• MASTERDATA_ADMIN

• KEY_MAKER

Center

• This portal allows an Admin to view, create, edit, activate, deactivate and decommission registration centers.

• An Admin can manage only centers under their administrative zones.

The administrator can filter the list of registration centers based on parameters like Center name, Center type, Status, and Location code.

• The system does not fetch the details of decommissioned registration centers but only active and inactive centers are displayed.

• If the admin does not find a center, they can click the Center not available in logged in language button. Clicking on this button displays the list of centers that are already created in other languages. On selecting a particular center, the information will be auto-populated in the Create page and be made available to the admin for modifications.

• Language specific fields can be modified to create a center with the currently logged in language.

Create center

• A center is created with multiple attributes and is mapped to the administrative zone that it belongs to.

• A center can only be mapped to the configured location hierarchy level.

• While defining centers, an admin can also define the working days of the week for a center and any exceptional holidays that might be applicable for a particular center.

Update center

• An admin can update a center even after it has been created. The updates can include adding the details that were missed during the creation of the center or changing the details of a center as required.

• To update, click the Edit option from the Actions menu against a center name.

Activate/deactivate/decommission center

• Select the Deactivate/Decommission option from the Actions menu against the center.

• Activation/Deactivation/Decommission of a center in one language will be applied to the same center created in all the languages.

To know more, refer Activate/deactivate/decommission resources

Devices

• Using this portal, an admin can manage the devices a country will use for registering residents like devices used for bio-metric capture (Fingerprint, Iris, Web camera, etc.), printers, and scanners.

• This portal allows an Admin to view, create, edit, activate, deactivate, and decommission registration centers.

• The admin portal allows an admin to view the list of all the devices available in the jurisdiction of their administrative zone.

• The system does not fetch the details of decommissioned devices but only the active and inactive devices.

The Admin can filter the list of Registration centers based on parameters like Device Name, Mac Address, Serial Number, Status, Map Status, Device Type, and Device Spec ID.

Create devices

A Device can be created with multiple attributes and be mapped to the Administrative Zone it belongs to.

Update devices

• An admin can update missing information or change device details even after it is created.

• To update, click the Edit option from the Actions menu against a device.

Activate/deactivate/decommission device

Select the Deactivate/Decommission option from the Actions menu against the device.

Map/un-map/re-map the device to a center

• Admin portal allows an Admin to map/un-map each device to a center.

• This mapping specifies as to which center the device will be used in.

• A device can only be mapped to a center that belongs under the device’s Administrative Zone.

• To do so, select the device and choose a Center Name from the dropdown.

Machines

• Admin portal allows an administrator to manage the machines a country will use for registering residents.

• This portal allows an Admin to view, create, edit, activate, deactivate and decommission machines.

• The admin portal allows an admin to view the list of all the machines available in the jurisdiction of their administrative zone.

• The system does not fetch the details of decommissioned machines but only shows the active and inactive machines.

The administrator can filter the list of machines based on parameters like Machine name, Mac address, Serial number, Status, and Machine type.

Create machines

• A machine can be created with attributes like Machine ID, machine name, MAC address, serial number, machine spec ID, and administrative zone the machine belongs to.

• A machine needs to be mapped to an administrative zone.

Update machines

• An admin can update missing details or make changes to machine details even after it is created.

• To update, click the Edit option from the Actions menu against a machine.

Note- Updates made to language specific fields update data only for that language in the database while updates made to non-language dependent fields updates data against all the language entries for that center.

Activate/deactivate/decommission machine

An admin can deactivate or decommission a machine through the admin portal.

Map/un-map/re-map machine to a center

• Admin portal allows an Admin to map/un-map each machine to a center.

• This mapping specifies as to which center the machine will be used in.

• A machine can only be mapped to a center that belongs under the machine’s Administrative Zone.

• To do so, select the machine and choose a Center Name from the dropdown.

Users

• MOSIP uses Keycloak as an IAM (Identity access management tool) for managing Users. These users are internal users of MOSIP including Registration Officers, Registration Supervisors, Zonal Admins, Global Admins, etc.

• using this portal, an Admin can map the users to a zone and a center.

User Zone Mapping

• Once a user is created in KeyCloak, they need to be mapped to a zone to access specific information available in that zone.

• Admin portal allows an admin to map users to a zone. This mapping specifies which zone the user will belong to.

• A user can only be mapped to a zone that belongs under the user’s Administrative Zone.

• A user can later be unmapped from the zone in case a user needs to be moved to another zone. In such cases, the user will later need to be mapped to the new zone. The below image displays the list of users that are mapped to a zone.

Map/Un-map/re-map user to a zone

To map a user to a zone,

1. Click Resources-> User Zone mapping

2. Click +Map Zone

3. Select the User Name, and Administrative Zone from the dropdown.

4. Click Save.

To re-map a user to a zone,

1. Click Resources-> User Zone mapping

2. Select Remap from the Actions menu against the mapped user.

3. Update the User Name/ Administrative Zone from the dropdown.

4. Click Save.

User Center Mapping

• Once the user is mapped to a zone, they will be listed in the screen below. Now, the user will be mapped to a center to be able to manage their assigned center.

• Admin portal allows an admin to map users to a center. This mapping specifies as to which center the user will be used in.

• A user can only be mapped to a center that belongs under the user’s Administrative Zone.

• A user can later be unmapped from the Center in cases where a User needs to be moved to another Center. In such cases, the user will later need to be mapped to the new center. In case the user is required to be mapped to a Registration center outside the Administrative Zonal restriction, the Administrative Zone of the user must be changed.

Map/un-map/re-map user to a registration center

To map a user to a center,

1. Click Resources-> User Center Mapping

2. Select Map from the Actions menu against the mapped user.

3. Select the Center Name from the dropdown against the User Name, Administrative Zone.

4. Click Save.

Search and dropdowns

• To get the results starting with a specific character/ set of characters, prepend that specific character/set of characters with asterisk symbol.

• Similarly to get the results ending with a specific character/ set of characters, append that specific character/ set of characters with asterisk.

• For the results containing a specific character/ set of characters, prepend and append that specific character/ set of characters with asterisk.

Below is the image illustrating the same.

Packet status (based on RID)

• A Registration packet generated in the Registration client is sent to the Registration Processor for further processing and UIN generation.

• Using this Portal, A Registration Admin can view the status of a packet by entering the RID of the packet.

• The packet status will contain all the stages the packet has passed through along with the last stage the packet is in.

• In case the packet has not been processed or is marked for Re-Send/Re-Register, the admin will be able to view specific comments indicating the reason for that particular status.

Pause/Resume RID

• The Registration Admin has the privilege to view the registration packets that are in a paused state.

• Admin can use this portal to resume or reject paused packets. They would have 3 options:

  • Resume processing (from where it was paused)

  • Resume from the beginning

  • Reject

Once processing of a packet is resumed, it will be removed from this list

Retrieve lost RID

• The Registration Admin can use this feature to retrieve lost RID.

• For instance, if the resident did not provide any valid email and/or phone number and has lost the RID slip received during the registration, to find their RID details, the resident contact the MOSIP helpline and share details such as name, center name, registration date, and postal code to the admin, who will use the lost RID feature and try to retrieve the RID number.

A few filters may be applied to retrieve the RID.

Note: This feature is currently under development.

Master Data

• Admin portal allows an Admin to manage the Masterdata applicable for a country.

• These data include a list of Genders, a list of Holidays, Templates, Center Types, Machine Types, etc.

To know more, refer to the Masterdata guide.

Bulk upload

• If a country decides to upload the data through the .csv files, they could use this feature to upload the existing data into the MOSIP platform.

• The listing screen displays the uploaded data transaction information.

• As the information inside .csv files may be huge, it would go through the batch job to process the information and store it in the tables. Also, it may take time to get a unique transaction ID against a particular action.

Master Data

To upload Master data using the Admin portal,

1. Go to Bulk Upload > Master Data

2. On the master data dashboard, click Upload Data.

3. Select the operation (insert/update/delete)

4. Select the table name into which the data needs to be uploaded.

5. Click Choose file to select the data and click Upload

• To view the format for inserting data in a particular table, click on the Download icon.

• A CSV file gets downloaded in which the first row represents the column names and the rest of the rows are the data that will be inserted into the table(sample).

• From the 1.2.0.1-B2 version, apart from the comma, other special characters (i.e., '|','$'etc.) can also be used as a separator in the CSV file used for masterdata bulk upload. This can be done by updating the property mosip.admin.batch.line.delimiter with the same special character.

Note: While editing CSV files, it is recommended to keep track of the Date format and Time format to be the same as the acceptable formats. The acceptable Date format is YYYY-MM-DD and the acceptable Time format is HH:MM:SS. Any other Date and Time formats in CSV files will result in a DataType Mismatch Error.

Packets

To upload packets using the Admin portal,

1. Go to Bulk Upload > Packets

2. On the packet upload dashboard, click Upload Packet.

3. Select the following from the dropdown:

   • Center name

   • Source (currently displays Registration Client)

   • Process (New, Update UIN, Lost, Biometric correction)

   • Supervisor status (Approved/Rejected)

   These details are important if the packet needs to be synced before upload.

4. Click Choose file to select the packets and click Upload.

How is the packet upload performed with or without the DATA_READ role?

For uploading the packets through the Admin portal, ensure that the packets are available in the machine or the external hard disk connected from where the Admin Portal is being used.

Key Manager

With the help of this feature, the Admin user can generate and manage the keys required in MOSIP.

GenerateMasterKey

• The logged in user with KEY_MAKER role will have access to view and generate the master key in the Admin portal.

• Using this option, the logged in user will be able to generate only the Root key and Module master key. To generate the key, the user has to select the Application ID from the options available in the dropdown, leave the Reference ID blank for the Root and Module master key, and provide other certificate attributes to be used at the time of generation of the certificate for the key.

• These certificate attributes in the portal are optional, if not provided, default values configured in the Key Manager service will be used.

• For the Kernel signature key (which is considered the master key and stored in HSM), a Reference ID needs to be provided and the value has to be SIGN.

• The force flag option is available in key generation. The logged in user can select the option value True to force the invalidation existing key and generate a new key in Key Manager service.

• The logged in user has to select the return object after the generation of the key.

• The user can select either Certificate or CSR (Certificate Signing Request). The key will be generated only when the key is not available in Key Manager service otherwise already generated key certificate will be returned for the generation request.

GenerateCSR

• CSR (certificate signing request) is required when there is a need to procure a valid certificate from a valid CA.

• GenerateCSR option can be used to request for a CSR and this option will be visible to all the users who log in to the Admin portal.

• The logged in user can request for generation of CSR for any key generated in Key Manager service.

• The user has to provide the Application ID and Reference ID to get a CSR.

• A new key will be auto-generated in case the key does not exist and the already existing key has expired for the Module Encryption keys.

• Whereas, for Module master key or Root key, a new key will not get auto-generated in case the key does not exist, but the new key will get auto generated if the key exists and has expired. The current valid key will always be used to generate a CSR.

GetCertificate

• The user can get a certificate for all the keys generated in Keymanager and any partner certificates uploaded in Keymanager service for partner data sharing purposes.

• The GetCertificate option is visible to all the users who log in to the Admin portal.

• The user has to provide the Application ID and Reference ID to get a certificate.

• A new key will be auto generated in case the key does not exist and the already existing key has expired for Module encryption keys.

• Whereas, for Module master key or Root key, a new key will not get auto-generated in case the key does not exist, but a new key will get auto-generated if the key exists and has expired. For the partner certificate, a new key will not be generated in the Key Manager service.

• Only current valid certificates will be returned when the user requests a certificate.

UploadCertificate

• The logged in user can use this option to update the certificate for all the keys generated in the Key Manager service.

• This option is used in scenarios where a valid CA certificate has been procured for a key available in the Key Manager service.

UploadOtherDomainCertificate

• The logged in user can use this option to upload a partner certificate in Key Manager service.

• Partner certificates will be used in the Key Manager service to encrypt any sharable data using the partner certificate required in datashare from MOSIP to any partner.

• Partner certificates can also be used in the Key Manager service for signature verification purposes.

PMS Portal UI:

The table below outlines the frameworks, tools, and technologies used in PMS Portal.

Partner Management Services:

The table below outlines the frameworks, tools, and technologies employed by Partner Management Services.

Partner Management Service

Partner Management Service provides various partner services like onboarding partners and providing partner data to other modules.

The diagram below illustrates the relationship of this service to other MOSIP services.

1. Certificates of partner are uploaded to Key Manager as part of onboarding.

2. Registration processor fetches ABIS datashare policy from PMS.

3. PMS sends notification messages to partners via notification service (of Kernel).

4. Audit logs are logged into Auditmanager.

5. ID Repository fetches credential data share partners and their polices from PMS.

6. All PMS data is stored in mosip_pms DB.

7. Certificates of Authentication Partners are sent to IDA module as IDA runs independently. The certificates are shared using Datashare (which futher uses Websub to share data with IDA).

8. PMS invokes the client management endpoint of eSignet to register OIDC client

Rest of the content can be referred to here: https://docs.mosip.io/1.2.0/modules/partner-management-services

Overview

PMS Portal is used by the Partners to onboard with MOSIP and manage Devices, FTM, Create API Keys and Create OIDC clients etc.

Partner Management module has two services:

• Partner Management service

• Policy Management service

The documentation here will guide you through the prerequisites required for the developer's setup.

Software setup

Below is a list of tools required in Partner Management Services:

1. JDK 11

2. Any IDE (like Eclipse, IntelliJ IDEA)

3. Apache Maven (zip folder)

4. pgAdmin

5. Postman

6. Git

7. Notepad++ (optional)

8. lombok.jar (file)

9. settings.xml (document)

Follow the steps below to set up Partner Management Services on your local system:

1. Download lombok.jarand settings.xml from here.

2. Install Apache Maven.

3. Copy the settings.xml to ".m2" folder C:\Users\<username>\.m2.

4. Install Eclipse.

5. Open the lombok.jar file and wait for some time until it completes the scan for Eclipse IDE and then click Install/Update. Specify the eclipse installation location if required by clicking the ‘Specify location…’ button. Then, click Install/Update the button to proceed.

1. Check the Eclipse installation folder C:\Users\userName\eclipse\jee-2021-12\eclipse to see if lombok.jar is added. By doing this, you will not have to add the dependency of lombok in your pom.xml file separately as it is auto-configured by Eclipse.

2. Configure the JDK (Standard VM) with your Eclipse by traversing through Preferences → Java → Installed JREs.

Code setup

For the code setup, clone the repository and follow the guidelines mentioned in the Code Contributions.

Importing and building a project

1. Open the project folder partner-management-services\partner where pom.xml is present.

2. Open the command prompt from the same folder.

3. Run the command mvn clean install -Dgpg.skip=true to build the project and wait for the build to complete successfully.

4. After building a project, open Eclipse and select Import Projects → Maven → Existing Maven Projects → Next → Browse to project directory → Finish

5. This will import 5 projects into Eclipse: partner, partner-management-service, pms-common, policy-management-service and policy-validator

1. After successful importing of all the projects, update each project by right-clicking on Project → Maven → Update Project.

Environment setup

• For the environment setup, you need an external JAR that is available here with different versions. Download the below-mentioned JARs with appropriate latest/appropriate versions. You will need to input the appropriate artifact ID and version and other inputs. kernel-auth-adapter.jar

• E.g.: You can download kernel-auth-adapter.jar and add to the project Libraries → Classpath → Add External JARs → Select Downloaded JAR → Add → Apply and Close).

• Properties Files - Update application-dev.properties and bootstrap.properties files in below folder partner-management-services\partner\partner-management-service\src\main\resources to run the Partner Management Service locally

• Click the "run" option, the service will start locally on port 9109.

Policy management service also can run by following the above steps.

Partner Management Services API

• For API documentation, refer here.

• The APIs can be tested with the help of Postman or Swagger-UI.

• Swagger is an interface description language for describing restful APIs expressed using JSON. Can access Swagger-UI of partner-management-services for dev-environment from https://dev.mosip.net/v1/partnermanager/swagger-ui/index.html?configUrl=/v1/partnermanager/v3/api-docs/swagger-config and localhost from http://localhost:9109/v1/partnermanager/swagger-ui/index.html?configUrl=/v1/partnermanager/v3/api-docs/swagger-config.

• Can access Swagger-UI of policy-management-services for dev-environment from https://dev.mosip.net/v1/policymanager/swagger-ui/index.html?configUrl=/v1/policymanager/v3/api-docs/swagger-config and localhost from http://localhost:9107/v1/policymanager/swagger-ui/index.html?configUrl=/v1/policymanager/v3/api-docs/swagger-config.

• Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs—faster. It is widely used tool for API testing.

• Download the JSON collection and then import it in your postman.

New Language Support

Overview

This guide provides step-by-step instructions for adding support for a new language in PMS application that uses react-i18next for internationalization. The i18n.js file is already configured to dynamically load language files based on the selected locale. Currently, the application supports English, French, and Arabic. For demonstration, we will add Spanish as an additional language.

Repository

The PMS React application source code is available at: PMP Revamp UI Repository.

Steps to Add a New Language

1. Add a New Translation File

Each language in the application is stored as a separate JSON file inside the /pmp-revamp-ui/public/i18n directory. To add Spanish (es), create a new translation file:

es.json

Open es.json and add the translations required, for example:

{

"dashboard": {

"welcomeMsg": "Bienvenido {{firstName}} {{lastName}}",

"accountStatus": "Estado de la cuenta"

}

}

2. Add Language Locale in Keycloak

We use Keycloak for authentication, and users select their preferred language during login. Once logged in, the selected language is picked up by the i18n bundle. This requires updating Keycloak's supported locales.

Steps to Enable Spanish in Keycloak

1. Log in to Keycloak Admin Console as an administrator.

2. Navigate to Realm Settings:

   • Select the appropriate realm.

   • Go to the "Realm Settings" section.

   • Click on the "Themes" tab.

1. Add Spanish to Supported Locales:

   • Ensure that "Internationalization" is enabled.

   • In the "Supported Locales" field, add es (for Spanish) to the list.

   • Click "Save" to apply changes.
2. Verify Language Selection in Keycloak Login Page:

   • Navigate to the Keycloak login page.

   • Ensure that Spanish appears as an option in the language selection dropdown.

3. Rebuild the Application

After adding the new language bundle, you must rebuild the code to ensure the new translations are correctly loaded into the application.

Steps to Rebuild the React Application

1. Open a terminal or command prompt.

2. Navigate to your React project directory:

cd partner-management-portal\pmp-revamp-ui

1. Install dependencies (if not already installed):

npm install

1. Build the project:

npm run build

1. Deploy the updated build to your hosting environment.

4. Verify Language Support in PMS Application

1. Open the application in a browser.

   • Select Spanish from the language options on the Keycloak login page.

   • Confirm that the UI displays the correct Spanish translations after logging in.

By following these steps, you can easily add support for any new language in your applica

PMS Admin (Partner Admin)

Partner Management Portal (PMP) is used by both; PMS Admin and Partner User.

• Partner Administrator: Partner Admin

• Partners: Partner User

• [Partner User - 'Authentication Partners' can use the new interface to perform all the activities mentioned under 'Authentication Partner Workflow']{.mark}

• [Partner Admin - Partner Admin still will have to user the older 'Partner Admin Interface to perform all the activities explained under'What all activities does a 'Partner Admin' perform for Authentication Partner?'.

]{.mark}

What all activities does a 'Partner Admin' perform for Authentication Partner?

Being a 'Partner Admin' you can perform following 3 activities to complete the end to end functionality pertaining to Authentication partner.

It should be noted that all these activities that you can perform as an admin you will still have to use the older 'Partner Admin Interface' as of now untill we complete its revamp which is already underway on a war footing.

• Upload Root CA and Sub CA Certificates

• Create Policy Group and Policy

• Approve/Reject Policy

Upload Root CA and Sub CA

Only after you 'Upload Root CA and Sub CA Certificates (From Older PMP Interface)' that a Partner will then be able to 'Upload CA signed Partner Certificate.

As a process of Partner onboarding onto PMP after successful registration, Partner is required to Upload CA signed Partner Certificate on behalf of their organisation which would be used to build a trust store in MOSIP to cryptographically validate that they are from a trusted organisation to perform authentication of citizens. Also this certificate is used to encrypt the response shared in e-KYC.

[To Upload Root CA and Sub CA Certificates]{.mark}

1. [In 'Certificate Trust Store' click on 'Upload Trust Certificate'.]{.mark}

2. [Select the Partner Domain- AUTH in Upload Trust Certificate page.]{.mark}

3. [Choose the Root CA Certificate to upload (only files with extensions as .cer or .pem).]{.mark}

4. [Click Submit.]{.mark}

5. [Similarly, sub/intermediate CA certificate should be uploaded by following the above steps (1-4).]{.mark}

[Creating Policy Group and Policy]{.mark}

[As Partner Admin you are required to 'Create Policy Group' and 'Create Policy(s)' which a 'Partner' will be able to select while self-registering on PMP.]{.mark}

[As an admin you will also have privilege to 'Approve Policy Request' when a Partner selects a Policy and it comes to you for approval, You can read more about this here.]{.mark}

[Create Policy group]{.mark}

• [Login as Partner Admin into the PMS portal (Older PMP Interface).]{.mark}

• [All the policy groups created so far by Partner Admin/ Policy Manager are displayed on 'List of Policy Groups' page.]{.mark}

• [On clicking the 'Create Policy Group' option on the top right of the screen, we can create a Policy Group by providing suitable name and description that is self explanatory for partners, who would be selecting them during Partner Policy Request to create API Key/ OIDC Client etc.]{.mark}

• [On click of Submit, a success message appears.]{.mark}

[Create Auth policy]{.mark}

[Once you 'Create Policy' you will also be required to activate it and then it will reflect when a Partner wants to select a policy. You can also change the status of Policy Group ( Deactivate) or edit it using the Action menu as shown below.]{.mark}

1. [On clicking Authentication Policy tab, List of all previously created Authentication Policies are displayed.]{.mark}

[On clicking Authentication Policy tab, List of all previously created Authentication Policies are displayed.]{.mark}

[On clicking 'Create Authentication Policy' button, Partner Admin/ Policy manager is navigated to Create Authentication Policy page where details such as policy group, policy name, description etc will have to be entered]{.mark}

[Note: Only active policy groups are available in the policy group dropdown.]{.mark}

[click on the upload button to upload policy data . Only json files are allowed for upload.]{.mark}

[On clicking on Save as Draft, following success message appears .]{.mark}

[On clicking 'Go Back', admin is navigated back to tabular view where the policy is saved as 'draft' status.]{.mark}

[To publish policy which is currently in draft status, click on 'publish' option in action menu. A popup window appears seeking for confirmation to publish.]{.mark}

[On clicking Publish, a success message appears . Click on close to close the window.]{.mark}

[The given policy changes to 'Activated' status after being published. Once activated, the admin cannot edit the policy, hence the option is disabled.]{.mark}

[Approve Policy Request]{.mark}

[When a Partner have chosen a 'Policy Group' and the 'Policy', an approval request will come to you and you can approve or reject a 'Policy Request' using 'Request Policy' screen.]{.mark}

[When a Partner have chosen a 'Policy Group' and the 'Policy' an approval request will come to you and you can approve or reject a 'Policy Request' using 'Request Policy' screen.]{.mark}

• [Click on Partner Policy Linking in the admin dashboard.]{.mark}

• [Select the policy mapping that needs an approval.The options provided for policy linking requests in 'Pending for Approval' are to Approve/ Reject. Also an option to view the policy request details is also provided.]{.mark}

[On clicking the Approve/ Reject option, the window appears - and partner admin can click on either Approve or Reject to take appropriate action]{.mark}

[The status- Approved / Rejected gets updated in the tabular view.]{.mark}

Authentication Partner Workflow

To be able to access the services by PMP and to validate that the partner is from a trusted organisation, undergoing self registration on PMP and uploading CA signed certificate is necessary'.

• Self Register on PMS Interface

• Upload CA signed Certificate

Self-Register on PMP as Authentication Partner

1. The Authentication Partner can register themselves on MOSIP PMS portal by clicking Register on the Login Page, a form comes up.

2. Enter the Authentication Partner details:

   1. Partner type (Authentication Partner)

   2. First and Last name

   3. Organization Name

   4. Address, Phone number

   5. e-mail, Username and password

1. Click on Register, a popup comes up which asks you to 'Choose a Policy Group' and seeks you to 'Agree to Terms and Conditions' before you can be considered as 'Authentication Partner.

2. Select the relevant/applicable Policy Group on Select Policy Group popup using Policy Group dropdown by reading through policy group description in dropdown.

1. On Submit it will ask you to read through ‘Terms and Condition’ and having carefully read through it you can agree and accept it.

CA Signed Partner Certificate Upload / Download or Re-Upload

User is now in Home Page/Dashboard where the following features are provided to Authentication Partner: 1) Partner Certificate, 2) Policies and 3) Authentication Services: OIDC Client and API Key generation.

Once registered, as a process of Partner onboarding onto PMP after successful registration, user is required to perform upload CA signed Partner Certificate on behalf of their organisation which would be used to build a trust store in MOSIP to cryptographically validate that they are from a trusted organisation to perform authentication of citizens. Also this certificate is used to encrypt the response shared in e-KYC.

To Upload CA signed Certificate

1. Go to Authentication Partner (New UI) -> Dashboard.

1. Click on Partner Certificate option, Click on the Upload button to upload the partner certificate signed by CA.

1. Select the CA signed partner certificate from local system by tapping on the upload section (blue area).

1. Certificate is successfully fetched from local system.

1. Click on Submit, Partner Certificate is uploaded successfully.

1. On closing the popup, The user can view the uploaded certificate details in the form of a list view.

Download Certificate

There is also an option to download initially uploaded CA signed certificate and also the MOSIP Signed Certificate.

Re-Upload Certificate

Reuploading certifacte is required in cases when MOSIP Signed Certificate gets expired after one year.

You must ensure that you re-upload the partner certificate again so that new MOSIP signed certificate can be generated and other functionalities such as Request Policy, Authentication Policies can function.

Request Policy

Pre-Requisite: Policy Manager (in our case 'Admin') must have created a Policy Group and then created a Policy within it for the Partner to be able to ‘Request a Policy’.

To Request a Policy

1. Click on the 'Request Policy' option in User homepage/dashboard.

   1. Each policy name is provided with policy description, You can make a suitable policy selection. You can provide appropriate request comments and submit the policy request details. A message conveying Policy request submitted successfully to admin is displayed.

1. This newly created policy request will be in ‘Pending for Approval’ status. You can also click on action menu to see all the submitted policy details irrespective of its status.

1. Once the request is approved (Partner Admin will Approve Policy Request). Once the request is approved you can view the status turns to ‘Approved’ status.

Authentication Service

After the partner has selected a policy group, uploaded partner certificate, requested for policy and also got admin approval - partner can now perform 'Authentication Services':

• OIDC Client: Create OIDC Client for approved policy

• API Key : Generate API Key for approved policy

Prerequisites: Policy requested by the Partner must be already approved by Policy Manager (Read More here).

Creating OIDC Client

• The authentication partner needs to provide the following details to create OIDC Client

  • Select suitable Authentication policy for OIDC Client creation. Only the policies that are APPROVED by admin will be available in dropdown for selection.

  • Enter the public key in JWK format, name or label for OIDC Client, LogoURI and one or more Redirect URI.

  • On successful submission, user can find this record in tabular list of submitted OIDC Client details in ‘Activated’ status. Tabular list and individual view of submitted OIDC Client details along with OIDC Client ID, Edit OIDC Client details and Deactivate OIDC Client can also be seen from here.

• This Client ID can then be consumed in eSignet to perform authentication. Client ID can be accessed by clicking on eye icon.

• User can utilize this OIDC Client ID to perform eSignet based authentication of citizens

• The user can also view every OIDC Client detail individually using the View option

• The user can also edit the OIDC Client details in Activated status (only OIDC Client Name, LogoURI and RedirectURI are editable) by selecting the edit option in Action Menu.

• User can deactivate the OIDC Client ID by clicking on deactivate option . The deactivate popup window appears and on clicking confirm, the OIDC Client record is changed to Deactivated status. Once deactivated, the client ID can not be used anymore for authentication.

API Key Generation

The authentication partner needs to provide the following details to generate API Key

• Select suitable Authentication policy for API Client. Only the policies that are Approved by admin will be available in dropdown for selection.

1. Enter an appropriate name or label for API Key to be generated and submit, On successful submission, a popup window displays API Key along with a copy button.

1. This API Key can be viewed by user in PMS application only once due to security reasons, hence the user is well notified with an appropriate message in the same API Key popup window to avoid closing the window unless user has not copied the API Key.\
2. User can find this record in tabular list of submitted API details in ‘Activated’ status.
3. User can either view individual API Key entries or view the consolidated list in tabular view.

1. You also have an option to deactivate an API Key, which thereafter cannot be used for authentication. On clicking confirm, the API Key record is changed to Deactivated status. Once deactivated, it cannot be activated again. You may need to generate a new API key as per requirement.

Interface Overview

PMP (Partner Management Portal) is going under a comprehensive overhaul. This revamp includes improving usability and elevate the overall user experience (UX). The focus is to bring user centered design to PMP, make the PMP more intuitive, efficient, and aligned with our partners' evolving needs.

Card view presentation is there for each functionality with brief description to help you understand the services offered in Partner User Dashboard.

After successfully registering you can access the Home Page / Dashboard. You will be able to view the features and functionalities on the dashboardand based on your Partner Type.

Note: You can access the partner dashboard only when you are duly registered and have selected the 'Policy Group'.

Each functionality that the user can perform is displayed in each card so that there is independent navigation for each tasks.

• Partner Certificate: Upload or Reupload CA Signed Partner Certificate and Download CA Signed Partner Certificate & corresponding MOSIP Signed Certificate

• Policies: Request for a policy within the selected policy group, tabular list of requested policies along with status of admin approval, view requested policy details along with admin comments/status.

• Authentication Services:

  • OIDC Client : Create OIDC Client for approved policy, tabular list and individual view of submitted OIDC Client details along with OIDC Client ID, Edit OIDC Client details and Deactivate OIDC Client

  • API Key : Generate API Key for approved policy, tabular list and individual view of submitted API Key details and Deactivate API Key.

You can view your organisation name and username on the top right called 'User Profile', logout options is also placed here only.

Reupload a new partner certificate through the following steps

1. Login to PMP and Go to Dashboard.

1. Click on Re-Upload button of Authentication Partner Type.

1. Re-upload certificate pop-up window appears. The time and date of previous certificate upload is also displayed for user reference. Click on the certificate upload section (blue area) to upload a new partner certificate from the local system.

1. After selecting the certificate from local system, the fetched certificate name is displayed.

1. Click on Submit, Partner certificate upload success message is displayed.

1. Click on Close to come back to list view of partner certificate.

Forgot Password

You can retrieve password in case you are unable to recall.

1. Click on Forgot Password link displayed on login page to reset password.

1. Enter registered email address and submit, a message is displayed informing user that further instructions to reset password has been sent on te email address entered.

1. Click on the Reset password link received on his email address, you will be redirected to Change Password screen.

1. Enter a new password that adheres to password policy and re enter to confirm before you save it.

1. After clicking submit, This new password will be further used in subsequent logins

Partner Administration

End User Guide - Partner Admin & Policy Manager

What all activities does a 'Partner Admin' perform?

Partner Admin [supervises]{.mark} the overall partner and policy management functionalities in PMS. The admin is responsible for:

• Upload Root Certificate

• Intermediate CA Certificates

• Manage Partners and Policies

• Approve / Reject new entries created by different partners or deactivate partner related records

Note:

Partner Admin can also assume the role of Policy Manager to

• Create and manage policy groups and policies

What all activities does a 'Policy Manager' perform?

As a partner admin [cum]{.mark} policy manager a Policy Manager performs following roles:

1. Creation and management of Policy Group, Authentication Policy, Datashare Policy

Notes:

In UI - both PARTNER_ADMIN and POLICYMANAGER roles should be granted for the 'POLICIES' card to appear in the dashboard.

Partner Admin / Policy Manager

Register as Partner Admin and Policy Manager

Partner admin too has to register [himself]{.mark} just like any other 'Partner Registration' by selecting any one of the partner type i.e. Admin has to register in PMS with any one of the partner type.

Registering as Partner Admin

Partner Admin can register in PMP as any one of the partner type and then get the various roles/privileges by going to Keycloak.

Using Keycloak to allocate 'Partner Admin' and/or 'Policy Manager'

After registration .....you need to come to keycloak..

1. Go to keycloak and search your user name in Users tab.

1. Go to the Role Mapping tab.

1. In the Available Roles section, select PARTNER_ADMIN or POLICYMANAGER, click Add to move the selected role to the Assigned Roles list.

1. You can now log in to the PMS portal with the same user credentials and you will have access to the Admin Dashboard.

Note: Add POLICYMANAGER role if Policies card should be made accessible in UI

Allocating Policy Manager Role

By following the above steps (1-4) in keycloak, the admin can also configure POLICY_MANAGER role to view and manage Policies card as shown in the dashboard below:

Notes:

1. If only 'Policy Manager' role is configured in keycloak, then the user will still be able to access as a normal partner. Hence 'Partner Admin' & 'Policy Manager' roles are necessary to access all the cards above.

1. After configuring the roles and if PMS portal is still logged in, make sure to logout and login again for the roles to get updated.

Certificate Trust Store

Certificate Trust Store provides features such as Upload, Download, View Root CA and Intermediate CA certificates to Partner Admin such that at the time of CA Signed Certificate upload by partner MOSIP verifies the certificate chain of trust and then signs the partner's certificate using MOSIP(PMS) private key.

• Root Trust (Root CA) Certificate

• Intermediate Trust (Intermediate CA) Certificate

Root Trust (Root CA) Certificate

You can use the 'Root Trust (Root CA) Certificate' section to do the following:

• Upload Certificate -- Upload Root CA certificate such that the root of trust can be verified when an intermediate CA is uploaded.

• Download Root CA: Download the root certificate as and when needed.

• View Root CA

  • Root CA: Tabular view of all uploaded Root CA certificates is displayed.

  • View Root CA Details

Root CA Certificate

View Root CA Certificate

List of Root CA Certificates

Viewing Root CA Certificate

In Certificate Trust Store, the user can view the list of 'Root CA Certificates' uploaded by admin till date with details such as Certificate ID, Partner Domain, Issued To, Issued By, Validity Period and Validity Status (Valid / Expired) [etc]{.mark}.

Each active certificate record has two options in action menu - View and Download Certificate.

View Root CA details

On clicking View, the Root CA certificate detail can be viewed individually.

Download Root CA

In the same page (Root CA details), an option to download the Root CA certificate in .p7b file is also provided. Clicking on download, a success message appears.

On opening the .p7b file from local system, the Root CA Certificate can be viewed as below:

NOTE: any external installation required swetha.N Prathmesh Jadhav ???

Upload Root CA

To upload Root CA/ Intermediate CA Certificate, click on 'Upload Trust Certificate'.

Admin is thus [navigated]{.mark} to Upload Trust Certificate page.

Note:

Admin can upload Root CA / Intermediate CA certificate in the same page but should be in a sequential order ie. Root CA Certificate upload first and then Corresponding Intermediate CA certificate upload.

Select the partner domain (AUTH / DEVICE / FTM) in the Upload section. Partner Domain typically refers to the specific functional area for which the Root or Intermediate CA certificate is being uploaded.

• AUTH: Select Partner domain as AUTH if Root or Intermediate CA certificate is being uploaded for Authentication Partner.

• DEVICE: Select Partner domain as DEVICE if Root or Intermediate CA certificate is being uploaded for Device Provider.

• FTM: Select Partner domain as FTM if Root or Intermediate CA certificate is being uploaded for FTM Chip Provider.

Note:

• Only .cer or .pem format certificates are allowed for upload

• Future dated certificates [is]{.mark} [should]{.mark} not [be]{.mark} allowed for upload, in case it is attempted an error message is thrown.

• Only [Version 3]{.mark} certificate is allowed for upload.

• If the corresponding root certificate is not uploaded, then while submitting the Intermediate certificate upload, an error message appears asking 'Please upload corresponding Root Certificate to proceed further'.

Note for Root CA Certificate:

• Issued To and Issued By is the same - which means these are self signed certificates.

Intermediate Trust (Intermediate CA) Certificate

• Upload Root CA Certificate: Partner Admin can upload Intermediate CA certificate so that the root of trust can be verified when a partner uploads Partner / FTM Chip Certificate.

• Download Certificate Chain of Trust: Partner Admin downloads the certificate chain of trust of intermediate certificate as and when needed.

• View Intermediate CA: Tabular view of all uploaded Intermediate CA certificates is displayed.

• View Intermediate Certificate details: Uploaded intermediate certificate details is displayed along with the list of certificates within the certificate trust chain.

Viewing the Intermediate CA Certificate

List of Intermediate CA Certificates

On clicking the Intermediate CA tab, List of all Intermediate CA certificates uploaded by Partner Admin is displayed.

Action menu for all active certificates displays the following options:

• View

• Download Certificate Chain

Viewing the Intermediate CA Certificate

Either by clicking on the row item or the View option in action menu, the admin is [navigated]{.mark} to View Intermediate CA Certificate details page where the certificate details are displayed such as Certificate ID, Partner Domain - (AUTH, FTM, DEVICE), Issued To- <subject > field of Certificate, Issued By- <issuer > field of Certificate, Valid From, Valid To*- same as system browser date format* etc

Downloading the Intermediate CA Certificate

Clicking on Download, downloads the entire certificate chain as .p7b file and a success message is displayed - 'Certificate Chain of Trust for the given Intermediate CA certificate is downloaded successfully'.

Note: For expired status, 'Download Certificate Chain' button will be disabled in View Root Certificate page / Tabular View page.

On clicking the .p7b file from local system, the certificate hierarchy of the intermediate CA certificate is present where its corresponding root certificate is also downloaded.

[Upload Intermediate Certificate]{.mark}

To upload the Intermediate CA certificate, carry out the same steps of Root CA Certificate upload.

Note for Intermediate CA Certificate:

• The Subject of the root certificate matches the Issuer of the intermediate certificate.

• Issued To and Issued By are different as the Intermediate CA certificate is signed by the Root CA.

• Intermediate certificate must expire before its root certificate.

• Validity of Root CA Certificate > Intermediate CA Certificate > CA Signed Partner Certificate

• Sequence of Upload: Root CA Certificate (by Partner Admin)→ Intermediate CA Certificate (by Partner Admin) → CA signed Partner Certificate (by Partner)

Partners

As a Partner Admin you can view the list of all partners who have enrolled to PMS portal by clicking on the Partners card on dashboard or side panel, hamburger menu.

This [card]{.mark} / [Section]{.mark} has the following features:

1. View

• List view of partner detail (Action menu: View, Deactivate)

• Details view of individual Partner an the certificate details

1. Download original Partner Certificate and MOSIP Signed certificate

2. Deactivate Partner

Note: Deactivate option appears disabled if the partner is already deactivated.

View Partner Details

Click on a row item or use the view option in action menu you come to 'Partner Details Page' to view the Partner Details such as Partner type, Organisation name, First Name, Last Name, Phone Number, Email Address, Policy Group (If partner is of the type 'Authentication Partner'). Partner certificate details are also visible.

Download original certificate / MOSIP Signed certificate

The admin can download original certificate / MOSIP Signed certificate as and when necessary.

Notes:

The download functionality of following certificates is possible only during following instances:

• This button is enabled only for Activated partner record of which the certificate is already uploaded.

• This button is disabled for deactivated partner records/partner records whose partner certificate is not uploaded yet.

• If Original Certificate / MOSIP Signed Certificate is expired then on clicking respective menu items in the button-dropdown an appropriate error message is displayed.

On downloading the Original / MOSIP Signed certificate, a success message appears.

Deactivate a Partner

To deactivate a partner, click on Deactivate option in action menu. A popup window appears seeking for confirmation from the partner.

After confirming deactivation, the respective record is greyed out in the tabular view. The action menu here appears enabled with only 'View' option after deactivation and Deactivate in action menu is disabled.

Note: After deactivation, the View partners page will display the following-

1. 'Deactivated' status

2. Certificate section is greyed out with and download button is disabled.

The deactivated partner will not be able to create or utilize any of the services in their PMS portal (For e.g. no new transactions will work such as creation of OIDC Client , API Key etc).

Known Issue: Even after partner deactivation, partner is able to access the existing transactions in their PMS portal such as

1. Existing OIDC client ids are still operational for Authentication Partner.

2. Existing API keys are still operational for Authentication Partner.

3. SBI / Devices / FTM - trust validation does not fail even after partner deactivation.

Policies

You can use the 'Policies' section/card for creation and management of Policy Group, Authentication Policy, Datashare, You should have privileges of both; Partner Admin and Policy Manager.

This [card]{.mark} / [Section]{.mark} is accessible to you only if both Partner Admin and Policy Manager roles are configured / allocated which, from the UI, for the card to appear in the dashboard.

Policies has theree tabs

• **Policy Group, (This tab is selected by default)

• Authentication Policy,

• Datashare Policy

Policy Group

• Create Policy Group

• View Policy Group

  • List view

  • Details View

• Deactivate Policy Group

Authentication Policy

• Create Authentication Policy (by mapping to an already created Policy Group)

• View Authentication Policy

  • List view

  • Details View

• Deactivate Authentication Policy

• Clone Authentication Policy

• Edit Authentication Policy (Which is in draft status)

• Publish Authentication Policy (Which is in draft status so that the status changes to 'Activated')

Datashare Policy

• Create Datashare Policy

• View Datashare Policy:

  1. List view

  2. Details view

• Deactivate Datashare Policy

• Clone Datashare Policy

• Edit Datashare Policy (Which is in draft status)

• Publish Datashare Policy (Which is in draft status so that the status changes to 'Activated')

Policy Group

List View - Policy Groups

All the policy groups created so far by Partner Admin / Policy Manager are displayed on 'List of Policy Groups' page.

Details View - Policy Group

Admin can either click on 'Go Back' to redirect to 'List of Policy Groups' page as shown below or click on 'Home' to navigate back to Home page/ dashboard.

The options provided in 'Action menu are: View, Deactivate.

Clicking on View in action menu or by clicking the row item itself, admin is navigated to View Policy Group page where the policy group details are displayed along with its status: Activated or Deactivated.

Create Policy Group

On clicking the 'Create Policy Group' option on the top right of the screen, we can create a Policy Group by providing suitable name and description that is self explanatory for partners, who would be selecting them during Partner Policy Request to create API Key / OIDC Client [etc]{.mark}.

On click of Submit, a success message appears.

Deactivate Policy Group

If the admin wants to deactivate the Policy Group, then click on Deactivate option in action menu.

A popup window appears seeking for confirmation before proceeding to deactivate.

After confirming deactivation, the respective record is greyed out in the tabular view.

The action menu here [should be]{.mark} enabled with only View option. (Deactivate in action menu is disabled).

After deactivation, the View policy group page MOSIP-36963 will display 'Deactivated' status

Once the policy group is deactivated by Policy Manager, the partner will not be able to fetch this policy group in any of the screens in their [PMS portal]{.mark}.

Note:

Policy Group cannot be deactivated if there are active or draft policies associated to the given policy group.

If the Policy Group has active or draft policy / policies associated to it, then on clicking Confirm, following error message is displayed along with the count of such policies -

a) In case of Active and Draft policies associated to Policy Group:

b) In case of Active policies associated to Policy Group:

c) In case of Draft policies associated to policy group:

Authentication Policy / Datashare Policy:

• On clicking Authentication Policy tab, List of all previously created Authentication Policies are displayed.

• On clicking Datashare Policy tab, List of all previously created Datashare Policies are displayed.

Note:

The steps and features are same for both Authentication and Datashare Policy.

Policies can have the following status - Draft, Activated or Deactivated.

1. Only Draft or Activated row items are clickable which [navigates]{.mark} to View Authentication Policy details.

2. Action - Action menu displays a common menu item (View, Clone, Deactivate) with only the following menu items enabled for clicking based on below statuses:

   1. Draft: Publish, View, Edit

   2. Activated: View , Clone , Deactivate

   3. Deactivated: View

Create Authentication Policy

On clicking 'Create Authentication Policy' button, Partner Admin / Policy manager is navigated to Create Authentication Policy page where details such as policy group, policy name, description etc will have to be entered.

Note:

Only active policy groups are available in the policy group dropdown.

Click on the upload button to upload policy data. Only json files are allowed for upload.

Before saving the policy in draft, the policy data can be edited in the text area after policy data json file has been successfully uploaded.

On clicking on Save as Draft, following success message appears.

On clicking 'Go Back', admin is navigated back to List view where the policy is saved as 'draft' status.

The Edit option provided to Draft policy can be used by admin to make any changes in the policy details (except policy group) before publishing the policy.

On submitting after making required changes, a success message appears.

To publish policy which is currently in draft status, click on 'publish' option in action menu. A popup window appears seeking for confirmation to publish.

On clicking Publish, a success message appears . Click on close to close the window.

The given policy changes to 'Activated' status after being published. Once activated, the admin cannot edit the policy, hence the option is disabled.

Clone Policy

To clone any active policy onto another policy group, click on 'clone' in action menu. A popup window appears to select the policy group where the policy has to be cloned.

On selecting the policy group where policy has to be cloned, click on Clone and a success message appears.

Click on Close to navigate back to List of Authentication Policies screen.

Deactivate Policy

To deactivate a policy, click on Deactivate option in action menu of any activated policy record. A popup window appears seeking for confirmation.

Note:

If the Policy has active partners associated to it i.e. there are Approved partner policy requests, then on clicking Confirm, following error message is displayed and the admin will be restricted to deactivate such policy groups.

Note:

1. Policy can be deactivated if there are no policy requests associated with this policy

2. Policy can be deactivated if there are Rejected policy requests associated with this policy.

3. Policy cannot be deactivated if there are pending policy requests associated with this policy. In this case , following error message is displayed- '<title> Error: Partner - Policy Request Detected! <Description> Pending policy requests are associated with this policy. Please take appropriate action in List of Partner Policy Linking screen'

4. Once the policy is deactivated by partner admin/policy manager, the partner will not be able to fetch this policy in any of the screens in their PMS portal.

Viewing Policy

On clicking View option of any policy or by clicking the row item itself, admin is navigated to View Authentication Policy where policy details can be viewed. Also click on preview to view the policy data in json format.

On clicking preview, policy data can be viewed in json format and an option to Download the data in local system is provided.

Partner - Policy Linking:

The features provided to Partner Admin:

1. Approve/ Reject Policy requested by partner - clicking on 'Approve/ Reject' option in action menu of a policy record whose status is in pending for approval

2. Tabular view of Policies requested by partners along with the status

3. View individual policy request details : Either on clicking on view option in action menu of any of the active policy request in the tabular view or by clicking on the row item itself, it navigates to View Policy Request details page.

All the policy requests created by various partners are displayed in 'List of Partner - Partner Linkages' . The different statuses possible are: Pending for Approval, Approved, Rejected, Deactivated.

The options provided for policy linking requests in 'Pending for Approval' are to Approve/ Reject. Also an option to view the policy request details is also provided.

On clicking the Approve/ Reject option, the window appears - and partner admin can click on either Approve or Reject to take appropriate action

The status- Approved / Rejected gets updated in the tabular view.

On clicking view of active record or the row item itself, the partner- policy linking view page is displayed along with comment history where partner comments and admin's approval status is displayed.

SBI - Device:

This card is exclusively used to manage Device Provider's requests on SBI and Device creation.

1. The 'SBI-Devices' option will have the following features:

   1. 2 Tabs- SBI and Device are displayed. SBI tab view is selected by default

SBI features

• Tabular view of SBIs created by Device Providers along with the status

• Approve/ Reject SBIs on clicking Approve/Reject in action menu of Pending for Approval records

• View submitted SBI details : Either on clicking on view option in action menu of any of the submitted SBI details in the tabular view or by clicking on the active row item itself, it navigates to View SBI details page

• Deactivate an SBI on clicking Deactivate option in action item of activated records in Tabular view screen

• Linked Devices of a given SBI can be viewed through a filtered search on the pre-selected SBI

Device features:

• Tabular view of Devices created by Device Providers along with the status

• Approve/ Reject devices on clicking Approve/Reject in action menu of Pending for Approval records

• View submitted Device details : Either on clicking on view option in action menu of any of the submitted API key details in the tabular view or by clicking on the row item itself, it navigates to View device details page

• Deactivate device on clicking Deactivate option in action item of activated records in Tabular view screen

• List of all SBIs created by various different device providers are available here. Any SBIs that are pending for approval can be approved/ rejected

Approve or reject SBI

The SBI can be approved or rejected by partner admin by going to Dashboard → SBI-Device → List of SBIs.

The admin selects on Approve/ Reject option from the given record and chooses appropriate action.

On approval, the status changes to 'Approved' and on rejection, the status changes to 'Rejected'

To view any individual records, click on View option in the action menu.

To approve or reject an SBI, select the approve / reject option in action menu.

The approved / rejected status is updated on the tabular view.

To know the list of linked devices associated to this SBI, click on the linked devices count in the tabular view or in the individual view page.

Deactivate SBI

To deactivate an SBI, click on Deactivate option in action menu. An alert appears seeking for confirmation. Also admin is informed how the linked devices will be impacted after SBI deactivation.

After confirming Deactivation: the respective SBI record is greyed out and the status is displayed as 'Deactivated'.

Impact on linked devices after SBI deactivation

Impact on linked devices after SBI deactivation is as below

1. All approved device records are displayed in 'Deactivated' status and those row items being greyed out. The action menu in such records should be enabled with only View option. (Deactivate in action menu is disabled)

2. The devices of which the status was 'Pending for Approval' before SBI deactivation will now be displayed with 'Rejected' status.

3. Rejected devices will continue to remain in the same status even after SBI deactivation.

Device

View Devices

On clicking 'Devices' tab, List of all Devices submitted so far are displayed.

Approve / Reject Devices

On clicking the action menu of the respective device record, an option 'Approve / Reject' is provided

A popup window appears for the admin to take appropriate action- APPROVE/ REJECT and select the respective button

The status is thus updated accordingly in List of Devices Page as Approved / Rejected based on the above action.

'Pending for Approval' status is displayed when the device request is pending with admin for approval and no action has been taken by admin yet.

Click on view option in action menu or the row item itself (of any active device record) to view the device details individually

Deactivate Device

Click on deactivate option in action menu . A confirmation window appears to proceed for deactivation.

The deactivated device record is greyed out and status is also changed to 'Deactivated'

FTM Chip:

The following features are provided to admin to manager FTM Chip Provider's requests:

• [Tabular view of FTM chip details]{.underline} along with the status of approval

• [Approve/ Reject]{.underline} FTM chip details submitted by FTM Chip Providers

• [View FTM details]{.underline} : Either on clicking on view option in action menu of active FTM Chip details in the tabular view or by clicking on the row item itself, it navigates to View FTM details page

• [Download FTM Chip Certificate]{.underline} : On clicking on Download option within FTM Chip Certificate section in 'View FTM Chip Certificate' page, then originally uploaded FTM Chip certificate can be downloaded

• [Deactivate FTM detail]{.underline} : On clicking on 'Deactivate' option in action menu of approved records in Tabular view of FTM details screen, the respective FTM detail along with its certificate will be deactivated.

View FTP Chip Details

The List of FTM Chip details displays all FTM Chip details created by FTM Chip Provider

The admin navigates to 'List of FTM Chip details' page where list of all FTM Chip records submitted so far by different FTM Chip providers are displayed.

Approve / Reject FTM Chip

On clicking the action menu of the respective FTM Chip record, an option 'Approve/ Reject' is provided

A popup window appears for the admin to take appropriate action- APPROVE/ REJECT and select the respective button

The status is thus updated accordingly in List of Devices Page as Approved / Rejected based on the above action.

Note: 'Pending for Approval' status is displayed when the FTM Chip request is pending with admin for approval and no action has been taken by admin yet.

View Details of FTM Chip

To view FTM Chip details indivudally, click on View option in action menu

Download FTM Chip Certificate

To download the FTM Chip Certificate uploaded by FTM Chip Provider, click on download button.

To deactivate an FTM Chip record, click on Deactivate option in action menu and a confirmation popup appears.

The deactivated FTM Chip record is greyed out after deactivation.

Authentication Services:

The screen will have the following features:

1. [Two tabs namely OIDC Client and API key]{.underline} are displayed. OIDC Client tab view is selected by default [as shown in UXD]{.mark}.

OIDC Client

• [Tabular view of OIDC clients created by partners]{.underline} along with the status

• [View submitted OIDC Client details]{.underline} : Either on clicking on view option in action menu of any of the submitted OIDC details in the tabular view or by clicking on the row item itself, it navigates to View OIDC Client details page

• [Deactivate]{.underline} an OIDC Client on clicking Deactivate option in action item of activated records in Tabular view screen

API Key

• [Tabular view of API keys]{.underline} [generated by partners]{.underline} along with the status

• [View submitted API Key details]{.underline} : Either on clicking on view option in action menu of any of the submitted API key details in the tabular view or by clicking on the row item itself, it navigates to View API key details page

• [Deactivate]{.underline} API key on clicking Deactivate option in action item of activated records in Tabular view screen

OIDC Client

View OIDC Clients

Within OIDC Client tab, all OIDC Clients created by various Authentication partners are displayed.

For Activated records → the action menu has two options: View, Deactivate

For Deactivated records → the action menu is enabled with only 1 option: View, Deactivate.

On clicking view option in action menu, the admin is redirected to View OIDC Client details page.

Deactivate OIDC Client:

On clicking view option in action menu, the admin is redirected to View OIDC Client details page.