Document version (last updated) : 2021, October 14th.
Prerequisite
- A PhenixID Identity Manager (IM) 5.6.6 or later running
- A PhenixID Identity Provisioning (PIP) 5.3.4 or later running
- NOTE: For better understanding of how PIP and PIP communicate using REST Web Service, please read PSD1062.
Overview
This use case demonstrate different use cases where PIM and PIP used to delegate administration for partners/external users. Instead of an organisation should manage the accounts for a partner you can delegated the administration to the partner it self.
- Film to show use case – click me
Use cases included
See screenshots further down in the document.
- Partner User
- Manage private mail and mobile
- Change password
- Partner Admin
- Manage passwords for its own organisation, either individual or reset several/all at the same time
- Manage private mail and mobile for the individual accounts
- Super Admin
- Can manage all Partner Admin accounts. For example reset passwords or change who is the partner admin for a partner.
- Partner Use Case Admin
- Role to setup the demo use case in your own environment (Active Directory)
Configuration
This PSD includes configuration so you can set this up in your own environment. First you need to download a ZIP file that contains a number of files. Open the different files and update them to map your environment, e.g change to your Active Directory name. All explained below.
Use Cases
1. Download and extract configuration ZIP
Download PSD1186.zip from the PSD1186 and extract them on your server.
2. Create a PIM Use Case root folder
All Active Directory objects for all PIM/PIP Use Cases will be created under root of your domain and in an OU called PhenixID IM Use Cases. Copy and paste the name when you create since the use cases requires that it exits.
See screenshoot below.
3. Update PIM with files and configuration
3.1 – Add PIM configuration for use case
- From PSD1186-role folder copy the four folders:
- UC – PartnerDemo – 1 – PartnerUseCaseAdmin
- UC – PartnerDemo – 2 – PartnerUser
- UC – PartnerDemo – 3 – PartnerAdmin
- UC – PartnerDemo – 4 – SuperAdmin
- Paste them to your IM installation and the /role folder.
Example path to role folder ..PhenixID\\IM\\customer\\role - Open each roles DSEditor.properties
- Find and update below parameters to map your environment:
BASEDN=DC=demo,DC=phenixid,DC=net
filter.PIPFilter.URL=http://127.0.0.1:8085 - Save file and restart PhenixID Identity Manager service
- Find and update below parameters to map your environment:
- Use for example Notepad++ to replace for all files in the PIM roles DC=demo,DC=phenixid,DC=net with your AD domain name.
- Restart PIM and try verify that you can login using the four roles.
- Note: All roles are set to AUTH_ROLE_QUERY=cn=* so they will be available to all users. This you need to change by yourself if you like it differently.
3.2 – Running the use case in Swedish (optional)
In the bottom of this document in the Misc section there is the Swedish translation words that you can add to your sv.lang file.
3.3 – Update theme (optional)
If you like the different objects to have different icons images, in the bottom of this document in the Misc section there are some configuration to update the theme.
4. PIP files and configuration
4.1 – Import “PIM UC – Partner demo – PSD1186.aax”
- Open the Identity Provisioning Configurator
- Click File -> Import Objects
- Choose PIM UC – Partner demo – PSD1186.aax from the downloaded files
- Click Import Objects
- Save the PIP configuration
4.2 – Change data source to map your Active Directory
- Open PIP configurator
- Expand Data Sources and click LDAP – PSD1186
- Change the LDAP data source configuration to map you environment
4.3 – Import one Global parameter
- Open PIP configurator
- Click Tools -> Global Parameters -> Import
- Choose PSD1186-GlobalParameters.aax from the downloaded files
- Click Import Objects
- Change for the global parameter PSD1186_PartnerRoot the value DC=demo,DC=phenixid,DC=net to map you environment
- Save the PIP configuration
4.4 – Copy data files to correct location
There are four data files used to setup a demo environment.
- From the downloaded files, open the folder data_files and copy the four *.CSV file to C:\\temp
4.5 – Verify port for PIP web service
- Open PIP configurator
- Click Tools -> Options
- In Web Service, change Port: to map you environment
For this use case we are using 8085 as REST WS port. You can also verify this in each DSEditor.properties for the different use case roles. - Save the PIP configuration
4.6 – Start the PIP web service
Either you start the PIP service or open PIP Configurator and start the Web Service manually and do Run Policy for each policy you run.
5. Test the use cases
Below is a short description how to use the different roles. What they do is explained earlier in this document.
UC – PartnerDemo – 1 – PartnerUseCaseAdmin
This role is the only role that uses PIM and PIP to create and update data. Role 2-4 is only PIM.
For the Partner setup role, login as any account you have in your LDAP directory. For example your own account.
There are three functions in this role:
- Manage partner use case environment
Click the three first option one by one or select all three at once. This will create a root OU called PSD1186_PartnerUseCase and some demo user and group accounts. See below.
The last (fourth) option will remove OU=PSD1186_PartnerUseCase and all inside.
- Show partner users
Verify that the demo user accounts have been created - Show access groups
Verify that the demo group accounts have been created
When logged in to the role it should look like below:
UC – PartnerDemo – 2 – PartnerUser
Login in as one of the partner accounts. For example FrejaOlsen with password Password1. All account has Password1 as password.
A partner can update some data about it self and aslo reset its password.
See below when a partner user is logged in.
UC – PartnerDemo – 3 – PartnerAdmin
Login in as one of the PartnerAdmin, for example AnnEk with password Password1. All account has Password1 as password.
A partner admin can:
- Manage some data for its partner users.
- Reset a password of one of its partner users or all its partner users at once.
- Create new partner accounts for its company
- Manage partner user access
See below when a partner admin is logged in and can see its partner users. For example, AnnEk is PartnerAdmin for ACME.
UC – PartnerDemo – 4 – SuperAdmin
Login in as one of the SuperAdmin. All account has Password1 as password.
SuperAdmin has access to all partner.
SuperAdmin is supposed to be an admin in the company that the various partner account accesses. SuperAdmin can handle all partners, e.g. the partners who do not have a partner admin..
In this demo scenarion there is one account with SuperAdmin privileges and that is HugoAdmin / Password1. See screenshot below.
6. Misc
Swedish translation words
Add the configuration below to your sv.lang file if you like to test the use case with Swedish.
..PhenixID\\IM\\customer\\lang
PIM needs to be restarted after you updated the file.
# Partner use case - PSD1186
Manage partner use case environment=Hantera miljö för partneranvändningsfall
Show partner users=Visa partner användare
Show access groups=Visa partner grupper
Create Partner OU structure= Skapa partner OU-struktur
Provision Users from Partner system= Provisionera användare från partnersystem
Add attributes to Partner objects= Lägg till attribut till partneranvändare
Remove Partner demo structure= Ta bort demostrukturen
Execute=Utför
Email=E-post
If anything above is incorrect, please contact Customer IT.=Om något ovan är felaktigt, kontakta IT.
Access Groups=Accessgrupper
Available Access Group=Tillgängliga accessgrupper
Current Access Groups=Nuvarande accessgrupper
If you click check below all selected account will be enabled.=Om du klickar på kryssrutan nedan aktiveras alla valda konton.
Enable accounts=Aktivera konto
Manage account status=Hantera kontostatus
If anything above is incorrect, please contact Partner Admin.=Om något ovan är felaktigt, kontakta partneradmin.
Manage Users=Hantera användare
Manage Access=Hantera åtkomst
Manage passwords=Hantera lösenord
Manage account status=Hantera kontostatus
Generate New Passwords=Generera nya lösenord
Save Passwords as PDF=Spara lösenord till PDF
Save Passwords as Excel=Spara lösenord till Excel
Confirm Change=Bekräfta ändring
Changes will take immediate upon execution=Ändring träder i kraft omedelbart vid Verkställ!
* All types=* Alla typer
* All companies=* All företag
PartnerAdmin=Partneradministratörer
Partner OU structure was created successfully!<BR>=Partner OU-struktur skapades!<BR>
Example partner user & groups created!<BR>=Exempel partneranvändare och grupper skapade!<BR>
Some data added to partner objects!<BR>=Data har lagts till partnerobjekt!<BR>
Partner OU structure was created successfully!<BR>Example partner user & groups created!<BR>Some data added to partner objects!<BR>=Partner OU-struktur skapades!<BR>Exempel partneranvändare och grupper skapade!<BR>Data har lagts till partnerobjekt!<BR>
Partner Use Case OUs and users was removed!=Partner demo miljön togs bort!
# End of Partner use case - PSD1186
Theme
Add the configuration below to your theme.properties file if you like to test the use case with Swedish.
..PhenixID\\IM\\customer\\theme\\PhenixID
Note: Put the lines at the top of the theme.properties file.
PIM needs to be restarted after you updated the file.
(url\=SuperAdmin)=red-user.png (url\=PartnerAdmin)=grey-user.png (url\=User)=user.png
DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.
PhenixID - support.phenixid.se