Identity and Access Management (IAM) refers to the process of identifying, authenticating, and authorizing the participants that interact with the data exchange hub.
Role-based access control is implemented at two levels:
IAM for Client Gateways: Roles govern each Client Gateway’s access to and permissions within a given application, including the gateway’s ability to interact with the Message Broker, to read and write information within topics, and to authenticate messages so that both sender and recipients are known. IAM for Client Gateways uses a self-sovereign identity framework: each participating actor creates its own decentralized identifier (DID) and uses it to enrol its gateway instance in one or more roles.
IAM for Users: Each participating actor governs internal access to its own Client Gateway by configuring two user types: Admin Users, who have access to the full suite of features, including channel management, API management, and messaging; and Messaging Users, who can only send, view, and acknowledge messages in the Client Gateway UI. IAM for Users uses a conventional username/password framework.
User Guide
Pre-requisites
User logged into Switchboard
An organization was created
An application was created
Create a Role
In the Application Management page, click the action button next to the application to which you want to add a new role
Create role
Fill in the mandatory and optional fields in the Create Role pop-up form
Step 1: New role
Step 2: Set role issuers
Step 3: Set role revokers
Step 4: Set restrictions
Step 5: Set validity period
Step 6: Set requestor fields
Step 7: Set issuer fields
Step 8: Confirm Details
Modify a Role
In the Role Governance page, click the action button next to the role that you want to edit
Edit role
Update the role details as needed; the role name is the only field that cannot be changed
Update role
Request a Role
Once a role has been set up, use the action button to Copy Role Enrolment URL and share the URL with the new user who wishes to enrol
The user will be prompted to sign in using their wallet
Fill in the form and submit. The system then sends the enrolment request to the issuer(s) who were specified for the role when it was created
Enrolment form
Approve/Reject a Role Request
Sign in to Switchboard as an issuer who can approve the requested role
Check the Task Manager in the top navigation for the notification
Task Manager list
The Enrolments screen should display the request from the new user
Enrolment Requests
The View Request pop-up, under the three vertical dots button, shows the requestor, the chosen role, and the fields submitted in the enrolment form. If you approve the request, you issue a verified claim that the new user can add to their DID document and thereby access your application in the appropriate role. Alternatively, you may reject the request
“View Request” pop-up
Revoke a Role
Approved roles may be revoked both on-chain and off-chain. This option is available in the Enrolment Requests tab. Click the "View Request" option under the three vertical dots button to review the request before revoking it.
Revoke a role
Sync Roles to Your DID
Once a role is approved, add the newly issued claim to your DID document so that you hold the credential you need to access the application in the appropriate role. In the My Enrolments tab, use the “Publish” option under the three vertical dots button or under Issuance Status to do this. Until the claim is published, it is not part of your DID document and cannot be presented to the application.