Version 34

work in progress

Description

The Account Service offers operations to manage a CollectionSpace account. To access the CollectionSpace services securely, a user must have an account in the system. An account is associated with an identity. The identity can reside either in the [collectionspace:CollectionSpace Identity Provider (CSIP)], which is the default identity provider, or in a foreign identity provider such as CalNet or an OpenID provider.

In release 0.4, only CSIP is supported.

Key Concepts

A CollectionSpace user's identity can reside in the default identity provider or in a foreign identity provider. The Account Service manages an identity only if that identity is stored in the realm managed by the default identity provider; in other words, the Account Service also provides identity management functions for the default identity provider, and none for foreign providers.

Relationships

The following describes the relationship between an Account, a Person and a User in the [default identity provider].

  • An account is associated with exactly one person.
  • An account can be associated with one or more tenants.
  • An account is always associated with exactly one user identity. That identity can be managed by CSIP or by a 3rd-party identity provider.

Assumptions

  1. Tenant provisioning has already taken place before any account is provisioned for that tenant.
  2. When a tenant is provisioned, an administrator account for it is provisioned out of band (without using the Account Service).
  3. The Account Service is not a management interface for 3rd-party identity providers.

Account Provisioning


Every user of CollectionSpace must complete a registration (signup) process. This process is called account provisioning. During it, in addition to the usual user-specific attributes such as screen name, user id, password (only for the [default id provider]), email, etc., the system explicitly asks the user for tenant-specific information, namely the unique tenant id and name. It is possible to associate the user with multiple tenants (e.g. all of BNHM). On successful completion of the request, the system creates an entry for the user in its [Accounts] database and associates that user with the tenant(s).

How is tenant-specific information obtained?

The tenant-specific information is made available to the user by the tenant. It is assumed that the tenant has already been provisioned in CollectionSpace.

Approval

If a user is registered by a tenant administrator, no approval is needed during account provisioning. If instead the user is self-registering, the tenant's approval is required before account provisioning can complete. On successful approval (due process) by the tenant administrator(s), the user is associated with the respective tenant(s). Note that it must also be possible for a tenant administrator to associate an already registered user with the tenant.

Account Provisioning Scenarios

This section describes how accounts are provisioned in CollectionSpace. There are two scenarios:

  1. Account for a user managed by CollectionSpace's default identity provider (CSIP)
  2. Account for a user managed by a 3rd-party identity provider such as CalNet, LDAP, an OpenID provider, etc.

User managed by the CollectionSpace identity provider (CSIP)

  1. The [account create (POST)] request from the service consumer provides the account information, including the user id and one or more tenant ids with which the user is to be associated.
  2. The Account Service creates the account.
  3. The Person Service is called to create the person.
  4. The Account Service registers the user id and password with CSIP.
  5. The Account Service associates the user id with each of the tenant ids provided.

User managed by a 3rd-party identity provider

  1. The [account create (POST)] request from the service consumer provides the account information, including the user id and one or more tenant ids with which the user is to be associated.
  2. The Account Service creates the account.
  3. The Person Service is called to create the person.
  4. The Account Service associates the user id with each of the tenant ids provided. No credential is registered, since the identity is managed outside CollectionSpace.
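The following is an added example, not CollectionSpace code, that models the two provisioning scenarios above together with the approval rule from the Account Provisioning section. The class names (AccountService, PersonService, Csip, TenantRegistry), the request field names and the sample tenant and users are assumptions made for the illustration. It enforces the page's three assumptions in code: a tenant must exist before an account is associated with it, a CSIP-managed account registers a password (stored only as a salted PBKDF2 hash) while a request for a foreign-IdP user must not carry one, and self-registered associations stay pending until a tenant administrator approves them.

```python
"""Hypothetical model of CollectionSpace account provisioning (added example,
not project code). All class and field names below are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


class ProvisioningError(Exception):
    """A request that violates one of the page's assumptions."""


@dataclass
class TenantRegistry:
    """Assumption 1: tenants exist before any account is provisioned for them."""
    tenants: dict = field(default_factory=dict)      # tenant_id -> name
    memberships: dict = field(default_factory=dict)  # (user_id, tenant_id) -> status

    def require(self, tenant_id):
        if tenant_id not in self.tenants:
            raise ProvisioningError(f"tenant {tenant_id!r} is not provisioned")


@dataclass
class Csip:
    """Default identity provider: keeps a salted password hash, never the password."""
    creds: dict = field(default_factory=dict)  # user_id -> (salt, digest)

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, user_id, password):
        if user_id in self.creds:
            raise ProvisioningError(f"user {user_id!r} already registered with CSIP")
        salt = os.urandom(16)
        self.creds[user_id] = (salt, self._digest(password, salt))

    def verify(self, user_id, password):
        salt, digest = self.creds[user_id]
        return hmac.compare_digest(self._digest(password, salt), digest)


@dataclass
class PersonService:
    """System of record for personIds (see Issues)."""
    people: dict = field(default_factory=dict)

    def create(self, screen_name, email):
        person_id = f"person-{len(self.people) + 1}"
        self.people[person_id] = {"screenName": screen_name, "email": email}
        return person_id


@dataclass
class AccountService:
    tenants: TenantRegistry
    csip: Csip
    persons: PersonService
    accounts: dict = field(default_factory=dict)

    def create(self, request, created_by_tenant_admin=False):
        """Handle an account-create (POST) request given as a dict."""
        user_id, tenant_ids = request["userId"], request["tenantIds"]
        if not tenant_ids:
            raise ProvisioningError("an account needs at least one tenant")
        for tid in tenant_ids:
            self.tenants.require(tid)
        if user_id in self.accounts:
            raise ProvisioningError(f"account {user_id!r} already exists")
        idp = request.get("identityProvider", "CSIP")
        password = request.get("password")
        # Assumption 3: no credential handling for a foreign identity provider.
        if idp == "CSIP" and not password:
            raise ProvisioningError("CSIP-managed accounts require a password")
        if idp != "CSIP" and password is not None:
            raise ProvisioningError("no password allowed for a foreign identity provider")
        # Steps 2 and 3: create the account, then the person it points at.
        person_id = self.persons.create(request["screenName"], request["email"])
        self.accounts[user_id] = {"userId": user_id, "personId": person_id,
                                  "identityProvider": idp, "tenantIds": list(tenant_ids)}
        if idp == "CSIP":          # Step 4, CSIP scenario only.
            self.csip.register(user_id, password)
        # Final step in both scenarios: self-registrations wait for approval.
        status = "active" if created_by_tenant_admin else "pending_approval"
        for tid in tenant_ids:
            self.tenants.memberships[(user_id, tid)] = status
        return self.accounts[user_id]

    def approve(self, user_id, tenant_id):
        """Tenant administrator approval completes a self-registered association."""
        if (user_id, tenant_id) not in self.tenants.memberships:
            raise ProvisioningError("no association to approve")
        self.tenants.memberships[(user_id, tenant_id)] = "active"

    def status(self, user_id, tenant_id):
        return self.tenants.memberships.get((user_id, tenant_id))


def rejects(svc, request, **kw):
    """True if the service refuses the request (used to exercise the guards)."""
    try:
        svc.create(request, **kw)
        return False
    except ProvisioningError:
        return True


def demo():
    """Run both scenarios against constructed sample data."""
    svc = AccountService(TenantRegistry(tenants={"bnhm-mvz": "MVZ"}), Csip(), PersonService())
    svc.create({"userId": "alice", "screenName": "Alice", "email": "alice@example.org",
                "password": "correct horse battery staple", "tenantIds": ["bnhm-mvz"]})
    svc.create({"userId": "bob@calnet", "screenName": "Bob", "email": "bob@example.org",
                "identityProvider": "CalNet", "tenantIds": ["bnhm-mvz"]},
               created_by_tenant_admin=True)
    return svc
```

In this model the CSIP path is the only place a password is ever seen, and it is hashed immediately; the foreign-IdP path refuses a password outright rather than silently discarding it, so a misconfigured client cannot leak a CalNet credential into the CollectionSpace database.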

Issues

  • The Person Service is the System of Record (SOR), or authoritative data source, for personIds.
  • The SOR for systemIds is TBD.

References

  1. [collectionspace:Authentication Service Description and Assumptions]
  2. [collectionspace:CollectionSpace Identity Provider (CSIP)]
  3. [Design notes for multi-tenancy in CollectionSpace]

Questions
