BP03B – Onboarding of a new data space - Participant End-User
To help understand the content of this document, readers should familiarize themselves with the key definitions and actors.
Overview

This Business Process covers the configuration of the User and Roles module of Simpl-Open.
It includes the following main steps:
- Configure roles: the Participant's User and Roles Manager manages the roles that should be available in the Participant's Simpl-Open Agent;
- Configure Identity Provider Federation: if needed, the Participant's User and Roles Manager configures the federation between an external Identity Provider (an Identity Provider not belonging to Simpl-Open Agent, such as the organisation's private IDP or third-party IDP like eIDAS, EU Login, etc.) and the Simpl-Open Identity Provider;
- Manage end users: the Participant's User and Roles Manager manages the users that should be available in the Participant's Simpl-Open Agent.
Actors
The actor involved in this business process is referred to as the Participant, and can correspond to an End-User or Representative of the:
- Consumer
- Provider
- Governance Authority
Assumptions
The following assumptions are made:
- The Participant has installed the Simpl-Open agent, and default users and roles are available for usage.
Prerequisites
The following prerequisites must be fulfilled:
- Governance Authority configured and ready for operations: The Governance Authority has defined the onboarding procedure and identity attributes relevant for the data space (Business Process 2).
- Participant onboarded: The Participant onboarding has been completed, and the Participant is fully onboarded (Business Process 3A).
Details
The following shows the detailed business process diagram and gives the step descriptions.

Trigger participant configuration
The Participant initiates the configuration of the agent.
BP03B.01 Configure roles
The Participant's Tier 1 User Roles Manager configures the roles to be used by the participant agent. As a part of the process, they map all the relevant Identity Attributes assigned to the participant by the Governance Authority to their respective user roles. After the configuration, roles are available to be assigned to end users. Role configuration features consist of several actions, such as:
- Role creation - a new role is created in the Participant's Agent
- Role update - one or more role attributes of an existing role are modified; Simpl-Open checks if the role can be safely updated
- Role cancellation - a role is deleted; before the action, Simpl-Open checks if the role can be safely deleted
BP03B.02 Configure identity provider federation
The Participant's Tier 1 User Roles Manager configures the federation between an external Identity Provider (an Identity Provider not belonging to Simpl-Open Agent, such as the organisation's private IDP or third-party IDP like eIDAS, EU Login, etc.) and the Simpl-Open Identity Provider. Through this federation, existing users within the participant's organisation can log into Simpl-Open. This step is not mandatory, and federation will be configured only if the organisation owning the Participant chooses to use an existing external or third-party IDP.
BP03B.03 Manage end user
The Participant's Tier 1 User Roles Manager manages the users of the Participant's Simpl-Open Agent. As a part of the configuration, they assign a role or a set of roles, created with BP03C.01, to the end users. User management features consist of several actions, such as:
- User account creation - a new end user is created in the Participant's Agent, including the assignment of initial roles
- User account update - one or more user attributes of an existing user are modified, including the assignment of roles
- User account cancellation - an end user is deleted; before the action, Simpl-Open checks if the user can be safely deleted
- User account inactivation - an end user is inactivated; the end user still exists on Simpl-Open, but it can't be used for further logins.
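The role and user lifecycle of BP03B.01 and BP03B.03, sketched as an added example that is not Simpl-Open code. The class, method and attribute names are hypothetical, and "safely deleted" is assumed here to mean that no user still holds the role.

```python
# Added illustration; class and method names are hypothetical, not Simpl-Open APIs.
from dataclasses import dataclass, field


class UnsafeChange(Exception):
    """Raised when a role or user operation fails its safety check."""


@dataclass
class Agent:
    granted_attributes: set                      # identity attributes assigned by the Governance Authority
    roles: dict = field(default_factory=dict)    # role name -> set of identity attributes
    users: dict = field(default_factory=dict)    # user name -> {"roles": set, "active": bool}

    def create_role(self, name, attributes):
        extra = set(attributes) - self.granted_attributes
        if extra:  # a role may only map attributes the participant actually holds
            raise UnsafeChange(f"attributes not granted to participant: {sorted(extra)}")
        self.roles[name] = set(attributes)

    def delete_role(self, name):
        holders = sorted(u for u, rec in self.users.items() if name in rec["roles"])
        if holders:  # assumed meaning of "safely deleted": no user still holds the role
            raise UnsafeChange(f"role {name!r} still assigned to {holders}")
        del self.roles[name]

    def create_user(self, name, roles):
        unknown = set(roles) - set(self.roles)
        if unknown:
            raise UnsafeChange(f"unknown roles: {sorted(unknown)}")
        self.users[name] = {"roles": set(roles), "active": True}

    def inactivate_user(self, name):
        self.users[name]["active"] = False       # account is kept, only logins are blocked

    def can_login(self, name):
        rec = self.users.get(name)
        return bool(rec and rec["active"])

    def effective_attributes(self, name):
        rec = self.users[name]
        if not rec["active"]:                    # an inactivated user carries no permissions
            return set()
        return set().union(*(self.roles[r] for r in rec["roles"]))
```
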
Outcomes
Participant's User and Roles Configured: Participant's Agent User and Roles module is configured, and Tier 1 users can start logging in to perform operations within the Agent.
| Business Process | Status: Proposed |
High Level Requirements
3B.1 - Access control - end users to agent
Simpl shall support Role-based Access Control (RBAC).
3B.2 - Access control - roles management
Simpl shall support the management of end users to be...
3B.3 - Manage users and permissions
Simpl shall provide support to the new participant for the registration ...
3B.4 - Federated authentication
Simpl shall support authentication systems coming from trusted service ...
Moderator note: Comments are from the previous discussion platform.
Submitted by Luis Carlos BU… on Mon, 25/03/2024 - 14:34
The Description of the high-level requirement should also include provision for the possible withdrawal of participants in Dataspaces. Also, the middleware will provide the tools for easy identification of dead users and participants.
Submitted by Mark Dietrich on Thu, 04/07/2024 - 14:16
Luis mentions withdrawal. There must also be procedures for "sanction" and possible "removal" of non-compliant participants from a Data Space.
In reply to Luis mentions withdrawal. … by Mark Dietrich
Submitted by Rick Santbergen on Thu, 25/07/2024 - 10:28
Hi Mark, at the moment there is no “sanction” procedure foreseen to be implemented as software functionality and in any case every Dataspace Governance Authority will manage it outside Simpl-Open.
Submitted by Andreas Eisenrauch on Fri, 16/08/2024 - 11:02
I am not sure if the human end users are really relevant for the data space governance authority. I have doubts that they will acquire connectors for getting an airline's flight schedule or a museum catalogue directly from the source. Instead, they will register to applications (developed in use case projects) provided by corporate participants, which retrieve the data from partners in the DS. I think this item has no high priority at least.