
Identity Management

Idea

The Identity Management Service manages tenants, users and groups within the MindSphere platform. It enables customers to access the User Accounts and Authentication (UAA) service used within MindSphere for identity management and authorization.

Access

To access this service, you need the respective roles listed in Identity Management roles and scopes.

Basics

Tenants

A tenant is an organization-specific logical environment for your data. A tenant typically represents a legal entity, such as a company or corporation. MindSphere is a multi-tenant architecture.

A tenant comprises up to two zones for identity management and access control:

  • User zone
    Each tenant has a user zone. It enables users of the tenant to log in and use applications the company has subscribed to. Administrators of tenants can manage the users and assign roles in the user zone to provide users with access to subscribed applications.

  • Provider zone
    The provider zone represents an additional environment required for web application and API development and operation. Each DevOps plan tenant has an additional provider zone, which stores all information related to access management required for either development or operations (e.g., roles, permissions, applications, technical users).

As tenant names are global resources, they must be unique across all MindSphere tenants.

Each user tenant needs to define at least one administrator for managing the users and roles of this tenant.

Users and Groups

Every tenant has its own users and has roles available depending on the applications it is subscribed to. A role represents a grouping of permissions required to access an application. User and role management in MindSphere follows the SCIM standard (System for Cross-domain Identity Management) by modeling roles as SCIM groups.

Currently, within the user zone, SCIM groups are only used to represent roles.

In addition, SCIM groups may represent user groups (for managing sets of users), data groups (for managing end customer access to data, assets, etc.) and permissions (for managing more fine-grained access to resources, only within the provider zone of a tenant).

Roles and Scopes

The following information is relevant for tenants with a provider zone only.

If you expose an API for your web application, scopes define the application-specific permissions. Scope names typically reflect these permissions in a syntax like:

{apiName}.{permission/action}

The following list shows examples of the CRUD permissions of an IoT service:

  • iot.c (permission to create objects in IoT)
  • iot.r (permission to read objects in IoT)
  • iot.u (permission to update objects in IoT)
  • iot.d (permission to delete objects in IoT)

Scopes are mapped to a specific role. A role name has the following syntax:

mdsp:{tenantName}:{application/apiName}.{roleName/action}

Thus, all scopes above could be mapped to a role called

mdsp:core:iot.admin

Application-specific roles and scopes are defined in provider tenants and can be managed within the developer cockpit application. See also HowTo Cloud Foundry application.
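The two naming conventions above are easy to get wrong at the point where an API handler decides whether a caller may act. The following added example (hypothetical helper code, not part of MindSphere or this page) parses scope and role names according to the syntax given on this page, maps the IoT CRUD scopes onto the mdsp:core:iot.admin role, and performs a deny-by-default authorization check. The role-to-scope table, the extra mdsp:core:iot.reader role and the rule that a role only counts for the tenant named in it are constructed for the example; the optional "{apiName}." part of the role pattern lets core roles such as mdsp:core:StandardUser (used in the scenario later on this page) parse as well.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Added example: hypothetical helpers, not MindSphere code. The patterns encode the
# naming syntax given on this page:
#   scope: {apiName}.{permission/action}
#   role:  mdsp:{tenantName}:{application/apiName}.{roleName/action}
# The "{application/apiName}." part is optional so that core roles such as
# mdsp:core:StandardUser also parse.
SCOPE_RE = re.compile(r"^(?P<api>[A-Za-z0-9_-]+)\.(?P<action>[A-Za-z0-9_-]+)$")
ROLE_RE = re.compile(
    r"^mdsp:(?P<tenant>[A-Za-z0-9_-]+):(?:(?P<api>[A-Za-z0-9_-]+)\.)?(?P<role>[A-Za-z0-9_-]+)$"
)


@dataclass(frozen=True)
class Scope:
    api: str
    action: str


@dataclass(frozen=True)
class Role:
    tenant: str
    api: Optional[str]
    name: str


def parse_scope(text: str) -> Scope:
    m = SCOPE_RE.match(text)
    if not m:
        raise ValueError(f"malformed scope name: {text!r}")
    return Scope(m["api"], m["action"])


def parse_role(text: str) -> Role:
    m = ROLE_RE.match(text)
    if not m:
        raise ValueError(f"malformed role name: {text!r}")
    return Role(m["tenant"], m["api"], m["role"])


# Constructed mapping for the IoT example on this page: the admin role bundles all
# four CRUD scopes; a hypothetical reader role carries only iot.r.
ROLE_SCOPES = {
    "mdsp:core:iot.admin": frozenset({"iot.c", "iot.r", "iot.u", "iot.d"}),
    "mdsp:core:iot.reader": frozenset({"iot.r"}),
}


def effective_scopes(roles: Iterable[str], tenant: str) -> frozenset:
    """Union of the scopes granted by the roles that belong to `tenant`.

    Example policy: a role name carries its tenant, so roles of another tenant are
    ignored, and roles missing from the mapping grant nothing (deny by default).
    """
    granted = set()
    for r in roles:
        role = parse_role(r)  # malformed names are rejected, not silently skipped
        if role.tenant != tenant:
            continue
        granted |= ROLE_SCOPES.get(r, frozenset())
    return frozenset(granted)


def is_allowed(roles: Iterable[str], tenant: str, required_scope: str) -> bool:
    """Authorization check an API handler would run before a CRUD operation."""
    required = parse_scope(required_scope)  # validate input before the lookup
    return f"{required.api}.{required.action}" in effective_scopes(roles, tenant)


if __name__ == "__main__":
    token_roles = ["mdsp:core:StandardUser", "mdsp:core:iot.admin"]
    for scope in ("iot.r", "iot.d"):
        print(scope, "->", "allow" if is_allowed(token_roles, "core", scope) else "deny")
```

Keeping the mapping explicit and failing closed on unknown or malformed names means that a new role added in the developer cockpit grants nothing in your API until you deliberately map its scopes.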

OAuth Client

The following information is relevant for tenants with a provider zone only.

An OAuth client (also called technical user) allows your application to acquire a token to access protected resources without requiring an interactive user to be currently using your application.

An OAuth client is useful, for example, for doing regular background activities (batch activities) within your application or if your application is not hosted behind MindSphere Gateway and therefore does not find interactive user tokens in request headers. OAuth clients are defined within the provider zone of your tenant and comprise a client ID and client secret, which allow it to obtain a token using the client credentials grant (RFC 6749).

OAuth clients for your provider tenant can be acquired as described in the HowTo self-hosted application.
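The client credentials grant referenced above is a short exchange, but the details that matter for a batch job (where the secret goes, how long the token lives, whether the server narrowed the requested scopes) are easy to skip. The following added example is not MindSphere code and does not use the MindSphere SDK; it builds the RFC 6749 section 4.4 request with HTTP Basic client authentication, validates the section 5.1 response, and caches the token until shortly before expiry. The token endpoint URL, the environment variable names and the iot.r scope are placeholders or assumptions; the response strings in the test are constructed.

```python
import base64
import json
import os
import time
from dataclasses import dataclass
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Placeholder: the page does not state the token endpoint; substitute your tenant's.
TOKEN_ENDPOINT = "https://TOKEN-ENDPOINT-PLACEHOLDER/oauth/token"


def build_token_request(client_id: str, client_secret: str, scopes=()):
    """Return (headers, form_body) for an RFC 6749 section 4.4 client credentials grant.

    The client authenticates with HTTP Basic (section 2.3.1), so the secret travels
    only in the Authorization header of a TLS request, never in a URL or a log line.
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    form = {"grant_type": "client_credentials"}
    if scopes:
        form["scope"] = " ".join(scopes)  # scope values are space-delimited (section 3.3)
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return headers, urlencode(form)


@dataclass
class CachedToken:
    access_token: str
    scopes: frozenset
    expires_at: float  # epoch seconds

    def valid(self, now=None, margin=30.0) -> bool:
        """True while the token has more than `margin` seconds of life left."""
        now = time.time() if now is None else now
        return now + margin < self.expires_at


def parse_token_response(raw: str, requested=(), now=None) -> CachedToken:
    """Validate a section 5.1 token response; raise instead of using a doubtful token."""
    now = time.time() if now is None else now
    data = json.loads(raw)
    if "error" in data:  # section 5.2 error response, e.g. invalid_client
        raise RuntimeError(f"token request failed: {data['error']}")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise RuntimeError(f"unexpected token_type {data.get('token_type')!r}")
    # 'scope' may be omitted when it equals what was requested (section 5.1).
    granted = frozenset(data.get("scope", " ".join(requested)).split())
    missing = set(requested) - granted
    if missing:
        # The server MAY narrow the scope (section 3.3). A batch job should stop here
        # rather than run with fewer permissions than it was written for.
        raise RuntimeError(f"scopes not granted: {sorted(missing)}")
    # Without expires_in the lifetime is unknown: treat it as expired so it is never cached.
    lifetime = float(data.get("expires_in", 0))
    return CachedToken(data["access_token"], granted, now + lifetime)


_cache = {}  # (endpoint, client_id, scopes) -> CachedToken


def get_token(client_id, client_secret, scopes=(), endpoint=TOKEN_ENDPOINT, timeout=10):
    """Fetch a token, reusing a cached one until it is close to expiry."""
    if not endpoint.startswith("https://"):
        raise ValueError("client credentials must only be sent over TLS")
    key = (endpoint, client_id, tuple(scopes))
    cached = _cache.get(key)
    if cached and cached.valid():
        return cached
    headers, body = build_token_request(client_id, client_secret, scopes)
    req = Request(endpoint, data=body.encode(), headers=headers, method="POST")
    with urlopen(req, timeout=timeout) as resp:
        token = parse_token_response(resp.read().decode(), requested=scopes)
    _cache[key] = token
    return token


if __name__ == "__main__":
    # Assumed environment variable names; the secret never appears in source or output.
    tok = get_token(os.environ["OAUTH_CLIENT_ID"], os.environ["OAUTH_CLIENT_SECRET"], ["iot.r"])
    print(f"token valid for ~{int(tok.expires_at - time.time())}s, scopes={sorted(tok.scopes)}")
```

Requesting only the scopes the job needs (here a single read scope) keeps a leaked token's blast radius small, and refusing a narrowed grant makes a misconfigured client fail at start-up instead of half-way through a batch run.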

Features

The Identity Management Service exposes its API for realizing the following tasks:

  • List all users of a tenant
  • Create, get, update, delete users of a tenant
  • Get all roles assigned to the own user
  • List all SCIM groups of the user zone of a tenant
  • Create, get, update, delete SCIM groups of the user zone of a tenant
  • List, add, remove members of a SCIM group of the user zone of a tenant

Example Scenario

The administrator of a brewery wants to prepare the tenant for the new developers of their web application.

Use the Identity Management Service to populate the tenant with new users and assign them the roles required for development (e.g., mdsp:core:StandardUser, mdsp:core:Developer).
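Because roles are SCIM groups (see Users and Groups above), the scenario above comes down to two SCIM operations: create a User resource per developer, then add the new user IDs to the members of the groups named mdsp:core:StandardUser and mdsp:core:Developer. The following added example is not MindSphere code and does not call the real Identity Management API; it builds the SCIM 2.0 payloads (RFC 7643 User resource, RFC 7644 PatchOp) and runs them against a constructed in-memory stand-in so the flow can be executed offline. The brewery user names, the extra mdsp:core:Admin group and the InMemoryScim class are constructed for the example.

```python
import uuid

# SCIM 2.0 schema URNs (RFC 7643 / RFC 7644)
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def scim_user(user_name: str, given: str, family: str, email: str) -> dict:
    """SCIM User resource as sent in a POST /Users request."""
    return {
        "schemas": [USER_SCHEMA],
        "userName": user_name,
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "primary": True}],
        "active": True,
    }


def add_members_patch(user_ids) -> dict:
    """PatchOp that adds users to a group's 'members' attribute (PATCH /Groups/{id})."""
    return {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "add", "path": "members",
                        "value": [{"value": uid} for uid in user_ids]}],
    }


class InMemoryScim:
    """Constructed stand-in for the SCIM endpoints; resources live in dicts."""

    def __init__(self, role_names):
        self.users = {}  # id -> User resource
        self.groups = {name: {"schemas": [GROUP_SCHEMA], "id": str(uuid.uuid4()),
                              "displayName": name, "members": []} for name in role_names}

    def find_user(self, user_name):
        return next((u for u in self.users.values()
                     if u["userName"].lower() == user_name.lower()), None)

    def create_user(self, payload):
        if self.find_user(payload["userName"]):
            raise ValueError(f"userName already exists: {payload['userName']}")  # SCIM 409
        user = dict(payload, id=str(uuid.uuid4()))
        self.users[user["id"]] = user
        return user

    def patch_group(self, display_name, patch):
        group = self.groups[display_name]  # KeyError: role not available in this tenant
        for op in patch["Operations"]:
            if op["op"] != "add" or op["path"] != "members":
                raise ValueError("only 'add' to 'members' is modelled here")
            for member in op["value"]:
                if member["value"] not in self.users:
                    raise ValueError(f"unknown user id {member['value']}")
                if all(m["value"] != member["value"] for m in group["members"]):
                    group["members"].append({"value": member["value"]})
        return group

    def roles_of(self, user_name):
        uid = self.find_user(user_name)["id"]
        return sorted(name for name, g in self.groups.items()
                      if any(m["value"] == uid for m in g["members"]))


def provision(scim, new_users, roles):
    """Create the users that do not exist yet, then add all of them to each role group.

    Re-running with the same input is harmless: existing users are reused and
    membership is not duplicated, which matters when a batch run is retried.
    """
    ids = []
    for payload in new_users:
        existing = scim.find_user(payload["userName"])
        ids.append((existing or scim.create_user(payload))["id"])
    for role in roles:
        scim.patch_group(role, add_members_patch(ids))
    return ids


if __name__ == "__main__":
    tenant = InMemoryScim(["mdsp:core:StandardUser", "mdsp:core:Developer", "mdsp:core:Admin"])
    devs = [scim_user("ada@brewery.example", "Ada", "Lovelace", "ada@brewery.example"),
            scim_user("grace@brewery.example", "Grace", "Hopper", "grace@brewery.example")]
    provision(tenant, devs, ["mdsp:core:StandardUser", "mdsp:core:Developer"])
    for d in devs:
        print(d["userName"], "->", tenant.roles_of(d["userName"]))
```

Assigning exactly the two roles the scenario names, and nothing more, is the least-privilege outcome: the developers can log in and develop, but membership of administrative groups such as the constructed mdsp:core:Admin stays empty unless an administrator adds it deliberately.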

Except where otherwise noted, content on this site is licensed under the MindSphere Development License Agreement.