Version: 2.0.0

Administration

IAMS provides a set of APIs to manage identity and access control. IAMS also provides a Web Administration Console, IAMS-Web, that lets you perform administration tasks through a Web UI.

You can use the IAMS-Web container image as-is, or customize the UI to suit your project's needs. The source code for IAMS-Web can be found on the IAMS-Web Release Page.

IAMS-Web uses the APIs to handle administration tasks, so the concepts explained below apply to both the APIs and IAMS-Web.

Each realm has two default system roles:

  • system-admin
  • tenant-admin

Users with the system-admin role can perform all administrative tasks within the realm, while users with the tenant-admin role can only perform administrative tasks pertaining to the tenants they have been assigned to administer.

A user must be a member of a tenant in order to be assigned the tenant-admin role for that tenant. A user can be a member of multiple tenants and hence be tenant-admin of multiple tenants.

IAMS provides APIs to manage the following:

  • User
  • Tenant
  • Role
  • Group
  • Resource
  • Scope
  • Permission

Please refer to the API documentation for more information.

Note: you will need read access to the AGIL Ops Hub private repository to download the API documentation.

If you have deployed IAMS locally, you can also access the APIs via the following link:

http://iams-aas.127.0.0.1.nip.io/swagger-ui/index.html

The following table documents which tasks users with the system-admin and tenant-admin roles can invoke:

| Administration Task | system-admin | tenant-admin | Restriction for tenant-admin |
|---|---|---|---|
| User Management | | | |
| List users | ✔️ | ✔️ | |
| Create user | ✔️ | | |
| Delete user | ✔️ | | |
| Update user | ✔️ | | |
| Get user | ✔️ | ✔️ | |
| Tenant Management | | | |
| List tenants | ✔️ | ✔️ | Only returns tenants the user administers. |
| Create tenant | ✔️ | | |
| Create tenant | ✔️ | ✔️ | Only returns tenants the user administers. |
| Delete tenant | ✔️ | ✔️ | Only returns tenants the user administers. |
| Get tenant | ✔️ | ✔️ | Only for tenants the user administers. |
| Tenant Memberships Management | | | |
| List members of a tenant | ✔️ | ✔️ | Only for tenants the user administers. |
| Add user as member to tenant | ✔️ | ✔️ | Only for tenants the user administers. |
| Remove user from tenant | ✔️ | ✔️ | Only for tenants the user administers. |
| List memberships of user | ✔️ | | |
| List users not member of tenant | ✔️ | ✔️ | Only for tenants the user administers. |
| System Administrator Management | | | |
| Assign user the system-admin role | ✔️ | | |
| Un-assign user the system-admin role | ✔️ | | |
| List users with the system-admin role | ✔️ | | |
| Tenant Administrator Management | | | |
| List all users with the tenant-admin role | ✔️ | ✔️ | Only for tenants the user administers. |
| Assign user as tenant-admin | ✔️ | ✔️ | Only for tenants the user administers. The assignee must be a member of the tenant. |
| Un-assign user as tenant-admin | ✔️ | ✔️ | Only for tenants the user administers. |
| Tenant Group Management | | | |
| List top-level tenant groups | ✔️ | ✔️ | Only for tenants the user administers. |
| Create top-level tenant group | ✔️ | ✔️ | Only for tenants the user administers. |
| List subgroups of a group | ✔️ | ✔️ | Only for tenants the user administers. |
| Create subgroup in a group | ✔️ | ✔️ | Only for tenants the user administers. |
| Get group | ✔️ | ✔️ | Only for tenants the user administers. |
| Delete group | ✔️ | ✔️ | Only for tenants the user administers. |
| Add user to group | ✔️ | ✔️ | Only for tenants the user administers. |
| Remove user from group | ✔️ | ✔️ | Only for tenants the user administers. |
| List users in group | ✔️ | ✔️ | Only for tenants the user administers. |
| List groups a user is in | ✔️ | ✔️ | Only for tenants the user administers. |
| List roles assigned to group | ✔️ | ✔️ | Only for tenants the user administers. |
| Assign role to group | ✔️ | ✔️ | Only for tenants the user administers. |
| Un-assign role from group | ✔️ | ✔️ | Only for tenants the user administers. |
| List roles that can be assigned to group | ✔️ | ✔️ | Only for tenants the user administers. |
| Tenant Role Management | | | |
| List roles in tenant | ✔️ | ✔️ | Only for tenants the user administers. |
| Create a role | ✔️ | ✔️ | Only for tenants the user administers. |
| Delete role | ✔️ | ✔️ | Only for tenants the user administers. |
| List users assigned a role | ✔️ | ✔️ | Only for tenants the user administers. |
| Assign users a role | ✔️ | ✔️ | Only for tenants the user administers. |
| Un-assign users from a role | ✔️ | ✔️ | Only for tenants the user administers. |
| List users that can be assigned a role | ✔️ | ✔️ | Only for tenants the user administers. |
| List roles assigned to user | ✔️ | ✔️ | Only for tenants the user administers. |
| Assign roles to user | ✔️ | ✔️ | Only for tenants the user administers. |
| Un-assign roles from user | ✔️ | ✔️ | Only for tenants the user administers. |
| List roles that can be assigned to user | ✔️ | ✔️ | Only for tenants the user administers. |
| Tenant Scope Management | | | |
| List all scopes | ✔️ | ✔️ | Only for tenants the user administers. |
| Create a scope | ✔️ | ✔️ | Only for tenants the user administers. |
| Delete scope | ✔️ | ✔️ | Only for tenants the user administers. |
| Update scope | ✔️ | ✔️ | Only for tenants the user administers. |
| List resources with scope | ✔️ | ✔️ | Only for tenants the user administers. |
| Tenant Resource Management | | | |
| List all resources | ✔️ | ✔️ | Only for tenants the user administers. |
| Create resource | ✔️ | ✔️ | Only for tenants the user administers. |
| Get resource | ✔️ | ✔️ | Only for tenants the user administers. |
| Update resource | ✔️ | ✔️ | Only for tenants the user administers. |
| Delete resource | ✔️ | ✔️ | Only for tenants the user administers. |
| Add scope to resource | ✔️ | ✔️ | Only for tenants the user administers. |
| Remove scope from resource | ✔️ | ✔️ | Only for tenants the user administers. |
| List all resource scopes | ✔️ | ✔️ | Only for tenants the user administers. |
| Tenant Resource Permissions | | | |
| List all users granted scoped access to a resource | ✔️ | ✔️ | Only for tenants the user administers. |
| Grant users scoped access to a resource | ✔️ | ✔️ | Only for tenants the user administers. |
| List all roles granted scoped access to a resource | ✔️ | ✔️ | Only for tenants the user administers. |
| Grant roles scoped access to a resource | ✔️ | ✔️ | Only for tenants the user administers. |
| List all groups granted scoped access to a resource | ✔️ | ✔️ | Only for tenants the user administers. |
| Grant groups scoped access to a resource | ✔️ | ✔️ | Only for tenants the user administers. |
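The role rules described above (system-admin acts realm-wide, tenant-admin only within tenants it administers, and a tenant-admin assignee must already be a member of the tenant), as an added reference model in Python that is not IAMS code: the task names, the User class and the functions are assumptions, and the membership prerequisite is applied to system-admin callers too, since the table states it as a condition on the assignee.

```python
"""Reference model of the admin rules on this page. Added illustration, not IAMS
code: the task names, User class and functions are assumptions; IAMS enforces
the real rules server-side in its APIs."""
from dataclasses import dataclass, field

# Tasks a tenant-admin may perform, but only against a tenant they administer.
TENANT_SCOPED_TASKS = {
    "get_tenant", "delete_tenant", "list_tenant_members", "add_member",
    "remove_member", "list_tenant_admins", "assign_tenant_admin",
    "unassign_tenant_admin", "create_role", "assign_role", "create_group",
    "create_scope", "create_resource", "grant_resource_access",
}
# Tasks both roles may perform realm-wide; every task not listed here or above
# (create/update/delete user, create tenant, system-admin management, list
# memberships of a user) is system-admin only.
REALM_WIDE_TASKS = {"list_users", "get_user"}

@dataclass
class User:
    name: str
    system_admin: bool = False
    memberships: set = field(default_factory=set)  # tenants the user belongs to
    admin_of: set = field(default_factory=set)     # tenants the user administers

def authorize(actor, task, tenant=None, target=None):
    """Return (allowed, reason) for actor invoking task on tenant/target user."""
    if not actor.system_admin:
        if task in TENANT_SCOPED_TASKS:
            if tenant not in actor.admin_of:
                return False, f"{actor.name} is not tenant-admin of {tenant}"
        elif task not in REALM_WIDE_TASKS:
            return False, f"{task} requires the system-admin role"
    # The assignee must already be a member of the tenant to become its
    # tenant-admin; the page states this constraint for both roles.
    if task == "assign_tenant_admin" and tenant not in target.memberships:
        return False, f"{target.name} is not a member of {tenant}"
    return True, "ok"

def assign_tenant_admin(actor, target, tenant):
    """Grant target the tenant-admin role for tenant if actor is allowed to."""
    allowed, reason = authorize(actor, "assign_tenant_admin", tenant, target)
    if allowed:
        target.admin_of.add(tenant)
    return allowed, reason

def visible_tenants(actor, all_tenants):
    """'List tenants': system-admin sees all, tenant-admin only what they administer."""
    return set(all_tenants) if actor.system_admin else set(all_tenants) & actor.admin_of
```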

Set up User Account

Some modules require the user account to be assigned to a tenant, so you'll need to configure certain settings accordingly.

Create a New User Account

If you already have an account but have not assigned a tenant to it yet, go to the section Assign the User Account to a Tenant below.

  1. Open a browser and access IAMS-Web.

  2. Log in to IAMS-Web with an account that has the Add User permission.

  3. After login you will be redirected to the Users page; if not, click on the Users menu item in the side menu.

(Screenshot: Select Users Menu)

  4. Next, click on the Add user button.

(Screenshot: Add User Button)

  5. In the Add user form, enter the following:
  • Username – the desired username of the account. In the example below, myadmin is used.
  • Password – the desired password for the account.

(Screenshot: Add User Basic Section)

  6. Click on the Next button to move to the Memberships tab.

  7. Select the tenant you want to assign to the account. In the example below, development is used.

(Screenshot: Add User Membership Section)

  8. (Optional) Check the Tenant Admin option in the Permission section if you want to set the Tenant Admin role for the account.

(Screenshot: Set User Permission Section)

  9. Click on the Next button to move to the Review and Create tab to review your account's information.

(Screenshot: Review)

  10. Click the Create button.

(Screenshot: Create User)

Assign the User Account to a Tenant

Use this procedure to assign an existing account to a tenant.

  1. Open a browser and access IAMS-Web.

  2. Log in to IAMS-Web with an account that has the Add to Tenant permission.

  3. After login, click on the Tenants menu item in the side menu.

(Screenshot: Select Tenants Menu)

  4. Click on the tenant you want.

(Screenshot: Select Tenant)

  5. Click on the Select Users button.

(Screenshot: Select User Button)

  6. Check the boxes of the user accounts you want to add to the tenant in the left column.

(Screenshot: Select User)

  7. Click on Confirm to complete the process.

(Screenshot: Confirm Button)