Role-based authorization
Role-based authorization enables customer management of users and their roles independently from Payment Feature Services. Role-based authorization has a user registry that is not part of Payment Feature Services. This authorization is optional and does not replace the current model. Customers must select the implementation that best fits their business needs.
The primary configuration points are users, groups, and permissions. In this model, a user is defined and assigned to one or many groups. Each group has a set of permissions.
For role-based authorization, the customer is responsible for providing the user ID, any optional attributes, and all mandatory user attributes necessary to define the user to Payment Feature Services. The customer must also define the roles that are assigned to the user. Each role must match a group name that is defined in Payment Feature Services. Following a successful user sign-on, Payment Feature Services adds the user to the user repository and assigns them to groups. After the user is assigned to groups, the user interface is displayed according to the permissions assigned to the roles. If the user ID is already defined, an update might occur if any user information changed. If the roles for the user changed, the user is removed from their old roles and configured for the new ones.
A new user exit, which is called when the user is authenticated, is provided. The user exit populates the
user definition object (LoginDefinition). The information used to populate the object can be
obtained by the user exit from the HTTP header. Additionally, the user exit can make a remote call to fetch
other user attributes from a remote repository or use defaults to populate fields common across all users.
Information from the user object is used to create the user and assign them to a set of groups (roles).
The property used to configure the login user exit class for role-based authorization is login user exit.
The only user administration that is done by a customer that is using role-based authorization, is to delete the stale users from the repository. The presence of users in the repository does not preclude any user authentication to the system.
| User attribute name | Description | Required |
|---|---|---|
| User ID | User ID | Yes |
| First Name | Given name of the user | No |
| Last Name | Surname of the user | No |
| Email address | Email address | No |
| Phone number | Phone number | No |
| Language Locale | Preferred language for the user | Yes |
| Format Locale | Determines the way times and dates are formatted and presented to the user. When a user enters a date and time, it must match the format locale for the account. | Yes |
| Time zone | Time zone of the user. When a user is presented a time, it usually matches the time zone of the user. | Yes |
| Roles | Must map to the group name defined in Payment Feature Services. Each user can have one or many roles. The maximum size of each role name is 32 characters. | Yes |