... | ... | @@ -55,7 +55,7 @@ All groups and permissions are unique at the data partition level, meaning grant |
When a data partition is provisioned, corresponding group is created: **_users_** (e.g., _users@instance.osdu.opengroup.org_).
Group named _users_ contains all the identities that are allowed access to the data partition in question. When a contract is created in DELFI, we create the corresponding data partition in the Data Ecosystem and all user identities are added to the users group of the corresponding data partition.
Group named _users_ contains all the identities that are allowed access to the data partition in question. When a contract is created in ISV SaaS, we create the corresponding data partition in the Data Ecosystem and all user identities are added to the users group of the corresponding data partition.
### <a name="header">Relevant Data Ecosystem headers</a>
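Review bot: the renamed line (DELFI to ISV SaaS) introduces "ISV SaaS" and "contract" without saying what they are, and the unchanged example above it, `users@instance.osdu.opengroup.org`, omits the `{data-partition-id}` component that the rest of the document puts in front of the domain; expand or link the term on first use and make the example group name match the `users@{data-partition-id}.instance.osdu.opengroup.org` form so a reader can see that the users group is per partition, which is the property the sentence is relying on ("all the identities that are allowed access to the data partition in question").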
... | ... | @@ -87,8 +87,8 @@ The SAuth service ID needs to be whitelisted by the Data Ecosystem support team, |
Entitlements service also requires users or services to have the following authorization to access the APIs. Users' authorization is automatically granted if they are added to the proper contract. For new users, authorization is granted instantly. For existing users, changes to the contract or department are synced every 8 hours. For service account authorization, please contact the Data Ecosystem team via [Teams](#https://teams.microsoft.com/l/channel/19%3ad1e17837859f41748ffb264c6a444171%40thread.skype/Entitlements?groupId=bf1bf782-ae93-466e-acad-0db33222b783&tenantId=41ff26dc-250f-4b13-8981-739be8610c21).
- **Valid data partition member** - Entitlements service checks whether the member ID from the Authorization header consisting of JWT belongs to users@{data-partition-id}.delfi.slb.com, where {data-partition-id} information is received from slb-data-partition-id header.
- **Valid entitlements service user** - Entitlements service checks whether the member ID from Authorization header consisting of JWT belongs to service.entitlements.user@{data-partition-id}.delfi.slb.com, where {data-partition-id} information is received from slb-data-partition-id header.
- **Valid data partition member** - Entitlements service checks whether the member ID from the Authorization header consisting of JWT belongs to users@{data-partition-id}.instance.osdu.opengroup.org, where {data-partition-id} information is received from slb-data-partition-id header.
- **Valid entitlements service user** - Entitlements service checks whether the member ID from Authorization header consisting of JWT belongs to service.entitlements.user@{data-partition-id}.instance.osdu.opengroup.org, where {data-partition-id} information is received from slb-data-partition-id header.
#### <a name="serviceAuthorization">Service authorization</a>
Service authorization is used to establish if the client or service calling another service has a proper permission to invoke the service. This means that the clients or services must provide JWT to identify itself to the Data Ecosystem API it is calling. This token should be provided in the Authorization header. Specifically, if service is calling another service that service must provide valid SAuth token for the service account it uses to identify itself to the Data Ecosystem API it is calling.
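Review bot: the two rewritten bullets change the group domain from `delfi.slb.com` to `instance.osdu.opengroup.org` but keep reading the partition from the `slb-data-partition-id` header, so the rename looks incomplete; either rename the header in the same change or state that the vendor-prefixed header name is intentionally retained. While here, both bullets describe trusting "the member ID from the Authorization header consisting of JWT" without saying that the token is validated first (signature, issuer, audience, expiry) before its subject is looked up in `users@{data-partition-id}...` or `service.entitlements.user@{data-partition-id}...`; a one-line statement of that precondition would make the authorization model clear to integrators, and the Service authorization paragraph could cross-reference it instead of restating the JWT requirement. Finally, the surrounding context line links support as `[Teams](#https://teams.microsoft.com/...)`: the leading `#` turns the URL into an in-page anchor, so the link does not open the channel; drop the `#`.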