Administration

Stephen Hurwit edited this page Aug 24, 2022 · 4 revisions

The Core BB manages many administrative components of the system. There are several concepts and strategies that are used to handle these administrative users and features.

Admins

Admins are users who are granted additional privileges for use in Admin Authorization. There are several types of Admins defined within the Core BB.

Application Admins

Application Admins are users who are granted permissions to perform some administrative function(s) within a specific Standard Application. These Admins are restricted to performing actions within the Application/Organization that they are a member of. Administrative functions intended for these admins are exposed on the /services path of Services, indicating that they are intended to be called from a Standard Application, and are protected with the relevant Permissions.

Organization Admins

Organization Admins are users who are granted access to organizational administrative tools and functions available in Admin Applications. These admins will receive cross-application access to manage configurations and settings that impact the entire organization through APIs exposed on the /admin path by Services. These APIs will require that the user's Access Token contain the "admin" flag claim, as well as the relevant Permissions.

System Admins

System Admins are users with the highest level of authorization in the Rokwire ecosystem. They are able to perform cross-organizational administrative actions to configure the settings of the Rokwire services. System Admins may also make use of tools in Admin Applications that are designed for this purpose. The APIs that allow such actions are exposed on the /system path by Services. These APIs will require that the user's Access Token contain the "system" flag claim, as well as the relevant Permissions.
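The path rules for the three admin types can be expressed as a single fail-closed check. The following Go sketch is an added example, not the Core BB's own code: the `Claims` struct, the `Authorize` function, the sample paths and the permission name are all hypothetical, and it assumes the token has already been validated and that paths are relative to the service root.

```go
package main

import (
	"fmt"
	"strings"
)

// Claims is a hypothetical, simplified view of a validated Access Token.
// Field names are assumptions for this example, not the Core BB's types.
type Claims struct {
	Admin       bool     // the "admin" flag claim
	System      bool     // the "system" flag claim
	Permissions []string // Permissions granted to the user
}

// Authorize applies the rules described above: /services needs only the
// Permission, /admin also needs the "admin" flag, /system the "system" flag.
// The first path segment is compared exactly, so "/administrator" does not
// match "/admin", and any unknown segment is denied.
func Authorize(path string, c Claims, required string) error {
	seg := strings.SplitN(strings.TrimPrefix(path, "/"), "/", 2)[0]
	switch seg {
	case "services":
		// no flag claim required, only the Permission checked below
	case "admin":
		if !c.Admin {
			return fmt.Errorf("%s: token lacks the admin flag claim", path)
		}
	case "system":
		if !c.System {
			return fmt.Errorf("%s: token lacks the system flag claim", path)
		}
	default:
		return fmt.Errorf("%s: no authorization rule for this path", path)
	}
	for _, p := range c.Permissions {
		if p == required {
			return nil
		}
	}
	return fmt.Errorf("%s: missing permission %q", path, required)
}

func main() {
	// Constructed sample: an Organization Admin holding one Permission.
	orgAdmin := Claims{Admin: true, Permissions: []string{"example_permission"}}
	fmt.Println(Authorize("/admin/configs", orgAdmin, "example_permission"))
	fmt.Println(Authorize("/system/configs", orgAdmin, "example_permission"))
}
```

The flag claim and the Permission are checked independently, so holding a Permission without the matching flag is not enough on /admin or /system.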

Very few System Admins should exist at any given time since these users have the ability to perform many potentially dangerous actions. However, at least one System Admin must exist at all times. This ensures that there is always one user with the full administrative privileges necessary to perform initial system configuration, or make changes to any of these configurations at a later time.

When the Core BB is first run, it will automatically create a "system" Organization, an initial "admin" Application, and an Account for the first System Admin. The following environment variables must be configured for this initial run. If the initial setup has already been completed, these variables will be ignored.

  • ROKWIRE_CORE_SYSTEM_APP_TYPE_IDENTIFIER - The Application Type Identifier for the new System admin app to be created.
  • ROKWIRE_CORE_SYSTEM_APP_TYPE_NAME - The name of the Application Type for the new System admin app to be created.
  • ROKWIRE_CORE_SYSTEM_API_KEY - The API Key to be associated with the new System admin app to be created.
  • ROKWIRE_CORE_SYSTEM_ACCOUNT_EMAIL - The email address to be used for Email Authentication for the new System Admin Account.
  • ROKWIRE_CORE_SYSTEM_ACCOUNT_PASSWORD - The password to be used for Email Authentication for the new System Admin Account.

Upon successful completion of this initial setup, the identifiers for the new system components will be printed to the logs. In addition to the values supplied in the environment variables above, the System Organization ID will need to be retrieved from these logs to sign in.
