
Common Uses of WISE-PaaS SSO
2018 09 28
Wenwen Zhou
WISE-PaaS SRE
Agenda
 Tenant creates a user
 Tenant manages a user’s role
 Tenant manages the SRP scope of a user
 Tenant invites the users of another Tenant
 User statuses
 Tenant disables or enables a user
SSO user roles
 admin
– An admin has the highest level of privilege, authorized to manage all
organizations, tenants, and developers. But to safeguard tenants’
resources, the admin is not allowed to access their apps.

 tenant
– A tenant manages at least one organization, as well as the user
accounts, apps, and services of the organization.

 developer
– The main task of a developer is to build apps. This role is created by a
tenant and can manage services within authorized spaces.
SSO user roles (cont.)
 srpUser
– This role is created for, and managed by, apps. An app uses srpUser accounts to manage the
identities of all WISE-PaaS users who use it, and assigns those users its scope to grant them
access.

 To log in to an app, a user must obtain its scope.

 A tenant, developer, or srpUser can be given a scope.

 A scope applies across different organizations. As long as a user has
the scopes of apps in other organizations, the user can log in to those
apps.
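The scope rules above (login to an app requires that app's scope; tenant, developer and srpUser accounts can hold scopes; a scope works across organizations; admin is barred from apps) can be modeled as a small policy check. The following is an added illustration, not Advantech's SSO code: the dataclasses, the `status` field and its "disabled" value, the scope strings and the organization names are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass(frozen=True)
class App:
    name: str
    org: str     # organization that owns the app
    scope: str   # the scope the app hands out to grant login (assumed naming)


@dataclass
class User:
    name: str
    role: str                      # admin | tenant | developer | srpUser
    org: Optional[str] = None      # home organization (None for admin)
    scopes: Set[str] = field(default_factory=set)
    status: str = "active"         # active | processing | failed | disabled (assumed field)


SCOPE_HOLDERS = {"tenant", "developer", "srpUser"}   # roles that can be given a scope


def can_login_to_app(user: User, app: App) -> bool:
    """Return True if `user` may log in to `app` under the rules on this page."""
    # Admin manages orgs, tenants and developers but is barred from tenants' apps.
    if user.role == "admin":
        return False
    if user.role not in SCOPE_HOLDERS:
        return False
    # Assumption: only an active account can log in; processing, failed and
    # disabled accounts cannot.
    if user.status != "active":
        return False
    # The decisive check is the scope grant. The user's org and the app's org are
    # deliberately NOT compared, because a scope applies across organizations.
    return app.scope in user.scopes


def grant_scope(user: User, app: App) -> None:
    """Model an app (or a tenant via the portal) assigning its scope to a user."""
    if user.role not in SCOPE_HOLDERS:
        raise ValueError(f"role {user.role!r} cannot be given a scope")
    user.scopes.add(app.scope)


# Constructed sample data (not from the page): two organizations, one app each.
APP_A = App(name="dashboard", org="org-a", scope="dashboard.user")
APP_B = App(name="reporting", org="org-b", scope="reporting.user")

ADMIN = User(name="root", role="admin")
DEV_A = User(name="alice", role="developer", org="org-a")
DEV_NOSCOPE = User(name="bob", role="developer", org="org-a")
DEV_DISABLED = User(name="carol", role="developer", org="org-a", status="disabled")

grant_scope(DEV_A, APP_A)
grant_scope(DEV_A, APP_B)        # scope of an app in another organization
grant_scope(DEV_DISABLED, APP_A)


def demo() -> dict:
    """Evaluate the sample users against the sample apps."""
    return {
        "alice_app_a": can_login_to_app(DEV_A, APP_A),
        "alice_app_b": can_login_to_app(DEV_A, APP_B),      # cross-org login works
        "admin_app_a": can_login_to_app(ADMIN, APP_A),      # admin is barred
        "bob_app_a": can_login_to_app(DEV_NOSCOPE, APP_A),  # no scope, no login
        "carol_app_a": can_login_to_app(DEV_DISABLED, APP_A),
    }


if __name__ == "__main__":
    for key, allowed in demo().items():
        print(f"{key}: {allowed}")
```

The point of the check is that a resource server relying on this SSO should decide on the scope grant, not on whether the user and the app share an organization; comparing organizations would wrongly reject the cross-org login the page describes.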

The following SSO usage scenarios take place in the Management Portal
and involve a user who has logged in as a tenant.
 Permission table
– Admin can execute all the operations listed.
– srpUser cannot execute the operations listed.
– Tenant and developer differ in the range of operations they are
authorized to execute. (See the table)
Tenant creates a user

 Log in to Management Portal as a tenant

 Accounts->Users->+

 Enter a valid email as the username, and
– Assign a Tenant or Developer role

– Assign to an organization managed by the tenant

 A default password will then be sent to the email address
of the user. Use that password to log in to
Management Portal.
Tenant manages a user’s permission
 Log in to Management Portal as a tenant

 Accounts->Users-> Enter the user name in Fuzzy Search -> Edit

 Add or Remove a role and permission as needed, and

– Assign the Tenant or Developer role

– Assign to an organization managed by the tenant

 Typical scenarios:

– Add or delete a developer-managed scope

– Change a developer to a tenant, or vice versa

In both scenarios a permission change is scoped to a single
organization: remove the existing permission setting and add a different
one.
Tenant manages a user’s scope

 Log in to Management Portal

 Accounts->Users-> Enter the user name in Fuzzy Search ->Edit

 Click [Edit] next to Scope, select Org, Space, or Srp,
and add or remove a permission setting as needed.
– Assign to an organization managed by the tenant
Tenant invites a user from another tenant

 Log in to Management Portal as a tenant

 Accounts->Users->+

 Enter the user’s email, and a notification will pop
up saying “User already exists. Would you like to
invite this user to your org?” Click “sure”
User statuses

 active = The user has been created and its role
successfully assigned.

 processing = A role is being assigned to the user. If the
role is successfully assigned, the user’s status will
change to “active.”

 failed = The role could not be assigned to the user. The
tenant can retry the assignment.
Tenant disables or enables a user

 Log in to Management Portal as a tenant

 Accounts->Users-> Enter the user name in Fuzzy Search -> Edit

 Click “Disable” or “Enable” as needed
