...
To integrate, host of egov-user should be overwritten in helm chart.
Use
/citizen/_createendpoint for creating users into the system. This endpoint requires the user to validate his mobile Number using otp. First otp will be send to his mobile number and then that otp will be send asotpReferencein the request bodyUse
/v1/_searchand/_searchendpoints to search users in the system depending on various search parametersUse
/profile/_updatefor updating the user profile. The user will be validated (either by otp based validation or password validation) when this API is called/users/_createnovalidateand/users/_updatenovalidateare endpoints to create user data into the system without any validations (no otp or password required). They should be strictly used only for creating/updating user’s internally and should not be exposed outsideForgot password: In case the user forgets password it can be reset by first calling
/user-otp/v1/_sendwhich will generate and send otp on employee’s mobile number, the password can then be updated using this otp by calling API/password/nologin/_updatein which new password along with the otp has to be sendUse
/password/_updateto update existing password by logging in. In request body both old and new password has to be sent. Details of the API can be found in the attached swagger documentationUse
/user/oauth/tokenfor generating token,/_logoutfor logout and/_detailsfor getting user information from his tokenMulti Tenant User : The Multi tenant User functionality allows an user to perform actions across multiple ULB’s. For example an employee belonging to Amritsar can perform an role of say Trade License Approver for Jalandhar by assigning a tenant level role of tenantId pb.jalandhar to him. Following is an example of such user:
Code Block { "id": 24226, "uuid": "11t0e02b-0145-4de2-bc42-c97b96264807", "userName": "xyz", "name": "abc", "mobileNumber": "9999999999", "emailId": "abc@gmail.com", "locale": null, "type": "EMPLOYEE", "roles": [ { "name": "Employee", "code": "EMPLOYEE", "tenantId": "pb.amritsar" }, { "name": "TL Approver", "code": "TL_APPROVER", "tenantId": "pb.jalandhar" } ], "active": true, "tenantId": "pb.amritsar" }
If an employee has a role with stateleveltenantIdhe can perform actions corresponding to that role across all tenantsRefresh Token : Whenever the
/user/oauth/tokenis called to generate theaccess_token, along with theaccess_tokenone more token is generated calledrefresh_token. The refresh token is used to generate newaccess_tokenwhenever the existing one expires. Till the time the refresh token is valid the user won’t have to login even if hisaccess_tokenget’s expired, as it will be generated usingrefresh_token. The validity time of the refresh token is configurable and can be configured using the property:refresh.token.validity.in.minutes
User Data Privacy
Mdms configuration for security policy
| Code Block |
|---|
{
"tenantId": "pb",
"moduleName": "DataSecurity",
"SecurityPolicy": [
{
"model": "User",
"uniqueIdentifier": {
"name": "uuid",
"jsonPath": "uuid"
},
"attributes": [
{
"name": "name",
"jsonPath": "name",
"patternId": "002",
"defaultVisibility": "PLAIN"
},
{
"name": "mobileNumber",
"jsonPath": "mobileNumber",
"patternId": "001",
"defaultVisibility": "PLAIN"
},
{
"name": "emailId",
"jsonPath": "emailId",
"patternId": "004",
"defaultVisibility": "PLAIN"
},
{
"name": "username",
"jsonPath": "username",
"patternId": "002",
"defaultVisibility": "PLAIN"
},
{
"name": "altContactNumber",
"jsonPath": "altContactNumber",
"patternId": "001",
"defaultVisibility": "PLAIN"
},
{
"name": "alternatemobilenumber",
"jsonPath": "alternatemobilenumber",
"patternId": "001",
"defaultVisibility": "PLAIN"
},
{
"name": "pan",
"jsonPath": "pan",
"patternId": "001",
"defaultVisibility": "PLAIN"
},
{
"name": "aadhaarNumber",
"jsonPath": "aadhaarNumber",
"patternId": "001",
"defaultVisibility": "PLAIN"
},
{
"name": "guardian",
"jsonPath": "guardian",
"patternId": "002",
"defaultVisibility": "PLAIN"
},
{
"name": "permanentAddress",
"jsonPath": "permanentAddress/address",
"patternId": "003",
"defaultVisibility": "PLAIN"
},
{
"name": "correspondenceAddress",
"jsonPath": "correspondenceAddress/address",
"patternId": "003",
"defaultVisibility": "PLAIN"
},
{
"name": "fatherOrHusbandName",
"jsonPath": "fatherOrHusbandName",
"patternId": "002",
"defaultVisibility": "PLAIN"
},
{
"name": "searchUsername",
"jsonPath": "userName",
"patternId": "002",
"defaultVisibility": "PLAIN"
}
],
"roleBasedDecryptionPolicy": [
{
"roles": [
"PGR_LME",
"GRO"
],
"attributeAccessList": [
{
"attribute": "name",
"firstLevelVisibility": "MASKED",
"secondLevelVisibility": "PLAIN"
},
{
"attribute": "mobileNumber",
"firstLevelVisibility": "MASKED",
"secondLevelVisibility": "PLAIN"
},
{
"attribute": "username",
"firstLevelVisibility": "MASKED",
"secondLevelVisibility": "PLAIN"
},
{
"attribute": "permanentAddress",
"firstLevelVisibility": "MASKED",
"secondLevelVisibility": "PLAIN"
}
]
},
{
"roles": [
"TLCEMP"
],
"attributeAccessList": [
{
"attribute": "mobileNumber",
"firstLevelVisibility": "MASKED",
"secondLevelVisibility": "PLAIN"
}
]
}
]
},
{
"model": "UserSelf",
"uniqueIdentifier": {
"name": "uuid",
"jsonPath": "uuid"
},
"attributes": [
{
"name": "name",
"jsonPath": "name",
"patternId": null,
"defaultVisibility": "PLAIN"
},
{
"name": "mobileNumber",
"jsonPath": "mobileNumber",
"patternId": null,
"defaultVisibility": "PLAIN"
},
{
"name": "emailId",
"jsonPath": "emailId",
"patternId": null,
"defaultVisibility": "PLAIN"
},
{
"name": "username",
"jsonPath": "username",
"patternId": null,
"defaultVisibility": "PLAIN"
},
{
"name": "altContactNumber",
"jsonPath": "altContactNumber",
"patternId": null,
"defaultVisibility": "PLAIN"
},
{
"name": "alternatemobilenumber",
"jsonPath": "alternatemobilenumber",
"patternId": null,
"defaultVisibility": "PLAIN"
},
{
"name": "pan",
"jsonPath": "pan",
"patternId": null,
"defaultVisibility": "PLAIN"
},
{
"name": "aadhaarNumber",
"jsonPath": "aadhaarNumber",
"patternId": null,
"defaultVisibility": "PLAIN"
},
{
"name": "guardian",
"jsonPath": "guardian",
"patternId": null,
"defaultVisibility": "PLAIN"
},
{
"name": "permanentAddress",
"jsonPath": "permanentAddress/address",
"patternId": null,
"defaultVisibility": "PLAIN"
},
{
"name": "correspondenceAddress",
"jsonPath": "correspondenceAddress/address",
"patternId": null,
"defaultVisibility": "PLAIN"
},
{
"name": "fatherOrHusbandName",
"jsonPath": "fatherOrHusbandName",
"patternId": null,
"defaultVisibility": "PLAIN"
}
],
"roleBasedDecryptionPolicy": []
}
]
} |
There are two security policy model for user data, User and UserSelf.
In model User, under field attributescontains list of fields from the User object that needs to be secured and field roleBasedDecryptionPolicy is an attribute-level role-based policy. It will define visibility for each attribute.
UserSelf model contains the same structure of security policy, but User security model is used for Search API response and UserSelf is used for Create / Update API response.
Visibility of the PII data is based on the above mdms configuration. There are three type of visibility mentioned in the config.
PLAIN - Show text in plain form.
MASKED - The returned text will contain masked data. The masking pattern will be applied as defined in the Masking Patterns master data.
NONE - The returned text will not contain any data. It would contain string like “Confidential Information”.
Plain Access Request
| Code Block |
|---|
{
"RequestInfo": {
"plainAccessRequest": {
"recordId": "d5ee3d45-13a1-4aa5-bd86-9b8dae34b900"
"fields": [ "name", "mobileNumber" ]
}
}
}
|
Any user will be able to get plain access to the secured data(citizen’s PII) by requesting through the plainAccessRequest parameter. It takes the following parameters:
recordId- It is the unique identifier of the record that is requested for plain access.fields- It defines a list of attributes that are requested for plain access.
To know more about the encryption policy, refer to document Encryption Service mentioned in Reference Docs.
Reference Docs
Doc Links
Title | Link |
User Data encryption promotion details | |
Encryption Service |
...