
IAM Description

The identity & access management (IAM) provides functions such as account information management, role permission management, access control management, and log management. The business enabling system (BES) utilizes the IAM to obtain diversified account & identity management, sign-in, authorization, and authentication capabilities that can be opened and shared.

[Figure: the IAM among the other suites: PM, OM, CM, IF, Common, Web CMS, Reporting, CE, SC, Review & Share, Shopping Cart, Omnichannel Frontend...]

1. Overview

1.1 Typical Scenario

Configuring an Employee

Mr. Lee is a newly recruited operator of company A. The system administrator needs to configure an operator's account for him. The system administrator creates an employee account first and then assigns the operator role to the account.

[Figure: the system administrator configures account information for a new employee (Customer name: Mr. Lee; Account: Lee001; Role: operator...). Mr. Lee: "Got my account. I will start working right away."]

Account and Password Authentication

When an operator signs in to the system, the IAM authenticates the operator's account to ensure system security. The authentication checks whether the password is correct, whether the account is normal, and whether the IP address of the operator's computer is within the specified range. The IAM authenticates the account, password, IP address, and MAC address.

[Figure: operator sign-in page of a retail shop (Account: Jack001; Password: ******; Sign In), ending in sign-in success]

1.2 Advantages

1. Support multiple tenants and multiple time zones for solutions.

The multi-tenant scheme implements resource sharing and isolation between multiple tenants. The IAM sets up relationships between tenants and BEs to lay the foundation for the multi-tenant architecture construction. The IAM supports multiple tenants and time zones. The time zone of a BE is determined by the region to which the BE belongs. In addition, the IAM supports BE hierarchy definition, isolation between data and business, and various personalized requirements through configuration. Data such as system parameters and menus can also be instantiated by BE so that each BE can have personalized system parameters and menus.

[Figure: tenants 1 and 2 associated with BEs (BE: 100, BE: 200, BE: 1001, BE: 1002, BE: 1003), OUs, and operators. Resource side: SaaS layer resources (UI, business logic, table object...), PaaS layer resources (container, JVM, ZooKeeper, JetMQ, DCS, BPM, service bus...), IaaS layer resources (host, storage, operating system...). Business side: data isolated by BE (time zone, currency, language, user data, various business data)]

The construction of a system involves the resources of various layers (IaaS, PaaS, and SaaS). The collection of all resources involved in the construction of a system is a tenant. A tenant is a concept defining the resources required for building a system.

2. Provide a customizable and configurable portal framework for embedded third-party systems.

The IAM provides a customizable and configurable portal framework for defining personalized page layouts based on the operators' habits. An operator can switch the theme or skin of the entire system. For embedded third-party systems, the IAM provides the single sign-on (SSO) function.

Tips: SSO is a property of access control over multiple related but independent application systems. With this property, a user signs in once and gains access to all systems that trust each other without being prompted to sign in again at each of them.

3. Provide a flexible data synchronization framework.

The IAM enables data synchronization subscription through mere configuration instead of coding to synchronize business and configuration data of suites to third-party systems.

[Figure: the IAM in the BES synchronizes DB data to a third-party system]

Some sites may have a great service volume and a single database cannot meet the storage requirements. In this case, multiple nodes will be deployed, between which the data synchronization framework will implement data synchronization.

[Figure: new data configured on node 1 is synchronized from DB 1 to DB 2 through a subscription and displayed on node 2]

4. Provide project-based online data configuration capabilities.

The IAM can manage data configured or customized for businesses by project to resolve issues including the archiving of data changed for related s and the separation of the baseline and customization versions. The IAM provides functions of archiving business data, auditing data, and managing configuration permissions to enable instantiation personnel to effectively and efficiently configure and manage data.

5. Authorization and authentication for innumerable users and support for flexible third-party authorization capabilities

The IAM provides end-to-end functions such as identity management and access control for the BES. The IAM also integrates third-party authentication capabilities such as Windows Active Directory (Windows AD) for client security management and Oracle Access Manager (OAM). The IAM uses methods such as expanding database tables and adding servers to provide unified identity management and authorization functions for hundreds of millions of users, covering operators, partners, and end users.

[Figure: hundreds of millions of users (operators, partners, end users) use the sign-in authorization, access control, authentication, and identity mgmt functions of the IAM, which integrates third-party authorization systems (Windows AD, OAM...)]

2. Core Concepts

The following figure shows the IAM OU and employee conceptual model.

[Figure: IAM OU and employee conceptual model relating BE type, OU type, BE, OU, employee, region, time zone, DST, currency, currency unit, exchange rate, address format, and channel type. Legend: "0..n" is a range, in which n and m are variables; a self-referencing link is a tree structure in which an entity contains itself; a two-way link means two entities map each other.]

Core concepts include: administrative region, BE, OU, and employee.

[Figure: example hierarchy of administrative regions (country A, country B...), BEs (branch in country A, branch in country B), OUs (Customer Service Dept, Inventory Dept, E-Care, work team), and employees 1 to 4]

2.1 Administrative Region

Administrative region: administrative region of a country or region. The IAM supports the definition of an administrative region hierarchy that involves levels such as country, state/province, city, and county. The time zone of a BE is determined based on the administrative region.

2.2 BE

A BE refers to any entity that can independently sustain operation, for example, enterprises, limited liability companies, and carriers. BEs are structured hierarchically. An upper-level BE can manage the basic information and organization data of lower-level BEs. A lower-level BE can inherit the information and organization data of the upper-level BE. Data is isolated between BEs of the same level.

E.g. Mobile network services provided by telecom carrier A cover multiple countries, including countries B, C, and D. Telecom carrier A is a mobile virtual network enabler (MVNE) who has established branches and built a mobile network in all these countries. Each branch is a mobile virtual network operator (MVNO) and rents the mobile network from telecom carrier A to provide mobile network services. Each MVNO can configure its own market operation strategies. Data is isolated between the branches. These branches can share public resources provided by telecom carrier A and telecom carrier A can manage the branches.

Tips

MVNE: a company that provides mobile virtual network carriers with support such as billing, NE provision, administration, operations, base station subsystems and operations support systems, and backend NE provision, to mobile network services like mobile phone connectivity.

MVNO: a wireless communications services provider who does not own the wireless network infrastructure over which the MVNO provides services for its customers.

[Figure: BE hierarchy in which telecom carrier A (MVNE) manages information of and shares resources with the MVNOs (telecom carriers in the individual countries), with data isolation between the MVNOs]

2.3 OU

An OU belongs to a BE and the OU type can be department, channel, partner, work team, or others. The sub-OU types under an OU vary depending on the OU type.

E.g. Telecom carrier A creates a BE for the branch in city N. Under the BE, OUs such as departments, channels, and work teams need to be set up. Employees of the branch are assigned to these OUs.

[Figure: OUs of the branch in city N by OU type (department, channel, partner, other, work team), for example Financial Dept, Customer Service Dept, Store, E-Care, Supplier, Complaint dealing organization, Business circle, Customer service team 1, Knowledge mgmt]

2.4 Employee

Employees in the IAM include carrier operators, system administrators, and employees under OUs. Employee information includes individual basic information, role, supervisor, and home OU.

The following figure shows the IAM role and permission conceptual model.

[Figure: IAM role and permission conceptual model, relating employees, partners, users, and customers (N:N) to roles (general role, common role, role template, status, role inheritance, role exclusion) and roles (1:N) to permissions: role assignable permission, role use permission, function permission (resource + operation on menus and buttons: visible, readonly, unavailable), data permission (data source metadata definition, format definition), and permission exclusion]

Role

A role is a set of related permissions. When a role is assigned to an employee, the employee will have all permissions defined for the role. The permissions of employees can be managed through role management. For example, to delete the permission of a type of employees, the permission information can be modified for the role of the employee type.

Function permission

A function permission controls the access to specified graphical user interface (GUI) resources, for example, add, delete, modify, and query menus and buttons. An employee can perform such operations only when the corresponding function permissions are assigned to the role of the employee.

Data permission

A data permission controls access to dynamically instantiated resources, for example, add, delete, modify, and query database table information and data dictionaries. An employee can perform operations on specified data only when the role with the corresponding permission is assigned to the employee.

E.g. A department administrator role is created. The role must have function permissions over the menus of business entities (BEs) and organization units (OUs) commonly accessed by a department administrator, as well as data permission over the OU table recording the data of all OUs. As such, an employee with this role can perform operations on these menus and maintain data in the OU table.

[Figure: an employee (individual basic info; role: department administrator) holds function permissions on the BE menu, OU menu... and a data permission on the OU table in the DB]

3. Architecture

3.1 Functional Architecture

The functional architecture of the IAM is as follows.

[Figure: IAM functional architecture, made up of the web sign-in framework, OU and employee, project-based config framework, data synchronization framework, operation log framework, authentication management, authorization management, and identity mgmt blocks, each with the functions described in the following pages]

OU and employee

Administrative region: Maintains basic administrative region information, including the address format, time zone, daylight saving time (DST), and IP address segment.

BE: Maintains basic BE information, including configuring information such as the default currency and address format based on BE attributes. Each BE is an independent entity that can create OUs in itself.

OU: Maintains basic OU information, including changing the supervisor and adding or deleting employees in an OU, and disabling an OU in the system.

Employee: Maintains basic employee account information, including changing the supervisor of an employee, restricting the IP addresses and MAC addresses that employees can use to sign in, disabling employee accounts, locking or forcing out abnormal employee accounts, and maintaining employee accounts in batches by importing and exporting employee account information.

Currency management: Maintains currency information, including adding a currency type and configuring the currency display format, standard measurement unit and minimum measurement unit, and rules of converting between the standard measurement unit and a non-standard measurement unit. If the currency for payments is different from the currency for settlement between businesses, a currency exchange rate needs to be configured to ensure normal business settlement.

[Figure: currency configuration example showing the type, display format, standard measurement unit, minimum measurement unit (cent), and exchange rate]

Address management: Maintains the content and display format of addresses. For example, the address containing province, city, district, and street information is displayed in two lines.

Holiday: Maintains holiday information. The holidays can vary depending on the region. A region can inherit the holiday configuration data of its upper-level region.

Measurement unit: Maintains measurement unit information. Measurement units under the same system of measurement can be converted between each other based on the conversion rate.

E.g. Measurement type: Weight. Measurement unit: metric system: kilometer; English unit: mile. Conversion rate: Kilometer:Mile 1:1.6.

Web sign-in framework

Sign-in page: Provides personalized settings for the sign-in page. Different themes can be displayed for different BEs or sites.

Sign-in log: Generates employee sign-in/sign-out logs by invoking the sign-in/sign-out/exit log service provided by the IAM. The logs contain information such as the sign-in/sign-out time and IP address.

Site management: Provides a main web framework where layouts (including the main workspace, navigation bar, personal information bar, and toolbar parts) can be customized.

System menu: Maintains the menus of all suites, determines the positions for placing shortcut menus, and specifies data such as the allowed sign-in duration and URLs.

System bulletin: Maintains bulletin information, including publishing specified bulletins to specified OUs. Published bulletins will be played in rotation at the upper left corner of the portal.

[Figure: example portal page with the bulletin title, My Workspace, Sitemap, and Bulletin Maintenance]

Third-party page integration: Provides a framework for connecting to the identity & access management (IAM) or a third-party SSO system to integrate third-party web pages through the SSO system.

Project-based configuration framework

Configuration item management: Maintains configuration items by configuration project, covering configuration item name, business data sources, and package paths.

Project: Maintains configuration project basic information and executes project-related operations such as create, modify, activate, lock/close, export/import, and deploy a project. The change details of each project will be displayed.

Project data log: Provides information such as the project code, operation type, and modification time.

Task management: Provides the function for viewing project construction and deployment task execution.

Construction log: Provides information such as execution time, status, and details of project construction.

Deployment log: Enables the download of task deployment rollback files and supports the viewing of information such as the deployment time, deployment status, and details.

Data synchronization framework

Subscriber: Maintains subscriber information including the subscriber ID, subscriber's address, and user name and password for sending data synchronization authorization requests to subscribers.

Subscription management: Maintains the subscriptions between subscribers and data synchronization objects to specify the subscribers to whom data synchronization objects need to synchronize data.

Synchronization status: Provides synchronization task information such as the execution status, time, and synchronization object and enables manual synchronization of failed tasks.

Operation log framework

Operation log: Enables operation log query by employee ID, operation time, or operation object.

Authentication management

Role: Maintains role basic information, for example, delete or permanently disable invalid roles. A system administrator can configure the function and data permissions of roles, add role inheritance so that a role can inherit the configuration of another role, configure shortcut menus for a role, and view associated role templates. The system administrator can also copy a role directly to add a new role. The role copy has the same configuration as the copied role.

Function permission: Maintains function permission basic information. To describe function permissions in detail, an attachment can be uploaded for reference. If a role cannot have two permissions (for example, offering creation and offering review permission) at the same time in specific scenarios, the function permissions can be configured as mutually exclusive.

Data permission: Manages data permission basic information, for example, deleting expired data permission.

Group/User role management: Provides interfaces for querying and maintaining roles and employees. This function does not provide a GUI.

Authentication service: Provides interfaces for verifying function permissions and data permissions of employee accounts.

Permission comparison: Enables system administrators to quickly view the permission difference between two employees or roles for whom multiple function permissions have been configured.

Employee role log: Queries employee role change history by account, customer name, role code, role name, or time segment.

Role permission log: Queries the permission change history of a role by role code, role name, permission code, permission name, and time segment.

Authentication failure log: Queries user authentication failure records by account, authentication object, and time segment.

360-degree permission view: Provides menus for the role-permission, employee-permission, permission-employee, and permission-role views, displaying the relationships between employee, role, and permission from various perspectives.

Authorization mgmt

Authorization service: Provides identity authorization services that support process orchestration and supports authorization modes such as static password, SMS verification code, and the combination of the two.

Verification code service: Provides generation and verification services for graphic verification code and SMS verification code.

Sign-in service: Provides account sign-in services that support process orchestration. After an account successfully signs in, the system automatically creates a session and generates logs.

SSO server: Provides the single sign-on (SSO) server for the system and integrates third-party SSO systems to enable the SSO function.

Distributed session mgmt: Provides distributed session management for signed-in accounts, including online user session locking and destruction.

Account authorization token mgmt: Manages tokens for verified accounts. The token validity period can be set and extended as required. An account can be directly authorized through a token within the validity period.

Authorization log: Records backend log information such as the channel, method, result, and time for authorizing a user.

Sign-in log: Records users' sign-in and sign-out information, including the operation time, sign-in channel, server IP address, and client IP address, and provides such information for display in the unified system management (IAM).

Identity management

User management: Provides the interface for maintaining system user basic information and life cycle status such as Created, Enabled, Suspended, and Discarded.

Group management: Provides the interface for querying and maintaining user group basic information and relationships between users and groups. A user group can be the OU of an employee or the segment to which a customer belongs.

Account binding: Provides the interface for binding, unbinding, and querying sign-in accounts of various types.

Password management: Provides the interface for changing and resetting an account, using the old password or a dynamic verification code, visiting a specified URL, or answering security questions.

Account and password rule: Supports the configuration of password and account rules specifying the requirements for account and password complexity to ensure system security. Rules can be configured through regular expressions or using the rule engine.

User info change log: Records and queries user information changes by account, name, or time segment.

3.2 Layered Architecture

A business suite is composed of the foundation, extension, and corresponding predefined business configuration data.

Foundation: provides cross-field basic business capabilities (including data models shared across fields) and is composed of related s.

Extension: capability extended based on the foundation to meet the capability requirements of a specified field (such as the telecom) or product. Extension is expressed by new s (extension BC) and foundation extension plug-ins.

Predefined configuration data: It can be copied, modified, and replaced to form business configuration data released by products.

[Figure: IAM layered architecture showing the business configuration, field extension layer, and basic suite layer (UI modules, plug-ins, components, views), with items such as account/password rule, site, menu, web framework layout, data subscription, authorization process (to implement), sign-in process (to implement), third-party authorization, account mgmt, sign-in authorization, permission mgmt, party, verification code, web framework, OU employee, operation log, common web sign-in, common project-based config, common data sync, common operation log, common sign-in, and common authentication]

Function config (table columns: Layer, Capability/Component, Function; layer labels shown: Configuration, Basic layer)

Site info config: Maintains site themes, menus, and layouts.

Menu info config: Maintains system menus.

Web framework layout config: Provides the graphical user interface (GUI) configuration function for the web sign-in framework.

Data sync subscription config: Provides the functions for configuring data synchronization subscriptions between two systems and querying data synchronization status.

Common web sign-in: Provides functions such as sign-in authentication, session management, and permission validation when other suites integrate the web sign-in framework of the IAM.

Common data synchronization: Provides a common library for data synchronization, intercepting service requests from suites, parsing request data, capturing data changes based on the data synchronization configuration, and generating synchronization tasks.

Common project-based configuration: Intercepts service requests from suites, parses the requests, and captures data changes based on the parsed information and project-based configuration information.

Common operation log: Intercepts service requests from suites, parses the requests, and records operation logs in the predefined format.

OU employee: Manages OU information such as BEs, administrative regions, employees, and addresses, as well as related attributes such as currency, measurement units, address format, and holiday information.

Party: Provides functions for querying and maintaining basic party and contact information.

Operation log: Provides functions including operation log configuration management, log query, and log generation.

Web sign-in framework: Provides an operation management web sign-in framework that supports multiple themes. The framework consists of the sign-in page, main work, navigation tree, to-do list, system bulletin, and internal message s.

Project-based config: Provides a project-based configuration to implement the following functions by deploying projects: data archiving, data transfer, data export/import, data loading, and data rollback.

Data sync: Provides a unified data synchronization framework externally to synchronize data changes based on the configuration item and subscription information.

Common sign-in: Provides distributed cache capability and web SSO service for other suites to embed.

Common authentication: Provides authentication services through RESTful interfaces for other suites to embed.

Identity mgmt: Manages accounts and passwords.

Sign-in authorization: Provides services such as sign-in authorization and session management.

Permission mgmt: Provides maintenance and authentication services for information such as roles, function permissions, and data permissions.

Party: Common library, which provides the functions for querying and maintaining party basic information and contact information.

Verification code: Provides generation and verification services for graphic verification code and SMS verification code.

4. Key Technologies and Capabilities

4.1 Web Sign-in Framework

The web sign-in framework consists of the sign-in page framework and home page framework. The IAM provides a unified web sign-in framework for other suites. The sign-in page and main framework can be customized as required by a carrier or based on operators' habits.

The following is a sign-in page example.

[Figure: sign-in page with 1. Logo, 2. Title, 3. Sign-in area, 4. Multi-language options, 5. Instructions and frequently used URLs]

The main framework after successful sign-in is as follows.

[Figure: BES main framework with 1. Navigation tree, 2. Logo, 3. Title, 4. Shortcut menus, 5. Tools, 6. Personal panel, 7. Workspace]

The IAM provides a web sign-in framework for operator sign-in and menu integration and display. This facilitates the display of personalized menus and home page layout by site, BE, or role, supports multiple themes, and enables users to customize the page layout. The access URL, theme style, sign-in page, and main framework support differentiated configuration by BE.

The system administrator configures the theme for the BE. The mapping between BE IDs and theme IDs is stored in the database. Theme styles are stored on the web server.

Sign-in page: An operator visits the sign-in page URL. The IAM queries the theme ID from the database based on the BE ID in the URL information. The IAM maps content (logo, title, frequently used URL...) from the web server based on the theme ID and displays the content.

Main framework: After an operator signs in, the IAM queries the theme ID from the database based on the BE ID in the account information of the operator. The IAM maps content (shortcut menu, toolbar, workspace layout...) from the web server based on the theme ID and displays the content.

4.2 Data Synchronization Framework

If the system is deployed on multiple nodes or data needs to be synchronized to third-party systems, the data synchronization framework can implement data synchronization between multiple nodes or to third-party systems.

The IAM provides a unified data synchronization framework for the BES. In the framework, the subscription by a third-party system to the BES can be configured so that when the distributed service framework (DSF) service captures any data changes from data synchronization objects, the framework can send the data changes to corresponding third-party systems. The framework uses a WebService interface based on the subscription information.

Subscriber: system that uses data, that is, the recipient of synchronized data. Any system or suite that needs to use the subscription service can be registered as a subscriber.

Data synchronization object: object that can be synchronized to third-party systems. Currently, the data obtaining mode of data synchronization objects is the metadata mode (based on the database table structure). No page is provided for data synchronization object configuration. As a result, a data synchronization object can only be configured through system customization.

Subscription: relationship between a subscriber and a data synchronization object. When data changes, the changes will be sent only to subscribers.

The relationships between data synchronization objects, subscriptions, and subscribers are as follows.

[Figure: data sync objects (offering data, user data, XX data) are subscribed to by subscribers (CBS subscriber, CM subscriber, System XX subscriber); the CBS, the CM suite, and System XX register with the IAM as subscribers]

The relationships between data synchronization objects, subscriptions, and subscribers are as follows.

[Figure: data synchronization process between the data sync object, the sync scheduled task, the sync thread, and the subscriber, using the object sync task table, object sync task content table, object sync status table, and object sync status details table (keyed by task ID, data sync object ID, and subscriber ID) together with the subscription information]

1. Write data changes into tables and set data status to To initiate.
2. Scan data at scheduled times.
3. Obtain data in To initiate state.
4. Synchronize records in To initiate state to tables.
5. Synchronize content in To initiate state to tables.
6. Generate a synchronization record in To synchronize state for each subscriber based on subscriber information in database.
7. Trigger synchronization thread.
8. Scan tables in real time to obtain records in To synchronize state.
9. Return records in To synchronize state.
10. Obtain content to be synchronized based on returned result.
11. Synchronize data changes to subscriber through WebService interface.
12. Synchronization is successful and object status changes to Synchronized.
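The twelve steps above can be modelled as a small state machine. The following Python sketch is an added example, not code from the IAM product: the class, the in-memory tables, the `send` callback that stands in for the WebService call, and the `Failed` status name are assumptions. It shows that a change fans out only to subscribers of the changed object, that a task becomes Synchronized only after every subscriber has received it, and that a failed delivery can be re-synchronized manually.

```python
from dataclasses import dataclass, field

TO_INITIATE = "To initiate"
TO_SYNC = "To synchronize"
SYNCED = "Synchronized"
FAILED = "Failed"  # assumed name; the page only says failed tasks can be re-synchronized


@dataclass
class SyncFramework:
    subscriptions: dict = field(default_factory=dict)  # object id -> subscriber ids
    tasks: dict = field(default_factory=dict)          # task id -> object id, content, status
    details: list = field(default_factory=list)        # one status row per (task, subscriber)

    def subscribe(self, subscriber, object_id):
        self.subscriptions.setdefault(object_id, set()).add(subscriber)

    def record_change(self, object_id, content):
        """Step 1: store the change with status To initiate."""
        task_id = len(self.tasks) + 1
        self.tasks[task_id] = {"object_id": object_id, "content": content,
                               "status": TO_INITIATE}
        return task_id

    def scheduled_scan(self):
        """Steps 2-6: create one To synchronize row per subscriber of each new task."""
        created = 0
        for task_id, task in self.tasks.items():
            if task["status"] != TO_INITIATE:
                continue  # already fanned out: never create duplicate rows
            for subscriber in sorted(self.subscriptions.get(task["object_id"], ())):
                self.details.append({"task_id": task_id, "subscriber": subscriber,
                                     "status": TO_SYNC})
                created += 1
            task["status"] = TO_SYNC
        return created

    def run_sync_thread(self, send):
        """Steps 7-12: deliver pending rows; send(subscriber, content) is True on success."""
        for row in self.details:
            if row["status"] != TO_SYNC:
                continue
            try:
                ok = bool(send(row["subscriber"], self.tasks[row["task_id"]]["content"]))
            except Exception:
                ok = False  # a broken endpoint must not stop the other deliveries
            row["status"] = SYNCED if ok else FAILED
        for task_id, task in self.tasks.items():
            rows = [r for r in self.details if r["task_id"] == task_id]
            if task["status"] == TO_SYNC and all(r["status"] == SYNCED for r in rows):
                task["status"] = SYNCED

    def retry_failed(self):
        """Manual re-synchronization: move failed rows back to To synchronize."""
        failed = [r for r in self.details if r["status"] == FAILED]
        for row in failed:
            row["status"] = TO_SYNC
        return len(failed)


def demo():
    """Constructed scenario: SystemXX is unreachable during the first pass."""
    fw = SyncFramework()
    fw.subscribe("CBS", "offering")
    fw.subscribe("SystemXX", "offering")
    fw.subscribe("CM", "user")  # not subscribed to offering data
    delivered, outage = [], {"SystemXX"}

    def send(subscriber, content):
        if subscriber in outage:
            return False
        delivered.append((subscriber, content))
        return True

    task_id = fw.record_change("offering", {"offering_id": 42, "op": "create"})
    fw.scheduled_scan()
    fw.run_sync_thread(send)
    first_pass = fw.tasks[task_id]["status"]
    outage.clear()
    fw.retry_failed()
    fw.run_sync_thread(send)
    return fw, delivered, first_pass, task_id
```
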

4.3 Project-based Configuration Framework

The IAM provides online project-based configuration data management capabilities to capture data changes and generate data change records based on service requests. Operation & maintenance (O&M) personnel configure data in the test environment based on requirements for verification. After the verification is successful, the O&M personnel can export change records into a PAR package and import the package to the production environment. This implements functions such as data archiving, synchronization between test data and production data, and quick data configuration.

The following uses offering data in the product management (PM) as an example to illustrate project-based configuration functions.

[Figure: interaction between the business configuration page, the DSF, offering mgmt in the PM, JetMQ, and the project-based configuration of the IAM (change recording service, project export, project import, *.PAR file)]

1. Create an offering.
2. Invoke the offering creation service.
3. Asynchronously invoke the callback service of the project-based configuration.
4. Send an object change message.
5. The project-based configuration consumes the object change message and records the change.
6. The project-based configuration exports the change history from a project into a PAR file.
7. The project-based configuration imports the exported project to the target system.

The configuration process involving the source system and target system is as follows.

[Figure: flowchart from Start to End with lanes for the administrator and operator of the source system and the administrator of the target system]

Source system

Configure data object original model file: Create an original model file for each data object for which changes need to be collected. An original model file defines the unique ID, table information, data source, and data packaging location for each data object. Data changes are recorded based on the original model file for generating a PAR package that can be imported to the target system.

Configure DSF interception: Configure the DSF as intercepting specified data. Once the data changes, the DSF will intercept the data changes for recording.

Create source system project: Create a project in the source system, configure the data source, and specify the operator for the project.

Specify the project as current project: Sign in and specify the preceding project as the current project.

Configure business data: Configure business data. The project will capture these data changes through DSF interception.

Lock project: Lock the product before building a project.

Build project: Build a project. The project adds collected data changes to a PAR package.

Generate PAR package: Download the PAR package from the source system.

Target system

Create or modify data object original model file: Create or modify the original model file for each data object to be collected in the target system. The original model file in the target system must be the same as that in the source system so that the PAR package exported from the source system can be correctly imported to the target system based on the original model file configuration.

Create target system project: Create a project in the target system to make preparations for PAR package import.

Import PAR package: Import the PAR package to the target system.

Deploy project: Deploy the project. Data can be rolled back by project.

4.4 Multi-language Operation Log Framework

In the multi-language environment, the language of operation logs must be the same as the current system language. In the multi-language operation log framework, operations for which logs need to be generated can be configured. In addition, the log description template can be configured in multiple languages.

The IAM provides a unified operation log recording framework. Each suite only needs to configure the services for which logs need to be generated and the log description template (i18n resource file: supports internationalization and dynamic parameters). The framework then intercepts service requests and extracts the required parameters. The IAM needs to invoke the backend capability provided by the IAM to generate logs. When the administrator queries and audits operation logs, the IAM invokes the description template of the current system language and fills in the parameters in the template to display highly readable logs.

Figure (operation log generation flow):
1. A suite configures the DSF services for which operation logs are generated and the description template.
2. The IAM reads the DSF services for which logs need to be generated from the configuration file.
3. The IAM detects a triggered DSF service.
4. Decision (Yes/No): is operation log generation configured for the identified DSF service?
5. On Yes, the IAM extracts the parameters required by the DSF service as configured, encapsulates the extracted data into log events based on the description template, and sends the events to the event platform of Common.
6. The operation log service of the IAM subscribes to operation log events and records logs to table sys_operlog in the database.
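The record-then-render split described in 4.4, as an added Python example that is not the product's code: the interceptor stores only the configured parameters, and the description is produced at query time in the viewer's language. Service names, template keys, the `es` language and the in-memory `sys_operlog` list are assumptions made for illustration.

```python
import string
from datetime import datetime, timezone

# Constructed configuration: services that generate logs, and the only
# request parameters the interceptor is allowed to copy into the log.
LOGGED_SERVICES = {
    "role.assign": ["account", "role"],
    "account.create": ["account"],
}

# Constructed i18n resource files: one description template per language.
TEMPLATES = {
    "en": {
        "role.assign": "Operator ${operator} assigned role ${role} to account ${account}",
        "account.create": "Operator ${operator} created account ${account}",
    },
    "es": {
        "role.assign": "El operador ${operator} asignó el rol ${role} a la cuenta ${account}",
    },
}
DEFAULT_LANG = "en"

sys_operlog = []  # stands in for the sys_operlog table


def intercept(service, request, operator):
    """Record a log event for a configured service; ignore all others."""
    wanted = LOGGED_SERVICES.get(service)
    if wanted is None:
        return None
    event = {
        "service": service,
        "operator": operator,
        "time": datetime.now(timezone.utc).isoformat(),
        # Allow-list extraction: fields such as passwords never reach the log
        # unless someone explicitly configures them.
        "params": {name: str(request.get(name, "")) for name in wanted},
    }
    sys_operlog.append(event)
    return event


def render(event, lang):
    """Build the readable description at query time, in the viewer's language."""
    template = TEMPLATES.get(lang, {}).get(event["service"])
    if template is None:
        template = TEMPLATES[DEFAULT_LANG].get(event["service"])
    if template is None:
        return f'{event["service"]} {event["params"]}'
    values = dict(event["params"], operator=event["operator"])
    # string.Template inserts values literally in a single pass, so a
    # parameter value that looks like a placeholder is not expanded again.
    return string.Template(template).safe_substitute(values)
```

Because the stored event holds the service key and raw parameters rather than finished text, the same record can be audited in any configured language.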

4.5 Distributed Session

Traditionally, sign-in sessions are stored on web nodes. Once the connected web node changes or the session is missing, a user needs to sign in again. The IAM uses the distributed session framework to automatically obtain sessions. In this way, the user does not need to sign in again to perform operations.

Figure (distributed session flow between the browser, web node, backend, and distributed cache):
1. Visit a URL and enter the account and password.
2. Send an account and password verification request.
3. Generate a unique key after verification success.
4. Sign-in success.
5. Create a session and store the session in the distributed cache.
6. Send a new access request.
7. Query the session by key value.
8. Matched successfully.
9. Set up the connection again without sign-in.

4.6 Role-based Access Control Model

All function and data permissions are assigned to a user or user group by assigning a corresponding role. Hierarchical authorization and role-based permission inheritance are supported.

Permission management framework centering on users and roles: Users' function and data permissions are managed by a role. A role is the standard method for defining the responsibilities of users and controlling resource access. Function permissions are not directly assigned to employees.

Hierarchical authorization management: An employee of a BE can gain permissions by inheriting the role of an employee belonging to the upper-level BE (direct inheritance). This implements hierarchical authorization management. In addition, hierarchical authorization management prevents the situation that a user has too many function permissions and ensures that a user has the required permissions.

Tips: An employee can only inherit the role configured by the employee's direct supervisor.

Figure (role inheritance example):
- Department, common role A (permission 1 and permission 2): Employees under the department inherit common role A and therefore have permissions 1 and 2.
- Sub-department, common role B (permission 1): The administrator creates a sub-department and assigns permission 1 to common role B. Employees under the sub-department inherit common role B and therefore have permission 1.

Sign-in Authorization Process Orchestration

The sign-in authorization process provided in the baseline version can be modified based on the actual situation through the Digital Studio tool. The following is a process orchestration example:

Figure (process orchestration example). Process nodes shown: Start; Obtain sign-in context (such as language and IP address); Validate account and password; Check account validity period; Check home BE for account; Validate graphical verification code; Generate sign-in logs; End. Callouts:
1. Customize new process nodes using Groovy scripts.
2. Orchestrate the process again.

5. Core Processes

5.1 OU Configuration Process

The system administrator needs to configure the OU information for a customer's new branch. The following figure shows the configuration process.

Figure (OU configuration process):
- Start
- Configure address Province/City/District display format.
- Configure address.
- Configure administrative region.
- Configure OU structure.
- Configure BE.
- Configure employees.
- End
Example labels shown in the figure: Store A; City A in province J; Financial Dept; employees Jack and Lucy; BE attributes Basic information, Default currency type, Address, Contact.

5.2 SSO Authorization Process

Single sign-on (SSO) is a property of access control over multiple related but independent application systems. With this property, a user signs in once and gains access to all systems that trust each other without being prompted to sign in again at each of them.

A third-party system menu entrance is mapped to the portal of the IAM. When a user successfully signs in to the IAM and accesses the third-party menu, the IAM sends an authorization ticket to the third-party system. If the authorization is successful, the user can access the third-party system again without signing in. The following figure shows the SSO authorization process.

Figure (SSO authorization process between the operator, IAM web node (SSO client), IAM application cluster, IAM DB, IAM (SSO server), and third-party system):
1. Enter account and password.
2. Send authorization request.
3. Send back authorization success.
4. Generate session and store session in database.
5. Sign-in success.
6. Send registration request to SSO server.
7. Return authorization ticket after registration success.
8. Apply to access third-party menu.
9. Send access request to third-party menu and transfer authorization ticket.
10. Query operator info by authorization ticket.
11. Send back operator info.
12. Verify operator info and set up session.
13. Accessed successfully.
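Steps 6 to 12 of the SSO flow above, as an added Python example that is not the product's code: the third-party system learns who the operator is only by presenting the ticket to the SSO server over its own connection, never from data supplied by the browser. The class and method names, the ticket lifetime and the revocation call are assumptions; the page does not specify them.

```python
import secrets
import time


class SSOServer:
    """IAM in the SSO-server role: issues tickets, answers ticket queries."""

    def __init__(self, ttl_seconds=1800, clock=time.time):
        self._ttl = ttl_seconds   # assumed ticket lifetime
        self._clock = clock
        self._tickets = {}        # ticket -> (operator info, expiry time)

    def register(self, operator_info):
        """Steps 6-7: register a signed-in operator and return a ticket."""
        # The ticket is an unguessable random reference; it carries no data.
        ticket = secrets.token_urlsafe(32)
        self._tickets[ticket] = (dict(operator_info), self._clock() + self._ttl)
        return ticket

    def query_operator(self, ticket):
        """Steps 10-11: resolve a ticket to operator info, or None."""
        entry = self._tickets.get(ticket)
        if entry is None:
            return None
        info, expires = entry
        if self._clock() >= expires:
            del self._tickets[ticket]
            return None
        return dict(info)

    def revoke(self, ticket):
        """Assumed hook for sign-out: the ticket stops resolving at once."""
        self._tickets.pop(ticket, None)


class ThirdPartySystem:
    """Embedded system that trusts the SSO server, not the browser."""

    def __init__(self, sso_server, local_accounts):
        self._sso = sso_server
        self._local_accounts = set(local_accounts)
        self.sessions = {}        # local session id -> account

    def access_menu(self, ticket):
        """Steps 9-12: exchange the ticket for a local session id, or None."""
        info = self._sso.query_operator(ticket)
        # Step 12: verify the returned operator info before trusting it.
        if info is None or info.get("account") not in self._local_accounts:
            return None
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = info["account"]
        return session_id
```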

5.3 Unified Sign-in

Sign-in Process

The IAM provides a unified user sign-in and authorization framework for the BES to verify the sign-in information of accounts.

Figure (unified sign-in process):
1. Visit page of BES.
2. Obtain the IAM authorization service. Decision: Authorization successful? (Yes/No)
3. Invoke authorization interface. Decision: Authorization successful? (Yes/No)
4. Invoke domain session service to construct a session.
5. Create session cookie.
6. Create context info (such as language and time zone).
7. Invoke authorization success extended interface.
8. Obtain password authorization rules and verify password. Notifications shown: password change notification upon password expiration; password change notification when password is about to expire; password change notification at first sign-in.
9. Generate sign-in logs.
10. Jump to the requested page.
11. Invoke authorization failure extended interface.
12. Generate logs.
13. Return sign-in failure message.

1. An operator enters the account and password on the sign-in page of BES and clicks Sign In.
2. The system invokes the authorization service of the IAM to verify the account, password, and account status based on the password verification logic.
3. The IAM invokes the authorization interface of other suites. The other suites then perform further authorization based on their authorization logic, such as checking whether the status of a partner account is normal.
4. The IAM invokes the domain session service to construct a session to identify the authorization request sent from other suites and sustain the connection. The IAM sets up a user session and stores the additional information, cache information, and user data of the session in the database.
5. The IAM creates a session cookie to sustain the session.
6. The IAM creates context information (such as language and time zone) based on the session cookie for other suites to invoke to query and identify accounts.
7. The IAM invokes the authorization success extended interface to instruct other suites or the third-party system to do internal processing, such as creating an internal session cookie in other suites and sustaining the session connection.
8. The IAM verifies the password. The verification includes:
   - Whether the password is about to expire or has expired. If yes, the system instructs the operator to change the password.
   - Whether the sign-in is the first sign-in. If yes, the system asks the operator to change the password.
9. The IAM generates sign-in success logs.
10. The system obtains the success message from the IAM and jumps to the requested page.
11. The IAM invokes the authorization failure extended interface to instruct other suites to do internal processing, such as deleting the session cookie and ending the invocation.
12. The IAM generates sign-in failure logs.
13. The system obtains the failure message from the IAM and displays an error message on the sign-in page of other suites.

5.4 Unified Sign-in Authorization Process

The following figure shows the authorization process in the unified sign-in process.

Figure (unified sign-in authorization process):
1. Other suites invoke IAM authorization service.
2. The IAM follows the following steps to perform authorization. (The step sequence can be customized.)
   - Identify verification code
   - Identify account
   - Verify password
   - Verify status
   - Verify IP/MAC address
   - Verify one-off SMS verification code
   Decision: Authorization successful? (Yes/No)
3. Processing after authentication success: Clear authentication failures; Unlock account; Send back user account object (such as account info and account binding info).
4. Processing after authorization failure: Accumulate authentication failures within a cycle; Lock account.

1. Other suites invoke the authorization service of the IAM to verify the sign-in information of an account.
2. The IAM provides an authorization process to verify account information in an orchestrated sequence. The verification fails if any authorization item fails. Even though the entire authorization fails, the system will continue the execution of the remaining authorization items and return the authorization result.
3. The IAM clears the authorization failure records. After the account is unlocked, the IAM returns the account information and account binding information (such as the account, password, and home BE) to other suites.
4. The IAM locks an account if the accumulated number of authorization failure times of the account reaches a specified value.
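The run-every-item, count-failures-per-cycle, lock-at-threshold behaviour of 5.4 (the customer authentication process in 5.5 has the same shape), as an added Python example that is not the product's code. The threshold, cycle length, lock duration, item names and account fields are assumptions; only four of the listed items are modelled.

```python
import hashlib
import hmac
import ipaddress
import os

MAX_FAILURES = 3      # assumed lock threshold
CYCLE_SECONDS = 600   # assumed length of the failure-counting cycle
LOCK_SECONDS = 1800   # assumed lock duration


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(name, password, allowed_net):
    salt = os.urandom(16)
    return {"name": name, "salt": salt, "pw": hash_password(password, salt),
            "net": ipaddress.ip_network(allowed_net), "enabled": True,
            "failures": [], "locked_until": 0.0}


def check_account(acct, req, now):
    return acct is not None


def check_password(acct, req, now):
    # Hash even for unknown accounts so response time does not reveal
    # which account names exist.
    salt = acct["salt"] if acct else b"\0" * 16
    expected = acct["pw"] if acct else b"\0" * 32
    same = hmac.compare_digest(hash_password(req["password"], salt), expected)
    return same and acct is not None


def check_status(acct, req, now):
    return acct is not None and acct["enabled"] and now >= acct["locked_until"]


def check_ip(acct, req, now):
    return acct is not None and ipaddress.ip_address(req["ip"]) in acct["net"]


# The orchestrated sequence; reorder or extend the list to customize it.
PIPELINE = [("account", check_account), ("password", check_password),
            ("status", check_status), ("ip", check_ip)]


def authorize(accounts, req, now, pipeline=PIPELINE):
    acct = accounts.get(req["account"])
    # Every item runs even after one has failed; any failure fails the whole.
    failed = [name for name, check in pipeline if not check(acct, req, now)]
    if acct is None:
        return {"ok": False, "failed": failed, "account": None}
    if failed:
        if now < acct["locked_until"]:
            # Already locked: attempts during the lock do not extend it.
            return {"ok": False, "failed": failed, "account": None}
        # Count only failures that fall inside the current cycle.
        recent = [t for t in acct["failures"] if now - t < CYCLE_SECONDS]
        acct["failures"] = recent + [now]
        if len(acct["failures"]) >= MAX_FAILURES:
            acct["locked_until"] = now + LOCK_SECONDS
            acct["failures"] = []
        return {"ok": False, "failed": failed, "account": None}
    # Success: clear failure records and any expired lock, return account info.
    acct["failures"] = []
    acct["locked_until"] = 0.0
    return {"ok": True, "failed": [], "account": {"name": acct["name"]}}
```

The `failed` list is meant for the sign-in log; a locked account fails the status item even when the password is correct.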

5.5 Authentication Process

The IAM provides a unified customer number authentication function for the BES, supporting customer number authentication by password and ID card.

Figure (customer number authentication process):
1. Retailshop invokes IAM authentication service to authenticate service number.
2. The IAM follows the following steps to perform authentication. (The step sequence can be customized.)
   - Check user existence
   - Check validity of authentication mode
   - Unlock expired account automatically locked by system
   - Check customer locking status
   - Verify customer password
   - Verify customer certificate info
   Decision: Authentication successful? (Yes/No)
3. Processing after authentication success: Clear authentication failure times; Send back customer info to Retailshop.
4. Processing after authentication failure: Update authentication failure times; Exceeded maximum authentication failure times? If yes, lock service number; if no, send back failure message to Retailshop.

1. Retailshop invokes the customer authentication service of the IAM to send a sign-in authentication request for a service number and transfers the service number, authentication mode, and authentication information including password and certificate number to the IAM.
2. The IAM provides an authentication process for authenticating a service number in an orchestrated process. The authentication fails if any authentication item fails. Even though the entire authentication fails, the system will continue the execution of the remaining authentication items and return the authentication result.

3. The IAM sends the obtained customer information to the Retailshop.
4. If the authentication items for checking the customer password and customer certification information fail, the number of authentication failure times will be updated and compared with the maximum limit. If the number exceeds the maximum limit, the customer number will be locked. If other authentication items fail, the IAM returns an authentication failure message to the Retailshop.

5.6 HTTP Request Authentication Process

The IAM provides a complete HTTP request authentication function for the BES. For example, the Role menu has a high security level and only operators with the permission for the menu can access the menu. When an operator accesses the menu by clicking the menu URL, the IAM checks whether the sign-in of the operator has timed out and whether the operator has the permission on the menu. The following figure shows the HTTP request authentication process.

Figure (HTTP request authentication process):
1. Send HTTP request.
2. Sign-in free on authentication page? (Yes/No)
3. Obtain session.
4. Authentication timed out? (Yes/No)
5. Parse URL and match permission.
6. Authentication successful? (Yes/No)
7. Generate access success logs.
8. Jump to business page.
Other outcomes shown: Jump to sign-in page; Show authentication failure page.

5.7 Role Permission Configuration Process

The system administrator needs to add an inventory administrator role. To configure an inventory administrator role, the system administrator must understand the responsibilities of an inventory administrator, determine the required function permissions and data permissions based on the responsibilities, and assign the permissions to the inventory administrator role. The following figure shows the configuration process.

Figure (role permission configuration process):
- Start
- Preparations for configuration
- Determine responsibilities of role to be configured: An inventory administrator's daily work includes stock-in, stock-out, and transfer.
- Match permissions for responsibilities: An inventory administrator must have the permissions for inventory-related menus and system data.
- Configure role: Role: inventory administrator; Function permission; Data permission.
- End

6. Core Interface

6.1 Internal Interface Relationship

The IAM interacts with internal interfaces through the distributed service framework (DSF).

Figure (internal interface relationship): IAM, DSF, Retail Shop, OM, CM, PM, INV...

Interaction Object: Interaction Description
- Retail Shop/CM/OM/PM/INV...: The IAM provides functions such as employee sign-in authorization, customer authorization and authentication, session authorization, and service authentication for peer suites through interfaces. deleting, modifying, and querying business data such as OUs, BEs, employees, currencies, and charge codes through an interface.
- Retail Shop: The IAM provides sign-in-related RESTful services for the Retail Shop through an interface.
- Common: The Common encapsulates the bottom-layer framework to provide unified cache management, system parameter, data dictionary, and dynamic attribute interfaces for the IAM.
- CM: The customer management (CM) provides interfaces related to parties (such as customers and employees) for the unified system management (IAM).

6.2 Interaction with Other Systems

The IAM interacts with other systems through the integration framework (IF), which provides protocol conversion between different systems.

Figure (interaction with other systems): CBS, BES, IAM, IPCC, Windows AD, IF, third-party authentication system, third-party SSO system.

Peer System: Interaction Description
- Convergent billing system/IP call center (CBS/IPCC): The IAM synchronizes role permission data to the third-party system, and plans to synchronize various system data such as OUs, employees, currencies, and measurement units to third-party systems.
- Windows AD: The IAM obtains domain account authentication and synchronization information from a third-party system to complete the synchronization and authentication of Windows domain accounts on the IAM side.
- Third-party unified authentication system: The IAM sends an account authentication and synchronization request to the third-party unified authentication system for authentication. The IAM synchronizes information such as OUs and employees from third-party unified authentication systems to ensure data consistency inside a carrier. The protocol used during the process depends on the actual third-party unified authentication system.
- Third-party SSO system: The IAM integrates the SSO capability of the third-party SSO system for the BES. The IAM functions as the SSO client and invokes the SSO system to implement unified identity authentication or SSO function. The protocol used during the process depends on the actual implementation mode of the SSO system.

6.3 API Description

The IAM provides the following types of APIs. For details, see the IAM SDK API Reference.

API Classification: Description
- Authorization interface: Queries, maintains, and verifies user data.
- Authentication interface: Maintains and queries data, such as role and permission data.
- General interface: Maintains and queries data such as currencies, menus, and modules.
- OU and employee interface: Maintains and queries data such as BEs, OUs, employees, and administrative regions.
- Operation log interface: Creates and queries operation logs.


More information

Anchor User Guide. Presented by: Last Revised: August 07, 2017

Anchor User Guide. Presented by: Last Revised: August 07, 2017 Anchor User Guide Presented by: Last Revised: August 07, 2017 TABLE OF CONTENTS GETTING STARTED... 1 How to Log In to the Web Portal... 1 How to Manage Account Settings... 2 How to Configure Two-Step Authentication...

More information

Deploy Enhancements from Sandboxes

Deploy Enhancements from Sandboxes Deploy Enhancements from Sandboxes Salesforce, Spring 18 @salesforcedocs Last updated: April 13, 2018 Copyright 2000 2018 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark

More information

AvePoint Cloud Governance. Release Notes

AvePoint Cloud Governance. Release Notes AvePoint Cloud Governance Release Notes January 2018 New Features and Improvements AvePoint Cloud Governance now includes a My Groups report, which shows users a list of Office 365 groups they own or are

More information

Elastic Load Balance. User Guide. Issue 01 Date HUAWEI TECHNOLOGIES CO., LTD.

Elastic Load Balance. User Guide. Issue 01 Date HUAWEI TECHNOLOGIES CO., LTD. Issue 01 Date 2018-04-30 HUAWEI TECHNOLOGIES CO., LTD. 2018. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of

More information

GRS Enterprise Synchronization Tool

GRS Enterprise Synchronization Tool GRS Enterprise Synchronization Tool Last Revised: Thursday, April 05, 2018 Page i TABLE OF CONTENTS Anchor End User Guide... Error! Bookmark not defined. Last Revised: Monday, March 12, 2018... 1 Table

More information

Introduction to application management

Introduction to application management Introduction to application management To deploy web and mobile applications, add the application from the Centrify App Catalog, modify the application settings, and assign roles to the application to

More information

VMware AirWatch Tizen Guide

VMware AirWatch Tizen Guide VMware AirWatch Tizen Guide AirWatch v8.4 and higher Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com. This product is protected

More information

AvePoint Online Services 2

AvePoint Online Services 2 2 User Guide Service Pack 7 Issued August 2017 Table of Contents What s New in this Guide...6 About...7 Versions: Commercial and U.S. Government Public Sector...7 Submitting Documentation Feedback to AvePoint...8

More information

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1 Guide to Deploying VMware Workspace ONE VMware Identity Manager 2.9.1 VMware AirWatch 9.1 Guide to Deploying VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware

More information

Nortel Quality Monitoring Search and Replay Guide

Nortel Quality Monitoring Search and Replay Guide Nortel Quality Monitoring Search and Replay Guide NN44480-106 Product release 7.0 Standard 02.02 November 2009 Nortel Quality Monitoring Search and Replay Guide Publication number: NN44480-106 Product

More information

User Manual. Admin Report Kit for IIS 7 (ARKIIS)

User Manual. Admin Report Kit for IIS 7 (ARKIIS) User Manual Admin Report Kit for IIS 7 (ARKIIS) Table of Contents 1 Admin Report Kit for IIS 7... 1 1.1 About ARKIIS... 1 1.2 Who can Use ARKIIS?... 1 1.3 System requirements... 2 1.4 Technical Support...

More information

VMware AirWatch Integration with Apple School Manager Integrate with Apple's School Manager to automatically enroll devices and manage classes

VMware AirWatch Integration with Apple School Manager Integrate with Apple's School Manager to automatically enroll devices and manage classes VMware AirWatch Integration with Apple School Manager Integrate with Apple's School Manager to automatically enroll devices and manage classes AirWatch v9.3 Have documentation feedback? Submit a Documentation

More information

CA SiteMinder. Federation Manager Guide: Legacy Federation. r12.5

CA SiteMinder. Federation Manager Guide: Legacy Federation. r12.5 CA SiteMinder Federation Manager Guide: Legacy Federation r12.5 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

ForeScout Extended Module for Tenable Vulnerability Management

ForeScout Extended Module for Tenable Vulnerability Management ForeScout Extended Module for Tenable Vulnerability Management Version 2.7.1 Table of Contents About Tenable Vulnerability Management Module... 4 Compatible Tenable Vulnerability Products... 4 About Support

More information

Management Tools. Management Tools. About the Management GUI. About the CLI. This chapter contains the following sections:

Management Tools. Management Tools. About the Management GUI. About the CLI. This chapter contains the following sections: This chapter contains the following sections:, page 1 About the Management GUI, page 1 About the CLI, page 1 User Login Menu Options, page 2 Customizing the GUI and CLI Banners, page 3 REST API, page 3

More information

A Guide to Understand, Install and Use Pie Register WordPress Registration Plugin

A Guide to Understand, Install and Use Pie Register WordPress Registration Plugin A Guide to Understand, Install and Use Pie Register WordPress Registration Plugin 1 P a g e Contents 1. Introduction... 5 2. Who is it for?... 6 3. Community v/s PRO Version... 7 3.1. Which version is

More information

Service Manager. Database Configuration Guide

Service Manager. Database Configuration Guide Service Manager powered by HEAT Database Configuration Guide 2017.2.1 Copyright Notice This document contains the confidential information and/or proprietary property of Ivanti, Inc. and its affiliates

More information

AvePoint Online Services for Partners 2

AvePoint Online Services for Partners 2 AvePoint Online Services for Partners 2 User Guide Service Pack 1 Issued June 2017 Table of Contents What s New in this Guide...4 About...5 Submitting Documentation Feedback to AvePoint...6 Browser Support

More information

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE Guide to Deploying VMware Workspace ONE with VMware Identity Manager SEP 2018 VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Five9 Plus Adapter for Microsoft Dynamics CRM

Five9 Plus Adapter for Microsoft Dynamics CRM Cloud Contact Center Software Five9 Plus Adapter for Microsoft Dynamics CRM Administrator s Guide September 2017 This guide describes how to install and configure the Five9 Plus Adapter for Microsoft Dynamics

More information

SAS 9.2 Foundation Services. Administrator s Guide

SAS 9.2 Foundation Services. Administrator s Guide SAS 9.2 Foundation Services Administrator s Guide The correct bibliographic citation for this manual is as follows: SAS Institute Inc. 2009. SAS 9.2 Foundation Services: Administrator s Guide. Cary, NC:

More information

Episerver CMS. Editor User Guide

Episerver CMS. Editor User Guide Episerver CMS Editor User Guide Episerver CMS Editor User Guide 17-2 Release date 2017-03-13 Table of Contents 3 Table of contents Table of contents 3 Introduction 11 Features, licenses and releases 11

More information

Release Notes Release (December 4, 2017)... 4 Release (November 27, 2017)... 5 Release

Release Notes Release (December 4, 2017)... 4 Release (November 27, 2017)... 5 Release Release Notes Release 2.1.4. 201712031143 (December 4, 2017)... 4 Release 2.1.4. 201711260843 (November 27, 2017)... 5 Release 2.1.4. 201711190811 (November 20, 2017)... 6 Release 2.1.4. 201711121228 (November

More information

Enterprise SOA Experience Workshop. Module 8: Operating an enterprise SOA Landscape

Enterprise SOA Experience Workshop. Module 8: Operating an enterprise SOA Landscape Enterprise SOA Experience Workshop Module 8: Operating an enterprise SOA Landscape Agenda 1. Authentication and Authorization 2. Web Services and Security 3. Web Services and Change Management 4. Summary

More information

Course AZ-100T01-A: Manage Subscriptions and Resources

Course AZ-100T01-A: Manage Subscriptions and Resources Course AZ-100T01-A: Manage Subscriptions and Resources Module 1: Managing Azure Subscriptions In this module, you ll learn about the components that make up an Azure subscription and how management groups

More information

Product Overview. Benefits CHAPTER

Product Overview. Benefits CHAPTER CHAPTER 1 Revised July 3, 2012 The Cisco TelePresence Exchange System is an integrated video service-creation platform that enables service providers and strategic partners to offer secure cloud-based

More information

Mozy. Administrator Guide

Mozy. Administrator Guide Mozy Administrator Guide Preface 2017 Mozy, Inc. All rights reserved. Information in this document is subject to change without notice. The software described in this document is furnished under a license

More information

Contents About This Guide... 5 About Notifications... 5 Managing User Accounts... 6 Managing Companies Managing Password Policies...

Contents About This Guide... 5 About Notifications... 5 Managing User Accounts... 6 Managing Companies Managing Password Policies... Cloud Services Identity Management Administration Guide Version 17 July 2017 Contents About This Guide... 5 About Notifications... 5 Managing User Accounts... 6 About the User Administration Table...

More information

Yealink VC Cloud Management Service Administrator Guide V

Yealink VC Cloud Management Service Administrator Guide V Yealink VC Cloud Management Service Administrator Guide V2.3.0.0 Contents ii Contents About This Guide... 6 Introduction of Yealink VC Cloud Management Service... 6 Targeted Audience... 6 Basic Concepts...6

More information

Xerox App Gallery App Gallery User Guide. Version 5.0 September P06709

Xerox App Gallery App Gallery User Guide. Version 5.0 September P06709 Xerox App Gallery App Gallery User Guide Version 5.0 September 2018 702P06709 2018 Xerox Corporation. All rights reserved. Xerox, Xerox and Design, ConnectKey, VersaLink, AltaLink, Xerox Extensible Interface

More information

Setting Up the Server

Setting Up the Server Managing Licenses, page 1 Cross-launch from Prime Collaboration Provisioning, page 5 Integrating Prime Collaboration Servers, page 6 Single Sign-On for Prime Collaboration, page 7 Changing the SSL Port,

More information

IaaS Integration for Multi- Machine Services. vrealize Automation 6.2

IaaS Integration for Multi- Machine Services. vrealize Automation 6.2 IaaS Integration for Multi- Machine Services vrealize Automation 6.2 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about

More information

Oracle HCM Cloud Common Release 12. What s New

Oracle HCM Cloud Common Release 12. What s New Oracle HCM Cloud Common Release 12 What s New TABLE OF CONTENTS REVISION HISTORY... 4 OVERVIEW... 7 RELEASE FEATURE SUMMARY... 8 HCM COMMON FEATURES... 11 APPLICATIONS SECURITY... 11 User Account Management...

More information

Architecture and Governance with SharePoint for Internet Sites. Ashish Bahuguna Kartik Shah

Architecture and Governance with SharePoint for Internet Sites. Ashish Bahuguna Kartik Shah Architecture and Governance with SharePoint for Internet Sites Ashish Bahuguna ashish.bauguna@bitscape.com Kartik Shah kartik.shah@bitscape.com Agenda Web Content Management Architecture Information Architecture

More information

Document Management System

Document Management System Document Management System Request for Proposal Maldives Transport and Contracting Company Plc. 7th Floor, MTCC Tower,Boduthakurufaanu Magu, Male' 0057, Maldives RFP No: MTCC-PD/IU/06/68 Page of 0 . EXECUTIVE

More information

Support Connect Overview and FAQ

Support Connect Overview and FAQ Support Connect Overview and FAQ Table of Contents Overview... 1 Getting Started... 1 Account Management... 2 Left-hand Navigation Pane... 3 FAQ: Web Browsers... 6 FAQ: Registration and Passwords... 6

More information

Acronis Data Cloud Version 7.8

Acronis Data Cloud Version 7.8 Acronis Data Cloud Version 7.8 PARTNER'S GUIDE Revision: 10/5/2018 Table of contents 1 About this document...3 2 About Acronis Data Cloud...3 2.1 Services and offerings... 3 2.2 User accounts and tenants...

More information

Configuration Tab. Cisco WebEx Messenger Administration Guide 1

Configuration Tab. Cisco WebEx Messenger Administration Guide 1 Overview, page 2 Organization Information, page 2 Domain Information, page 3 Resource Management Information, page 4 URL Configuration, page 5 Security Settings, page 6 Directory Settings, page 8 Password

More information

ADMINISTRATOR PORTAL MANUAL

ADMINISTRATOR PORTAL MANUAL ADMINISTRATOR PORTAL MANUAL TABLE OF CONTENTS SIGNING IN... 5 HOME SCREEN... 6 GENERAL SETTINGS... 7 WORKING HOURS TAB... 9 HOLIDAYS TAB... 11 Shortened hours for the Holidays... 12 Holiday Message...

More information

Application Notes for Installing and Configuring Avaya Control Manager Enterprise Edition in a High Availability mode.

Application Notes for Installing and Configuring Avaya Control Manager Enterprise Edition in a High Availability mode. Application Notes for Installing and Configuring Avaya Control Manager Enterprise Edition in a High Availability mode. Abstract This Application Note describes the steps required for installing and configuring

More information

Sync User Guide. Powered by Axient Anchor

Sync User Guide. Powered by Axient Anchor Sync Powered by Axient Anchor TABLE OF CONTENTS End... Error! Bookmark not defined. Last Revised: Wednesday, October 10, 2018... Error! Bookmark not defined. Table of Contents... 2 Getting Started... 7

More information

IBM Campaign Version-independent Integration with IBM Engage Version 1 Release 3.1 April 07, Integration Guide IBM

IBM Campaign Version-independent Integration with IBM Engage Version 1 Release 3.1 April 07, Integration Guide IBM IBM Campaign Version-independent Integration with IBM Engage Version 1 Release 3.1 April 07, 2017 Integration Guide IBM Note Before using this information and the product it supports, read the information

More information

SSO Integration Overview

SSO Integration Overview SSO Integration Overview 2006-2014 Ping Identity Corporation. All rights reserved. PingFederate SSO Integration Overview Version 7.2 June, 2014 Ping Identity Corporation 1001 17th Street, Suite 100 Denver,

More information

Quick Connection Guide

Quick Connection Guide ServiceNow Connector Version 1.0 Quick Connection Guide 2015 Ping Identity Corporation. All rights reserved. PingFederate ServiceNow Connector Quick Connection Guide Version 1.0 August, 2015 Ping Identity

More information

Public. Atos Trustcenter. Server Certificates + Codesigning Certificates. Version 1.2

Public. Atos Trustcenter. Server Certificates + Codesigning Certificates. Version 1.2 Atos Trustcenter Server Certificates + Codesigning Certificates Version 1.2 20.11.2015 Content 1 Introduction... 3 2 The Atos Trustcenter Portfolio... 3 3 TrustedRoot PKI... 4 3.1 TrustedRoot Hierarchy...

More information

IBM Tivoli Identity Manager V5.1 Fundamentals

IBM Tivoli Identity Manager V5.1 Fundamentals IBM Tivoli Identity Manager V5.1 Fundamentals Number: 000-038 Passing Score: 600 Time Limit: 120 min File Version: 1.0 http://www.gratisexam.com/ IBM 000-038 IBM Tivoli Identity Manager V5.1 Fundamentals

More information

Sprint Business Mobility Framework Manager Administrative Portal. Third-Party Administration Guide

Sprint Business Mobility Framework Manager Administrative Portal. Third-Party Administration Guide Sprint Business Mobility Framework Manager Administrative Portal Third-Party Administration Guide Table of Contents Welcome to Sprint... 1 Getting Started... 2 What is the Sprint Business Mobility Framework

More information

Question No: 1 In which file should customization classes be specified in the cust-config section (under mds-config)?

Question No: 1 In which file should customization classes be specified in the cust-config section (under mds-config)? Volume: 80 Questions Question No: 1 In which file should customization classes be specified in the cust-config section (under mds-config)? A. web.xml B. weblogic.xml C. adf-config.xml D. adfm.xml Question

More information

ISUPPLIER PORTAL USER MANUAL ADERP VERSION 1.0

ISUPPLIER PORTAL USER MANUAL ADERP VERSION 1.0 ISUPPLIER PORTAL USER MANUAL ADERP VERSION 1.0 Contents Contents... i Oracle isupplier Portal Overview...1 Recommended Browsers and Settings...2 Advanced Settings...2 Turn-off pop-up blocker or Allow pop-up

More information

Table of Contents. Table of Contents 3

Table of Contents. Table of Contents 3 User Guide for Administrators EPiServer 7 CMS Revision A, 2012 Table of Contents 3 Table of Contents Table of Contents 3 Introduction 5 About this Documentation 5 Accessing EPiServer Help System 5 Online

More information