IAM Description


The identity & access management (IAM) provides functions such as account information management, role permission management, access control management, and log management. The business enabling system (BES) uses the IAM to obtain diversified account and identity management, sign-in, authorization, and authentication capabilities that can be opened and shared.

[Figure: View of BES. Engagement & Experience: Omnichannel Frontend, Communication Engine, Experience Monitor & Optimizer, Search Center, Web CMS, Personalization Engine, Review & Share, Customer Segment, Shopping Cart, Live Help, Social Media Listening & Engagement, Enterprise Mobility Mgmt, Mobile APP, Unified Interaction Hub. Business Orchestration: Identity & Access Mgmt, Business Orchestrator, Operation Openness, Integration Framework. Operation & Management: Product Mgmt, Customer Mgmt, Order Mgmt, Inventory Mgmt, Promotion, Partner Mgmt, Unified System Mgmt, Content Mgmt, Sales Mgmt, Document Mgmt, Reporting, Campaign Mgmt, Loyalty Mgmt, Knowledge Base, Complaint & Problem Handling, Commission, CPQ, MRM, Activity Mgmt, Service Mgmt. Legend: implemented / not implemented.]

1. Overview

1.1 Typical Scenario

Account and Password Authentication

When an operator signs in to the system, the IAM authenticates the operator's account to ensure system security. The authentication includes whether the password is correct, whether the account is normal, and whether the IP address of the operator's computer is within the specified range. The IAM authenticates the account, password, IP address, and MAC address.

[Figure: Retail Shop sign-in page (URL: www.bes.com) with the operator account Jack001 and a masked password; the sign-in succeeds.]

1.2 Advantages

Authorization and authentication for innumerable users and support for flexible third-party authorization capabilities

The IAM provides end-to-end functions such as identity management and access control for the BES. The IAM also integrates third-party authentication capabilities such as Windows Active Directory (Windows AD) for client security management and Oracle Access Manager (OAM). The IAM uses methods such as extending database tables and adding servers to provide unified identity management and authorization functions for hundreds of millions of users, covering operators, partners, and end users.

[Figure: operators, partners, and end users (hundreds of millions of users) obtain sign-in authorization, access control, authentication, and identity management from the IAM, which integrates Windows AD, OAM, and other third-party authorization systems.]

2. Core Concepts

2.1 IAM-related Concepts

Core concepts in the IAM include role, function permission, and data permission. The following figure is the core concept model.

[Figure: core concept model. A user (employee, partner, or customer; status Normal, Unavailable, or Unassignable) is assigned roles (N:N). A role may be a general role or a common role, may be created from a role template, and may inherit from or exclude other roles. A role holds permissions (1:N), which are either function permissions (resource + operation, e.g. menu visible, button visible, role assignable, role use) or data permissions (data source metadata definition, format definition, e.g. read-only); two permissions can be declared mutually excluded.]

Role
A role is a set of related permissions. When a role is assigned to an employee, the employee has all permissions defined for the role. The permissions of employees can be managed through role management. For example, to delete a permission from a type of employee, modify the permission information of the role for that employee type.

Function permission
A function permission controls access to specified graphical user interface (GUI) resources, for example, the add, delete, modify, and query menus and buttons. An employee can perform such operations only when the corresponding function permissions are assigned to the role of the employee.

Data permission
A data permission controls access to dynamically instantiated resources, for example, the add, delete, modify, and query operations on database table information and data dictionaries. An employee can perform operations on specified data only when a role with the corresponding permission is assigned to the employee.

Example: A department administrator role is created. The role must have function permissions over the menus of business entities (BEs) and organization units (OUs) commonly accessed by a department administrator, as well as data permission over the OU table recording the data of all OUs. An employee with this role can then operate these menus and maintain data in the OU table.

[Figure: an employee (individual basic info) holds the role "department administrator", which carries function permissions for the BE menu and the OU menu and a data permission for the OU table in the DB.]

3. Architecture

3.1 Functional Architecture

[Figure: functional architecture. Authentication management: role, function permission, data permission, group/user role mgmt, authentication service, permission comparison, employee role log, role permission log, authentication failure log, 360-degree permission view. Authorization management: authorization service, verification code service, sign-in service, SSO server, distributed session mgmt, account authorization token mgmt, authorization log, sign-in and sign-out log. Identity management: user mgmt, group mgmt, account binding, password mgmt, account/password rule, user info change log.]

Authentication management

Role: Maintains role basic information, for example, deleting or permanently disabling invalid roles. A system administrator can configure the function and data permissions of roles, add role inheritance so that a role inherits the configuration of another role, configure shortcut menus for a role, and view associated role templates. The system administrator can also copy a role directly to add a new role; the copy has the same configuration as the copied role.

Function permission: Maintains function permission basic information. To describe function permissions in detail, an attachment can be uploaded for reference. If a role must not hold two permissions at the same time in specific scenarios (for example, offering creation and offering review), the function permissions can be configured as mutually exclusive.

Data permission: Manages data permission basic information, for example, deleting expired data permissions.

Group/User role management: Provides interfaces for querying and maintaining roles and employees. This function does not provide a GUI.

Authentication service: Provides interfaces for verifying the function permissions and data permissions of employee accounts.

Permission comparison: Enables system administrators to quickly view the permission difference between two employees or roles for which multiple function permissions have been configured.

Employee role log: Queries employee role change history by account, customer name, role code, role name, or time segment.

Role permission log: Queries the permission change history of a role by role code, role name, permission code, permission name, and time segment.

Authentication failure log: Queries user authentication failure records by account, authentication object, and time segment.

360-degree permission view: Provides menus for the role-permission, employee-permission, permission-employee, and permission-role views, displaying the relationships between employees, roles, and permissions from various perspectives.

Authorization management

Authorization service: Provides identity authorization services that support process orchestration and supports authorization modes such as static password, SMS verification code, and the combination of the two.

Verification code service: Provides generation and verification services for graphic verification codes and SMS verification codes.

Sign-in service: Provides account sign-in services that support process orchestration. After an account successfully signs in, the system automatically creates a session and generates logs.

SSO server: Provides the single sign-on (SSO) server for the system and integrates third-party SSO systems to enable the SSO function.

Distributed session management: Provides distributed session management for signed-in accounts, including online user session locking and destruction.

Account authorization token management: Manages tokens for verified accounts. The token validity period can be set and extended as required. An account can be directly authorized through a token within the validity period.

Authorization log: Records backend log information such as the channel, method, result, and time of authorizing a user.

Sign-in and sign-out log: Records users' sign-in and sign-out information, including the operation time, sign-in channel, server IP address, and client IP address, and provides this information for display in the unified system management (USM).

Identity management

User management: Provides the interface for maintaining system user basic information and life cycle status such as Created, Enabled, Suspended, and Discarded.

Group management: Provides the interface for querying and maintaining user group basic information and the relationships between users and groups. A user group can be the OU of an employee or the segment to which a customer belongs.

Account binding: Provides the interface for binding, unbinding, and querying sign-in accounts of various types.

Password management: Provides the interface for changing and resetting an account password using the old password or a dynamic verification code, by visiting a specified URL, or by answering security questions.

Account and password rule: Supports the configuration of password and account rules specifying the complexity requirements for accounts and passwords to ensure system security. Rules can be configured through regular expressions or using the rule engine.

User info change log: Records and queries user information changes by account, name, or time segment.

3.2 Layered Architecture

A business suite is composed of the foundation, the extension, and the corresponding predefined business configuration data.

Foundation: Provides cross-field basic business capabilities (including data models shared across fields) and is composed of related components.

Extension: Capability extended on the basis of the foundation to meet the capability requirements of a specified field (such as telecom) or product. An extension is expressed by new components (extension BCs) and foundation extension plug-ins.

Predefined configuration data: Can be copied, modified, and replaced to form the business configuration data released by products.

[Figure: IAM component view across the basic suite layer, the field extension layer, and the configuration layer. Components: Common sign-in, Common authentication, Account mgmt, Sign-in authorization, Permission mgmt, Party, Verification code, business UI module, plug-in, business configuration (account/password rule, authorization process (to implement), sign-in process (to implement)), third-party authorization (N/A).]

Component/Extension Name - Function

Common sign-in (basic suite layer): Provides the distributed cache capability and the web SSO service for other suites to embed.

Common authentication: Provides authentication services through RESTful interfaces for other suites to embed.

Identity mgmt (account mgmt): Manages accounts and passwords.

Sign-in authorization: Provides services such as sign-in authorization and session management.

Permission mgmt: Provides maintenance and authentication services for information such as roles, function permissions, and data permissions.

Party: Common library, which provides the functions for querying and maintaining party basic information and contact information.

Verification code: Provides generation and verification services for graphic verification codes and SMS verification codes.

4. Key Technologies and Capabilities

4.1 Distributed Session

Traditionally, sign-in sessions are stored on web nodes. Once the connected web node changes or the session is missing, a user needs to sign in again. The IAM uses the distributed session framework to automatically obtain sessions, so the user does not need to sign in again to perform operations.

[Figure: browser, web node, backend, and distributed cache.]
1. Visit a URL and enter the account and password.
2. Send an account and password verification request.
3. Generate a unique key after verification success.
4. Sign-in success.
5. Create a session and store the session in the distributed cache.
6. Send a new access request.
7. Query the session by key value.
8. Matched successfully.
9. Set up the connection again without sign-in.

4.2 Role-based Access Control Model

All function and data permissions are assigned to a user or user group by assigning a corresponding role. Hierarchical authorization and role-based permission inheritance are supported.

Permission management framework centering on users and roles: Users' function and data permissions are managed by a role. A role is the standard method for defining the responsibilities of users and controlling resource access. Function permissions are not directly assigned to employees.

Hierarchical authorization management: An employee of a BE can gain permissions by inheriting the role of an employee belonging to the upper-level BE (direct inheritance). This implements hierarchical authorization management. In addition, hierarchical authorization management prevents a user from having too many function permissions while ensuring that the user has the required permissions.

Tips: An employee can only inherit the role configured by the employee's direct supervisor.
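The role model of section 2 and the hierarchical inheritance just described, as an added example that is not BES or IAM code: roles carry function and data permissions, a role can inherit another role, two function permissions can be declared mutually exclusive (the offering create/review pair from section 3.1), and a sub-department role receives only a subset of what its parent role holds. The class and function names, the subset rule, and the department-administrator sample data are assumptions.

```python
# Added example, not Huawei BES/IAM code: a small role-based access control
# model with role inheritance, mutually exclusive function permissions and
# hierarchical (department -> sub-department) role derivation.
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Iterable, List, Set


@dataclass(frozen=True)
class FunctionPermission:
    """Access to a GUI resource plus an operation, e.g. ('OU menu', 'modify')."""
    resource: str
    operation: str


@dataclass(frozen=True)
class DataPermission:
    """Access to a dynamically instantiated resource such as a database table."""
    table: str
    operation: str


@dataclass
class Role:
    code: str
    function_perms: Set[FunctionPermission] = field(default_factory=set)
    data_perms: Set[DataPermission] = field(default_factory=set)
    inherits: List["Role"] = field(default_factory=list)

    def _collect(self, attr: str, seen: Set[str]) -> set:
        if self.code in seen:            # guard against inheritance cycles
            return set()
        seen.add(self.code)
        perms = set(getattr(self, attr))
        for parent in self.inherits:     # role inheritance: take the parent's configuration
            perms |= parent._collect(attr, seen)
        return perms

    def effective_function_perms(self) -> Set[FunctionPermission]:
        return self._collect("function_perms", set())

    def effective_data_perms(self) -> Set[DataPermission]:
        return self._collect("data_perms", set())


# Mutually exclusive function permissions (section 3.1): no role may hold both.
# The pair itself is the page's example; keeping them in a set is assumed config.
EXCLUSIVE_PAIRS = {
    frozenset({FunctionPermission("offering menu", "create"),
               FunctionPermission("offering menu", "review")}),
}


def exclusion_violations(role: Role) -> List[frozenset]:
    """Every exclusive pair fully contained in the role's effective permissions."""
    held = role.effective_function_perms()
    return [pair for pair in EXCLUSIVE_PAIRS if pair <= held]


@dataclass
class Employee:
    account: str
    roles: List[Role] = field(default_factory=list)

    # Function permissions are never assigned to employees directly (section 4.2):
    # every check resolves through the employee's roles.
    def can_operate(self, resource: str, operation: str) -> bool:
        target = FunctionPermission(resource, operation)
        return any(target in r.effective_function_perms() for r in self.roles)

    def can_access_data(self, table: str, operation: str) -> bool:
        target = DataPermission(table, operation)
        return any(target in r.effective_data_perms() for r in self.roles)


def derive_sub_role(code: str, parent: Role,
                    wanted: Iterable[FunctionPermission]) -> Role:
    """Hierarchical authorization: the sub-department role only receives
    permissions the parent (upper-level BE) role actually holds, so a lower
    level can never end up with more than its supervisor. Assumed rule."""
    allowed = parent.effective_function_perms()
    wanted = set(wanted)
    refused = wanted - allowed
    if refused:
        raise ValueError(f"{code}: parent role {parent.code} lacks {sorted(map(str, refused))}")
    return Role(code, function_perms=wanted)


# Constructed sample data: the department-administrator example of section 2.
BE_MENU = FunctionPermission("BE menu", "query")
OU_MENU = FunctionPermission("OU menu", "modify")
OU_TABLE = DataPermission("OU table", "modify")


def build_department_admin() -> Role:
    return Role("dept_admin", {BE_MENU, OU_MENU}, {OU_TABLE})
```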

[Figure: role inheritance example. Department: common role A carries permission 1 and permission 2; employees under the department (including the administrator) inherit common role A and therefore have permissions 1 and 2. The administrator creates a sub-department and assigns permission 1 to common role B; employees under the sub-department inherit common role B and therefore have permission 1.]

4.3 Sign-in Authorization Process Orchestration

The sign-in authorization process provided in the baseline version can be modified based on the actual situation through the Digital Studio tool. The following is a process orchestration example.

[Figure: orchestrated sign-in authorization process. Nodes: Start, obtain sign-in context (such as language and IP address), validate graphical verification code, validate account and password, check account validity period, check home BE for account, generate sign-in logs, End. Customization: 1. Customize new process nodes using Groovy scripts. 2. Orchestrate the process again.]

5. Core Processes

5.1 SSO Authorization Process

Single sign-on (SSO) is a property of access control over multiple related but independent application systems. With this property, a user signs in once and gains access to all systems that trust each other without being prompted to sign in again at each of them.

A third-party system menu entrance is mapped to the portal of the USM. When a user successfully signs in to the USM and accesses the third-party menu, the USM sends an authorization ticket to the third-party system. If the authorization is successful, the user can access the third-party system again without signing in. The following figure shows the SSO authorization process.

[Figure: participants are the operator, USM web node, USM application cluster, USM DB, IAM (SSO server), and third-party system.]
1. Enter account and password.
2. Send authorization request.
3. Send back authorization success.
4. Generate session and store session in database.
5. Sign-in success.
6. Send registration request to SSO server.
7. Return authorization ticket after registration success.
8. Apply to access third-party menu.
9. Send access request to third-party menu and transfer authorization ticket.
10. Query operator info by authorization ticket.
11. Send back operator info.
12. Verify operator info and set up session.
13. Accessed successfully.
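The ticket exchange of steps 6 to 13 above, as an added example that is not USM or IAM code: after a successful sign-in the USM registers the operator with the SSO server and receives a random authorization ticket; the third-party system never trusts the ticket by itself but asks the SSO server for the operator info behind it before opening its own session. The class names, the ticket lifetime, and revocation on sign-out are assumptions not stated on the page.

```python
# Added example, not USM/IAM code: SSO authorization ticket exchange (section 5.1).
import secrets
import time
from typing import Callable, Dict, Optional

TICKET_TTL_SECONDS = 30 * 60   # assumed: ticket validity tied to the USM session lifetime


class SsoServer:
    """IAM SSO server: registers signed-in operators and answers ticket queries."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._tickets: Dict[str, tuple] = {}   # ticket -> (operator info, issued at)

    def register(self, operator_info: dict) -> str:
        """Steps 6/7: the USM registers a signed-in operator and gets a ticket back."""
        ticket = secrets.token_urlsafe(32)     # 256 random bits; carries no operator data
        self._tickets[ticket] = (dict(operator_info), self._now())
        return ticket

    def query_operator(self, ticket: str) -> Optional[dict]:
        """Steps 10/11: resolve a ticket; unknown, expired or revoked tickets yield None."""
        entry = self._tickets.get(ticket)
        if entry is None:
            return None
        info, issued_at = entry
        if self._now() - issued_at > TICKET_TTL_SECONDS:
            del self._tickets[ticket]
            return None
        return dict(info)

    def revoke(self, ticket: str) -> None:
        """Assumed: the USM revokes the ticket when the operator signs out."""
        self._tickets.pop(ticket, None)


class ThirdPartySystem:
    """Accepts an operator only after the SSO server confirms the ticket (step 12)."""

    def __init__(self, sso: SsoServer):
        self._sso = sso
        self.sessions: Dict[str, dict] = {}

    def access(self, ticket: str) -> Optional[str]:
        """Steps 9-13: verify the ticket via the SSO server, then open a local session."""
        info = self._sso.query_operator(ticket)
        if info is None:
            return None
        session_id = secrets.token_hex(16)
        self.sessions[session_id] = info
        return session_id


class Usm:
    """Portal: signs the operator in, registers with the SSO server, forwards tickets."""

    def __init__(self, sso: SsoServer):
        self._sso = sso
        self._sessions: Dict[str, dict] = {}

    def sign_in(self, account: str, iam_authorized: bool) -> Optional[str]:
        """Steps 1-7: on IAM authorization success, create the USM session and register."""
        if not iam_authorized:
            return None
        ticket = self._sso.register({"account": account})
        session_id = secrets.token_hex(16)
        self._sessions[session_id] = {"account": account, "ticket": ticket}
        return session_id

    def open_third_party_menu(self, session_id: str,
                              system: ThirdPartySystem) -> Optional[str]:
        """Steps 8/9: send the access request together with the authorization ticket."""
        session = self._sessions.get(session_id)
        return system.access(session["ticket"]) if session else None

    def sign_out(self, session_id: str) -> None:
        session = self._sessions.pop(session_id, None)
        if session:
            self._sso.revoke(session["ticket"])
```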

5.2 Unified Sign-in Process

The IAM provides a unified user sign-in and authorization framework for the BES to verify the sign-in information of accounts.

[Figure: unified sign-in process. Start; 1. Visit page of BES; 2. Obtain the IAM authorization service; authorization successful? (No: go to 11); 3. Invoke authorization interface; authorization successful? (No: go to 11); 4. Invoke domain session service to construct a session; 5. Create session cookie; 6. Create context info (such as language and time zone); 7. Invoke authorization success extended interface; 8. Obtain password authorization rules and verify password (password change notification upon password expiration, when the password is about to expire, or at first sign-in); 9. Generate sign-in logs; 10. Jump to the requested page; End. Failure branch: 11. Invoke authorization failure extended interface; 12. Generate logs; 13. Return sign-in failure message.]

1. An operator enters the account and password on the sign-in page of the BES and clicks Sign In.
2. The system invokes the authorization service of the IAM to verify the account, password, and account status based on the password verification logic.
3. The IAM invokes the authorization interface of the other suites. The other suites then perform further authorization based on their own authorization logic, such as checking whether the status of a partner account is normal.
4. The IAM invokes the domain session service to construct a session that identifies the authorization request sent from the other suites and sustains the connection. The IAM sets up a user session and stores the additional information, cache information, and user data of the session in the database.
5. The IAM creates a session cookie to sustain the session.
6. The IAM creates context information (such as language and time zone) based on the session cookie, which the other suites invoke to query and identify accounts.
7. The IAM invokes the authorization success extended interface to instruct the other suites or the third-party system to perform internal processing, such as creating an internal session cookie in the other suites and sustaining the session connection.
8. The IAM verifies the password. The verification includes: whether the password is about to expire or has expired (if yes, the system instructs the operator to change the password); whether this is the first sign-in (if yes, the system asks the operator to change the password).
9. The IAM generates sign-in success logs.
10. The system obtains the success message from the IAM and jumps to the requested page.
11. The IAM invokes the authorization failure extended interface to instruct the other suites to perform internal processing, such as deleting the session cookie and ending the invocation.
12. The IAM generates sign-in failure logs.
13. The system obtains the failure message from the IAM and displays an error message on the sign-in page of the other suites.

5.3 Unified Sign-in Authorization Process

The following figure shows the authorization process in the unified sign-in process.

[Figure: Start; 1. Other suites invoke the IAM authorization service; 2. The IAM performs the authorization items in sequence (the step sequence can be customized): identify verification code, identify account, verify password, verify status, verify IP/MAC address, verify one-off SMS verification code; authorization successful? Yes: 3. processing after authentication success (clear authentication failures, unlock account, send back user account object such as account info and account binding info); No: 4. processing after authorization failure (accumulate authentication failures within a cycle, lock account); End.]

1. Other suites invoke the authorization service of the IAM to verify the sign-in information of an account.
2. The IAM provides an authorization process that verifies account information in an orchestrated sequence. The verification fails as long as any authorization item fails. Even when the entire authorization has already failed, the system continues to execute the remaining authorization items and then returns the authorization result.
3. The IAM clears the authorization failure records. After the account is unlocked, the IAM returns the account information and account binding information (such as the account, password, and home BE) to the other suites.
4. The IAM locks an account if the accumulated number of authorization failures of the account reaches the specified value.
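An orchestrated authorization process in the shape of sections 4.3 and 5.3 (section 5.4 follows the same pattern with customer-number items), as an added example that is not the IAM implementation: the item sequence is a plain list that can be reordered or extended, every item still runs after an earlier one fails (step 2), failures accumulate per account until it locks (step 4), and success clears the counter and unlocks (step 3). The lock threshold, unlock period, item names, PBKDF2 storage format, and the sample account are assumptions.

```python
# Added example, not Huawei IAM code: orchestrated sign-in authorization (5.3).
import hashlib
import hmac
import ipaddress
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

MAX_FAILURES = 5          # assumed lock threshold (5.3 step 4)
LOCK_SECONDS = 15 * 60    # assumed automatic unlock period
PBKDF2_ROUNDS = 100_000

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    # Salted PBKDF2-SHA256 stored as 'salthex$digesthex' (assumed storage format).
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()

def password_matches(stored: str, candidate: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)   # constant-time compare

@dataclass
class Account:
    name: str
    password_hash: str
    home_be: str = "BE-HQ"
    status: str = "Enabled"                  # Created / Enabled / Suspended / Discarded
    allowed_cidrs: tuple = ("10.0.0.0/8",)   # section 1.1: client IP must be in range
    failures: int = 0                        # accumulated failures within the cycle
    locked_until: float = 0.0

@dataclass
class SignInRequest:
    account: str
    password: str
    client_ip: str
    captcha_ok: bool = True   # outcome reported by the verification code service

@dataclass
class Context:   # shared by all items so later items can use what earlier ones found
    accounts: Dict[str, Account]
    now: float
    account: Optional[Account] = None

# Each authorization item returns None on success or a short failure reason.
Item = Callable[[SignInRequest, Context], Optional[str]]
DUMMY_HASH = hash_password("placeholder")  # keeps timing similar for unknown accounts

def identify_verification_code(req: SignInRequest, ctx: Context) -> Optional[str]:
    return None if req.captcha_ok else "verification code"

def identify_account(req: SignInRequest, ctx: Context) -> Optional[str]:
    ctx.account = ctx.accounts.get(req.account)
    return None if ctx.account else "account"

def verify_password(req: SignInRequest, ctx: Context) -> Optional[str]:
    stored = ctx.account.password_hash if ctx.account else DUMMY_HASH
    ok = password_matches(stored, req.password)   # always computed, even without an account
    return None if ok and ctx.account else "password"

def verify_status(req: SignInRequest, ctx: Context) -> Optional[str]:
    if ctx.account is None:
        return "status"
    if ctx.account.locked_until > ctx.now:
        return "locked"
    return None if ctx.account.status == "Enabled" else "status"

def verify_ip_address(req: SignInRequest, ctx: Context) -> Optional[str]:
    ip = ipaddress.ip_address(req.client_ip)
    cidrs = ctx.account.allowed_cidrs if ctx.account else ()
    return None if any(ip in ipaddress.ip_network(c) for c in cidrs) else "IP address"

# The orchestrated sequence (4.3): reorder, drop or append items to customize it.
DEFAULT_PROCESS: List[Item] = [identify_verification_code, identify_account,
                               verify_password, verify_status, verify_ip_address]

def authorize(req: SignInRequest, accounts: Dict[str, Account],
              process: List[Item] = DEFAULT_PROCESS,
              now: Callable[[], float] = time.time) -> dict:
    """Run every item (5.3 step 2), then apply the success or failure handling."""
    ctx = Context(accounts, now())
    failures = []
    for item in process:                 # keep executing after a failure
        reason = item(req, ctx)
        if reason is not None:
            failures.append(reason)
    acct = ctx.account
    if failures:                         # step 4: accumulate, lock at the threshold
        if acct is not None:
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = ctx.now + LOCK_SECONDS
        # Reasons are for the calling suite's logs; the operator sees a generic message.
        return {"ok": False, "failures": failures}
    acct.failures = 0                    # step 3: clear failures and unlock
    acct.locked_until = 0.0
    return {"ok": True, "account": acct.name, "home_be": acct.home_be}
```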

5.4 Authentication Process

The IAM provides a unified customer number authentication function for the BES, supporting customer number authentication by password and by ID card.

[Figure: Start; 1. Retailshop invokes the IAM authentication service to authenticate a service number; 2. The IAM performs the authentication items in sequence (the step sequence can be customized): check user existence, check validity of authentication mode, unlock expired accounts automatically locked by the system, check customer locking status, verify customer password, verify customer certificate info; authentication successful? Yes: 3. processing after authentication success (clear authentication failure times, send back customer info to Retailshop); No: 4. processing after authentication failure (update authentication failure times; exceeded maximum authentication failure times? Yes: lock service number; No: send back failure message to Retailshop); End.]

1. The Retailshop invokes the customer authentication service of the IAM to send a sign-in authentication request for a service number, transferring the service number, the authentication mode, and the authentication information, including the password and certificate number, to the IAM.
2. The IAM provides an authentication process that authenticates a service number in an orchestrated sequence. The authentication fails if any authentication item fails. Even when the entire authentication has already failed, the system continues to execute the remaining authentication items and then returns the authentication result.

3. The IAM sends the obtained customer information to the Retailshop.
4. If the authentication items that check the customer password and customer certificate information fail, the number of authentication failures is updated and compared with the maximum limit. If the number exceeds the maximum limit, the customer number is locked. If other authentication items fail, the IAM returns an authentication failure message to the Retailshop.

5.5 HTTP Request Authentication Process

The IAM provides a complete HTTP request authentication function for the BES. For example, the Role menu has a high security level, and only operators with the permission for the menu can access it. When an operator accesses the menu by clicking the menu URL, the IAM checks whether the sign-in of the operator has timed out and whether the operator has the permission on the menu. The following figure shows the HTTP request authentication process.

[Figure: Start; 1. Send HTTP request; 2. Sign-in-free authentication page? (Yes: go to 8); 3. Obtain session; 4. Authentication timed out? (Yes: jump to sign-in page); 5. Parse URL and match permission; 6. Authentication successful? (No: show authentication failure page); 7. Generate access success logs; 8. Jump to business page; End.]
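The distributed session of section 4.1 and the HTTP request authentication flow of section 5.5, as an added example that is not BES or IAM code: a shared store stands in for the distributed cache, so a session created on one web node is found by another (steps 5 and 7 of 4.1), and each request runs the sign-in-free check, session lookup, timeout check, and URL-to-permission match of 5.5. The timeout value, the sign-in-free pages, the URL-to-permission table, denying unmapped URLs by default, and the class names are assumptions.

```python
# Added example, not Huawei BES/IAM code: distributed session (4.1) plus
# HTTP request authentication (5.5).
import secrets
from fnmatch import fnmatch
from typing import Callable, Dict, List, Optional, Set, Tuple

SESSION_TIMEOUT = 30 * 60   # seconds, assumed

# Pages reachable without a session (5.5 step 2); assumed list.
SIGN_IN_FREE = ("/login", "/static/*")
# URL pattern -> function permission needed (5.5 step 5); assumed table. The page's
# own example is that the Role menu requires its own permission.
URL_PERMISSIONS = {"/iam/role/*": "role_menu", "/inventory/*": "inventory_menu"}


class DistributedCache:
    """Session store shared by every web node (4.1 steps 5 and 7)."""

    def __init__(self):
        self._store: Dict[str, dict] = {}

    def put(self, key: str, value: dict) -> None:
        self._store[key] = value

    def get(self, key: str) -> Optional[dict]:
        return self._store.get(key)

    def delete(self, key: str) -> None:
        self._store.pop(key, None)


class WebNode:
    def __init__(self, name: str, cache: DistributedCache, now: Callable[[], float]):
        self.name = name
        self._cache = cache
        self._now = now
        self.access_log: List[str] = []

    def create_session(self, account: str, permissions: Set[str]) -> str:
        """4.1 steps 3 and 5: after the backend verified the credentials, generate a
        unique key and store the session in the distributed cache. Credential
        verification itself is out of scope here."""
        key = secrets.token_urlsafe(32)   # unguessable session key
        self._cache.put(key, {"account": account, "permissions": set(permissions),
                              "last_access": self._now()})
        return key

    def handle_request(self, url: str, session_key: Optional[str]) -> Tuple[int, str]:
        """5.5 flow. Returns (HTTP status, page or redirect target)."""
        if any(fnmatch(url, pattern) for pattern in SIGN_IN_FREE):
            return 200, "business page"                       # step 2: sign-in free
        session = self._cache.get(session_key) if session_key else None
        if session is None:                                   # step 3: no session
            return 302, "/login"
        if self._now() - session["last_access"] > SESSION_TIMEOUT:
            self._cache.delete(session_key)                   # step 4: timed out
            return 302, "/login"
        session["last_access"] = self._now()
        self._cache.put(session_key, session)
        required = next((perm for pattern, perm in URL_PERMISSIONS.items()
                         if fnmatch(url, pattern)), None)     # step 5: match permission
        if required is None or required not in session["permissions"]:
            self.access_log.append(f"{self.name} DENY {session['account']} {url}")
            return 403, "authentication failure page"         # step 6 failed
        self.access_log.append(f"{self.name} ALLOW {session['account']} {url}")  # step 7
        return 200, "business page"                           # step 8
```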

5.6 Role Permission Configuration Process

The system administrator needs to add an inventory administrator role. To configure the role, the system administrator must understand the responsibilities of an inventory administrator, determine the required function permissions and data permissions based on those responsibilities, and assign the permissions to the inventory administrator role. The following figure shows the configuration process.

[Figure: Start; preparations for configuration; determine responsibilities of the role to be configured (an inventory administrator's daily work includes stock-in, stock-out, and transfer); match permissions to responsibilities (an inventory administrator must have the permissions for inventory-related menus and system data); configure the role (role: inventory administrator, with function permissions and data permissions); End.]

6. Core Interface

6.1 Internal Interface Relationship

The IAM interacts with internal interfaces through the distributed service framework (DSF).

[Figure: the IAM connects through the DSF to Omnichannel, OM, CM, PM, INV, the USM, and other suites.]

Interaction Object - Interaction Description

Omnichannel/CM/OM/PM/INV...: The IAM provides functions such as employee sign-in authorization, customer authorization and authentication, session authorization, and service authentication for peer suites through interfaces.

USM: The IAM provides employee sign-in information, employee sign-in authentication information, employee role permission information, and functions such as the authentication service and the session authentication interface for the USM.

6.2 Interaction with Other Systems

The IAM interacts with other systems through the integration framework (IF), which provides protocol conversion between different systems.

[Figure: the IAM (within the BES) connects through the IF to the CBS, the IPCC, Windows AD, and a third-party authentication system.]

Peer System - Interaction Description

Convergent billing system/IP call center (CBS/IPCC): The IAM synchronizes role permission data to the third-party system.

Windows AD: The IAM obtains domain account authentication and synchronization information from the third-party system to complete the synchronization and authentication of Windows domain accounts on the IAM side.

Third-party unified authentication system: The IAM sends an account authentication and synchronization request to the third-party unified authentication system for authentication.

6.3 API Description

The IAM provides the following types of APIs. For details, see the IAM SDK API Reference.

API Classification - Description

Authorization interface: Queries, maintains, and verifies user data.

Authentication interface: Maintains and queries data, such as role and permission data.

More Details

For details about the common operations and related concepts of the IAM, see the IAM Operation Guide.
For details about the configuration process and method of the IAM, see the IAM Configuration Guide.
For details about the secondary development capability and method of the IAM, see the IAM Development Guide.

Copyright Huawei Technologies Co., Ltd. All rights reserved.