Business Administration
This section gives additional information to Business Administrators of the Digital Transformation Toolkit (DTT) on the implementation and use of Service Manager.
Service Manager
Service Manager seeks to provide a consistent, platform-level user management experience for:
- UI Admin
  - Admin Users – e.g. Service User
  - Portal Users – e.g. PanelUser
- UI Public
  - Portal Users – e.g. PublicServiceUser
  - Subscriber Management – e.g. PublicServiceAdmin
  - Subscriber Users – e.g. PublicServiceUser
Service Manager will not be retrofitted into existing services, but Product Owners/BAs can decide whether to enable Service Manager functionality for work requested on services moving forward.
Service Manager functionality is applied at platform level, so service-specific functionality is out of scope unless it can be re-used by existing services or by services being requested. Any Service Manager functionality over and above this scope should be costed as part of the project requesting it: it should be called out in scoping documents, added to the backlog and costed as part of the delivery.
Currently the following architectures exist:
- PARENT/CHILD – Funding Forms Org Portal is a separate service instance, a child of the TEO Service. Organisations can administer other users; FF Admin can administer organisation users.
- PORTAL – Public Apps (PA) portal, which is part of the PA service on the admin side. Portal users are a mixture of NICS users and external users (e.g. outlook.com, gmail).
- PORTAL – CAFRE RSPB portal is a separate service instance on the public side. Users are all public users, and no existing Identity client authentication can be used for these external users.
- SUBSCRIBER – HIA Solicitors, which is a separate application instance on the public side. Authentication is via NIDA. HIA Solicitors are subscribers. HIA Solicitors cannot manage their own users; instead the HIA service maps the user's email domain to the subscriber on NIDA registration (this domain-mapping functionality is service specific and not reused anywhere else, and is therefore out of scope for Service Manager).
- SUBSCRIBER – Jobs Online Employers, which is a separate application instance (TBC) on the public side.
  - Employers register (2 flows) and have access to an Employers portal. Employer Public Admins can provision other employer users. Currently there is no way for Jobs Admin to provision other Employer Admins.
  - Job Seekers have access to a Job Seekers portal. Neither Jobs Admin nor Employers can administer Job Seekers. Job Seekers do not have any domain service roles; they are just authenticated users.
Service Manager is enabled using ServiceProperty configuration within Global Key Value Pairs (see Appendix A). It is OFF by default. When configured on, it is accessible through the existing Associate User functionality on the Service Dashboard.
Service Manager Dashboard
The Service Manager dashboard is contextual to the service it is launched from.
The options available on the menu depend on the owning service. Manage Admin Users is always available; the Manage {Subscriber} Users and Manage Portal Users options are service dependent and are discussed in greater detail below. The Service Manager within the owning service 'knows' which user management services it should provide to the service admin. For example, CAFRE above manages:
- UI Admin – Internal Users
- UI Public
  - Portal Users for a separate service instance, 'RSPB Portal'
  - Registration of Subscribers of type 'School'
  - Management of Subscriber Users
Whereas DFC below does not have a separate public portal service instance: Employer portals are managed as Subscribers, and subscribers and subscriber users register externally.
USER MANAGEMENT
Service Manager supports user management flows for
- Admin Users
- Portal Users – Internal and External
- Subscriber Users
There is a service configuration item (see Appendix A) that indicates whether the service should display the option to register a password user as a separate button alongside Register User.
Register User button – registers AD internal users: users that can be authenticated using an existing Identity AD client.
Register Password User button – registers external password users: users that cannot be authenticated using an existing Identity AD client and therefore use password (and potentially 2FA) authentication.
From service review 17/10/23:
An additional config item will be provisioned to enable the public registration of AD users (users who can be authenticated using an existing AD client). Its default will be false.
User Flow 1 – External Users – Registering Password Users (users who cannot be authenticated using an existing Identity AD client)
The external roles available to users are defined by what has been configured for the service in Portal Admin.
Users can be managed by the Service Administrator (if the service manager toggle is on) through Associate User on the service.
Adding a user creates the user with the default public role enabled for the service in Portal Admin.
As this is an external user, the search for the user is on email only.
If the user exists, the admin can associate the existing user to the service.
Toggling a role applies it immediately; there is no need to save.
On successful association, an email is issued to the user using the ExistingUserRegistrationTemplate.
If the user is new (i.e. not found on search when adding a user), the admin is required to enter the user details (the email is carried forward and disabled).
Two config options apply here (see Appendix A for Service Manager configuration):
- PhoneNumberRequired (Y/N)
- 2FA Enabled (Y/N)
The logic based on this configuration is represented in the table below.
E.g. the service below has Phone = N, so 2FA will be via email.
A web job runs in the background, so you may not see created users in the Users list immediately.
When the user is created successfully, the user is added to the Users list with the default public role. From this point the admin can assign other public roles if required.
An email is issued to the user using the NewUserRegistrationTemplate (the domain 0 template can be overridden at tenant level).
The wording should include the link in plain text with instructions to copy and paste it, as some email clients block these links.
The Register Your Account link in the email above will:
- bring the user through 2FA (phone/email) if enabled;
- allow the user to set and confirm their password.
On confirmation it brings the user into the service.
The link:
- is valid for 48 hours only;
- once the user has confirmed their password, brings them to the login page instead.
Possible Public User Registration Outcomes
Admin Reissue Link
The Service Admin can reissue an expired link from the Users list.
If the user has not previously confirmed their password, this generates a link with a new 48-hour token and reissues the NewUserRegistration email. If the user has previously confirmed their password (potentially in another service), they are issued the ExistingUserTemplate email instead. Bear this in mind when reviewing the text of these emails: they need to work both for the initial issue and for any subsequent reissue.
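The link lifecycle described above (48-hour validity, reissue with a new token, the old link becoming useless, and a confirmed user being sent to the login page), as an added illustration that is not Service Manager's own code. The page says nothing about how the token is generated or stored, so the `RegistrationStore` class, the hashed-at-rest token storage, the action names returned by `follow_link` and the sample user `jane@example.com` are all assumptions of this example; the template names are the ones the page uses.

```python
"""Registration-link lifecycle for password (external) users.

Added example for this page, not Service Manager's own code. The 48-hour
validity, the reissue rules and the 'confirmed user lands on login' behaviour
come from the page; the token format, the hashed-at-rest storage and this
in-memory store are assumptions made for the example.
"""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

LINK_LIFETIME = timedelta(hours=48)   # page: the link is valid for 48 hours only


@dataclass
class User:
    email: str
    password_confirmed: bool = False          # set once the user sets/confirms a password
    token_hash: Optional[str] = None          # only the SHA-256 of the raw token is stored
    token_expires: Optional[datetime] = None


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class RegistrationStore:
    """Assumed in-memory stand-in for the platform's user store."""

    def __init__(self) -> None:
        self.users: dict = {}

    def issue(self, email: str, now: datetime) -> Tuple[str, str]:
        """Issue (or reissue) the registration link; returns (raw token, email template).

        A user who has already confirmed a password gets the existing-user
        template and no new token, matching the reissue rule on the page.
        """
        user = self.users.setdefault(email, User(email))
        if user.password_confirmed:
            return "", "ExistingUserRegistrationTemplate"
        token = secrets.token_urlsafe(32)           # 256 bits of entropy, URL-safe
        user.token_hash = _hash(token)              # storing a new hash revokes the old link
        user.token_expires = now + LINK_LIFETIME
        return token, "NewUserRegistrationTemplate"

    def follow_link(self, email: str, token: str, now: datetime) -> str:
        """What the Register Your Account link does when clicked at time `now`."""
        user = self.users.get(email)
        if user is None or user.token_hash is None:
            return "invalid"
        # constant-time comparison so response timing does not leak the stored hash
        if not secrets.compare_digest(user.token_hash, _hash(token)):
            return "invalid"
        if user.password_confirmed:
            return "login"          # same link after confirmation goes to the login page
        if now > user.token_expires:
            return "expired"        # admin must reissue from the Users list
        return "set_password"       # 2FA step (if enabled), then set and confirm password

    def confirm_password(self, email: str, token: str, now: datetime) -> bool:
        """Complete registration; only a valid, unexpired link may do this."""
        if self.follow_link(email, token, now) != "set_password":
            return False
        self.users[email].password_confirmed = True
        return True


def demo() -> List[str]:
    """Walk one constructed external user through issue, expiry, reissue and confirmation."""
    store = RegistrationStore()
    email = "jane@example.com"                              # constructed sample user
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)

    def h(hours: int) -> datetime:
        return t0 + timedelta(hours=hours)

    steps = []
    first, template = store.issue(email, t0)
    steps.append(template)                                  # NewUserRegistrationTemplate
    steps.append(store.follow_link(email, first, h(49)))    # expired: more than 48h have passed
    second, template = store.issue(email, h(49))            # admin reissues the link
    steps.append(template)                                  # NewUserRegistrationTemplate again
    steps.append(store.follow_link(email, first, h(50)))    # invalid: old token revoked by reissue
    steps.append(store.follow_link(email, second, h(50)))   # set_password
    store.confirm_password(email, second, h(50))
    steps.append(store.follow_link(email, second, h(51)))   # login: link now routes to login page
    steps.append(store.issue(email, h(52))[1])              # ExistingUserRegistrationTemplate
    return steps


if __name__ == "__main__":
    print(demo())
```

Two design points worth carrying into the real implementation: only a hash of the token is stored, so a read of the user table does not yield usable registration links, and a reissue overwrites that hash, so an expired link that was forwarded or leaked cannot be revived by the later reissue.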
User Flow 2 – Registering an AD User – a user who can be authenticated using an existing Identity AD client
Registering a user who can be authenticated using an existing Identity AD client works in a similar way to a Service Admin administering other internal admin users.
When adding these users you can search for the user by username (e.g. staffidstaffed) or email, or part thereof.
The service below has the configuration item allowRegisterPasswordUsers=true, therefore two options are displayed:
Register Password User follows the Register External User flow described above.
Register User follows the Register Admin flow (Service Admin).
Portal Users
Portals are service instances which are linked to the 'owning' service. For example, the RSPB portal is a separate service but linked to its owning service 'CAFRE'.
[Screenshot in the original: table of Service Instance against Link to Owning Service (Tenant.Service)]
A portal can be accessed by a mixture of internal and external users.
Portals use the same user flows described above, but in the context of their own service, and are subject to the same service property config for the logic of which user registration flows to enable for the service.
Register User button – registers internal users for the portal.
Register Password User button – registers external users for the portal.
Currently Service Manager does not support:
- The management of multiple portals for a single owning service
- The management of portal subscribers. Subscribers are managed on the owning service only.
Subscriber Users
A subscriber can be many things depending on the owning service, for example:
Business | Subscriber Type |
---|---|
CAFRE | Schools |
Jobs | Employers |
TEO Funding Forms | Organisations |
HIA/VPS | Solicitors/Representatives |
CREATING/AMEND SUBSCRIBERS
Subscribers can be linked to the owning service in 2 ways
- Register via public service
- Onboarded/Added by Service Admin
Service Manager does not support the creation (or association) of subscribers, as each service requires specific information about its subscriber type; subscriber creation should therefore be managed within the service itself. All subscribers are tenants/domains in the DTT platform, so an API has been exposed through the PlatformAPI shared library that the owning service can use to create the tenant. All additional information about the tenant should be managed by the service.
Service Manager will expose an API to be called on creation/amendment of subscribers which triggers a 2FA flow (dependent on service config). This enables 'new' subscribers to validate via 2FA before their registration is submitted. It is the responsibility of the service implementing subscriber creation to call this API and handle the response.
DELETE SUBSCRIBERS
Again, as a subscriber represents more than just the tenant to the service (i.e. additional data/DTOs etc. are stored against a subscriber in the service), Service Manager does not support the deletion (or dissociation) of subscribers.
MANAGING SUBSCRIBER USERS
Service Manager understands the Subscriber Type (e.g. Employer) for a service and contextualises the navigation accordingly.
Manage {Subscriber} Users displays a list of tenant subscribers for the owning service.
It is possible to:
- Search for a specific subscriber by tenant display name
- Select a particular subscriber to navigate to administer its subscriber users
ADMINISTER SUBSCRIBER USERS
From this screen a Service Administrator can:
- Add a subscriber user
- Edit an existing user
- Dissociate an existing user from the subscriber tenant
- Reissue a registration link:
  - Internal – issue the ExistingUserTemplate (TBC)
  - External
    - For existing users – issue the ExistingUserEmail template
    - For new users – issue the RegisterUserEmailTemplate
Administer admin users
This functionality replaces the Associate User functionality for internal users (e.g. Service Admin, Service Users) and follows the same flow as Internal Portal Users described above.
Register Anonymous Users
A number of services require the ability to register anonymous users.
The registration
There is a module in a shared library, currently used by Secure Messaging, which takes users through a verification flow (email/SMS). Should services wish to use this to verify users before creating the user accounts or any subsequent user DTOs, they should use
An email is issued to the user containing a secure link that is active for 48 hours, but no password. The link contains a redirect URL which tells Identity which service to redirect the user back to on successful registration. Identity should validate that redirect URL against the registered service URLs before following it, so that the link cannot be turned into an open redirect.
Template name TBC
Disposal of User accounts
A scheduled job will be created that looks for users who have no domain service connections. If such a user's password change date is 48 hours or more in the past and the ChangePasswordNextLogin flag is still 1, an email is sent telling them that their registration has expired because it was not activated, and advising them to re-register (template to be confirmed).
This applies to all users (e.g. Admin, Portal, Subscriber).
The user is then marked for deletion.
(TBC – 'marked' needs to mean taking them out of the AspNet users table so they cannot be matched again by the multitude of matching options scattered across the platform.)
I am aware that this could leave orphan JobSeeker DTOs in Jobs. Jobs could consider implementing similar logic against a JobSeekerDTO with a created date <= 48 hours and a blank LastActiveDate in order to cleanse orphan JobSeeker DTOs. This is considered out of scope for the Service Manager functionality.
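The disposal rule described above, run over constructed sample rows, as an added example that is not the platform's scheduled job. The `AspNetUsers` and `UserServiceRoles` tables, the `IsDeleted` column and the sample users are assumptions for this example; the selection rule (no domain service connections, password change date 48 hours or more old, ChangePasswordNextLogin still 1) is the page's. It also shows the point the TBC note makes: once a user is marked, every lookup that matches users has to exclude them, otherwise an "existing user" search would re-associate a dead registration.

```python
"""Disposal sweep for registrations that were never activated.

Added example for this page, not the platform's scheduled job. The schema is
an assumed, simplified stand-in for the AspNet users table and the user/service
link table; the selection rule is taken from the page.
"""
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Optional, Tuple

EXPIRY = timedelta(hours=48)   # page: registration not activated within 48 hours

SCHEMA = """
CREATE TABLE AspNetUsers (
    Id TEXT PRIMARY KEY,
    Email TEXT NOT NULL,
    PasswordChangedDate TEXT NOT NULL,        -- ISO-8601, UTC
    ChangePasswordNextLogin INTEGER NOT NULL, -- 1 until the user sets their password
    IsDeleted INTEGER NOT NULL DEFAULT 0      -- assumed: the 'marked for deletion' flag
);
CREATE TABLE UserServiceRoles (               -- assumed: one row per domain service connection
    UserId TEXT NOT NULL,
    Service TEXT NOT NULL
);
"""


def open_sample_db(now: datetime) -> sqlite3.Connection:
    """In-memory database seeded with constructed rows (not real platform data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)

    def ts(hours_ago: int) -> str:
        return (now - timedelta(hours=hours_ago)).isoformat()

    conn.executemany(
        "INSERT INTO AspNetUsers VALUES (?, ?, ?, ?, 0)",
        [
            ("u1", "never.activated@example.com", ts(72), 1),  # stale and unactivated: dispose
            ("u2", "fresh@example.com",           ts(12), 1),  # still inside the 48h window
            ("u3", "activated@example.com",       ts(72), 0),  # set a password: keep
            ("u4", "admin.pending@example.com",   ts(72), 1),  # stale but has a service connection
        ],
    )
    conn.execute("INSERT INTO UserServiceRoles VALUES ('u4', 'CAFRE')")
    conn.commit()
    return conn


def find_expired_registrations(conn: sqlite3.Connection, now: datetime) -> List[Tuple[str, str]]:
    """Users matching the page's rule: unactivated, >= 48h old, no domain service connection."""
    cutoff = (now - EXPIRY).isoformat()
    return conn.execute(
        """
        SELECT u.Id, u.Email
          FROM AspNetUsers u
         WHERE u.IsDeleted = 0
           AND u.ChangePasswordNextLogin = 1
           AND u.PasswordChangedDate <= ?
           AND NOT EXISTS (SELECT 1 FROM UserServiceRoles r WHERE r.UserId = u.Id)
        """,
        (cutoff,),
    ).fetchall()


def dispose_expired(conn: sqlite3.Connection, now: datetime) -> List[str]:
    """Mark stale registrations for deletion; returns the emails to send the expiry notice to."""
    expired = find_expired_registrations(conn, now)
    conn.executemany("UPDATE AspNetUsers SET IsDeleted = 1 WHERE Id = ?",
                     [(user_id,) for user_id, _ in expired])
    conn.commit()
    return [email for _, email in expired]


def find_user_by_email(conn: sqlite3.Connection, email: str) -> Optional[str]:
    """The 'does this user exist' lookup used when adding a user: must skip disposed rows."""
    row = conn.execute(
        "SELECT Id FROM AspNetUsers WHERE Email = ? AND IsDeleted = 0", (email,)
    ).fetchone()
    return row[0] if row else None


def demo() -> Dict[str, Any]:
    """Run one sweep over the constructed sample data and a follow-up lookup."""
    now = datetime(2024, 3, 1, 8, 0, tzinfo=timezone.utc)
    conn = open_sample_db(now)
    notified = dispose_expired(conn, now)
    return {
        "notified": notified,                                                     # ['never.activated@example.com']
        "lookup_after": find_user_by_email(conn, "never.activated@example.com"),  # None
        "fresh_still_found": find_user_by_email(conn, "fresh@example.com"),       # 'u2'
        "second_run": dispose_expired(conn, now),                                 # []: the sweep is idempotent
    }


if __name__ == "__main__":
    print(demo())
```

The `IsDeleted = 0` predicate in `find_user_by_email` is the important part for the TBC note: a soft-delete flag is only as good as the lookups that honour it, so if the platform keeps the row rather than removing it, every matching query needs the same predicate.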
Service Manager Roadmap
Core
Services should be moved to Service Manager as they are worked on in the backlog. Core services could (TBC) remove User Manager and move to Service Manager as part of the Vue3 migrations workstream (this was not in scope when Core work was planned for the remainder of this financial year, so it will not take priority over existing Core work).
Projects
The move to Service Manager changes how service administrators currently manage their users, so it should form part of the scoping of any project work package moving forward. Exceptions to this include the following end-of-life services:
- HIA (TBC) – uses a different subscriber model and the service is end dated for 2025
- VPS (TBC) – need to understand whether a move to Service Manager would impact their existing
The impact of these changes should be analysed on a service-by-service basis, with the appropriate level of support for the business area costed as part of the work package; the implementation of Service Manager in each project service is therefore outside the scope of this specification.
Service Manager for Business/Portal admin
Analysis pending.
Business Admin and Portal Admin allow the user to navigate to the context of a tenant to see a list of enabled services.
Portal/Business Admin will be extended to allow further navigation into a tenant service. When within the tenant service, the service management configuration for that tenant service should apply. Further analysis is ongoing to determine the flow changes needed to enable the Service Manager user flows described above.
APPENDIX A - Configuration of Service Manager
Log in to Portal Admin.
Select Global Key Value Pairs.
Select the Tenant and Service, and EntityType ServiceProperty. If ServiceProperty is not in the list of entity types, select the "Add new global key value pair" button (see Adding a New Service Property below).
Adding a New Service Property
Click the "Add New Service Property" or the "Add new global key value pair" if there are no Service Properties for the service.
This will display a modal allowing you to add properties to the global key value pairs.
Field Definition
Field | Description |
---|---|
Key | The name of the property |
Value | A json object representing the property |
List Name | Not required for Service property |
Service Property Examples:
Json Value | Purpose |
---|---|
{"useServiceManager":true} | Configures the "Associate User" button in the service list to use service manager instead of user manager. |
{"adminRegisterPasswordUser":false} | Disables the Register Password User option when adding admin users. |
{"adminRequireMFA":false} | Disables TwoFactorAuthentication for admin password users |
{"portalRequireMFA":false} | Disables TwoFactorAuthentication for public portal users |
{"subscriberRequireMFA": false} | Disables TwoFactorAuthentication for subscriber users |
{"subscriberRequirePhoneNumber": false} | Disables the requirement to capture a phone number, if MFA is enabled the verification code will be sent via email. |
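Appendix A lists the properties one at a time; the following added example (not Portal Admin's or Service Manager's own code) merges a service's ServiceProperty values over assumed defaults, derives the verification channel implied by the PhoneNumberRequired/2FA combination, and flags the setting a reviewer would question most: admin password registration enabled while adminRequireMFA is false. The defaults applied when a property is absent, the check list and the sample rows are assumptions of this example.

```python
"""Resolve and sanity-check a service's Service Manager ServiceProperty values.

Added example for this page, not Portal Admin's own code. The property names
and their meanings are the ones in Appendix A; the defaults applied when a
property is absent (Service Manager off, MFA on, phone number required, no
admin password registration) and the weak-setting checks are this example's
own assumptions and recommendations.
"""
import json
from typing import Any, Dict, List, Tuple

# Assumed defaults for properties that have not been added for the service.
DEFAULTS = {
    "useServiceManager": False,            # page: OFF by default
    "adminRegisterPasswordUser": False,
    "adminRequireMFA": True,
    "portalRequireMFA": True,
    "subscriberRequireMFA": True,
    "subscriberRequirePhoneNumber": True,
}


def merge_properties(pairs: List[Tuple[str, str]]) -> Dict[str, Any]:
    """Merge the JSON values of the service's ServiceProperty rows over the defaults.

    `pairs` is (Key, Value) per Global Key Value Pair row, the Value being a JSON
    object such as {"adminRequireMFA": false}. Bad JSON, non-object values,
    unknown names and non-boolean values are collected under "_problems"
    rather than silently ignored.
    """
    effective: Dict[str, Any] = dict(DEFAULTS)
    problems: List[str] = []
    for key, raw in pairs:
        try:
            obj = json.loads(raw)
        except json.JSONDecodeError as exc:
            problems.append("%s: invalid JSON (%s)" % (key, exc.msg))
            continue
        if not isinstance(obj, dict):
            problems.append("%s: value must be a JSON object" % key)
            continue
        for name, value in obj.items():
            if name not in DEFAULTS:
                problems.append("%s: unknown property %r" % (key, name))
            elif not isinstance(value, bool):
                problems.append("%s: %s must be true or false" % (key, name))
            else:
                effective[name] = value
    effective["_problems"] = problems
    return effective


def verification_channel(require_mfa: bool, require_phone: bool) -> str:
    """Second-factor channel implied by the page's PhoneNumberRequired / 2FA combination."""
    if not require_mfa:
        return "none"
    return "sms" if require_phone else "email"   # page: no phone captured, so the code goes by email


def audit(effective: Dict[str, Any]) -> List[str]:
    """Flag configuration problems and combinations a security reviewer should question."""
    findings = list(effective["_problems"])
    if effective["adminRegisterPasswordUser"] and not effective["adminRequireMFA"]:
        findings.append("admin password users can be registered without MFA")
    if not effective["portalRequireMFA"]:
        findings.append("portal password users are not required to use MFA")
    return findings


# Constructed sample rows: a weak configuration and its hardened counterpart.
WEAK_CONFIG = [
    ("useServiceManager", '{"useServiceManager": true}'),
    ("adminRegisterPasswordUser", '{"adminRegisterPasswordUser": true}'),
    ("adminRequireMFA", '{"adminRequireMFA": false}'),   # weak: admins on a password alone
    ("subscriberRequirePhoneNumber", '{"subscriberRequirePhoneNumber": false}'),
]
HARDENED_CONFIG = [
    ("useServiceManager", '{"useServiceManager": true}'),
    ("adminRegisterPasswordUser", '{"adminRegisterPasswordUser": true}'),
    ("subscriberRequirePhoneNumber", '{"subscriberRequirePhoneNumber": false}'),
]

if __name__ == "__main__":
    for label, rows in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(merge_properties(rows)))
```

Run `audit(merge_properties(rows))` over the rows exported for a service before switching `useServiceManager` on; an empty list means no findings. The hardened set differs from the weak one only by dropping the `adminRequireMFA: false` row, which is enough because the assumed default keeps MFA on.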
APPENDIX B – Registration Error Page
Text for this page can be configured in the Global Key Value Pairs table at platform level (no service-specific data should be added).