eclipse-tractusx / portal-iam

IAM - Keycloak instances
Apache License 2.0

Allow managed technical users to be accessible by the service provider / BPDM operator only #168

Open Sebastian-Wurm opened 2 months ago

Sebastian-Wurm commented 2 months ago

Description

As a BPDM architect, I want the managed technical users for the Portal roles "BPDM Sharing Input Manager" and "BPDM Sharing Output Consumer", which are created automatically when a company admin subscribes to the BPDM Sharing service, to be accessible by the BPDM operator only, so that:

a) the BPDM operator can create the corresponding EDC assets for the BPDM Gates of each BPDM Sharing Member;
b) no other company or user has access to the service accounts for the assets, which ensures data sovereignty and prevents security leaks.

The same applies to the BPDM Golden Record service, the technical user for the Portal role "BPDM Pool Consumer" and the corresponding asset.

Acceptance Criteria

Additional Information

Out of Scope

evegufy commented 2 months ago

Hi @Sebastian-Wurm what you describe is not related to https://github.com/eclipse-tractusx/sig-release/issues/751, so please remove the link.

If I understand this correctly, I assume this functionality is already in place, at least for the biggest part, and this issue is more the result of a misunderstanding with regard to processes.

I suggest you set up a call for clarification.

cc: @MaximilianHauer

nicoprow commented 2 months ago

> Hi @Sebastian-Wurm what you describe is not related to eclipse-tractusx/sig-release#751, so please remove the link.
>
> If I understand this correctly, I assume this functionality is already in place, at least for the biggest part, and this issue is more the result of a misunderstanding with regard to processes.
>
> I suggest you set up a call for clarification.
>
> cc: @MaximilianHauer

@Sebastian-Wurm I agree here with @evegufy that there is no additional functionality needed for setting up a new BPDM marketplace service to obtain a user that has the rights of "BPDM Sharing Output Consumer". This is something the operator can already do in the Portal, and it belongs to an initial setup process, described here: https://github.com/eclipse-tractusx/bpdm/blob/main/INSTALL.md#portal-configuration

However, the other requirements generally still stand as these are gaps between BPDM and the current Portal process:

  1. We need multiple technical users with different roles for one app/service subscription.
  2. The technical users created for our BPDM subscription should not be visible to the subscribing company, only to the BPDM operating company.
  3. In general, BPDM technical users should not be creatable for any company that is not the BPDM operator.

Unless we tackle these gaps somehow, a BPDM operator can only do workarounds with the current process.

In any case, I believe these requirements should be put in a sig-release issue, as they constitute bigger requirements that will affect at least Portal behaviour.

evegufy commented 2 months ago

close with WON'T DO as explained in https://github.com/eclipse-tractusx/portal-iam/issues/168#issuecomment-2274771504

Sebastian-Wurm commented 2 months ago

@evegufy : Let's leave this open until the three separate requirements have been created, as agreed in our meeting.

MaximilianHauer commented 2 months ago

Moving it to NEW USER REQUEST, as it is not in the scope of devs.

MaximilianHauer commented 1 month ago

@nicoprow / @Sebastian-Wurm can you provide us feedback on which BPN would be associated with the technical user: the operator BPN or that of the company that subscribed?

nicoprow commented 1 month ago

> @nicoprow / @Sebastian-Wurm can you provide us feedback on which BPN would be associated with the technical user: the operator BPN or that of the company that subscribed?

The technical user BPN should be that of the subscribing company.

This is the reason why we rely on service subscription, as this is the only way at the moment for the BPDM operator to obtain a technical user with the BPN identity of the sharing member over the Portal. The reason why technical users should have the BPN of sharing members and not the operator's is two-fold:

  1. The BPDM Gate's service logic and authentication mechanism works with the BPN found in the bearer token. Gates can be assigned to specific sharing members and therefore specific BPNs. If the technical user does not have the correct BPN, the logic of the golden record process cannot be implemented as designed.
  2. For auditing purposes, the technical users used should have the sharing member's BPN. This makes it easier to see which company accessed which services, including the BPDM Pool.
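
The BPN-bound gate authorization described in points 1 and 2 above, as an added illustration that is not part of this thread or of the BPDM project's code. It assumes a bearer token carrying the technical user's BPN in a claim named `bpn` and a role list in `roles`, a constructed gate registry mapping gate ids to member BPNs, and an HS256 shared secret so it runs offline (a real gate would verify the central IdP's RS256 signature against its published keys instead). All BPN values, gate ids and the secret are constructed.

```python
"""Constructed example: BPN-based authorization at a per-member gate."""
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret; a real gate verifies the IdP's RS256 signature instead.
SECRET = b"constructed-demo-secret"

# Constructed gate registry: each gate is assigned to exactly one sharing member BPN.
GATES = {
    "gate-member-a": "BPNL0000000000A1",
    "gate-member-b": "BPNL0000000000B2",
}
OPERATOR_BPN = "BPNL00000000OP01"  # constructed operator BPN

# Every access decision is recorded so that an auditor can see which BPN
# accessed (or tried to access) which gate.
AUDIT_LOG = []


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(bpn: str, roles, ttl: int = 300, now=None) -> str:
    """Build an HS256 JWT carrying the technical user's BPN claim (constructed IdP)."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"bpn": bpn, "roles": list(roles), "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now=None) -> dict:
    """Verify signature and expiry; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so signature checks do not leak timing information.
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def authorize_gate_access(gate_id: str, token: str, required_role: str, now=None) -> bool:
    """Allow access only if the token is valid, carries the required role, and its BPN
    is the one assigned to the gate. A token with the operator's BPN is rejected at a
    member gate, which is exactly why the technical user must carry the member's BPN."""
    try:
        claims = verify_token(token, now=now)
    except ValueError as exc:
        AUDIT_LOG.append({"gate": gate_id, "bpn": None, "allowed": False, "reason": str(exc)})
        return False
    bpn = claims.get("bpn")
    reason = None
    if gate_id not in GATES:
        reason = "unknown gate"
    elif required_role not in claims.get("roles", []):
        reason = "missing role"
    elif bpn != GATES[gate_id]:
        reason = "bpn mismatch"
    AUDIT_LOG.append({"gate": gate_id, "bpn": bpn, "allowed": reason is None, "reason": reason})
    return reason is None


if __name__ == "__main__":
    member_token = issue_token("BPNL0000000000A1", ["BPDM Sharing Input Manager"])
    operator_token = issue_token(OPERATOR_BPN, ["BPDM Sharing Input Manager"])
    print(authorize_gate_access("gate-member-a", member_token, "BPDM Sharing Input Manager"))
    print(authorize_gate_access("gate-member-a", operator_token, "BPDM Sharing Input Manager"))
    for entry in AUDIT_LOG:
        print(entry)
```

The audit entries record the BPN from the token rather than the subscribing company's name, which is what makes point 2 work: if every technical user carried the operator's BPN, the log could not distinguish which sharing member's credentials reached which gate.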

Sebastian-Wurm commented 1 month ago

> Moving it to NEW USER REQUEST, as it is not in the scope of devs.

@MaximilianHauer: Can you please get this into the 25.03 planning?

MaximilianHauer commented 1 month ago

@Sebastian-Wurm we had a team-internal workshop on this topic last week, and every solution we find either results in an ugly implementation or destroys our data sovereignty of the service process and idea. I had a call with @maximilianong and we aligned to have a follow-up call to talk about the "business case" and a proper solution that does not result in putting BPDM into the service flow of the Portal, as it does not provide the expectations both teams have.