Bosch IoT Rollouts

S&E Authorization

The Sign & Encrypt functionality provides user and access management for the fine-grained definition of roles and permissions at the application and device-configuration level.

Bosch.IdM token flow

Here is the token flow all the way from Bosch IdM to the Sign & Encrypt service:

[Figure: S&E token translation diagram (version 2)]

Access Control Lists

Authorization within the Sign & Encrypt service is accomplished and enforced through Access Control Lists (ACLs).

ACL rules define a set of permissions for specific roles attached to specific entities. ACLs are bound to roles rather than to individual users; users and their role assignments are then maintained in an external user and role management system.

For detailed information on ACLs see S&E Access Control Lists.

The Admin user

Sign & Encrypt does not provide a dedicated admin group. Instead, a set of ACL rules, specified together with the other tenant-level configuration, together constitute the initial admin role.

The ACL rules of the initial admin role cannot be modified or deleted. In order to change them you need to create a support ticket.

The admin role can configure IdM roles for resources.
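To make the model above concrete, here is an added illustrative example (not the Sign & Encrypt service's own code or ACL format) of how entity-scoped ACL rules bound to IdM roles are evaluated, with the initial admin rules held immutable. The role names, entity identifiers and the wildcard entity are constructed for the example.

```python
# Illustrative model only: role-bound, entity-scoped ACL rules with an
# immutable set of initial admin rules. Not the S&E data format or API.
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    role: str                   # IdM role the rule applies to (never a user)
    entity: str                 # resource the rule is attached to; "*" = any (constructed)
    permissions: frozenset      # e.g. {"read", "sign"}


class Acl:
    def __init__(self, initial_admin_rules):
        # Tenant-level admin rules are part of the ACL but cannot be changed.
        self._admin = frozenset(initial_admin_rules)
        self._rules = set()

    def add_rule(self, rule):
        if rule in self._admin:
            raise PermissionError("initial admin rules cannot be modified")
        self._rules.add(rule)

    def remove_rule(self, rule):
        if rule in self._admin:
            raise PermissionError("initial admin rules cannot be deleted")
        self._rules.discard(rule)

    def is_allowed(self, token_roles, entity, permission):
        # token_roles: roles carried by the caller's IdM token. The ACL is
        # consulted by role only; user identities never appear in it.
        for rule in self._admin | self._rules:
            if (rule.role in token_roles
                    and rule.entity in ("*", entity)
                    and permission in rule.permissions):
                return True
        return False


# Constructed sample: one admin rule plus one operator rule for a config.
ADMIN_RULES = [AclRule("tenant-admin", "*",
                       frozenset({"read", "write", "sign", "manage-acl"}))]


def build_example_acl():
    acl = Acl(ADMIN_RULES)
    acl.add_rule(AclRule("device-operator", "config-42", frozenset({"read", "sign"})))
    return acl
```

A caller whose token carries only `device-operator` can sign `config-42` but not another configuration, while attempts to remove an initial admin rule raise rather than succeed.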