LCS - Configuration of Manifest groups for application role mapping

Per UW's policy and as mentioned in the Low Code Solutions Terms of Service, any application that captures data or contains non-public data must use NetIDs for each user and use single sign-on via Manifest groups to manage access. This document explains how to set up Manifest groups per user role for each application.

Prerequisites

  • The application is configured for SSO (this process takes 4-6 days from the request being submitted to the Service Team) 
  • Access to Manifest with sufficient access to create subfolders or groups 
  • The client_id that was provided by the Service Team

In Application configuration

  1. Access the Roles and Permissions section from the application's Tools button.
    screenshot of tools menu with roles and permissions highlighted
  2. Once on the Roles and Permissions screen, inspect the application's role names. There should be at minimum the following roles: 
    • admin (this is a system created role and cannot be altered) 
    • public (this is a system created role and cannot be altered) 
    • The default user role that the Service Team asked for during SSO configuration; this will be the third role. 
    • Any additional roles that have been created for the application.
      screenshot of roles within BB of admin, webuser, public and add button
  3. Roles should follow Manifest group naming conventions: the names chosen for roles must mirror the names set in Manifest groups, because each role is mapped 1:1 to the name of its Manifest group. Continue reading for further explanation. 

Manifest configuration 

Inside the Manifest application:

  1. Select or create a new subfolder for the application. (If new to Manifest groups, learn more here).
  2. Then create a new group. The Manifest group’s name must exactly match the name of the application role.
    • Example:  
      • Manifest Group Name: “uw:org:lowcode_nocode:user_agreement:admin” 
      • Application Role Name: “admin”
        screenshot of manifest group details
      • In this example the Manifest group named “admin” inside the “user_agreement” folder matches the default role admin from the application.
  3. Once the group is saved, go to the group details page, open the drop-down in the upper right corner, and select the “edit connection/delivery options” option. In the field marked SAML2 EntityID, enter the client_id the Service Team provided after SSO configuration and click save. 
    screenshot of adding members to the manifest group
  4. Repeat these instructions at minimum for the default admin role and any custom role created for the application. The public role does not need users mapped to it, as that role does not require authentication.  
  5. Note: Currently a user can only have one role per application. The role is assigned and reassigned at login. 
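
One way to check the naming rules above before go-live, as an added example that is not part of the original document or of any Low Code Solutions or Manifest tooling: it compares role names against the last segment of each Manifest group ID and flags NetIDs that sit in more than one mapped group. It assumes the role names, group IDs and memberships are copied out by hand; the roles, NetIDs and every group ID other than the admin one from the example above are constructed sample data.

```python
UNMAPPED_ROLES = {"public"}  # per the page, public needs no mapped users


def leaf(group_id):
    """Group name = last colon-separated segment of the Manifest group ID."""
    return group_id.rsplit(":", 1)[-1]


def check_role_mapping(roles, groups):
    """roles: names from Roles and Permissions; groups: {group ID: set of NetIDs}."""
    names = {leaf(gid): gid for gid in groups}
    folded = {name.strip().casefold(): name for name in names}
    report = {"missing": [], "near_miss": []}

    for role in roles:
        if role in UNMAPPED_ROLES or role in names:
            continue
        close = folded.get(role.strip().casefold())
        if close is not None:
            # Same name apart from case or spacing: not an exact match.
            report["near_miss"].append((role, names[close]))
        else:
            report["missing"].append(role)

    # Groups in the folder whose name matches no role.
    report["unmatched_groups"] = sorted(g for n, g in names.items() if n not in roles)

    # A user can hold only one role per application, so flag NetIDs that
    # appear in more than one mapped group for review.
    seen = {}
    for gid, members in groups.items():
        if leaf(gid) in roles:
            for netid in members:
                seen.setdefault(netid, []).append(leaf(gid))
    report["multi_role_users"] = {u: sorted(r) for u, r in seen.items() if len(r) > 1}
    return report


# Constructed sample data (only the admin group ID follows the page's example).
SAMPLE_ROLES = ["admin", "public", "webuser", "reviewer", "auditor"]
SAMPLE_GROUPS = {
    "uw:org:lowcode_nocode:user_agreement:admin": {"bbadger", "jdoe"},
    "uw:org:lowcode_nocode:user_agreement:WebUser": {"asmith"},
    "uw:org:lowcode_nocode:user_agreement:reviewer": {"jdoe"},
}

if __name__ == "__main__":
    for key, value in check_role_mapping(SAMPLE_ROLES, SAMPLE_GROUPS).items():
        print(f"{key}: {value}")
```

With the sample data, the report lists "auditor" as a role with no group, "webuser" as a near miss against the "WebUser" group, and "jdoe" as a member of both the admin and reviewer groups.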


Keywords: SSO, single sign on, NetID, shibboleth, SAML
Doc ID: 133108
Owned by: Jeanne H. in Low Code Solutions
Created: 2023-11-30
Updated: 2024-07-15
Sites: DoIT Enterprise Business Systems - Low Code Solutions