LCS - Configuration of Manifest groups for application role mapping
Per UW's policy, and as mentioned in the Low Code Solutions Terms of Service, any application that captures data or contains non-public data must use NetIDs for each user and use single sign-on (SSO) via Manifest groups to manage access. This document explains how to set up Manifest groups per user role for each application.
Prerequisites
- The application is configured for SSO (this process takes 4-6 days from the request being submitted to the Service Team)
- Access to Manifest with sufficient access to create subfolders or groups
- The client_id that was provided by the Service Team
In Application configuration
- Access the Roles and Permissions section from the application's Tools button.
- Once on the Roles and Permissions screen, inspect the application's role names. There should be at minimum the following roles:
- admin (this is a system created role and cannot be altered)
- public (this is a system created role and cannot be altered)
- During SSO configuration, the Service Team asked for a default user role; this will be the third role.
- Any additional roles that have been created for the application.
- Roles should follow Manifest group naming conventions, because each role is mapped 1:1 to the name of a Manifest group and the names chosen for roles must mirror the names set in Manifest. Continue reading for further explanation.
Manifest configuration
Inside the Manifest application:
- Select or create a new subfolder for the application. (If new to Manifest groups, learn more here).
- Then create a new group; the Manifest group’s name must exactly match the name of the application role.
- Example:
- Manifest Group Name: “uw:org:lowcode_nocode:user_agreement:admin”
- Application Role Name: “admin”
- In this example the Manifest group named “admin” inside the “user_agreement” folder matches the default role admin from the application.
- Once saved, on the group details page, select the drop-down in the upper right corner and choose the “edit connection/delivery options” option. In the field marked SAML2 EntityID, enter the client_id the Service Team provided after SSO configuration and click save.
- Repeat these instructions at minimum for the default admin role and any custom role created for the application. The public role does not need users mapped to it, as that role does not require authentication.
- Note: Currently a user can only have one role per application. The role is assigned and reassigned at login.
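A pre-flight check for the naming rule above, as an added example that is not part of the original document or of the service's own tooling. It assumes the role name is the final colon-delimited segment of the Manifest group ID, as in the example above, and works on lists you supply by hand; the roles and groups other than "admin" and the "user_agreement" folder are constructed.

```python
# Added example: pre-flight check of role <-> Manifest group naming.
PUBLIC_ROLES = {"public"}  # per the page, public needs no Manifest group

def audit_role_mapping(app_roles, manifest_groups, folder):
    """Compare application roles with the groups directly inside `folder`.

    Assumes (from the page's example) that the role name is the final
    colon-delimited segment of the Manifest group ID.
    """
    prefix = folder + ":"
    # Keep only direct children of the folder; nested subfolders are ignored.
    by_leaf = {g[len(prefix):]: g for g in manifest_groups
               if g.startswith(prefix) and ":" not in g[len(prefix):]}
    # Index by a normalized name to catch case/whitespace near-misses.
    by_norm = {leaf.strip().lower(): g for leaf, g in by_leaf.items()}

    report = {"matched": [], "near_miss": [], "missing": [], "unmapped_groups": []}
    for role in app_roles:
        if role in PUBLIC_ROLES:
            continue
        if role in by_leaf:
            report["matched"].append(role)
        elif role.strip().lower() in by_norm:
            # A group exists, but not with the exact name the page requires.
            report["near_miss"].append((role, by_norm[role.strip().lower()]))
        else:
            report["missing"].append(role)
    # Groups in the folder with no exactly matching application role.
    report["unmapped_groups"] = sorted(
        g for leaf, g in by_leaf.items() if leaf not in report["matched"])
    return report

# Constructed sample input: the folder and "admin" come from the page's example;
# "reviewer", "submitter", "Reviewer", "legacy" and "archive" are made up.
FOLDER = "uw:org:lowcode_nocode:user_agreement"
SAMPLE_ROLES = ["admin", "public", "reviewer", "submitter"]
SAMPLE_GROUPS = [
    FOLDER + ":admin",
    FOLDER + ":Reviewer",       # wrong case
    FOLDER + ":legacy",         # no such role in the application
    FOLDER + ":archive:admin",  # nested subfolder, not a direct child
]

if __name__ == "__main__":
    for key, value in audit_role_mapping(SAMPLE_ROLES, SAMPLE_GROUPS, FOLDER).items():
        print(f"{key}: {value}")
```

Review any "near_miss" or "unmapped_groups" entry before adding members to it, since group membership is what grants the role at login.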