Admin Portal Use Cases ============================================================================= In this article, you will learn how to use the |imapi|_ to create, access, and update the |orgs|, |tms|, |service| instances, and |usrs| in the system. The |imapi|_ provides access to the different entities that represent customers of Envase. These entities are |orgs|, registered |tms| for those |orgs|, registered |service| for those |orgs|, and the |usrs| that belong to the |org|. The |imapi|_ also represents the associations between those entities. There are certain assumptions being made about those associations that apply to the current implementation of the system, but the requirements might (and most likely will) change in the future. The design of the |imapi|_ has taken into account these future requirements to avoid breaking changes where possible. There are some design decisions that might seem awkward at the beginning, but that will prevent breaking changes in the future. The following section provides an overview of the entities and their relationships, so you can understand how the |imapi|_ works as a system. System Entities and Relationships Overview ----------------------------------------------------------------------------- The first entity in the system that you need to understand is the |org|. |orgs| represent |env|_ customers. Each |env|_ customer company will have its own |org|. |orgs| are the central hub to manage all other entities; therefore, it is the first entity that needs to be created when registering a new customer account. Within an |org|, a |tms| entity can be created and associated. A |tms| represents an actual |tms| application that a customer is using, and it's associated with its |org|. Currently, |pt|_ is a supported |tms|. This means that a |tms| entity can be created pointing to a specific instance of |pt|_. The final entity supported is the |usr|. |usrs| can be associated with one and only one |org|. They can also be associated with a |tms|. For now, it is important to maintain a one to one relationship between a |usr| and a |tms| until multiple |tms| support is added. There are two types of |usrs| in the system: |susrs| and |ousrs|. |usrs| have a role and this role will dictate their level of access to the system. Let's take a look at these roles. |susrs| are |env| employees that interact with the |imapi|_ for many different reasons. They all, however, have the same role of |sas|. |sas| are not associated with any organization, but they can create, access, modify, and delete any entities in the system. |sas| can be |env|_ techs or support engineers that setup new systems and register new customer accounts. They can also be developers that need to fix problems with the system or identify and fix bad data. |susrs| must be part of the |env| organization, and we should never provide that level of access to external |usrs|. |ousrs| belong to an |org|. These are customer's employees that need access to our system. They might have different roles, and these roles might be expanded in the future. Currently, these are the |ousrs| roles supported: * |oas| (``ORG_ADMIN``): They are the administrators for a specific |org|. They can manage their own |tms| instances and their own |usrs|. * |usrs| (``USER``): |usrs| represent employees of |env|_ customers. They can access certain services and APIs, but they don't have access to the |imapi|_. * |drvs| (``DRIVER``): They represent |drvs| that work for an |env|_ customer. They have access to some services and APIs, but like |usrs|, they don't have access to the |imapi|_. .. important:: Only |sas| and |oas| have access to the |imapi|_. They should be the only type of users that can access the admin console application. .. _create-sa: Creating A System Administrator Account ----------------------------------------------------------------------------- Creating a |sa| account is a process outside of the |imapi|_. Only internal |env|_ employees should have the power to create and invite |sas|. To that effect, we created an |lambda| function that allows someone with access to |aws| and appropriate permissions to execute the function right from the |lambda| console. The following steps describe the process to create a |sa| account: * Navigate to |lambda| in the |env| |aws| account. .. image:: /_static/lambda-functions.png * Click on the |lambda| function defined for the environment to which you want to add the account. Currently, there are three environments defined with a function for each: ``enim-dev`` for the **Development** environment, ``enim-stg`` for the **Staging** environment, and ``enim-prd`` for the **Production** environment. * Select the **** tab. .. image:: /_static/create-system-admin-lambda.jpg * In the test tab, select the **** radio button and select **CreateSystemAdminAccount** from the drop down. * In the editor, enter the information about the |sa| account you want to create in the following format: .. code-block:: json { "command": "SVC.functions.create_system_admin", "name": "John Smith", "email": "jsmith@envasetechnologies.com" } All the parameters to the event are required. The ``command`` parameter is the full qualified name of the function to execute as shown in the example. The ``name`` parameter should be the person's name. The ``email`` is a valid email address for the user. * Click the **** button to execute the function. The function will create the |cognito| identity and all the necessary entries in the |imapi|_ as a |sa|. The function will insure a temporary password is generated for the user, and an invitation email will be sent to the specified address. The user will have to click on the link provided in the invitation email to confirm the account and to change the provided temporary password to a valid password to log into the system. Registering A New Account ----------------------------------------------------------------------------- |sas| need to create new accounts for |env| customers. This is one of the first use cases addressed by the |ap|. To help the |ap| implement this feature, the |imapi|_ exposes an ``accounts`` service that will create all the necessary entities for a new customer. The ``accounts`` service can only be invoked by |sas|, and you can try it with your |sa| account: .. code-block:: POST https://core.envaseconnect.cloud/identity/accounts The request must provide the ``X-Api-Key`` header with the key issued for your application, as well as the |cognito| id token for the user in the ``Authorization`` header. .. tip:: You might have used authenticated requests against other services, and they usually prefix the token with the token type. For example, a bearer token is specified as ``Bearer `` in the authorization header. This is not the case for the |cognito| authorizer. The ``Authorization`` header should be set to the id token part returned by |cognito| with no prefixes:````. The body of the request has the following structure: .. code-block:: json { "organizationName": "Fast Transportation", "tmsName": "Fast Transportation TMS", "tmsType": "PROFITTOOLS", "tmsUrl": "https://api.fasttransportation.com", "adminName": "John Smith", "adminEmail": "jsmith@fasttransportation.com" } All the properties in the request payload are required. Any missing parameters will generate a ``400 BAD REQUEST`` response. The ``organizationName`` should be set to the name of the new customer company, and it will be used to create a new organization. The ``tmsName``, ``tmsType``, and ``tmsUrl`` are parameters to register the |tms| instance for the customer. At this time, it's required to register a |tms| for the customer. The ``adminName`` and ``adminEmail`` are parameters to create the |oa| user for the account. Those parameters are used to create the |cognito| identity, which will trigger an invitation email with a temporary password, and the |usr| information in the |imapi|_. .. important:: The ``accounts`` service doesn't support a ``role`` property for the user because it assumes that the first user created for a new account will be the |oa|. The ``accounts`` service can also return ``401 UNAUTHORIZED`` when the authorization header is missing, or ``403 FORBIDDEN`` when the user sending the request is not a |sa|. The response will have the following structure: .. code-block:: json { "id": "1d49b8c1-b988-4014-bf5b-bef304abc79b", "self": "/identity/accounts/1d49b8c1-b988-4014-bf5b-bef304abc79b", "organization": { "name": "Fast Transportation", "id": "1d49b8c1-b988-4014-bf5b-bef304abc79b", "href": "/identity/organizations/1d49b8c1-b988-4014-bf5b-bef304abc79b" }, "tms": { "id": "1d49b8c1-b988-4014-bf5b-bef304abc79b", "href": "/identity/organizations/1d49b8c1-b988-4014-bf5b-bef304abc79b/tms/be4a9165-97a0-4740-bcf9-f8a3850b1418", "name": "Fast Transportation TMS" }, "user": { "id": "b746d763-6666-4002-b7bb-b76f8052f4e5", "href": "/identity/users/b746d763-6666-4002-b7bb-b76f8052f4e5", "cognitoId": "b746d763-6666-4002-b7bb-b76f8052f4e5", "name": "John Smith", "email": "jsmith@fasttransportation.com", "role": "ORG_ADMIN", "organizationId": "1d49b8c1-b988-4014-bf5b-bef304abc79b" } } The response includes information about the |org|, |tms|, and |oa| user that has been created. Adding Users to An Organization ----------------------------------------------------------------------------- At some point, an |oa| will want to invite users to its |org| and provide them with access to the |tms| they will be working on. This process involves a couple of operations against the |imapi|_: the user account has to be created, and the user has to be associated with the |tms| to provide access. The following services are exposed in the |imapi|_ that allow |oas| create |usr| accounts: Creating the User Account ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The |imapi|_ provides a |usrs| service to create a new user: .. code-block:: POST https://core.envaseconnect.cloud/identity/users This service, like all |imapi|_ services, requires the ``X-Api-Key`` and ``Authorization`` headers. The payload for that service has the following structure: .. code-block:: json { "name": "Travis Chase", "email": "tchase@fasttransportation.com", "role": "DRIVER", "organizationId": "1d49b8c1-b988-4014-bf5b-bef304abc79b" } The request payload requires the ``name`` and ``email`` for the user. It will use the ``email`` information to create a new |cognito| identity for the user and save the information in the |imapi|_. The ``role`` property indicates the role of the user within the |org|. The property should be set to one of the supported roles for |org| |usrs|: ``ORG_ADMIN``, ``USER``, or ``DRIVER`` (driver is deprecated currently, you can use user instead). .. warning:: The |sa| role (``SYS_ADMIN``) should never be specified through this service. |sa| accounts should be created, as specified in :ref:`create-sa`. The ``organizationId`` represents the |org| to which the user will be added. .. important:: This service can only be called by |sas| and |oas|. |sas| can add |usrs| to any |org|, but the |org| id must be retrieved to populate the ``organizationId``. |oas| can only add |usrs| to their own |org|. Trying to add the |usr| to a different |org| will cause a ``403 FORBIDDEN`` response. The response from the service will be the representation of the added |usr|: .. code-block:: json { "cognitoId": "b746d763-6666-4002-b7bb-b76f8052f4e5", "name": "Travis Chase", "email": "tchase@fasttransportation.com", "role": "DRIVER", "organizationId": "1d49b8c1-b988-4014-bf5b-bef304abc79b", "id": "b746d763-6666-4002-b7bb-b76f8052f4e5", "self": "/identity/users/b746d763-6666-4002-b7bb-b76f8052f4e5", "tms": { }, "organization": { "id": "1d49b8c1-b988-4014-bf5b-bef304abc79b", "href": "/identity/organizations/1d49b8c1-b988-4014-bf5b-bef304abc79b" } } Notice how the representation of the |tms| reference is empty. This is because you haven't associated the user with a specific |tms|. The |usr| representation provides the ``organizationId`` property containing the id of the |org| to which the user has been added. It also provides a reference to the |org| in the ``organization`` property. Providing the User With Access To A TMS ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Once the user is created, you need to associate him with a TMS. To do that, you need to first identify that user within the actual |tms| instance. The |coreapi|_ provides the services to identify users within an instance. .. important:: At the moment, only drivers are exposed in |coreapi|_ because the initial use cases are to allow drivers to use the |ma|. You can use the ``drivers`` service in the |coreapi|_ to query for users that will have a ``DRIVER`` role: .. code-block:: GET https://core.envaseconnect.cloud/drivers?email= The request queries the |tms| instance for a driver that matches the ``email`` property of the user we want to correlate. You can also remove the ``email`` query parameter to retrieve all the available drivers. The response from the service will have the following structure: .. code-block:: json { "self": "/drivers", "items": [ { "id": "12345", "self": "/drivers/100", "email": "tchase@fasttransportation.com", "firstName": "Travis", "middleName": "Peter", "lastName": "Chase", "ref": "D100", "status": "ACTIVE", "type": "company-driver", "medicalExpiration": "2029-12-31", "licenseExpiration": "2029-10-15", "hazmatCertified": true, "hazmatExpiration": "2029-05-26" } ] } Notice the response represents a collection of drivers. Because we filtered the response by ``email``, only one driver (item) is returned. If the driver was not found, the collection will be empty. .. important:: This is consistent for all services that return a collection of resources/entities. Instead of returning ``404 NOT FOUND`` when there are no matches, an empty collection is returned. The ``id`` property from the driver representation is the |tms| internal id for the driver. This value should be used in all the calls the user makes to the |coreapi|_, and it should be stored in |imapi|_ so applications can request it. Once, we have identified the user within the |tms| instance, we need to create an association in |imapi|_. The |imapi|_ provides a service to create the association: .. code-block:: POST https://core.envaseconnect.cloud/identity/users/:userId:/tms The request payload has the following structure: .. code-block:: json { "tmsId": "1d49b8c1-b988-4014-bf5b-bef304abc79b", "role": "DRIVER", "tmsInternalId": "100235" } All the properties in the payload are required. The ``tmsId`` should be set to the ``id`` of the |tms| that was created with the account. The ``role`` is one of the currently supported roles ``ORG_ADMIN``, ``USER``, or ``DRIVER``. .. important:: A user has a default ``role`` established when the user account is created. The ``role`` in the |tms| association is a potential override for that |usr| within the specified |tms|. Currently, the override is not supported, so it is a good practice to use the same ``role`` that was used when creating the |usr| account. .. important:: For now, we only have support for importing ``DRIVER`` users, so that will be the role used. The ``tmsInternalId`` represents the ``id`` within the |tms| instance. It should be set to the ``id`` retrieved in the previous request. The response from the service will have the following structure: .. code-block:: json { "tmsId": "be4a9165-97a0-4740-bcf9-f8a3850b1418", "role": "DRIVER", "tmsInternalId": "100235", "id": "be4a9165-97a0-4740-bcf9-f8a3850b1418", "self": "/identity/users/b746d763-6666-4002-b7bb-b76f8052f4e5/tms/be4a9165-97a0-4740-bcf9-f8a3850b1418", "url": "https://api.fasttransportation.com" } The response represents a |usr| and |tms| association. It provides information about the |tms|, |usr| role within the |tms|, and the internal ``id`` for the user in the |tms| instance. It also provides the URL of the |tms|. Conclusion ----------------------------------------------------------------------------- At this point, you've seen how to create a |sas| account to allow internal |env| employees to register new customer accounts. You've also seen how to register a customer account. You've also seen the services exposed in |imapi|_ and in |coreapi|_ to create new |usr| accounts and provide them access to their |org| |tms|. You can send your questions and feedback to the Profit Tools development team through the `Envase Mobile Admin Console `_ in the Microsoft Teams Envase account.