Onboarding a user
Individuals who want to use the Composer or the GraphQL API at / must be granted access through user roles on the VO enterprise application.
The name of the VO platform application in Azure AD is available in the Composer configuration.
We recommend creating one Microsoft Entra ID group per VO user role. Users can then be added to one or more of these groups, according to the tasks they need to carry out on the platform:
- Reader
- Issuer
- Credential admin
- Partner admin
- Presentation flow admin
- OIDC admin
- Instance admin
- Support agent
A tenant administrator can set up group-to-role mapping and add/remove users from the groups.
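The group-to-role mapping described above, as an added example that is not part of the VO documentation and not a script shipped by the platform. It uses the Microsoft Graph PowerShell SDK (`Connect-MgGraph`, `Get-MgServicePrincipal`, `New-MgGroup`, `New-MgGroupAppRoleAssignment`, `New-MgGroupMember`, `Get-MgServicePrincipalAppRoleAssignedTo`) to create one security group per role, assign each group to the matching app role on the VO enterprise application, and add a user to the Reader group. The application display name, the `VO-` group prefix and the user UPN are placeholders; it also assumes the app role values exposed by the VO application equal the role names listed on this page.

```powershell
# Added example, not VO's own tooling. Requires the Microsoft.Graph PowerShell SDK
# and a caller with rights to create groups and app role assignments.
# PLACEHOLDERS: replace $VoAppDisplayName with the name from the Composer
# configuration; the group prefix and user UPN are constructed for illustration.
param(
    [string]$VoAppDisplayName = "<VO platform application display name>",
    [string]$GroupPrefix      = "VO-",
    [string]$NewReaderUpn     = "alice@example.com"
)

Connect-MgGraph -Scopes "Application.Read.All","Group.ReadWrite.All",
                        "AppRoleAssignment.ReadWrite.All","User.Read.All"

# Resolve the VO enterprise application (service principal) by display name.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$VoAppDisplayName'"
if (-not $sp) { throw "Service principal '$VoAppDisplayName' not found in this tenant" }

# Role values as listed in the documentation above (assumed to match the
# app role 'value' attribute on the VO application).
$roleValues = @(
    "VerifiableCredential.Reader",
    "VerifiableCredential.Issuer",
    "VerifiableCredential.CredentialAdmin",
    "VerifiableCredential.PartnerAdmin",
    "VerifiableCredential.OidcAdmin",
    "VerifiableCredential.InstanceAdmin",
    "VerifiableCredential.SupportAgent",
    "presentationFlow.create", "presentationFlow.read", "presentationFlow.cancel"
)

# Creates (or reuses) a security group for a role and assigns it to that app
# role. Safe to re-run: existing groups and assignments are left untouched.
function Set-VoRoleGroup {
    param([Parameter(Mandatory)]$ServicePrincipal, [Parameter(Mandatory)][string]$RoleValue)

    $appRole = $ServicePrincipal.AppRoles | Where-Object { $_.Value -eq $RoleValue }
    if (-not $appRole) { Write-Warning "App role '$RoleValue' not exposed by the application; skipping"; return }

    $groupName = "$GroupPrefix$RoleValue"
    $group = Get-MgGroup -Filter "displayName eq '$groupName'"
    if (-not $group) {
        # Mail nickname must be unique and alphanumeric; derive it from the name.
        $nick  = $groupName -replace '[^A-Za-z0-9]', ''
        $group = New-MgGroup -DisplayName $groupName -MailEnabled:$false -MailNickname $nick -SecurityEnabled
    }

    $existing = Get-MgGroupAppRoleAssignment -GroupId $group.Id |
        Where-Object { $_.ResourceId -eq $ServicePrincipal.Id -and $_.AppRoleId -eq $appRole.Id }
    if (-not $existing) {
        New-MgGroupAppRoleAssignment -GroupId $group.Id -PrincipalId $group.Id `
            -ResourceId $ServicePrincipal.Id -AppRoleId $appRole.Id | Out-Null
    }
    return $group
}

# Lists which principals (groups or users) currently hold each VO app role,
# so the mapping can be reviewed after onboarding changes.
function Get-VoRoleMapping {
    param([Parameter(Mandatory)]$ServicePrincipal)
    Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $ServicePrincipal.Id | ForEach-Object {
        $a    = $_
        $role = $ServicePrincipal.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
        [pscustomobject]@{ Role = $role.Value; Principal = $a.PrincipalDisplayName; Type = $a.PrincipalType }
    }
}

$groups = @{}
foreach ($value in $roleValues) {
    $g = Set-VoRoleGroup -ServicePrincipal $sp -RoleValue $value
    if ($g) { $groups[$value] = $g }
}

# Onboard a user with the least privileged role: membership of the Reader group.
$user = Get-MgUser -UserId $NewReaderUpn
New-MgGroupMember -GroupId $groups["VerifiableCredential.Reader"].Id -DirectoryObjectId $user.Id

Get-VoRoleMapping -ServicePrincipal $sp | Sort-Object Role | Format-Table -AutoSize
```

Assigning groups (rather than individual users) to app roles requires a Microsoft Entra ID P1 or P2 licence in the tenant. Because each role above is additive, adding a user to the group for the most specific role they need (Reader for read-only access, a single admin group for a single responsibility) keeps the effective permission set reviewable with `Get-VoRoleMapping`.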
Reader
User role: VerifiableCredential.Reader
Permissions:
- view templates
- view credentials
- view issuances
- view presentations
- view identities
- view partners
- view authentication clients
Issuer
User role: VerifiableCredential.Issuer
Permissions:
- all the permissions of the Reader role, and
- create identity
- update identity
- issue credential
- create remote issuances
- view and filter the list of remote issuances
- view remote issuance details
- update contact details for pending remote issuances
- resend remote issuance notifications
- cancel pending remote issuances
- upload CSV files to create remote issuances
Credential admin
User role: VerifiableCredential.CredentialAdmin
Permissions:
- all the permissions of the Reader role, and
- create template
- edit template
- delete template
- create contract
- edit contract
- delete contract
- publish contract
- deprecate contract
- create identity
- update identity
- revoke issuances
Partner admin
User role: VerifiableCredential.PartnerAdmin
Permissions:
- all the permissions of the Reader role, and
- find authorities / issuers in the verifiable credentials network
- find contracts / credentials in the verifiable credentials network
- add partner
- edit partner
Presentation flow admin
User roles: presentationFlow.create, presentationFlow.read, presentationFlow.cancel
Permissions:
- create presentation flows
- view and filter the list of presentation flows
- view presentation flow details including actioned data
- cancel pending presentation flows
Additional template management roles are available: presentationFlow.template.create, presentationFlow.template.read, presentationFlow.template.update, presentationFlow.template.delete.
Refer to the Presentation flows guide for more information.
OIDC admin
User role: VerifiableCredential.OidcAdmin
Permissions:
- all the permissions of the Reader role, and
- add, edit and delete authentication clients
- add, edit and delete authentication resources
Instance admin
User role: VerifiableCredential.InstanceAdmin
Permissions:
- all the permissions of the Reader role, and
- view, create, update, suspend and resume identity stores
- view and modify Concierge branding
- view and modify Concierge client branding
- view and modify application label configurations
- view and modify CORS origin configurations
- view and modify email sender configuration
Support agent
User role: VerifiableCredential.SupportAgent
Permissions:
- view remote issuance contact details
- update contact details for pending remote issuances
- resend remote issuance notifications
- cancel pending remote issuances
- view background job events
- view communications