Onboarding a user
Individuals who would like to access the Composer or GraphQL API at / will need to be granted access via VO enterprise application user roles.
The name of the VO platform application in Azure AD is available in the Composer configuration.
We recommend creating Microsoft Entra ID groups mapped to each VO user role. Users can then be added to one or more groups, according to the tasks they would like to carry out on the platform. The user roles are:
- Reader
- Issuer
- Credential admin
- Partner admin
- Approval request admin
- OIDC admin
- Instance admin
- Support agent
A tenant administrator can set up group-to-role mapping and add/remove users from the groups.
Reader
User role: VerifiableCredential.Reader
Permissions:
- view templates
- view credentials
- view issuances
- view presentations
- view identities
- view partners
- view authentication clients
Issuer
User role: VerifiableCredential.Issuer
Permissions:
- all the permissions of the Reader role, and
- create identity
- update identity
- issue credential
- create remote issuances
- view and filter the list of remote issuances
- view remote issuance details
- update contact details for pending remote issuances
- resend remote issuance notifications
- cancel pending remote issuances
- upload CSV files to create remote issuances
Credential admin
User role: VerifiableCredential.CredentialAdmin
Permissions:
- all the permissions of the Reader role, and
- create template
- edit template
- delete template
- create contract
- edit contract
- delete contract
- publish contract
- deprecate contract
- create identity
- update identity
- revoke issuances
Partner admin
User role: VerifiableCredential.PartnerAdmin
Permissions:
- all the permissions of the Reader role, and
- find authorities / issuers in verifiable credentials network
- find contracts / credentials in verifiable credentials network
- add partner
- edit partner
Approval request admin
User role: VerifiableCredential.ApprovalRequestAdmin
Permissions:
- all the permissions of the Reader role, and
- view and filter the list of approval requests
- view approval request details including actioned approval data
- cancel pending approval requests
OIDC admin
User role: VerifiableCredential.OidcAdmin
Permissions:
- all the permissions of the Reader role, and
- add, edit and delete authentication clients
- add, edit and delete authentication resources
Instance admin
User role: VerifiableCredential.InstanceAdmin
Permissions:
- all the permissions of the Reader role, and
- view, create, update, suspend and resume identity stores
- view and modify Concierge branding
- view and modify Concierge client branding
- view and modify application label configurations
- view and modify CORS origin configurations
- view and modify email sender configuration
Support agent
User role: VerifiableCredential.SupportAgent
Permissions:
- view remote issuance contact details
- update contact details for pending remote issuances
- resend remote issuance notifications
- cancel pending remote issuances
- view background job events
- view communications
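The following added example, which is not code from the VO platform, encodes the role lists above and picks the combination of roles that covers a set of tasks while granting the fewest permissions overall. The function names and the use of the role-name suffix as dictionary key are assumptions made for the example.

```python
from itertools import combinations

# Permissions transcribed from this page. Keys are the suffix of the user role
# value, e.g. "Issuer" stands for VerifiableCredential.Issuer.
READER = {"view templates", "view credentials", "view issuances", "view presentations",
          "view identities", "view partners", "view authentication clients"}
IDENTITY = {"create identity", "update identity"}
REMOTE = {"update contact details for pending remote issuances",
          "resend remote issuance notifications", "cancel pending remote issuances"}
ROLES = {
    "Reader": READER,
    "Issuer": READER | IDENTITY | REMOTE | {
        "issue credential", "create remote issuances",
        "view and filter the list of remote issuances", "view remote issuance details",
        "upload CSV files to create remote issuances"},
    "CredentialAdmin": READER | IDENTITY | {
        "create template", "edit template", "delete template", "create contract",
        "edit contract", "delete contract", "publish contract", "deprecate contract",
        "revoke issuances"},
    "PartnerAdmin": READER | {
        "find authorities / issuers in verifiable credentials network",
        "find contracts / credentials in verifiable credentials network",
        "add partner", "edit partner"},
    "ApprovalRequestAdmin": READER | {
        "view and filter the list of approval requests",
        "view approval request details including actioned approval data",
        "cancel pending approval requests"},
    "OidcAdmin": READER | {"add, edit and delete authentication clients",
                           "add, edit and delete authentication resources"},
    "InstanceAdmin": READER | {
        "view, create, update, suspend and resume identity stores",
        "view and modify Concierge branding", "view and modify Concierge client branding",
        "view and modify application label configurations",
        "view and modify CORS origin configurations",
        "view and modify email sender configuration"},
    "SupportAgent": REMOTE | {"view remote issuance contact details",  # no Reader base
                              "view background job events", "view communications"},
}

def effective(roles):  # union of the permissions granted through `roles`
    return set().union(*(ROLES[r] for r in roles))

def least_privilege(tasks):
    """Role combination that covers `tasks` with the fewest total permissions."""
    tasks = set(tasks)
    if not tasks <= effective(ROLES):
        raise ValueError(f"no role grants: {sorted(tasks - effective(ROLES))}")
    covers = (c for n in range(len(ROLES) + 1)
              for c in combinations(sorted(ROLES), n) if tasks <= effective(c))
    return min(covers, key=lambda c: (len(effective(c)), len(c)))
```

For a user who only needs to cancel pending remote issuances, this resolves to Support agent rather than Issuer. A user who needs a Reader view together with `view communications` needs both Reader and Support agent, because Support agent does not include the Reader permissions.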