Configuring access to job types for external account holders

By default, RestV1JobTypesConfigurationPlugin provides external account holders access to the following job types with the Cloud API for PolicyCenter:
  • Submission
  • Renewal
  • Policy Change
  • Cancellation

You can configure external account holders to have access to additional job types.

Provide account holders access to additional job types

Complete the following steps to provide external account holders access to a customized list of job types. The examples in this topic provide external account holders access to the issuance job.
After reading this topic, you'll be able to:
  • Create a custom class that extends RestV1JobTypesConfigurationPluginImpl
  • Add additional endpoint access for account holders
  • Add additional resource access for account holders
  • Add additional permissions to proxy user external_user

Instructions

Step 1: Create a custom class that extends RestV1JobTypesConfigurationPluginImpl

About this task
Create a custom plugin implementation class RestV1JobTypesConfigurationPluginCustomImpl to configure the types of jobs that external account holders can access.
Procedure
  1. Create a custom plugin implementation class that extends the RestV1JobTypesConfigurationPluginImpl implementation.
    For example, create the class named RestV1JobTypesConfigurationPluginCustomImpl.gs that extends RestV1JobTypesConfigurationPluginImpl.
    package mycompany.plugins.rest.ext.pc.security.v1
    
    uses gw.rest.core.pc.security.v1.RestV1JobTypesConfigurationPlugin
    
    class RestV1JobTypesConfigurationPluginCustomImpl extends RestV1JobTypesConfigurationPluginImpl {
      override property get AccessibleJobTypesForAccountHolder() : Set<typekey.Job> {
        // TC_ISSUANCE is added for custom configuration
        // the default supported job types are TC_CANCELLATION, TC_POLICYCHANGE, TC_RENEWAL, TC_SUBMISSION
        return {TC_CANCELLATION, TC_ISSUANCE, TC_POLICYCHANGE, TC_RENEWAL, TC_SUBMISSION}
      }
    }
    This code provides external account holders access to the issuance job type in addition to the jobs they have access to by default.
  2. Update RestV1JobTypesConfigurationPlugin.gwp to reference the new implementation class.
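    For example, update RestV1JobTypesConfigurationPlugin.gwp with the following code. The gosuclass value must be the fully qualified name of the class created in the previous step (its package followed by the class name):
    <?xml version="1.0"?>
    ...
    <plugin
      interface="RestV1JobTypesConfigurationPlugin"
      name="RestV1JobTypesConfigurationPlugin">
      <plugin-gosu
        gosuclass="mycompany.plugins.rest.ext.pc.security.v1.RestV1JobTypesConfigurationPluginCustomImpl"/>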
    </plugin>
    ...

Step 2: Update the endpoint access for account holders

About this task
Update the Account_Holder.role.yaml file to provide external account holders access to the additional endpoints. In this case, provide account holders access to issue a policy.
Procedure
  1. Open the Account_Holder.role.yaml file.
  2. Add the following code:
    - endpoint: "/policy/v1/policies/*/issue"
      methods:
      - POST

Step 3: Update resource access for account holders

About this task
The accountholder_ext-1.0.access.yaml file defines the resources available to account holders. In this case, update this file to provide account holders access to additional policy information.
Procedure
Update the config/authorization/gw/core/pc/shared/v1/accountholder_ext-1.0.access.yaml file with the following code:
Issuance:
  permissions:
    view: __inherit
    create: "gw.rest.core.pc.security.v1.AccountHolderSecurityUtil.canAccessPolicy(resource.Parent.Policy)"

Step 4: Update the permissions provided to proxy user external_user

About this task
The roleprivileges.csv file includes the permissions associated with each PolicyCenter role. In this case, when you provide an account holder access to issuance jobs, you might need to give the proxy user the permissions to issue a policy and to quote and bind the issuance job.
Procedure
  1. Open roleprivileges.csv and add the following additional items at the end of the file:
    RolePrivilege,0,sample_data:1698,advanceissuance,external_user
    RolePrivilege,0,sample_data:1699,bindissuance,external_user
    RolePrivilege,0,sample_data:1700,createissuance,external_user
    RolePrivilege,0,sample_data:1701,editissuance,external_user
  2. Verify that the entityid values associated with each item are unique and make any updates as needed. For example, if the last item in roleprivileges.csv has an entityid of sample_data:1697, define the next new row with an entityid of sample_data:1698.
  3. Use the import-tools command to update the permissions. For more information, see the Administration Guide.
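
The uniqueness check in step 2, together with a review of what external_user ends up holding, can be scripted before running the import. The following is an added example, not Guidewire code. It assumes the five-column row layout shown above (row type, 0, entityid, permission, role); the sample rows other than the four from this topic are constructed.

```python
import csv
import io

# Constructed sample: the four rows from this topic plus two invented
# pre-existing rows, one of which already uses sample_data:1698.
SAMPLE = """\
RolePrivilege,0,sample_data:1697,constructed_perm_a,external_user
RolePrivilege,0,sample_data:1698,constructed_perm_b,other_role
RolePrivilege,0,sample_data:1698,advanceissuance,external_user
RolePrivilege,0,sample_data:1699,bindissuance,external_user
RolePrivilege,0,sample_data:1700,createissuance,external_user
RolePrivilege,0,sample_data:1701,editissuance,external_user
"""
# Grants this topic adds for external_user; anything else needs review.
APPROVED = {"advanceissuance", "bindissuance", "createissuance", "editissuance"}

def parse_rows(text):
    """Return (line, entityid, permission, role) per RolePrivilege row.
    Column meanings are assumed from the rows shown in this topic."""
    reader = csv.reader(io.StringIO(text))
    rows = []
    for rec in reader:
        rec = [field.strip() for field in rec]
        if len(rec) == 5 and rec[0] == "RolePrivilege":
            rows.append((reader.line_num, rec[2], rec[3], rec[4]))
    return rows

def duplicate_entityids(rows):
    """Map each entityid used more than once to the lines that use it."""
    seen = {}
    for line, entityid, _perm, _role in rows:
        seen.setdefault(entityid, []).append(line)
    return {eid: lines for eid, lines in seen.items() if len(lines) > 1}

def next_free_entityid(rows, prefix="sample_data"):
    """Next unused <prefix>:<n>, one past the highest number in the file."""
    nums = [int(e.rpartition(":")[2]) for _l, e, _p, _r in rows
            if e.startswith(prefix + ":") and e.rpartition(":")[2].isdigit()]
    return f"{prefix}:{max(nums, default=0) + 1}"

def unreviewed_grants(rows, role="external_user", approved=APPROVED):
    """Permissions held by role that are not on the approved list."""
    return sorted({perm for _l, _e, perm, r in rows if r == role} - set(approved))

if __name__ == "__main__":
    rows = parse_rows(SAMPLE)
    print("duplicate entityids:", duplicate_entityids(rows))
    print("next free entityid:", next_free_entityid(rows))
    print("unreviewed external_user grants:", unreviewed_grants(rows))
```

To check a real file, pass its contents to parse_rows in place of SAMPLE and extend APPROVED with the grants external_user is already meant to hold.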