The User Manager is an application for managing users, groups, applications, roles, certificates, group and role assignments.
Required peripheral systems are: OpenLDAP, proNEXT IdP, Registration Manager (RM) and AuditManagerService (AMS). Interfaces called from the User Manager are HTTPS (REST) towards the IdP, RM and AMS, and LDAP with StartTLS towards the LDAP directory.
Creating a central infrastructure component for the management of users, user roles and organizational structures avoids duplicating this information in specialized systems and consequently reduces the administrative effort required. In addition, the UM concept provides precise specifications for its internal authorization structure and thus allows fine-grained administration that can be defined separately for different user groups. The familiar user/role data structure is extended by a new group entity, which enables the logical grouping of users and allows administration areas to be defined through a hierarchical structure.
Furthermore, groups make it possible to give a user different roles depending on the group in whose context the user is currently acting. Asymmetric key material (in the form of public certificates and private keys) can be stored with users as well as with groups.
In addition to supporting direct authentication (active and passive authentication), the UM concept handles the secure passing of authentication information between background services without requiring further user interaction. This eliminates the need for technical "superusers", which often pose a significant security risk because of their overly permissive set of rights.
All read and write access is controlled via central components. Direct access to the attribute store (in this concept an LDAP system) is technically not possible. This prevents third-party access, whether erroneous or otherwise, from posing a threat to the data integrity of the user administration.