Authorization
About Users & Concepts
Please refer to the section to learn more about that. Have fun!
In order to access any data within fulfillmenttools you need to possess valid credentials in the form of a username and a corresponding password. Our Auth Provider issues a JWT in exchange for such credentials, which needs to be sent along with every request to any of the provided APIs.
The fulfillmenttools platform has a simple yet effective rights & permissions system in place. It grants access to the data a user is allowed to see and hides data from users who are authenticated but not authorized to view it. The role also determines which features are active in the API, the backoffice and the mobile clients.
Currently there is a fixed set of roles a user can take within the platform (whether a facility reference is mandatory for the role is noted next to it):

FULFILLER (facility reference mandatory: yes)
The Fulfiller is the role that takes care of the operative workflow, such as picking, packing and sending an order on its way. Therefore users of this role primarily have access to the operatively needed parts of the system.

SUPERVISOR (facility reference mandatory: yes)
The Supervisor is allowed to configure the settings of certain facilities. Therefore a user of this role will primarily use the Backoffice Application as well as potentially other clients. The Supervisor role extends the role of the Fulfiller.

ADMINISTRATOR (facility reference mandatory: no)
The Administrator of a fulfillmenttools system is allowed to access all the functionality.
A user must always have a known role in order to interact with the clients or with the API. This information is provided to the Identity Provider and is reflected in the JWT issued to the user.
To prevent users with specific roles from reading data they are not allowed to see (for GDPR reasons, for instance), some roles can only be assigned together with a mandatory reference to a facility.
Currently the list of available roles is fixed and cannot be extended by the client.
The following calls are allowed for the following roles: SUPERVISOR, ADMINISTRATOR
When a user is deleted, all currently active JWTs of that user are invalidated. The user will no longer be able to use an issued token.
The JWT itself is signed and contains your username, your role and your facility affiliation, if any. It has a lifetime of 60 minutes and can be refreshed using the refresh token that comes with the response from the Auth Provider.
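As an added example (not fulfillmenttools' own code), the following Python function shows the kind of deny-by-default check a resource server would apply to the claims of an already signature-verified JWT, following the rules above: ADMINISTRATOR sees everything, SUPERVISOR extends FULFILLER, the facility-bound roles only see their own facility, tokens live 60 minutes, and a deleted user's tokens are void. The claim names `sub`, `role`, `facility`, `iat` and `exp` are assumptions, since the page does not name the platform's claims.

```python
import time

# Added example, not fulfillmenttools code. The claims dict is assumed to come
# from a JWT whose signature has already been verified; claim names ("sub",
# "role", "facility", "iat", "exp") are assumptions, the rules follow the page.

ROLE_RANK = {"FULFILLER": 1, "SUPERVISOR": 2, "ADMINISTRATOR": 3}
FACILITY_BOUND = {"FULFILLER", "SUPERVISOR"}
MAX_LIFETIME = 60 * 60  # seconds; the page states a lifetime of 60 minutes


def is_authorized(claims, required_role, facility_id, deleted_users, now=None):
    """Return (allowed, reason) for a request that needs `required_role`
    on facility `facility_id` (None for resources without a facility)."""
    now = time.time() if now is None else now
    # A deleted user's tokens are invalid even if they have not expired yet.
    if claims.get("sub") in deleted_users:
        return False, "user deleted"
    exp, iat = claims.get("exp"), claims.get("iat")
    if exp is None or exp <= now:
        return False, "token expired"
    # Reject tokens that claim a longer validity than the provider issues.
    if iat is None or exp - iat > MAX_LIFETIME:
        return False, "implausible lifetime"
    role = claims.get("role")
    if role not in ROLE_RANK:
        return False, "unknown role"
    facility = claims.get("facility")
    if role in FACILITY_BOUND and not facility:
        return False, "facility-bound role without facility"
    if ROLE_RANK[role] < ROLE_RANK[required_role]:
        return False, "insufficient role"
    # Non-administrators only see the data of their own facility.
    if role != "ADMINISTRATOR" and facility_id is not None and facility != facility_id:
        return False, "different facility"
    return True, "ok"


if __name__ == "__main__":
    now = 1_700_000_000  # constructed fixed clock for the demo
    supervisor = {"sub": "bob", "role": "SUPERVISOR", "facility": "F1",
                  "iat": now - 100, "exp": now + 3000}
    print(is_authorized(supervisor, "SUPERVISOR", "F1", set(), now))   # (True, 'ok')
    print(is_authorized(supervisor, "SUPERVISOR", "F2", set(), now))   # (False, 'different facility')
    print(is_authorized(supervisor, "FULFILLER", "F1", {"bob"}, now))  # (False, 'user deleted')
```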