User Management
User Registration
A user must have an existing OIPA user account identified by username and password to log into the OIPA application. An OIPA administrator uses the Rules Palette to create a new OIPA user account. The OIPA administrator's Rules Palette credentials must be associated with a security group that allows for the management of security. With the proper security rights, the administrator may use the Rules Palette to add, edit and delete OIPA user accounts. The administrator can also add and edit Security Groups that determine what features and authorizations are available to the users that belong to each Security Group. When creating a new user account, an administrator enters or selects the following information:
- User's login name and password
- Basic information about the user – first and last name, email, gender, etc.
- User's primary company
- Locale
- Security groups to which the user belongs
This information is persisted in the OIPA database, with the encrypted password digest stored as discussed in the User Authentication section of this document.
There are no pre-existing or default user accounts or security groups in the OIPA application that need to be disabled after the system is deployed. The OIPA application user interface may be accessed only after at least one user account is created through the Rules Palette.
User Privileges and Group-Based Access Control
The OIPA implementation of user privileges and access restrictions is based on the role-based access control (RBAC) model. In this model, permissions are assigned to groups (roles) that are created for the various job functions rather than to individual users. A user who is assigned to a particular group gains, through that group, permission to perform the corresponding system functions. If a user is assigned to multiple groups, the user has access to all resources authorized for any of those groups.
For example, users that are assigned to the CSR group (or role) may not be able to execute such activities as issuing a policy or paying a death benefit. By contrast, a user in an Underwriter group should be able to issue a policy. A user in an administrator group is usually allowed access to all resources.
The following figure shows what application resources are protected by OIPA security.
Figure 3. Hierarchy of User Authorizations
By default, a newly created user account has no authorization to access any of the application's restricted resources. Authorizations have to be explicitly granted by an OIPA security administrator. When setting up user groups, an administrator needs to be careful to include only the minimum set of permissions that allows users of a particular group to perform their job functions.
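As an added illustration of the group-based model described above (this is not OIPA's own code; the group names, permission strings and sample users are constructed assumptions), the following Python models the union of permissions across a user's groups, the default-deny state of a newly created account, and a least-privilege review of a group's permission set:

```python
from dataclasses import dataclass, field

# Hypothetical permission names, modelled on the job functions the text
# mentions; they are not OIPA's actual authorization identifiers.
ISSUE_POLICY = "policy:issue"
PAY_DEATH_BENEFIT = "benefit:pay_death"
VIEW_POLICY = "policy:view"
MANAGE_SECURITY = "security:manage"

# Security groups as sets of permissions (constructed sample data).
GROUPS = {
    "CSR": {VIEW_POLICY},
    "Underwriter": {VIEW_POLICY, ISSUE_POLICY},
    "Administrator": {VIEW_POLICY, ISSUE_POLICY, PAY_DEATH_BENEFIT, MANAGE_SECURITY},
}


@dataclass
class User:
    username: str
    groups: set = field(default_factory=set)  # names of security groups


def effective_permissions(user: User, groups=GROUPS) -> set:
    """Union of the permissions of every group the user belongs to.

    A user in no group (the state of a newly created account) gets an
    empty set, which is the default-deny position. An unknown group
    name contributes nothing rather than raising.
    """
    perms = set()
    for name in user.groups:
        perms |= groups.get(name, set())
    return perms


def is_authorized(user: User, permission: str, groups=GROUPS) -> bool:
    """An explicit grant through some group is required; everything else is denied."""
    return permission in effective_permissions(user, groups)


def excess_permissions(group: str, required: set, groups=GROUPS) -> set:
    """Least-privilege review: permissions a group grants beyond what its
    job function needs. A non-empty result is something the security
    administrator should justify or remove from the group."""
    return groups.get(group, set()) - required
```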
For more information on how to create security groups and manage user accounts please refer to the Rules Palette Help.