Pre-General Availability: 2026-03-13

4 User Management

Blockchain Platform Manager uses an integrated OpenLDAP server for initial Identity and Access Management (IAM) during installation. This OpenLDAP server manages user credentials and enforces Role-Based Access Control (RBAC) using preconfigured groups. All user information such as credentials and group memberships is stored on this OpenLDAP server.

In addition to LDAP-based authentication, Blockchain Platform Manager supports integration with external Identity Management systems (IdMs) via OpenID Connect (OIDC). This enables the use of industry-standard authentication protocols for enhanced interoperability.

LDAP Configuration Management

Blockchain Platform Manager provides a dedicated configuration page for managing LDAP servers. The following actions are supported:

  • Add New: Configure an external LDAP server for Blockchain Platform Manager, as an alternative to the built-in OpenLDAP server.
  • Save: Save a new or updated LDAP server configuration.
  • Set Active: Designate an existing LDAP configuration as active.
  • Save and Set Active: Save changes and immediately set the updated configuration as active.
  • Test Configuration: Verify connectivity and accessibility to the specified LDAP server from Blockchain Platform Manager.

Group Creation and Management

For each Blockchain Platform Manager instance that is created, the following groups are provisioned in the OpenLDAP server:

User role, LDAP group name, and description for each group:

  • User role: Platform Management
    LDAP group name: OBP_Blockchain Platform Manager<id>_CP_ADMIN
    Description: Users in this group can provision an instance, configure existing instances, set the LDAP configuration, and complete life cycle operations on instances. A user must be a member of this group to be able to log in to Blockchain Platform Manager or create an instance.
  • User role: Instance Administrator
    LDAP group name: BESU_ADMIN_<instance_uuid>
    Description: Users in this group can manage instances by using the console UI.
  • User role: Instance Operator
    LDAP group name: BESU_OPERATOR_<instance_uuid>
    Description: Operators are read-only users. Operators do not have access to the Accounts page in the service console.
  • User role: RPC Proxy Client
    LDAP group name: BESU_RPC_GW_<instance_uuid>
    Description: RPC proxy users are typically client applications.

All users provisioned through Blockchain Platform Manager are automatically added to all four groups.

Token Issuance and Group Membership Propagation

When a new instance is created, Blockchain Platform Manager configures the authentication server to enable token issuance with required claims, including user identity and relevant client/party information. Each token includes group membership information, encapsulated in a payload claim. Instance components use these claims to authorize or block external access to workload pods.
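The check an instance component performs on the group claim, as an added illustration (not Oracle's code and not the platform's own implementation). It assumes the token is a JWT, that the membership claim is named "groups", and that HS256 with a shared key stands in for whatever the real authentication server signs with; none of those details are stated on the page. The point it demonstrates is ordering: the signature and expiry are verified before any claim is read, and authorization matches the full group name for the requested instance, so a membership for a different instance never grants access.

```python
"""Verify a Platform Manager token and derive the roles it grants on one instance.
Added illustration, not Oracle's code. Assumptions: JWT format, a 'groups' claim,
and HS256 with a shared key in place of the real issuer's signing method."""
import base64
import hashlib
import hmac
import json
import time

GROUP_CLAIM = "groups"   # assumption: the page does not name the claim

ROLE_PREFIX = {          # group name templates from the page's table
    "admin": "BESU_ADMIN_",
    "operator": "BESU_OPERATOR_",
    "rpc": "BESU_RPC_GW_",
}


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, key):
    """Constructed HS256 JWT for the demo; in the platform the auth server issues tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = (header + "." + payload).encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return header + "." + payload + "." + _b64url_encode(signature)


def verify_token(token, key, now=None):
    """Return the claims only after signature and expiry check out; raise ValueError otherwise.
    Claims are never read from an unverified token, so a forged group list never reaches
    the authorization step."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":            # pin the algorithm; reject 'none' and friends
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    return claims


def instance_roles(claims, instance_uuid):
    """Roles the token grants on exactly this instance. Exact match on the full group
    name, so a group for another instance (or a prefix lookalike) never counts."""
    groups = claims.get(GROUP_CLAIM)
    if not isinstance(groups, list):
        return set()
    return {role for role, prefix in ROLE_PREFIX.items() if prefix + instance_uuid in groups}


def authorize(claims, instance_uuid, required_role):
    """Deny by default; the page gives no role hierarchy, so none is assumed here."""
    return required_role in instance_roles(claims, instance_uuid)


if __name__ == "__main__":
    KEY = b"constructed-demo-key"                            # constructed sample key
    INSTANCE = "123e4567-e89b-12d3-a456-426614174000"        # constructed sample uuid
    token = mint_token({"sub": "alice", GROUP_CLAIM: ["BESU_ADMIN_" + INSTANCE], "exp": 2000000000}, KEY)
    print(instance_roles(verify_token(token, KEY), INSTANCE))
```

Because the page names no ordering between administrator and operator, `authorize` treats each role as a separate group membership; if a deployment wants administrators to pass operator (read-only) checks as well, that is a policy decision to encode explicitly rather than something inferred from the group names.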

You can add users directly to the OpenLDAP server by using OpenLDAP browsers such as jXplorer. Blockchain Platform Manager administrators can use the administrator user name and password that were provided during installation to connect to openldap.<cp-name>.<cp-domain>:443 with SSL enabled. Once connected, administrators can add users and assign or modify group memberships to grant the appropriate access levels.
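The same provisioning done as LDIF rather than through a browser, as an added illustration (not Oracle's code) covering both the group list above and the manual user-adding step: it builds an add record for the user and four modify records that put the user into the groups the page names for one instance, using the page's group-name templates verbatim. The directory suffix `dc=example,dc=com`, the `ou=people` and `ou=groups` containers, groupOfNames groups with a `member` attribute, and the platform group's `<id>` being the Platform Manager's own identifier are all assumptions the page does not state.

```python
"""Generate LDIF for provisioning a user into the four Blockchain Platform Manager
groups. Added illustration, not Oracle's code. Assumptions (not stated on the page):
directory layout below BASE_DN, groupOfNames groups with a 'member' attribute, and
the platform group's <id> being the Platform Manager's own identifier."""
import base64
import re

BASE_DN = "dc=example,dc=com"          # assumption: page does not give the suffix
PEOPLE_OU = "ou=people," + BASE_DN     # assumption
GROUPS_OU = "ou=groups," + BASE_DN     # assumption

_UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def group_names(platform_id, instance_uuid):
    """The four group names the page lists, using its templates verbatim."""
    if not _UUID_RE.match(instance_uuid):
        raise ValueError("instance_uuid is not a UUID: %r" % instance_uuid)
    return [
        "OBP_Blockchain Platform Manager%s_CP_ADMIN" % platform_id,
        "BESU_ADMIN_%s" % instance_uuid,
        "BESU_OPERATOR_%s" % instance_uuid,
        "BESU_RPC_GW_%s" % instance_uuid,
    ]


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 special characters)."""
    escaped = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if escaped[:1] in ("#", " "):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def ldif_attr(name, value):
    """One LDIF attribute line; base64-encode values RFC 2849 treats as unsafe."""
    unsafe_first = value[:1] in (" ", ":", "<")
    unsafe_any = any(ord(c) > 127 or c in "\0\r\n" for c in value)
    if unsafe_first or unsafe_any:
        return "%s:: %s" % (name, base64.b64encode(value.encode("utf-8")).decode("ascii"))
    return "%s: %s" % (name, value)


def user_dn(uid):
    return "uid=%s,%s" % (escape_dn_value(uid), PEOPLE_OU)


def group_dn(name):
    return "cn=%s,%s" % (escape_dn_value(name), GROUPS_OU)


def user_entry_ldif(uid, cn, sn, mail):
    """LDIF add record for an inetOrgPerson. No userPassword here: set it separately."""
    lines = [
        ldif_attr("dn", user_dn(uid)),
        "objectClass: inetOrgPerson",
        ldif_attr("uid", uid),
        ldif_attr("cn", cn),
        ldif_attr("sn", sn),
        ldif_attr("mail", mail),
    ]
    return "\n".join(lines) + "\n"


def add_to_groups_ldif(uid, platform_id, instance_uuid):
    """LDIF modify records adding the user to all four groups, which the page says
    happens for every user provisioned through Platform Manager."""
    records = []
    for name in group_names(platform_id, instance_uuid):
        records.append("\n".join([
            ldif_attr("dn", group_dn(name)),
            "changetype: modify",
            "add: member",
            ldif_attr("member", user_dn(uid)),
        ]) + "\n")
    return "\n".join(records)


if __name__ == "__main__":
    INSTANCE = "123e4567-e89b-12d3-a456-426614174000"   # constructed sample uuid
    print(user_entry_ldif("alice", "Alice Example", "Example", "alice@example.com"))
    print(add_to_groups_ldif("alice", "42", INSTANCE))
```

The output is plain LDIF, so it can be reviewed before it is applied and then fed to `ldapadd` and `ldapmodify` against `ldaps://openldap.<cp-name>.<cp-domain>:443`, binding with the administrator credentials the page mentions; the UUID check and the DN and LDIF escaping are there so that a mistyped instance id or an unusual user name fails loudly instead of silently creating a membership in the wrong group.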