Context

The backoffice staff of SaFi will need to access BOFE and other related systems (Jira, Genesys, Meiro, ). Users are part of various teams that include, but are not limited to:

  • Customer due diligence team

  • Payments team

  • Card operations team

  • Telesales team

  • Customer service team (aka call center agents)

What a user can see and do is limited by their role(s). Each user also has 0-1 direct supervisors.

For related technical documentation see Access-control.

Adding/removing users

During user onboarding/offboarding

SSO

SSO will be used to log in to all BO systems.

Groups

Groups will be used to handle permissions of users. A role can limit what the user can see and what actions they can take.

A draft of the permissions is in the BOFE Access Matrix.

Groups are managed by Okta; permissions are managed by backoffice-manager.

Organizational structure

To be able to support the maker-checker flows we need to designate a supervisor (checker) for most of the users. Those supervisors may have their own supervisors.

Each user will be in one or more teams.

Each BO user will have 0-1 supervisors. There are no known requirements for a more complex structure.

TODO: An HR system is expected to be present post MVP. Nothing is known about it.

Requirements

  • Any existing user can have a supervisor assigned/updated by SaFi admin (using a UI preferably)

    • The assignment should be limited by role, e.g. a user with “Payments_checker” role can become the supervisor of any “Payments_maker” or “Payments_checker” user, but not of “CDD_maker” user.

  • The services can query the supervisor for any user

    • There is currently no known scenario to query all users supervised by somebody

  • Programmatic change of supervisor is not needed
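
The role-limited assignment rule above, sketched as an added example (not SaFi, Okta or backoffice-manager code). It assumes role names have the "<Domain>_maker" / "<Domain>_checker" shape used in the page's examples and that one shared domain is enough; the self-supervision and cycle checks go beyond the stated requirements and are there because either would let a maker approve their own work.

```python
# Added example, not SaFi code. Role names follow the "<Domain>_maker" /
# "<Domain>_checker" shape seen in the page's examples (an assumption).

def split_role(role):
    """'Payments_checker' -> ('Payments', 'checker'); None for other shapes."""
    domain, sep, kind = role.rpartition("_")
    if not sep or not domain or kind not in ("maker", "checker"):
        return None
    return domain, kind

def can_supervise(supervisor_roles, user_roles):
    """True if the supervisor is a checker in a domain the user works in."""
    checker_domains = {r[0] for r in map(split_role, supervisor_roles)
                       if r and r[1] == "checker"}
    user_domains = {r[0] for r in map(split_role, user_roles) if r}
    return bool(checker_domains & user_domains)

def assign_supervisor(roles, supervisors, user, supervisor):
    """Set or clear (supervisor=None) the single supervisor of `user`.

    roles: user -> set of role names; supervisors: user -> supervisor
    (absent key = no supervisor, so each user has 0-1). Raises ValueError
    on a rejected assignment and leaves `supervisors` unchanged.
    """
    if supervisor is None:
        supervisors.pop(user, None)
        return
    if supervisor == user:
        raise ValueError("a user cannot be their own checker")
    if not can_supervise(roles[supervisor], roles[user]):
        raise ValueError("supervisor holds no checker role for this user")
    # Supervisors may have supervisors: walk up the chain from the proposed
    # supervisor and refuse if it leads back to `user` (added safeguard).
    seen, node = set(), supervisor
    while node is not None and node not in seen:
        if supervisors.get(node) == user:
            raise ValueError("assignment would create a supervision cycle")
        seen.add(node)
        node = supervisors.get(node)
    supervisors[user] = supervisor
```
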

Open questions

  • What system will manage this relationship? Doing it in our backend would be painful due to the need to sync with the source of users & roles (Okta)

    • Answer: The maker-checker relationship is stored in Okta

  • Can we model this in Okta using its features? Answer: Yes

  • If not, can we as a last resort model it via role naming conventions, e.g. a user with a unique “Payments_checker_of_maker_1” role is a supervisor of all “Payments_maker_1” users? (This brings obvious maintainability issues.)
