Security

Security for the Form Service APIs is based on Keycloak, and there are two types of roles that users and clients need to consider when accessing forms: Form Definition roles, and ADSP roles.

Form Definition roles

Developers should assign access roles to each Form Definition within a tenant. The Form Service defines three types of users:

  • Applicant: For users that fill in forms and submit them for review.
  • Clerk: For GOA personnel that need to review a form and perhaps fill in missing detail.
  • Assessor: For GOA personnel who are able to assess the information, make decisions, and disposition the form as appropriate.

In the Tenant-Management-Webapp, developers can assign one or more of these user types to one or more tenant-defined Keycloak roles. Note: this security is important enough that this step is mandatory. If, when testing, you find you are getting 403s, make sure your test user has the right tenant-defined roles. You can assign user types to these roles via the Roles tab in the Form Definition editor.

ADSP roles

There are several roles that may be required for users to access Form Service resources. These can be found under the form-service client in Keycloak.

Applicants will need the form-admin and intake-application roles to create and fill out forms, respectively. If the form requires files to be uploaded, they will also need:

  • form-file-reader
  • form-file-uploader

Additional roles are available for form administrators. Clerks and assessors should have the form-support and form-file-reader roles.
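Both checks above (the tenant-defined role mapped to a user type, and the form-service client roles) have to pass, and a 403 does not say which one failed. The helper below is an added example, not ADSP code: it inspects a Keycloak access-token payload and reports what is missing for an operation. It assumes the standard Keycloak claim layout (tenant roles under realm_access, client roles under resource_access.form-service); the tenant role names and operation names are constructed for illustration.

```python
import base64
import json

# Tenant-defined Keycloak roles mapped to Form Service user types, as would be
# configured on the Roles tab of the Form Definition editor (constructed names).
USER_TYPE_ROLES = {
    "applicant": {"my-tenant-applicant"},
    "clerk": {"my-tenant-clerk"},
    "assessor": {"my-tenant-assessor"},
}

# Per operation: which user types may perform it and which form-service client
# roles the page lists for it. Operation names are illustrative, not API routes.
OPERATION_RULES = {
    "create-form": ({"applicant"}, {"form-admin"}),
    "fill-form": ({"applicant"}, {"intake-application"}),
    "upload-file": ({"applicant"}, {"form-file-uploader"}),
    "read-file": ({"applicant", "clerk", "assessor"}, {"form-file-reader"}),
    "review-form": ({"clerk", "assessor"}, {"form-support"}),
}


def decode_payload(token: str) -> dict:
    """Decode the claims segment of a JWT for inspection only (no signature check)."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def missing_for(payload: dict, operation: str) -> list[str]:
    """Return what a token lacks for an operation; an empty list means it would pass."""
    user_types, client_roles = OPERATION_RULES[operation]
    realm_roles = set(payload.get("realm_access", {}).get("roles", []))
    svc_roles = set(payload.get("resource_access", {}).get("form-service", {}).get("roles", []))
    missing = []
    # Tenant-defined role check: at least one mapped role for an allowed user type.
    if not any(USER_TYPE_ROLES[t] & realm_roles for t in user_types):
        missing.append("tenant role for one of: " + ", ".join(sorted(user_types)))
    # ADSP client role check: every required form-service role must be present.
    for role in sorted(client_roles - svc_roles):
        missing.append("form-service role: " + role)
    return missing


def make_sample_token(payload: dict) -> str:
    """Build a test fixture in JWT layout (signature segment left empty) for decode_payload."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}."
```

Run missing_for(decode_payload(token), "upload-file") against a real test user's token to see whether the 403 comes from the tenant role mapping or from a missing form-service client role.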