Security
Security for the Form Service APIs is based on Keycloak. There are two types of roles that users and clients need to consider when accessing forms: Form Definition roles and ADSP roles. A caller needs both: a tenant-defined role that the Form Definition maps to a user type, and the ADSP (form-service client) roles for the operation being performed.
Form Definition roles
Developers must assign access roles to each Form Definition within a tenant. The Form Service defines three types of users:
- Applicant: For users who fill in forms and submit them for review.
- Clerk: For GOA personnel who need to review a form and perhaps fill in missing details.
- Assessor: For GOA personnel who assess the information, make decisions, and disposition the form as appropriate.
In the Tenant-Management-Webapp, developers assign one or more of these user types to one or more tenant-defined Keycloak roles, via the Roles tab in the Form Definition editor. This step is mandatory: the mapping is what the Form Service uses to decide whether a caller may act as an applicant, clerk, or assessor on that definition. If you get 403 responses while testing, first check that your test user holds one of the tenant-defined roles mapped to the user type you are testing as.
ADSP roles
Several additional roles may be required for users to access Form Service resources. These are client roles defined under the form-service client in Keycloak:
Applicants need the form-admin role to create forms and the intake-application role to fill them out. If the form allows files to be uploaded, applicants also need:
- form-file-reader
- form-file-uploader
Clerks and assessors need the form-support and form-file-reader roles. Additional roles are available for form administrators.
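Because a 403 can come from either layer (a missing tenant-defined role for the user type, or a missing form-service client role for the operation), it helps to inspect the access token you are sending before opening a ticket. The following pre-flight check is an added example, not code from the ADSP project: it decodes the payload of a Keycloak access token (without verifying the signature, since it is only for inspecting a token you already hold), then reports which roles are missing for a given user type and action. It assumes the form-service client id is literally `form-service`, so that its client roles appear under `resource_access["form-service"]["roles"]` in the token, that tenant-defined roles appear under `realm_access["roles"]`, and that holding any one of the tenant roles mapped to a user type is sufficient. The tenant mapping `TENANT_USER_TYPE_ROLES` and the sample token are constructed for the example.

```python
"""Pre-flight role check for Form Service calls (added example, not ADSP code).

Decodes a Keycloak access token payload and compares the roles it carries
against the roles the page lists for each user type and action.
Assumptions: form-service client id is "form-service"; tenant-defined
roles are realm roles; any one mapped tenant role satisfies a user type.
"""
from __future__ import annotations

import base64
import json

FORM_SERVICE_CLIENT = "form-service"  # assumed client id in Keycloak

# form-service client roles per user type and action, as listed on the page.
ADSP_ROLES = {
    "applicant": {
        "create": {"form-admin"},
        "fill": {"intake-application"},
        "upload": {"form-file-reader", "form-file-uploader"},
    },
    "clerk": {"review": {"form-support", "form-file-reader"}},
    "assessor": {"review": {"form-support", "form-file-reader"}},
}

# Constructed sample of what the Roles tab of a Form Definition would map:
# user type -> tenant-defined Keycloak roles (hypothetical role names).
TENANT_USER_TYPE_ROLES = {
    "applicant": {"benefit-applicant"},
    "clerk": {"benefit-clerk"},
    "assessor": {"benefit-assessor"},
}


def _b64url_decode(segment: str) -> bytes:
    # JWTs strip base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(token: str) -> dict:
    """Return the JWT payload. Signature is NOT verified: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    return json.loads(_b64url_decode(parts[1]))


def make_sample_token(payload: dict) -> str:
    """Build an unsigned-looking token for the demo (constructed input)."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj, separators=(",", ":")).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(payload), "sig"])


def token_roles(payload: dict) -> tuple[set[str], set[str]]:
    """Split a decoded payload into (tenant realm roles, form-service roles)."""
    realm = set(payload.get("realm_access", {}).get("roles", []))
    client = set(payload.get("resource_access", {})
                 .get(FORM_SERVICE_CLIENT, {}).get("roles", []))
    return realm, client


def missing_roles(payload: dict, user_type: str, action: str,
                  tenant_map: dict = TENANT_USER_TYPE_ROLES) -> tuple[set[str], set[str]]:
    """Return (missing tenant roles, missing form-service roles).

    The first set is empty when the token holds at least one role mapped to
    the user type; otherwise it lists every role that would satisfy it.
    """
    realm, client = token_roles(payload)
    required_tenant = tenant_map[user_type]
    missing_tenant = set() if realm & required_tenant else set(required_tenant)
    missing_client = ADSP_ROLES[user_type][action] - client
    return missing_tenant, missing_client


def explain_403(token: str, user_type: str, action: str) -> str:
    """Human-readable diagnosis for a 403 on the given user type/action."""
    tenant, client = missing_roles(decode_payload(token), user_type, action)
    if not tenant and not client:
        return "token carries every role this check knows about"
    lines = []
    if tenant:
        lines.append(f"no tenant role mapped to '{user_type}' (need one of {sorted(tenant)})")
    if client:
        lines.append(f"missing {FORM_SERVICE_CLIENT} roles: {sorted(client)}")
    return "; ".join(lines)


if __name__ == "__main__":
    # Constructed token: an applicant who can fill forms but not upload files.
    demo = make_sample_token({
        "realm_access": {"roles": ["benefit-applicant"]},
        "resource_access": {FORM_SERVICE_CLIENT: {"roles": ["intake-application"]}},
    })
    print(explain_403(demo, "applicant", "upload"))
```

Run it against a real token by pasting the `Authorization: Bearer` value in place of `demo` and replacing `TENANT_USER_TYPE_ROLES` with the roles your Form Definition actually maps. The check deliberately skips signature verification and expiry: it answers "which role am I missing?", not "is this token valid?", and must not be used to make authorization decisions.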