How to link two registry schema's

[shiva-rakshith]

We have two schema's(Organization and User), a few users may be admins who will have the special privileges to make changes to rest of the users. How can we link the users to Organization and validate that a particular user belongs to that organization?

cc: @vrayulu @maheshkumargangula

[gamemaker1]

Hi @shiva-rakshith,

A possible solution is to add two properties to the User schema: organization (which points to an existing Organization entity in the registry) and role. These fields can be pre-filled while creating the user (not sure how to do this) or entered by the user, and then attested by an existing User entity that is a part of the same organization and their role property is set to admin. Here is a schema that implements this:

Note: Please remove the comments before using the schema, comments are NOT valid JSON and will cause an error if used.

User Schema

File name: user.json

{
  // This must be at the top of all schemas. See http://json-schema.org/understanding-json-schema/reference/schema.html#schema
  "$schema": "http://json-schema.org/draft-07/schema",
  // This is a schema object...
  "type": "object",
  // ...that declares the User entity
  "properties": {
    "User": { "$ref": "#/definitions/User" }
  },
  "required": ["User"],
  "definitions": {
    // The actual definition of the User entity
    "User": {
      // The path to the declaration in the schema entity
      "$id": "#/definitions/User",
      // A User is an object...
      "type": "object",
      // ...with the `name`, `email`, `phone`, `organization` and `role` fields:
      "required": ["name", "email", "phone", "organization", "role"],
      "uniqueIndexFields": ["email"],
      "properties": {
        "name": { "type": "string" },
        "email": { "type": "string" },
        "phone": { "type": "string" },
        "organization": {
          // An organization is a link to an Organization entity in the registry
          "$ref": "organization.json/#/definitions/Organization"
        },
        "role": { "type": "string" }
      }
    }
  },
  "_osConfig": {
    // The following fields are used to create a corresponding user in Keycloak,
    // the authentication service used by Sunbird RC.
    "ownershipAttributes": [
      {
        // The path to the field to consider the email of the entity
        "email": "/email",
        // The path to the field to consider the phone number of the entity
        "mobile": "/phone",
        // The path to the field to consider as unique ID of the entity
        "userId": "/email"
      }
    ],
    // The `organization` and `role` fields must be attested before they can be considered valid
    "attestationAttributes": ["organization", "role"],
    "attestationPolicies": [
      {
        // The name of the field
        "property": "organization",
        // The path to the field (dot-separate fields if the field is nested, $
        // is the root of the entity)
        "paths": ["$.organization"],
        // The claim must be attested by a `User` entity manually
        "type": "MANUAL",
        "attestorEntity": "User",
        // The attesting entity must be in the same organization AND be an admin in that organization
        "conditions": "(ATTESTOR#$.organization#.contains(REQUESTER#$.organization#) && (ATTESTOR#$.role#.contains('admin'))"
      },
      {
        // The name of the field
        "property": "role",
        // The path to the field (dot-separate fields if the field is nested, $
        // is the root of the entity)
        "paths": ["$.role"],
        // The claim must be attested by a `User` entity manually
        "type": "MANUAL",
        "attestorEntity": "User",
        // The attesting entity must be in the same organization AND be an admin in that organization
        "conditions": "(ATTESTOR#$.organization#.contains(REQUESTER#$.organization#) && (ATTESTOR#$.role#.contains('admin'))"
      }
    ]
  }
}

Organization Schema

File name: organization.json

{
  // This must be at the top of all schemas. See http://json-schema.org/understanding-json-schema/reference/schema.html#schema
  "$schema": "http://json-schema.org/draft-07/schema",
  // This is a schema object...
  "type": "object",
  // ...that declares the Organization entity
  "properties": {
    "Organization": { "$ref": "#/definitions/Organization" }
  },
  "required": ["Organization"],
  "definitions": {
    // The actual definition of the Organization entity
    "Organization": {
      // The path to the declaration in the schema entity
      "$id": "#/definitions/Organization",
      // An Organization is an object...
      "type": "object",
      // ...with the `name` field:
      "required": ["name"],
      "properties": {
        "name": { "type": "string" }
      }
    }
  }
}

Also, take a look at this step by step guide on making API calls to retrieve and create entities as well as making and attesting claims.

Hope this helps.

[shiva-rakshith]

Hi @gamemaker1 - Thanks for the response. I have a query on providing user details. While creating users, I have provided the osid(of the organization I have created through /Organization/invite) for the organization property, but it is throwing an error and expecting JSON object. As users cannot enter all the organization data, what kind of data do we need to provide in user details to link it to an organization?
Thanks!

[gamemaker1]

Hi @shiva-rakshith,

I had wrongly assumed that $ref would link the organization to the user. It instead seems to refer to the schema as the type of the field.

I am not sure how to link two entites in a registry. @dileepbapat @tejash-jl @kesavanp123 might be able to help there.

As a workaround, you could store the organization ID in the organization field instead. So instead of:

"organization": {
  // An organization is a link to an Organization entity in the registry
  "$ref": "organization.json/#/definitions/Organization"
},

you would use:

// The organization ID
"organization": {
  "type": "string"
},

in the User entity's schema.

[shiva-rakshith]

Hi Team - We are blocked with this, Please provide your inputs. Thanks!

[parthlawate]

@dileepbapat could you help with this ?

[shiva-rakshith]

Hi @dileepbapat @tejash-jl @kesavanp123
Can you please provide your inputs on this?
Thanks!

[shiva-rakshith]

Hi @dileepbapat @tejash-jl @kesavanp123
Can we have a quick call tomorrow to better understand the use case and discuss on it? Please let me know your feasible timings.

[dileepbapat]

yes, in the schema there is owership attribute that allows setting owner field for the entity. I guess this is useful in this usecase.

take a look at:
https://github.com/Sunbird-RC/sunbird-rc-core/blob/988513204f7ac0a624dbbf10ebaefb84ed25ffd3/java/middleware/registry-middleware/workflow/src/main/resources/workflow/statetransitions.drl#L44

[shiva-rakshith]

We can define only schema specific attributes as ownership attributes. Can we point ownership attributes of one entity to other entity attributes? As in our case, there will be multiple organizations and users, different users will be linked to different organizations, how can we map them?

If we define the schema in the following way, Every time a user enters organization details, it will create a record in V_Organization table and the os-id will be linked to V_User table. But the expectation is the users will not be entering all the org details and will be providing only an org-id and the corresponding os-id of that organization should be liked to the User.

"User": {
      "$id": "#/definitions/User",
      "type": "object",
      "required": ["name", "email", "phone", "organization", "role"],
      "uniqueIndexFields": ["email"],
      "properties": {
        "name": { "type": "string" },
        "email": { "type": "string" },
        "phone": { "type": "string" },
        "organization": {
          // An organization is a link to an Organization entity in the registry
          "$ref": "organization.json/#/definitions/Organization"
        },
        "role": { "type": "string" }
      }
    }
  }

[pramodkvarma]

@dileepbapat if core framework doesn't handle, see if an extension written by adopters can solve such inter registry linkages and controls.

And maybe if designed well, we can bring back such contributions from the community back to core.

[gamemaker1]

Hi @kesavanp123,

I noticed that you can enforce the type of entity that can create a new type of entity in the registry (i.e.: Only a Teacher entity can create a Student entity). Is there any way to enforce which entity can modify another entity - this might help @shiva-rakshith.