Comment: changed to gender-neutral names

...

  • Super Admin: This is the WSO2 Open Banking provider that hosts and manages the overall functional aspects of the WSO2 Open Banking system, e.g., Bank infra/IT. A super admin is responsible for creating user roles in the system, assigning them to users, managing databases, security, etc.
  • Admin: An Admin manages the overall functional aspects of WSO2 Open Banking, e.g., Bank IT Manager.
  • Manager: These are typically the bank's decision makers and bank infrastructure (BI) staff.
  • API Creator: This is a technical role capable of understanding the technical aspects of the APIs, e.g., interfaces, documentation, and versions, and provisioning APIs. API creators use the API Store to consult ratings and feedback provided by API users. An API creator can add APIs to the API Store, but cannot manage their lifecycles.
  • API Publisher: An API publisher manages a set of APIs across the enterprise or business unit and controls the API lifecycle, subscriptions, and monetization aspects, e.g., Bank API Publisher, Bank API Product Manager. The API publisher is also interested in usage patterns for APIs and has access to all API statistics.
  • API Consumer: This is an API subscriber who uses the API Store to discover APIs, read the documentation and forums, rate/comment on the APIs, subscribe to APIs, obtain access tokens, and invoke the APIs, e.g., PISP App Developer, AISP App Developer, Fintech App Developer.
  • End User: These are typically retail and corporate PSUs.
  • Observer: These are typically regulators interested in performance and/or compliance aspects.
  • App Admin: These are TPP decision makers, AISPs, and PISPs.

TPP Onboarding

Third-Party Providers (TPPs) can create third-party applications to facilitate banking services exposed via banking APIs. A TPP can play the role of a PISP/AISP/CBPII or a combination of those roles.

TPPs are subject to thorough verification before they are connected with the banks/ASPSPs. This verification includes a comprehensive sign-up process at the API Store, the developer portal of WSO2 Open Banking. For a TPP to start providing open banking services, it has to be registered under a Competent Authority, which is a regulatory body that authorizes and supervises the open banking services delivered by the TPP.

Consent Management


Consent management ensures that the following scenarios take place with the consent of the respective PSU:

  • Accessing the PSU's account and transaction data by AISPs
  • Processing online payments on behalf of PSUs by PISPs

...

  • There is an API with the following resources:
    • GET: This is attached to the payment_read scope.
    • POST: This is attached to the payment_write scope.
  • There are two user roles: Manager and Front Desk.
  • The Manager role is linked to both the payment_read and payment_write scopes, while the Front Desk role is only linked to the payment_read scope.
  • The Manager role is assigned only to Charlie, while the Front Desk role is assigned to both Alex and Charlie.

  • Alex requests a token through the Token API as grant_type=password&username=alex&password=xxxx&scope=payment_read payment_write. However, as Alex is not in the Manager role, the user will only be granted a token bearing the payment_read scope.

    Code Block
    {"scope":"payment_read","token_type":"bearer","expires_in":3299,"refresh_token":"8579facb65d1d3eba74a395a2e78dd6","access_token":"eb51eff0b4d85cda1eb1d312c5b6a3b8"}


  • Next, Charlie requests a token as grant_type=password&username=charlie&password=charlie123&scope=payment_read payment_write. As Charlie has both roles assigned, the token will bear both requested scopes.

    Code Block
    {"scope":"payment_read payment_write","token_type":"bearer","expires_in":3299,"refresh_token":"4ca244fb321bd555bd3d555df39315","access_token":"42a377a0101877d1d9e29c5f30857e"}

  • This means that Alex can only access the GET operation of the API, while Charlie can access both, as Charlie is assigned to both the Manager and Front Desk user roles. If Alex tries to access the POST operation, there will be an HTTP 403 Forbidden error as follows:

    Code Block
    <ams:fault xmlns:ams="http://wso2.org/apimanager/security">
      <ams:code>900910</ams:code>
      <ams:message>The access token does not allow you to access the requested resource</ams:message>
      <ams:description>Access failure for API: /orgnews, version: 1.0.0 with key: eb51eff0b4d85cda1eb1d312c5b6a3b8</ams:description>
    </ams:fault>
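The scope narrowing and the gateway check described above, as an added example in Python (this is illustrative code, not WSO2's implementation): the Token API keeps only the requested scopes that the user's roles grant, and the gateway then compares the token's scope with the scope attached to the resource. The role, scope and user values are the page's own; the resource path `/payments` and the function names are assumptions.

```python
# Added example, not WSO2 code: models how the password grant narrows the
# requested scopes to those the user's roles carry, and how the gateway then
# enforces the resource's scope (HTTP 403 when the token does not cover it).

# Role -> scopes and user -> roles, taken from the page's example.
ROLE_SCOPES = {
    "Manager": {"payment_read", "payment_write"},
    "Front Desk": {"payment_read"},
}
USER_ROLES = {
    "alex": {"Front Desk"},
    "charlie": {"Manager", "Front Desk"},
}
# (method, path) -> scope attached to the resource. The path is an assumption.
RESOURCE_SCOPES = {
    ("GET", "/payments"): "payment_read",
    ("POST", "/payments"): "payment_write",
}


def issue_token(username: str, requested_scope: str) -> dict:
    """Password grant: grant only the requested scopes the user's roles allow.

    requested_scope is the space-separated value of the 'scope' parameter.
    Scopes the user is not entitled to are dropped silently, as in the page's
    example where Alex asks for payment_write but receives only payment_read.
    """
    allowed = set()
    for role in USER_ROLES.get(username, set()):
        allowed |= ROLE_SCOPES.get(role, set())
    granted = [s for s in requested_scope.split() if s in allowed]
    return {"scope": " ".join(granted), "token_type": "bearer", "expires_in": 3299}


def authorize(token: dict, method: str, path: str) -> int:
    """Gateway check: 200 if the token's scope covers the resource, else 403."""
    required = RESOURCE_SCOPES.get((method, path))
    if required is None:
        return 404  # unknown resource
    return 200 if required in token["scope"].split() else 403


if __name__ == "__main__":
    alex = issue_token("alex", "payment_read payment_write")
    charlie = issue_token("charlie", "payment_read payment_write")
    print(alex["scope"], authorize(alex, "POST", "/payments"))        # payment_read 403
    print(charlie["scope"], authorize(charlie, "POST", "/payments"))  # payment_read payment_write 200
```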
Access Tokens

...