Posted to dev@fineract.apache.org by Ed Cable <ed...@mifos.org> on 2016/09/23 23:13:51 UTC

Using Self-Service APIs to return accounts of only one client

Adi,

Can you give guidance to the community via the mailing list on how to
properly use the self-service APIs? The primary use case and what they were
designed for is for an individual client to authenticate himself or herself and
only have access to his/her individual accounts.

Both Vishwajeet and a user on Gitter @AntuanC (see message below) have had
issues in using the API in such a manner whereby they return a list of
multiple clients and not just the accounts for that one client.


@AntuanC
"Hello everyone,
I want to create a user for customers, so they may login and check your
statements.
However I find no way to link a user to a specific customer, so that only
you can see their accounts and not those of all customers.
Can you help me?"


-- 
*Ed Cable*
Director of Community Programs, Mifos Initiative
edcable@mifos.org | Skype: edcable | Mobile: +1.484.477.8649

*Collectively Creating a World of 3 Billion Maries | *http://mifos.org
<http://facebook.com/mifos>  <http://www.twitter.com/mifos>

RE: Using Self-Service APIs to return accounts of only one client

Posted by Adi Raju <ad...@confluxtechnologies.com>.
Self Service APIs were created not only with the end customer in mind. These APIs were created to support agent banking, field staff and other scenarios as well. The basic idea is that the data and operations are restricted as compared to bank staff.
The design decisions and the approach are documented here: https://mifosforge.jira.com/wiki/display/MIFOSX/Customer+Self+Service , https://mifosforge.jira.com/wiki/display/MIFOSX/Customer+Self+Service+-+Phase+2


Gist of the document:
1. App users and roles/permissions are reused. A self-service user is created/managed using the user APIs, https://demo.openmf.org/api-docs/apiLive.htm#users_create, by passing the additional params isSelfServiceUser and clients while creating an app user.
2. A self-service user would have access to the information of all the clients that are provided as part of the clients param. In the case of an agent banking scenario, there can be more than 1 client, who might be able to perform operations on behalf of a client. In the case of an individual client, the clients list would be only 1.
3. As part of the user authentication response, if it is a self-service user, the list of clients data is sent. If the clients list contains only one client, then the end-user app need not use the /self/clients endpoint. They can start using /self/clients/{clientId} directly. So the intelligence is expected in the self-service app, based on the scenario in which it would be used.

Regards,
Adi
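
The three steps in the reply above, sketched as the routing logic a self-service app could apply after login. This is an added example, not part of the original message and not Fineract code. It assumes the authentication response carries the linked clients under a `clients` key as a list of client ids; the function names and sample values are hypothetical.

```python
# Constructed sample authentication responses (not captured from a real server).
# Assumption: linked clients arrive under a "clients" key as a list of client ids.
SINGLE_CLIENT_AUTH = {"username": "maria", "clients": [27]}
AGENT_AUTH = {"username": "agent7", "clients": [27, 31, 44]}
UNLINKED_AUTH = {"username": "orphan"}


def self_service_user_fields(base_user, client_ids):
    """Step 1: add the two self-service params to a user-creation body."""
    ids = sorted(set(int(c) for c in client_ids))
    if not ids:
        raise ValueError("a self-service user needs at least one linked client")
    body = dict(base_user)  # the caller supplies the ordinary app-user fields
    body["isSelfServiceUser"] = True
    body["clients"] = ids
    return body


def linked_clients(auth):
    """Step 2: the client ids this login is scoped to (empty if none listed)."""
    return [int(c) for c in auth.get("clients", [])]


def landing_path(auth):
    """Step 3: pick the endpoint to open after login."""
    ids = linked_clients(auth)
    if not ids:
        raise PermissionError("login is not linked to any client")
    if len(ids) == 1:
        return "/self/clients/%d" % ids[0]  # individual customer: skip the list
    return "/self/clients"  # agent scenario: list the linked clients first


def client_path(auth, client_id):
    """Path for one client, refused unless this login is linked to it."""
    if int(client_id) not in linked_clients(auth):
        raise PermissionError("client %s is not linked to this login" % client_id)
    return "/self/clients/%d" % int(client_id)
```

The check in `client_path` only keeps the app from requesting ids outside the list it was given at login; it does not replace the restriction the server applies to a self-service user.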

-----Original Message-----
From: Ed Cable [mailto:edcable@mifos.org] 
Sent: 24 September 2016 04:44
To: dev@fineract.incubator.apache.org
Cc: Antuan Ariel Castillo; Vishwajeet Srivastava
Subject: Using Self-Service APIs to return accounts of only one client
