
User profile lifecycle


Overview

There are two major sources for user profiles:

  • Hii Retail IAM
  • Relevate CRM

User profile from IAM

create-base-profile-iam

The base user profile will be created or updated when a user authenticates with Hii Retail IAM. The IAM should update the profile on every authentication to make sure any changed user attributes are updated in the base profile.

If the IAM system wants to access profile information, it should use a system-specific user profile. The system-specific profile inherits the base profile and offers additional API capabilities not available for base profiles.

create-system-profile-with-token

A system specific user profile will be created when a user first accesses a system that requires a profile. The system user profile can only be created from a user's access token. This ensures that a user has accessed a service before it can establish a profile.

The system can now use the profile and reference it by its unique ID. All references to the user must always use the system profile ID and not any identifiers from the user token. User profiles use a predictable profile ID created from a hash of the tenant ID together with the subject and the issuer from the user's Hii Retail IAM token.

SHA256 {subject}|{issuer}|{tenantId}

  • The tenantId is the unique tenant identifier.
  • The subject is obtained from the sub claim in the Hii Retail IAM token.
  • The issuer is obtained from the iss claim in the Hii Retail IAM token.
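
The ID derivation above, as an added example that is not Hii Retail code: it shows how a service could compute the profile ID from token claims and check it against the references it has stored. Assumptions not stated on this page: the joined string is UTF-8 encoded, the digest is rendered as lowercase hex, and the claims come from a token that has already been verified; `profile_id`, `resolve_reference` and all sample values are hypothetical.

```python
import hashlib

SEPARATOR = "|"  # literal separator from the page's formula


def profile_id(claims: dict, tenant_id: str) -> str:
    """Derive the system profile ID from verified token claims.

    Assumptions (not stated on the page): UTF-8 encoding of the joined
    string and lowercase hex output of the digest.
    """
    parts = {"sub": claims.get("sub"), "iss": claims.get("iss"), "tenantId": tenant_id}
    for name, value in parts.items():
        # A missing or empty part would still hash to a valid-looking ID,
        # so fail loudly instead of referencing the wrong profile.
        if not isinstance(value, str) or not value.strip():
            raise ValueError(f"missing or empty {name}")
    # Order matters: {subject}|{issuer}|{tenantId}
    joined = SEPARATOR.join((parts["sub"], parts["iss"], parts["tenantId"]))
    return hashlib.sha256(joined.encode("utf-8")).hexdigest()


def resolve_reference(claims: dict, tenant_id: str, stored_ids: set) -> tuple:
    """Return (profile_id, known) so a caller can fetch by ID when the profile exists."""
    pid = profile_id(claims, tenant_id)
    return pid, pid in stored_ids


# Constructed sample claims; a real service takes these from a token whose
# signature, issuer and audience it has already verified.
SAMPLE_CLAIMS = {"sub": "user-1234", "iss": "https://iam.example.invalid", "aud": "svc"}

if __name__ == "__main__":
    pid_a = profile_id(SAMPLE_CLAIMS, "tenant-a")
    pid_b = profile_id(SAMPLE_CLAIMS, "tenant-b")
    print("tenant-a:", pid_a)
    print("tenant-b:", pid_b)  # same user, different tenant, different ID
    print(resolve_reference(SAMPLE_CLAIMS, "tenant-a", {pid_a}))
```

Because the tenant ID is part of the hash input, the same subject and issuer map to unrelated IDs in different tenants, so a stored reference from one tenant never resolves in another.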

User profile from integrated CRM

create-base-profile-crm

Integrated CRM systems (e.g. Relevate CRM) can create base profiles that contain the personal data of their customers. The CRM system should also create the system-specific user profiles for systems that the user has signed up for. This allows the CRM to manage consent and to onboard users in systems without depending on information being propagated through an identity token.

An integrated CRM system should, just like the IAM, always access profiles using a system-specific user profile. The system-specific profile inherits the base profile and offers additional API capabilities not available for base profiles.

find-system-profile-with-query

With CRM-based user profiles, we cannot know whether the user profile can be identified from the contents of the user authentication. Services can therefore find the user profile using a search query to locate the correct profile. If the user profile ID is known or can be calculated, it should be used instead of a find query.

Accessing the system user profile

The system user profile can be accessed in three ways.

Get profile with user token

get-system-profile-with-token

This method should be used whenever the service is accessed by the user. It is the same flow as when the profile was created and will seamlessly reuse any existing profile for the system.

Get profile by ID

get-system-profile-with-id

When a system profile exists it can be accessed by its ID. An example use case could be some asynchronous batch processing that needs access to something in the user profile. For those scenarios, the service should have stored a reference to the profile ID and fetch the profile attributes it needs from the User Profile Service.

Find profile by query

find-system-profile-with-query

A system user profile can be located using a find query. This query will only find a single user profile that matches the search criteria. It can be used both to look up a user's own profile based on information provided by the user and in administrative user management use cases.

Removal of user profile

profiles-deletion

The user can request to be forgotten in individual systems or in all systems.

  • Remove the system user profile to be forgotten in an individual system.
  • Remove the base user profile to be completely forgotten in all systems.

If a forgotten user revisits the system, a new user profile with a new unique ID will be created. For all intents and purposes, this will be a completely new user in that service. However, the profile will still be backed by the same underlying base profile.