Data Flow
User flow
User accounts can be seen in Keycloak on the ‘users’ tab in the dev-portal realm.
Currently there is no distinction between ‘individual’ and ‘organization’ users. Each user account is tagged with an organizationType attribute when production access is requested; if several individuals from one organization need access, they have to share a single user account.
We have set up custom user attributes on each user that are visible and editable in the Keycloak UI. These attributes are configured in realm settings > user profile. They are populated or updated at registration, on submission of the production access forms, and manually by an internal 1up employee during vetting and approval for production access.
Registration
- Users can self-register at (one of these links).
- Our registration flow is built here and is configured in Keycloak in realm settings in the dev-portal realm.
- Email verification is configured, meaning a user will receive an email with a verification link to complete registration.
- Upon registration, a user is created in Keycloak in the dev-portal realm. This user account has many custom attributes on it, which are configured in realm settings > user profile tab, and which can be seen on the user in the Keycloak UI.
Sandbox Clients Tab
Upon registration, the user attribute accountStatus is set to sandbox, and the user has access to the sandbox clients tab in the Dev Portal at /1up-dev-portal/sandbox. Here they can create and manage sandbox clients.
Production Access Forms
- To gain production access, a user must submit a multi-stage production access form at /1up-dev-portal/production/access.
- Once a user submits this form, their user attribute accountStatus changes to prod_pending, and we send an internal notification email to the address configured in the AWS Parameter Store variable /1up-console/PRODUCTION_REQUEST_RECIPIENT_EMAIL. In prod, this should be prod-access@1up.health.
- An internal 1up employee will then locate the user in Keycloak, review the information submitted, and, if we want to grant production access, change the accountStatus attribute to prod. This turns on production access for the user.
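The accountStatus workflow above, as an added example that is not part of the Dev Portal or Keycloak code: a small Python model that gates the sandbox and production tabs and allows only the two transitions the page defines (the user submits the form; an internal reviewer approves), so the status cannot be skipped or set by the requester. The function names, the actor labels, and the assumption that Keycloak hands back attributes as lists of strings are mine, not the project's.

```python
# Added example (not part of the 1up Dev Portal code base): the accountStatus
# lifecycle from this page, enforced server-side rather than trusting a status
# value sent by the browser. Assumed: Keycloak returns user attributes as a
# dict of string lists (UserRepresentation shape); names are the page's own.

ACCOUNT_STATUS_ATTR = "accountStatus"
SANDBOX, PROD_PENDING, PROD = "sandbox", "prod_pending", "prod"

# The only two transitions the page defines, with the actor allowed to make
# each one. Anything else (e.g. sandbox straight to prod) is rejected.
TRANSITIONS = {
    (SANDBOX, PROD_PENDING): "user",            # production access form submitted
    (PROD_PENDING, PROD): "internal_reviewer",  # manual vetting in Keycloak
}

# Constructed sample user, shaped like a Keycloak UserRepresentation.
SAMPLE_USER = {
    "username": "dev@example.org",
    "attributes": {ACCOUNT_STATUS_ATTR: [SANDBOX]},
}

def account_status(user: dict) -> str:
    """Read accountStatus; no value yet means sandbox (the least-privileged
    state) and a multi-valued attribute is treated as an error."""
    values = user.get("attributes", {}).get(ACCOUNT_STATUS_ATTR, [])
    if len(values) > 1:
        raise ValueError("accountStatus must be single-valued")
    return values[0] if values else SANDBOX

def can_access(user: dict, tab: str) -> bool:
    """Sandbox tab is open to every registered user (assumed to stay open while
    a request is pending); the production tab only once status is prod."""
    status = account_status(user)
    if tab == "sandbox":
        return status in (SANDBOX, PROD_PENDING, PROD)
    if tab == "production":
        return status == PROD
    return False

def allowed_transition(user: dict, new_status: str, actor: str) -> bool:
    # True only if the workflow defines this move for this actor.
    return TRANSITIONS.get((account_status(user), new_status)) == actor

def transition(user: dict, new_status: str, actor: str) -> dict:
    """Return a copy of the user with accountStatus advanced, or raise."""
    if not allowed_transition(user, new_status, actor):
        raise PermissionError(
            f"{actor} may not move {account_status(user)} -> {new_status}")
    attrs = {**user.get("attributes", {}), ACCOUNT_STATUS_ATTR: [new_status]}
    return {**user, "attributes": attrs}
```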
Production Clients Tab
- Once production access has been granted, the user has access to the production clients tab in the Dev Portal at /1up-dev-portal/production. Here they can create and manage production clients.
- Another important user attribute is organizationType, which is captured in the production access request forms and defines which client access types a user can create. Client access types represent different 0057 rule cases (Patient Access, Provider Access, etc.).
- The table below shows which client access types a user with each organization type can create: