Delegated auth rules for auth-client library to allow access to agents to their clients's data. Currently supports:
- PAYE (IR-PAYE)
- Self-Assessment (IR-SA)
- MTD Self-Assessment (MTDITID)
- MTD Value Added Tax (VAT)
- MTD Income Record Viewer (AFI)
- MTD Trusts (TERS)
- MTD Non-Taxable-Trusts (TERSNT)
- MTD Capital Gains (CGT)
- MTD Plastic Packaging Tax (PPT)
- Country by country reporting (CBC)
- Pillar2 (PILLAR2)
The rules for access control have changed with agent access groups. If an agency has opted to turn on access groups then the agent user will be granted access to a client if
- the client has a relationship with the agency
- the client and the agent user belong to the same access group or the client does not belong to any access group
If the agency has opted to turn off access groups then the agent user will be granted access provided the client has a relationship with the agency.
In Terminal, Run the following profile:
sm --start AGENT_AUTHORISATION -r
-
Log In as Agent
-
Create Relationship Via Curl using Agent Arn, Client Service and Identifier.
curl -v -X PUT -H 'Authorization: Bearer Token' http://localhost:9434/agent-client-relationships/agent/AARN0002908/service/HMRC-MTD-VAT/client/VRN/267729808
- Curl Agent Access Control To Test Relationship Exists. E.g:
curl -v -H'Authorization: Bearer Token' http://localhost:9431/agent-access-control/mtd-vat-auth/agent/9AK6XC1JX8NE/client/267729808
Alternatively create the relationship via UI (Please speak to team about this).
authorised(
Enrolment("IR-PAYE")
.withIdentifier("TaxOfficeNumber", "123")
.withIdentifier("TaxOfficeReference", "123")
.withDelegatedAuthRule("epaye-auth")) { /* your protected logic */ }
authorised(
Enrolment("IR-SA")
.withIdentifier("UTR", "123")
.withDelegatedAuthRule("sa-auth")) { /* your protected logic */ }
authorised(
Enrolment("HMRC-MTD-IT")
.withIdentifier("MTDITID", "123")
.withDelegatedAuthRule("mtd-it-auth")) { /* your protected logic */ }
authorised(
Enrolment("HMRC-MTD-IT-SUPP")
.withIdentifier("MTDITID", "123")
.withDelegatedAuthRule("mtd-it-auth-supp")) { /* your protected logic */ }
authorised(
Enrolment("HMRC-MTD-VAT")
.withIdentifier("VRN", "123")
.withDelegatedAuthRule("mtd-vat-auth")) { /* your protected logic */ }
authorised(
Enrolment("HMRC-NI")
.withIdentifier("NINO", "123")
.withDelegatedAuthRule("afi-auth")) { /* your protected logic */ }
authorised(
Enrolment("HMRC-TERS-ORG")
.withIdentifier("SAUTR", "123")
.withDelegatedAuthRule("trust-auth")) { /* your protected logic */ }
authorised(
Enrolment("HMRC-TERSNT-ORG")
.withIdentifier("URN", "123")
.withDelegatedAuthRule("trust-auth")) { /* your protected logic */ }
authorised(
Enrolment("HMRC-CGT-PD")
.withIdentifier("CGTPDRef", "123")
.withDelegatedAuthRule("cgt-auth")) { /* your protected logic */ }
authorised(
Enrolment("HMRC-PPT-ORG")
.withIdentifier("EtmpRegistrationNumber", "123")
.withDelegatedAuthRule("ppt-auth")) { /* your protected logic */ }
Note: POSTs function exactly the same.
authorised(
Enrolment("HMRC-CBC-ORG" /* or HMRC-CBC-NONUK-ORG */)
.withIdentifier("cbcId", "XYCBC1234567890")
.withDelegatedAuthRule("cbc-auth") { /* your protected logic */ }
)
authorised(
Enrolment("HMRC-PILLAR2")
.withIdentifier("PLRID", "XYPILLAR21234567890")
.withDelegatedAuthRule("pillar2-auth") { /* your protected logic */ }
)
Headers: need to contain a valid Authorization
header.
Each API Will Respond with the following:
code | scenario |
---|---|
200 | {client identifier} is assigned to logged in agent for {Supported Service} (Enrolment Store Proxy check) AND the logged in user's agency (agentCode) has a valid authorisation to act on behalf of {client identifier} for dealing with {Supported Service} (HODs check). |
401 | The conditions are not met. |
502 | In case of any error responses in downstream services. |
504 | In case of a timeout while querying downstream services. |
Always 200
with empty body.
Displays metrics as JSON.
Displays META-INF/MANIFEST.MF
as JSON.