System User
To start using system users you must complete a few administrative steps and adapt your own solution.
Below is a high-level checklist of the steps a service owner and an end-user system vendor must complete to start using system users.
Service owner
1 Create service
2 Choose authentication
Maskinporten is one of the foundational components that system users build on. It guarantees authenticity and lets the service owner perform coarse-grained access management through scopes. The Maskinporten token is also the carrier of system-user information, which enables the service owner to enforce access control through Altinn Authorization.
The service therefore has to support Maskinporten, and at least one scope must be configured on the service.
Follow the steps in the Samarbeidsportalen guide to enable Maskinporten for your service.
The Maskinporten token that contains system-user information does not reveal which end user performed an operation. When you need insight into the person performing an action, the service must also support ID-porten authentication.
3 Register resource
4 Integrate with Altinn Authorization
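As an added illustration of steps 2 and 4 (not code from Altinn or Maskinporten), the sketch below shows the coarse-grained checks a service could run on a token payload before asking Altinn Authorization for a decision. It assumes the signature was already verified against the issuer's keys and that system-user information sits in an `authorization_details` entry with the claim names shown, which should be confirmed against the Maskinporten and Altinn documentation; the issuer, scope and identifiers are constructed placeholders.

```python
import time

SYSTEMUSER_TYPE = "urn:altinn:systemuser"  # assumed authorization_details type

class AccessDenied(Exception):
    """Raised when the token payload fails a coarse-grained check."""

def systemuser_from_claims(claims, required_scope, expected_issuer, now=None):
    """Check an already signature-verified payload; return system-user details."""
    now = time.time() if now is None else now
    if claims.get("iss") != expected_issuer:
        raise AccessDenied("unexpected issuer")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise AccessDenied("expired or missing exp")
    # Scopes are space-delimited: compare whole values, never substrings,
    # or "example:service.read" would be satisfied by "example:service.readall".
    scope = claims.get("scope")
    if not isinstance(scope, str) or required_scope not in scope.split():
        raise AccessDenied("required scope not granted")
    details = claims.get("authorization_details")
    entries = [d for d in (details if isinstance(details, list) else [])
               if isinstance(d, dict) and d.get("type") == SYSTEMUSER_TYPE]
    if len(entries) != 1:  # example policy: ambiguous or absent system user is refused
        raise AccessDenied("expected exactly one system-user entry")
    entry = entries[0]
    ids, org = entry.get("systemuser_id"), entry.get("systemuser_org")
    if not (isinstance(ids, list) and len(ids) == 1 and isinstance(ids[0], str)):
        raise AccessDenied("malformed systemuser_id")
    if not (isinstance(org, dict) and org.get("ID") and entry.get("system_id")):
        raise AccessDenied("incomplete system-user entry")
    # The payload identifies the system user only; no end-user identity is present.
    return {"systemuser_id": ids[0], "org": org["ID"], "system_id": entry["system_id"]}

# Constructed sample payload (not a real token; all values are placeholders).
SAMPLE = {
    "iss": "https://issuer.example/",
    "exp": 2_000_000_000,
    "scope": "example:service.read example:service.write",
    "authorization_details": [{
        "type": SYSTEMUSER_TYPE,
        "systemuser_org": {"authority": "iso6523-actorid-upis", "ID": "0192:000000000"},
        "systemuser_id": ["00000000-0000-0000-0000-000000000001"],
        "system_id": "000000000_example_system",
    }],
}

if __name__ == "__main__":
    print(systemuser_from_claims(SAMPLE, "example:service.read",
                                 "https://issuer.example/", now=1_700_000_000))
```

The returned values are what the service would pass on when requesting the fine-grained decision; the scope check alone does not establish what the system user is allowed to do.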
System vendor
Maskinporten onboarding
System users build on Maskinporten, which lets the service owner secure authentication and manage access to the service through scopes. The Maskinporten token also carries the system-user information used when Altinn Authorization evaluates access.
You need a Norwegian organisation number to get access to Maskinporten. See Maskinporten for details.
By signing the terms of use for Maskinporten and ID-porten you receive access to both the test and production environments.
- Connect to Maskinporten – follow the steps in Get started with Maskinporten.
- Create a Maskinporten client. You can do this in Samarbeidsportalen or via the API. Creating a client requires that the Maskinporten connection is in place. See the Maskinporten client guide.
Gain access to the System User APIs
By signing the terms of use for Altinn you gain access to both the test and production environments.
Fill in the registration form for end-user system vendors and tick the system user option to receive the required scopes:
- altinn:authentication/systemuser.request.read
- altinn:authentication/systemuser.request.write
- altinn:authentication/systemregister.write
If the end-user system will use the client delegations API, it also needs:
- altinn:clientdelegations.read
- altinn:clientdelegations.write
Register the system in the System Registry
To consume services through your end-user system, the system must be registered in the Altinn System Registry.
Registration is done via the API. The system must be linked to the Maskinporten client created in step 3.
Which access packages and/or individual services you need depends on the service you plan to consume – see the service documentation for details.
The current Altinn roles will be replaced by access packages. See access packages for more information.
Request access to the service owner's APIs
Adapt the system for your customers
This step often takes some time because it involves your users. We recommend allocating sufficient time and involving users early.
A system user is defined by the access packages the end-user system vendor selects. The possible access packages are those that were configured when the system was registered in the System Registry. To know which access packages a system user requires, you have to map the tasks your users perform and the services they need.
See the system user guides for detailed scenarios.