User's Guide: Create, Update, Revoke Third-Party Groups

1.0 Introduction

Welcome to the Fortanix Confidential Computing Manager (CCM) User Guide. This document describes the steps to create, update, and revoke third-party groups in CCM.

A Fortanix CCM third-party group is an entity that is created when two groups from different Fortanix CCM accounts wish to collaborate. During collaboration, they can share the objects of each other’s groups.

2.0 Create Multi-Party Groups

A Fortanix CCM third-party group is an entity that is created when two groups from different accounts wish to collaborate. During collaboration, they can share the objects of each other’s groups.

2.1 Create Source Group

The following section describes an example to explain the collaboration between three CCM groups from different CCM accounts using a workflow where one group will be the Source group and the other two groups will be the Recipient groups.

The steps to create a third-party source group for workflow collaboration are:

  1. Log in to Fortanix CCM and create a new account, for example: DemoA or go to an existing account.
    For steps to log in and create a new Fortanix CCM account, refer to User’s Guide: Logging In.
  2. On the Groups page, click ADD GROUP on the top-right corner of the screen to create the source group.
    CreateGroup-CCM-Multiparty.png
    Figure 1: Create source group
  3. In the Create Group form, enter the Name of the source group, for example: DemoA-Group1.
  4. Click CREATE GROUP to create the source group.
    NewGroup-MultiParty.png
    Figure 2: Create source group
    The group is successfully created.
  5. Click the group to go to the detailed view of the source group.
  6. Now create a new application in the source group to participate in the workflow collaboration. Click the add button on the Applications tile.
    App-MultiParty.png
    Figure 3: Source group - detailed view
  7. Create an EDP or Enclave OS application in the source group.
    For steps to create an application, refer to the User’s Guide: Add and Edit an application.

2.2 Create Recipient Groups

To create the recipient groups to participate in a workflow collaboration, follow the steps outlined below.

NOTE
To collaborate with the resources in the source group, you need to create two new additional groups in different Fortanix CCM accounts.
  1. Create two new Fortanix CCM accounts, For example: DemoB and DemoC or log in to existing accounts if already present. For steps to log in and create a new Fortanix CCM account, refer to User’s Guide: Logging In
  2. Repeat Steps 2 to 4 in Section 2.1: Create Source Group, to create the two new recipient groups, for example: DemoB-Group2 and Democ-Group3.
  3. Now create a new dataset for the recipient groups to participate in the workflow collaboration.
    Go to the detailed view of the group: DemoB-Group2 and click the add button Plus-CCMDoc27.png on the Datasets tile.
  4. In the CREATE NEW DATASET form,
    1. Enter a Name for the dataset, for example: DatasetB.
    2. Enter a Description (optional) and attach one or more key-value labels to the dataset for the Labels field (optional).
    3. Select the group for the dataset, that is, DemoB-Group2.
    4. Enter the URL of where the dataset can be accessed in the Location field.
    5. In the Long Description field, enter the content in GitHub-flavoured Markdown file format. You can also use the Fetch Long Description button to get the Markdown file content from an external URL.
    6. Enter the Credentials needed to access the data.
    7. Click CREATE DATASET to create the dataset for the recipient group DemoB-Group2.
      Dataset-Multiparty.pngDataSet1-MultiParty.png
      Figure 4: Create dataset for the recipient group
      The dataset is created successfully.
  5. Repeat Steps 3 to 4 above to create a dataset, for example: DatasetC for the recipient group DemoC-Group3.
    DataSetC-MultiParty.pngDataSet1-MultiParty.png
    Figure 5: Create dataset for the recipient group

2.3 Share Participation Token

For a Fortanix CCM source group to request a Fortanix CCM recipient group for collaboration, the source group must prove itself to be an authenticated group. This can be achieved if the recipient groups create a 'group participation token', that can be used to identify themselves. When the source group requests a recipient group for collaboration, the recipient group provides the group participation token to identify itself. The recipient group verifies the participation token in the request and authenticates the source group.

To share the participation token:

  1. Go to the detailed view of DemoB-Group2 in the DemoB account and in the GENERAL tab, click the GENERATE TOKEN button in the “Participation Tokens” section to generate a new participation token.
    GenerateToken-MultiParty.png
    Figure 6: Generate Token
  2. Click the COPY icon to copy the participation token. This participation token must be shared with the source group for collaboration. How the token can be shared is out of the scope of this guide.
    CopyToken-MultiParty.png
    Figure 7: Copy participation token
  3. Similarly, go to the detailed view of DemoC-Group3 in the DemoC account and repeat Steps 1 to 2 above to copy the participation token of DemoC-Group3 and share it with the source group.
  4. You can also view the generated participation token by clicking the VIEW TOKENS button.
    ViewToken-MultiParty.png
    Figure 8: View token

2.4 Create Third-Party Shared Group

To create a third-party group for workflow collaboration, follow the steps outlined below:

  1. Go to the detailed view of the source group, that is, DemoA-Group1, in the account DemoA.
  2. Click the SHARE button on the top-right corner of the page.
    Share-MultiParty.png
    Figure 9: Share group
  3. In the TOKENS dialog box, paste the group participation token shared by the recipient group in Section 2.3: Share Participation Token.
  4. Click SHARE to create the third-party group.
    AddToken-MultiParty.png
    Figure 10: Enter participation token
  5. On the Groups page, click the THIRD PARTY GROUPS tab.
  6. On the Third Party Groups page, under the SOURCE ROLE tab, you will see that the source group DemoA-Group1 in the GROUP column is now associated with a recipient group DemoB-Group2 in the RECIPIENT GROUP column.
    Association-MultiParty.png
    Figure 11: Source group association
  7. In the STATUS column, you will see that the status of the third-party group creation is still in a Pending state.
    NOTE
    The recipient groups must accept the third-party group so that collaboration can begin between the respective source and the recipient groups
  8. Go to the recipient group DemoB-Group2 and click the THIRD PARTY GROUPS tab.
  9. Click the RECIPIENT ROLE tab. Observe that the recipient group DemoB-Group2 now shows an association with the source group DemoA-Group1.
    AssociationDemoB-MultiParty.png
    Figure 12: Recipient group association
  10. To approve the third-party group association, click the more option Overflow.png icon for the recipient group row and expand the UPDATE STATUS menu.
  11. Click APPROVE to approve the collaboration.
    ApproveAssociation-MultiParty.png
    Figure 13: Approve collaboration
  12. The status is now updated to Accepted in the recipient and source groups.
    ApprovedB-MultiParty.png
    Figure 14: Status accepted
  13. Go to the source group and observe that the status is now updated to Accepted.
    ApprovedA-MultiParty.png
    Figure 15: Status accepted
  14. Similarly, repeat Steps 1 to 13 above to create a third-party shared group between the source group DemoA-Group1 and the recipient group DemoC-Group3 using the participation token shared by the DemoC-Group3 group member with DemoA-Group1 group administrator.
    ApprovedAwithC-MultiParty.png
    Figure 16: Third party shared group

2.5 Create a Shared Workflow

The source group administrator will now initiate the collaboration between the source and recipient groups by creating a shared workflow. To create a shared workflow for workflow collaboration, the source group administrator will create placeholder nodes and assign these nodes to the group members of the recipient groups to update the node with a dataset or application for the collaboration.

To create a shared workflow, follow the steps outlined below. These steps must be performed by a source group administrator.

  1. In the DemoA account, click the Workflows menu item in the CCM UI left navigation bar.
  2. On the Workflows page, click +WORKFLOW to create a new workflow.
  3. In the CREATE NEW WORKFLOW form,
    1. Enter the workflow Name.
    2. In the Group field (optional), select the source group for the shared workflow. If no group is selected, the default group will be considered.
    3. Click CREATE WORKFLOW, to create the shared workflow.
      SharedWorkflowCreate-MultiParty.png
      Figure 17: Create shared workflow
  4. On the workflow graph, add an application that belongs to the source group DemoA-Group1.
    SelectApp-MultiParty.png
    Figure 18: Add application to workflow graph

    For more information on how to create a workflow graph, refer to User’s Guide: Create Workflow.
  5. Add a dataset placeholder node that will be assigned to the recipient group DemoB-Group2.
    AddDataset-MultiParty.png
    Figure 19: Add dataset
  6. Select the recipient group for the dataset.
    SelectGroupDataset-MultiParty.png
    Figure 20: Select recipient group
    SelectGroupDataset1-MultiParty.png
    Figure 21: Select recipient group
  7. Similarly, follow Steps 5 to 6 above to add a dataset placeholder node from DemoC-Group3 to the workflow graph.
    Workflow-MultiParty-new.png
    Figure 22: Dataset added from recipient group
  8. Make a connection between the application and the two datasets.
  9. Click SAVE AS DRAFT to save the workflow as a draft so that the members of the recipient groups will see the draft workflow in their respective accounts and fill the placeholder nodes.
    WorkflowConnect-MultiParty-new.png
    Figure 23: Connect the application and datasets

2.6 Fill the placeholder Nodes with Actual Data

The following steps must be performed by the recipient group members:

  1. As a group member of the recipient group DemoB-Group2 in the account DemoB, go to the Workflows page and click the Draft workflow tab.
  2. You will see the placeholder node that has been assigned to you by the group administrator of the source group DemoA-Group1.
    FillDatasetDemoB-MultiParty-new.png
    Figure 24: Fill placeholder nodes with data
  3. Click the placeholder node to add the dataset. In the ADD DATASET form, select the dataset that you created earlier in Section 2.2: Create Recipient Groups from the list.
    AddDatasetDemoB-MultiParty.png
    Figure 25: Select dataset
  4. After adding the dataset, click SAVE AS DRAFT to save the updated shared workflow.
    SaveDemoBDataset-MultiParty-new.png
    Figure 26: Save workflow draft
  5. As a group member of the recipient group DemoC-Group3, go to the DemoC account and repeat Steps 1 to 4 above to fill the placeholder node with the dataset that you created earlier in Section 2.2: Create Recipient Groups.
    SaveDemoCDataset-MultiParty-new.png
    Figure 27: Save workflow draft
  6. Now the workflow is complete with all the placeholder nodes filled by the respective recipient group members.

2.7 Request Approval to Create Approved Workflow

After a workflow with placeholder nodes is filled with the objects from the required recipient groups and is ready to go, each of the recipient groups should approve it.

NOTE
The source group cannot approve the request until all recipient groups approve it. This is to ensure that the recipient group members are confident about the data sharing.

After the shared workflow is approved by all participant groups, the shared workflow will be an approved workflow. To create an approved workflow, perform the steps outlined below:

  1. As a group administrator of the source group DemoA-Group1, go to the Draft workflow tab, and click the REQUEST APPROVAL button to request the recipient group members for workflow approval.
    RequestApprovalRecipient-MultiParty-new.png
    Figure 28: Request shared workflow approval
    The workflow is now pending approval from other recipient group members. Click the Pending tab to see the workflow in the pending approval state.
    PendingApprovalWorkflow-MultiParty-new.png
    Figure 29: Pending approval
  2. As group members from the recipient groups, you must approve the workflow. Go to the Workflows page in DemoB account, and in the Pending tab, click SHOW APPROVAL REQUEST to approve the workflow.
    ShowApprovalRequestDemoB-MultiParty-new.png
    Figure 30: Approve the workflow
  3. In the APPROVAL REQUEST – CREATE WORKFLOW dialog box, click APPROVE to approve the workflow.
    ApproveWorkflowDemoB-MultiParty-new.png
    Figure 31: Approve workflow
  4. As a group member of the recipient group DemoC-Group3, repeat Steps 2 to 3 above to approve the workflow.
    ApproveWorkflowDemoC-MultiParty-new.png
    Figure 32: Approve workflow
  5. After the recipient group members have approved the workflow, the group administrator of the source group must finally approve the workflow to complete the workflow approval process.
    ApproveWorkflowDemoA-MultiParty-new.png
    Figure 33: Approve workflow
  6. The shared workflow will now appear in the Approved tab.
    ApprovedWorkflow-MultiParty-new.png
    Figure 34: Workflow approved
NOTE
After a shared workflow is in the approved state, no further changes can be made to the workflow. If you want to make changes using the EDIT WORKFLOW option as described in User’s Guide: Create Workflow, a new version of the workflow will be created. After the new version of the workflow is approved, it supplants the first version of the workflow.

2.8 Run the Shared Workflow

A shared workflow can only be run by the owner of the workflow, that is, the source group administrator. The participants, that is, the recipient group members, cannot run the workflow.

2.9 Revoke Token

A “Group Participation Token” can be revoked by the recipient group member. Revoking a Group Participation Token does not affect the existing third-party group collaboration between the recipient group and the source group. The workflow collaboration will still work.
RevokeToken-MultiParty.png
Figure 35: Revoke token

2.10 Revoke Status

To revoke the collaboration with the recipient or source group, click the More options Overflow.png icon on the Third Party Groups page, and click REVOKE against the source or recipient group’s row to revoke or break the collaboration. The workflow collaboration will not work after this. The collaboration can be revoked from the source or recipient groups.
RevokeStatus-MultiParty.png
Figure 36: Revoke collaboration status

 

Comments

Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful