<div class="gfmr-markdown-container"><div class="gfmr-markdown-source" style="display: none;"># Organization Onboarding Checklist
These steps should ensure a good user experience for organizations that are new
to the PDC. The intended audience is PDC administrators.
## In the PDC Keycloak
These steps require Keycloak PDC realm administrative access.
Use https://auth.philanthropydatacommons.org/admin to do these steps.
- [ ] Add a human from the organization to Keycloak users
- [ ] Add the organization to Keycloak organizations
  - [ ] Follow existing naming conventions
  - [ ] Note/copy the new organization UUID for use below
- [ ] If the organization has an IdP, follow the steps in `./ORGANIZATION_IDP_INTEGRATION.md`
- [ ] If the organization will submit data using software, add a Keycloak client
  - [ ] Follow the `pdc-[org short name]-data-ingest` naming convention
  - [ ] Set "Client authentication" to "On"
  - [ ] Check "service accounts roles"
  - [ ] Uncheck all other Authentication flows
  - [ ] Save, click the "Service accounts roles" tab
  - [ ] Click the link following "To manage detail and group mappings, …"
  - [ ] Set a First Name that includes the organization name
  - [ ] Set a Last Name of "Service Account"
  - [ ] Click "Save"
  - [ ] Click the "Organizations" tab
  - [ ] Join the service account user to the Keycloak organization
  - [ ] Note/copy the new service account user UUID for use below
  - [ ] Send the data integrator the client ID and secret
- [ ] Join at least one (human) Keycloak user to the Keycloak organization
## In the PDC service
These steps require membership in the `pdc-admin` group.
Use https://api.philanthropydatacommons.org to do these steps.
Use the organization UUID from above and follow existing naming conventions.
See [permissions documentation](../permissions) for how to grant permissions.
- [ ] If the organization is a funder, add a funder
  - [ ] Grant the Keycloak organization `view` permission on the funder
  - [ ] Grant a human from the organization `manage` permission on the funder
  - [ ] If it exists, grant the Keycloak service account `edit` permission
- [ ] If the organization is a changemaker, add a changemaker
  - [ ] Grant the Keycloak organization `view` permission on the changemaker
  - [ ] Grant a human from the organization `manage` permission on the changemaker
  - [ ] If it exists, grant the Keycloak service account `edit` permission
- [ ] If the organization is a data platform provider, add a data provider
  - [ ] Grant the Keycloak organization `view` permission on the provider
  - [ ] Grant a human from the organization `manage` permission on the provider
  - [ ] If it exists, grant the Keycloak service account `edit` permission
- [ ] If the organization works with other organizations, grant more permissions
  - [ ] Grant `view` permission to the organization for other funders
  - [ ] Grant `view` permission to the organization for other changemakers
  - [ ] Grant `view` permission to the organization for other data providers
</div><div class="gfmr-markdown-rendered" data-mermaid-bg-color="transparent" data-shiki-theme="github-dark"><h1>Organization Onboarding Checklist</h1>
<p>These steps should ensure a good user experience for organizations that are new
to the PDC. The intended audience is PDC administrators.</p>
<h2>In the PDC Keycloak</h2>
<p>These steps require Keycloak PDC realm administrative access.</p>
<p>Use <a href="https://auth.philanthropydatacommons.org/admin">https://auth.philanthropydatacommons.org/admin</a> to do these steps.</p>
<ul>
<li>[ ] Add a human from the organization to Keycloak users</li>
<li>[ ] Add the organization to Keycloak organizations
<ul>
<li>[ ] Follow existing naming conventions</li>
<li>[ ] Note/copy the new organization UUID for use below</li>
</ul>
</li>
<li>[ ] If the organization has an IdP, follow the steps in <code>./ORGANIZATION_IDP_INTEGRATION.md</code></li>
<li>[ ] If the organization will submit data using software, add a Keycloak client
<ul>
<li>[ ] Follow the <code>pdc-[org short name]-data-ingest</code> naming convention</li>
<li>[ ] Set “Client authentication” to “On”</li>
<li>[ ] Check “service accounts roles”</li>
<li>[ ] Uncheck all other Authentication flows</li>
<li>[ ] Save, click the “Service accounts roles” tab</li>
<li>[ ] Click the link following “To manage detail and group mappings, …”</li>
<li>[ ] Set a First Name that includes the organization name</li>
<li>[ ] Set a Last Name of “Service Account”</li>
<li>[ ] Click “Save”</li>
<li>[ ] Click the “Organizations” tab</li>
<li>[ ] Join the service account user to the Keycloak organization</li>
<li>[ ] Note/copy the new service account user UUID for use below</li>
<li>[ ] Send the data integrator the client ID and secret</li>
</ul>
</li>
<li>[ ] Join at least one (human) Keycloak user to the Keycloak organization</li>
</ul>
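<p>Added example, not part of the PDC documentation: a Python check that audits an exported Keycloak client representation against the client settings in the list above. The JSON field names are Keycloak's ClientRepresentation fields; the sample clients are constructed, and the characters allowed in the org short name are an assumption.</p>

```python
import json
import re

# Naming convention from the checklist: pdc-[org short name]-data-ingest.
# Assumption: the short name is lowercase letters, digits and hyphens.
NAME_RE = re.compile(r"^pdc-[a-z0-9]+(?:-[a-z0-9]+)*-data-ingest$")

# ClientRepresentation settings for the flows the checklist says to uncheck.
OTHER_FLOW_FLAGS = ("standardFlowEnabled", "implicitFlowEnabled",
                    "directAccessGrantsEnabled")
OTHER_FLOW_ATTRS = ("oauth2.device.authorization.grant.enabled",
                    "oidc.ciba.grant.enabled")


def audit_client(client):
    """Return findings; an empty list means the client matches the checklist."""
    findings = []
    client_id = client.get("clientId", "")
    if not NAME_RE.match(client_id):
        findings.append(f"clientId {client_id!r} breaks the naming convention")
    # "Client authentication: On" is stored as publicClient == false.
    if client.get("publicClient") is not False:
        findings.append("client authentication is not on (public client)")
    if client.get("serviceAccountsEnabled") is not True:
        findings.append("service accounts roles is not enabled")
    # A missing flag is reported too: it cannot be shown to be disabled.
    for flag in OTHER_FLOW_FLAGS:
        if client.get(flag) is not False:
            findings.append(f"{flag} is not disabled")
    attrs = client.get("attributes") or {}
    for key in OTHER_FLOW_ATTRS:
        # Attribute values are strings ("true"/"false") in exported JSON.
        if str(attrs.get(key, "false")).lower() == "true":
            findings.append(f"attribute {key} is enabled")
    return findings


# Constructed sample exports (not real PDC clients).
GOOD = json.loads("""{"clientId": "pdc-exampleorg-data-ingest",
 "publicClient": false, "serviceAccountsEnabled": true,
 "standardFlowEnabled": false, "implicitFlowEnabled": false,
 "directAccessGrantsEnabled": false,
 "attributes": {"oauth2.device.authorization.grant.enabled": "false"}}""")
BAD = json.loads("""{"clientId": "exampleorg-ingest",
 "publicClient": false, "serviceAccountsEnabled": true,
 "standardFlowEnabled": true, "implicitFlowEnabled": false,
 "directAccessGrantsEnabled": true,
 "attributes": {"oidc.ciba.grant.enabled": "true"}}""")

if __name__ == "__main__":
    for sample in (GOOD, BAD):
        print(sample["clientId"], audit_client(sample) or "OK")
```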
<h2>In the PDC service</h2>
<p>These steps require membership in the <code>pdc-admin</code> group.</p>
<p>Use <a href="https://api.philanthropydatacommons.org">https://api.philanthropydatacommons.org</a> to do these steps.</p>
<p>Use the organization UUID from above and follow existing naming conventions.</p>
<p>See <a href="../permissions">permissions documentation</a> for how to grant permissions.</p>
<ul>
<li>[ ] If the organization is a funder, add a funder
<ul>
<li>[ ] Grant the Keycloak organization <code>view</code> permission on the funder</li>
<li>[ ] Grant a human from the organization <code>manage</code> permission on the funder</li>
<li>[ ] If it exists, grant the Keycloak service account <code>edit</code> permission</li>
</ul>
</li>
<li>[ ] If the organization is a changemaker, add a changemaker
<ul>
<li>[ ] Grant the Keycloak organization <code>view</code> permission on the changemaker</li>
<li>[ ] Grant a human from the organization <code>manage</code> permission on the changemaker</li>
<li>[ ] If it exists, grant the Keycloak service account <code>edit</code> permission</li>
</ul>
</li>
<li>[ ] If the organization is a data platform provider, add a data provider
<ul>
<li>[ ] Grant the Keycloak organization <code>view</code> permission on the provider</li>
<li>[ ] Grant a human from the organization <code>manage</code> permission on the provider</li>
<li>[ ] If it exists, grant the Keycloak service account <code>edit</code> permission</li>
</ul>
</li>
<li>[ ] If the organization works with other organizations, grant more permissions
<ul>
<li>[ ] Grant <code>view</code> permission to the organization for other funders</li>
<li>[ ] Grant <code>view</code> permission to the organization for other changemakers</li>
<li>[ ] Grant <code>view</code> permission to the organization for other data providers</li>
</ul>
</li>
</ul>
</div></div>