Southwest Power Pool, Inc. Name of Current Section (Optional)

I n t e g r a t e d M a r k e t p l a c e P o r t a l A u t h o r i z a t i o n S e r v i c e L S A U s e r s G u i d e

9/9/2014

Customer Relations Marketplace Portal LSA User Guide

Revision History

Date or Version Author Change Description Comments Number Version 1.0 Christopher Draft Thompson Version 1.1 Dawn-Marie Coggins Review and Updates Leann Poteet Alan Rainey Version 1.2 Portal Added details regarding certificates and dashes Version 1.3 Lorie Bailey Added details regarding Don Martin LSA to LSA Functionality

1 Marketplace Portal LSA User Guide

Table of Contents

Revision History 1 Introduction 4 Accessing the Portal 4 Login 4 Create and Maintain Users 5 A. Manage Users 6 B. Assign Roles 6 C. Request MCST Access Change 6 The “Manage Users” Screen 7 Adding a User 8 Editing a User 11 Deleting a User 13 A Note about Certificate Information 13 The “Assign Roles” Screen 14 Scope Types 14 Working with Roles 14 Working with Templates 20 The “Request MCST Access Change” Screen 22 The “External LSA Role Request” Screen 23 The “Review External LSA Requests” Screen 26 The “Reports” Screen 31 FAQ 33 How do I get started? 33 What is the “Certificate Information” screen? 33 What is the Authorization Service? 34 What are the Local Security Administration Pages? 34 2 Marketplace Portal LSA User Guide

What are Local Security Administrators? 34 Can roles differ per application? 34

Introduction

This document will serve as a guide for Local Security Administrators (LSAs). The LSA is responsible for the creation and maintenance of the user accounts for the Marketplace Portal. Users of this guide should read and understand polices associated with the LSA role.

This guide assumes that an individual has been registered as the LSA for a Market Participant. All activities related to the LSA registration process are outside the scope of this document.

Accessing the Portal

All LSAs and users must have a valid OATI digital certificate loaded on their machines in order to access the Marketplace Portal. Local Security Administrators will gain access by completing the LSA Registration process. Please contact your Customer Relations Representative with questions pertaining to LSA Registration. Individual users will be given access to the Portal by their designated LSA.

Login Once the required steps have been completed to be considered an LSA or general user, the SPP Marketplace Portal can be accessed by following these instructions:

1. Using an Internet Browser (Internet Explorer, Firefox, or Chrome), go to the applicable SPP Marketplace Portal link: Integrated Marketplace Portal PROD Link: https://marketplace.spp.org Integrated Marketplace Portal ITE Link: https://marketplace.itespp.org Integrated Marketplace Portal MTE Link: https://marketplace-mte.itespp.org 2. Select the digital certificate designated for Marketplace Portal use from the list (if more than one is on your machine) and click “OK”

3. The Marketplace Portal Welcome Screen is displayed

Create and Maintain Users

The Market Participant’s LSA is responsible for adding, updating, and coordinating all information associated with general users. You should see a link to the Local Security Administration Menu in the Integrated Marketplace Portal if you have been properly configured as a Local Security Administrator.

1. Click on the Administration link or Administration tab.

2. Click on the Local Security Administration link.

A. Manage Users The “Manage Users” screen allows for the addition, deletion, and modification of user accounts. B. Assign Roles The “Assign Roles” screen is used to assign users the individual permissions defined for the various applications that use the Authorization Service. For more information on the Authorization Service, see the FAQ section at the end of this document. C. Request MCST Access Change For Model Change Submission Tool user access, once role assignments are complete via the “Assign Roles” screen, go to “Request MCST Access Change” to initiate a request for MCST access. D. External LSA Role Request The “External LSA Role Request” screen is used to enable an LSA to request to add a role or request to revoke a role for a user at a company other than their own.

E. Review External LSA Requests The “Review External LSA Requests” screen allows an LSA to review the requests pending for approval or revocation submitted for users at a company other than their own.

F. Reports The “Reports” screen allows the LSA to access and download various LSA Reports: User Report; LSA Report; Assigned Roles for My Users Report; Assigned Roles for My Companies Report and Users with MCST Role Report. 5 Marketplace Portal LSA User Guide

The “Manage Users” Screen

The first step in working with a user in the Administration pages is to properly configure the user on the “Manage Users” screen.

From the Menu screen, click “Manage Users” to open the Manage users screen as shown in the following example.

Initially, there are only a few of the controls enabled (e.g, Add, Edit, Delete, and Return). The screen also displays a list of users for whom you are currently assigned as an LSA. This list may be sorted by clicking on any of the headers (Screen Name, First Name, etc), and you can filter them as well. To filter the entries, select a column heading to search by from the “Search by” dropdown box, and then enter a search term into the “Find” box. As you type, the entries in your summary of users will filter to match what you have entered. In order to restore the summary of users to its original state, simply clear the “Find” box and all the original entries will reappear.

An example of filtering the list by first name.

Also, there are four buttons enabled:  Add – Add a new user.

 Edit – Edit the currently-selected user.

 Delete – Delete the currently-selected user.

 Return – Return to the Local Security Administration menu.

Adding a User

To add a user, start by clicking the “Add” to display “User Detail” as shown in the following example:

The system supports a few different kinds of users, but the only ones that LSAs work with are called “Certificate Users”. So even though there is a control that says “Add method”, you will see that it cannot be changed. The “Screen Name” will be automatically generated by the system, so you cannot change that value either. The remainder of the fields are updatable, and required fields are marked with an asterisk (*).

Let’s talk about some of the fields that are not self-explanatory. First, we have the certificate information. This information will normally be sent via e-mail by your user, after visiting the “Certificate Information” screen mentioned in the FAQ at the end of this guide. This information is required in order to set up a user, and no two users may share the same certificate information. When entering the certificate serial number use only characters, and do not enter dashes.

The “Entity Type” and “Company” fields are where you set the new user’s company. This will normally be the same as your own entity type and company. However, if you happen to be an LSA over multiple companies, you must be sure to select the correct company from the dropdown boxes.

After entering the required and optional information, you can click “Save” to save your changes, or “Cancel” to abandon them.

For purposes of illustration, if we were to set up John Smith on this screen, it might appear as follows:

After clicking “Save”, we can see Mr. Smith has been added to our list of users:

Editing a User

To edit a user, highlight, by clicking, one of the users in the summary box, and click “Edit”. In the example below, user John Smith is highlighted and “Edit” was selected. User John Smith’s details are displayed in the “User Details” section.

Note that there is a system generated “Screen Name” value that cannot be changed. All other fields are editable to update the users’ information. Click “Save” to commit your changes, or “Cancel” to discard them.

Deleting a User

To delete a user, simply highlight the user in the summary box, and click the “Delete” button. The system will ask you to confirm the operation. Click “Yes” if you really want to delete the user and “No” if you don’t.

A Note about Certificate Information

The system requires that the combination of certificate serial and issuer is unique – it may be assigned to only one person. If, during the user add or edit process, a duplicate certificate serial and issuer is entered, the system will return the following message:

The “Assign Roles” Screen

The next step after creating a user is to assign roles to that user. This is accomplished with the “Assign Roles” screen.

Scope Types

Before we get started, let’s talk about the different scope types.  Market Participant

 Asset Owner

 Meter Agent

 Transmission Customer

 Transmission Owner

The Market Participant scope type applies to companies that are Market Participants. Meter Agent, Transmission Customer, and Transmission Owner work similarly. To assign an Asset Owner scope, one must first select a Market Participant, and then an Asset Owner under that Market Participant. Asset Owner scope types are the only ones that require prior selection of another scope. This will be illustrated in the following example.

Working with Roles

Click the “Assign Roles” button to begin the process of assigning roles.

Once this action is performed, the “Assign Roles” screen is displayed. An example is shown below:

Please note that this screen has sorting and filtering features that work identically to those found on the “Manage Users” screen.

To “Assign Roles” to a user, select a row by clicking on a row to highlight the user from the summary box, and click “Edit”. The screen will change as follows:

The four dropdowns on this screen correspond to “Application”, “Role”, “Scope”, and Scope (AO). The “Application” dropdown contains a list of all the application roles that can be assigned.

In the following example, the “Bilateral Settlement Schedules” application is used. Selecting a value in this dropdown will automatically populate the values in the “Role” field to the roles corresponding to that respective application.

The appearance of the screen can change slightly depending on which role is selected. For example, the “Contract Approve” role is selected below. That role is defined at the Market Participant level. Once selected, the next step is to select the respective Market Participant from the “Scope” dropdown. Clicking the “Add Role” button will temporarily store that role in the “Assigned Roles” section:

“Profile Submit” is an additional role that can be assigned to a user. This role is scoped at the AO (Asset Owner) level. It is not enough to select “BP ENERGY COMPANY” as the Scope. The user must select the MP, and then drill down one level further and select the AO. After clicking “Add Role” the screen will display the following:

Depending on the scope of the role, three or four dropdowns are displayed. In the “Assigned Roles” section, the pending new set of roles includes “Contract Approve” at the “MP: BP ENERGY COMPANY” level, and “ProfileSubmit” at the “AO: BP ENERGY COMPANY” level.

To remove one of the roles that have been assigned, simply highlight it in the “Assigned Roles” section, and click “Remove Selected Role”. Please note that only lines corresponding to assigned roles can be removed. Applications will be removed automatically in the “Assigned Roles” section when all of the user’s roles are removed.

At this point, you could click “Save” to commit your new set of role assignments, or “Cancel” to discard them.

Working with Templates Templates are optional for the LSA to create user roles that can be applied to other users as needed.

Additional “Assign Roles” functionality available is the Template (Load, Save, Delete) functionality. The set of roles just assigned to Mr. Smith happens to be a standard set that would be used for all users under a company. Using the Template functionality, name this template for quick reference in the future. In the example below, refer to John Smith’s record again. From the “Assign Roles” screen, select the user, and click “Edit”. The roles currently assigned are listed in the “Assigned Roles” section:

To save this set of roles as a template, click “Save To Template”. Create a name for the template, and click “OK”. The roles are now applied under the new template created.

To apply the roles to another user, simply edit that user (John Doe in this case):

Click “Load From Template”:

The dropdown will show you all the template names you have saved. Select the correct one and click “OK”.

The set of pre-defined roles has been temporarily cached in the “Assigned Roles” section. Click “Save” to commit the changes, or “Cancel” to discard them.

To delete a template, the “Delete Template” button will display a list of saved templates

Choose the one from the dropdown to delete, and click “OK. Otherwise, click “Cancel” to discard.

The “Request MCST Access Change” Screen

For the MCST application, additional setup work is required. This screen initiates emails to the appropriate group to complete the MCST access. MCST add, change, removal does not occur in real time.

This screen has the same sorting and filtering functions that appear on the “Manage Users” and “Assign Roles” screens. To use the screen, select a user from the summary box, and click the appropriate button. Before requesting MCST access, the user should have an MCST role assigned to them, and then click the “Request MCST Add” button. After the MCST access has been created, the user will be contacted by SPP. To update an existing MCST user, remove the current role and update to a new role, and then click the “Request MCST Change” button If all MCST application roles from a user’s record have been removed, then click the “Request MCST Remove” button. 22 Marketplace Portal LSA User Guide

The “External LSA Role Request” Screen

This screen is used to enable an LSA to request/approve and revoke roles added to users at a company other than their own. This screen initiates the request to the LSA of the other company.

From the Menu Screen, the LSA submitting the request clicks “External LSA Role Request” to open the External Role Request screen as shown in the following example.

Please note that this screen has sorting and filtering features that work identically to those found on the “Manage Users” screen.

To “Assign Roles” to a user, select a row by clicking on a row to highlight the user from the summary box, and click “Edit”. The screen will change as follows:

The LSA/Submitter should follow the previous steps noted in the “Assign Roles” section of this document as noted below with the addition of the “Submit” Button to complete the request:  Select the Application needed for the user

 Select the Role needed for the user  Select the applicable MP  Select the applicable Scope  Click the “Add Role” button  Click the “Submit” button to send your request to the Approving LSA Company or click “Cancel” to cancel the request. See example:

After clicking “Submit” the LSA will notice a confirmation of submission pop up. See example :

The “Review External LSA Requests”Screen Approve/Deny and Revoke

This screen allows an LSA to review the requests pending for approval or revocation submitted for users at a company other than their own.

From the Menu Screen, click “Review External LSA Requests” to open the External LSA Requests screen as shown in the following example:

The LSA submitting a request can search their requests submitted for approval using the “Search by” drop down with the following options: “Not Reviewed”, “Reviewed” and “All”. See example:

The Reviewer/Approver can search pending requests for approval using the “Search by” drop down with the following options: “Not Reviewed”, “Reviewed” and “All”. See example:

The “Status” column reflects the current state of the request: Pending, Approved, Denied or Revoked. Therefore, once the Reviewer/Approver has taken an action to “Approve”, “Deny” or “Revoke” a request, the status column will reflect the new state of the request when the Reviewer chooses the “Reviewed” option in the “Search by” drop down. See example:

To approve or deny a request, the Approving LSA will follow these steps: Go to Review External LSA Request /Choose Reviewer from the “Review As” drop down menu/Highlight the pending request/Click the Approve or Deny button. The Approving LSA will get a pop up confirmation based on the action taken. Click “Yes” to confirm approve or deny. See Examples:

Once approved or denied the Reviewing /Approving LSA can Click Details and will see the following pop up of additional information. See Example on Details for a Denied Request:

If the Requesting LSA would like to request a role be revoked for a user from their entity that was previously approved by the Approving LSA, theRequesting LSA will need to follow these steps: Go to the Review External LSA Request /Choose “Search by” as drop down menu/Find the approved request/ Click the Revoke Button/ Click “Yes” when pop up window appears to complete the request for revocation. See Example:

If the Approving LSA chooses to revoke a user’s role without the consent of the Requesting LSA, the Approving LSA will need to follow these steps: Click on Review External LSA Request/Reviewer should choose “Search by “ drop down menu/Highlight the applicable approved request /Click the Revoke Button. The LSA will get a pop up confirmation based on the action taken. Click “Yes” to complete revocation of the applicable role.

The “Reports” Screen

This screen allows the LSA to access and download various LSA Reports.

From the Menu Screen, click “Reports” to open the Reports screen. Click on the Report to be viewed or downloaded. See Example:

Once you have selected a specific Report by clicking on the button for that Report, you will see a pop up with the option to “Open”, “Save” or “Cancel”:

Reports are generated as an Excel file. See Example: 31 Marketplace Portal LSA User Guide

How do I get started? The Local Security Administration Pages are housed in the Integrated Marketplace Portal. Once properly set up as an LSA, a link called “Local Security Administration” will be visible under Administration.

What is the “Certificate Information” screen? When new users attempt to sign in to the Portal, they will see a link to the “Certificate Information” screen. Upon clicking that link, they will be taken to a special screen that captures the certificate information for that user, and provides a handy facility for sending that information to that user’s LSA. This will be the most common way that an LSA will receive the necessary information for setting up a user in the Local Security Administration pages.

What is the Authorization Service? The Authorization Service (also known as SPPAuthZ) is a central repository of information about various applications, including authorized users and their permitted roles. These applications may be written in different languages, and with a wide range of technologies, but all of them will rely on the authorization service to validate a user’s access level.

What are the Local Security Administration Pages? The Local Security Administration Pages are the means by which Local Security Administrators (LSAs) may define users, and then assign roles to those users for the various applications supported by the Portal.

What are Local Security Administrators? One of the requirements for the Authorization Service is that permissions may either be assigned globally, or at a “scoped” level. Global permissions are only assigned once per user, per application, and apply to users across all of SPP’s members and related organizations.

“Scoped” roles are permissions that apply to a narrower focus. For example, it is possible to create roles that are scoped at the market participant level, thus allowing a person to perform functions for a particular market participant only.

SPP’s Administrators can assign roles across all applications and scopes, but there is another way that users can be assigned permissions. A user can be given “Local Security Administrator” status within a particular company, thus allowing that user to create and modify user accounts and permissions only within their particular area of influence. A user may be given LSA status for more than one company (though this may be procedurally restricted), and can grant access permissions to any user assigned to a company for which the LSA has been granted LSA status.

For example, user Alan Smithee might be assigned as an LSA for two meter agents: “ABC Power, Incorporated”, and “ABC Limited”. Suppose there are two users: User A is assigned to “ABC Power, Incorporated”, and User B is assigned to “ABC Limited”. Since Mr. Smithee is an LSA for both companies, he can assign permissions for both scopes to either user. So even though User A is assigned to “ABC Power, Incorporated”, he or she could be given permissions at the “ABC Limited” scope due to both companies sharing an LSA.

Please note that if there are multiple LSAs for a particular entity, they may not edit each other’s permissions. Permission changes to LSAs must be made by an SPP administrator.

Can roles differ per application? One of the most important concepts behind the Authorization Service is that each application has its own customized list of roles. The Service does not define what each role can do within an application—that is decided and implemented by the team(s) responsible for those applications. The Authorization Service merely houses a custom list of roles and assignments, which are requested by each application during the login process.

For example, a team has created an application called “Birthday Tracker”. To interface with the Authorization Service, the team might ask for the following roles:

 Can Enter Birthdays  Can Print Calendars  Read-Only 34 Marketplace Portal LSA User Guide

System administrators would then define these roles for the “Birthday Tracker” application, thus allowing other administrators and LSAs to assign these roles to users in the system. A user has been assigned two of these permissions:

Alan Smithee  Can Print Calendars Alan Smithee  Read-Only

Under this scenario, when Alan Smithee logs into the “Birthday Tracker” application, the application will call the Authorization Service to see what roles have been assigned. The Service will return “Can Print Calendars” and “Read-Only”. Please note that it is up to the “Birthday Tracker” application to know what to do with that information.