User Authorization System for Horizontal Public Administration Information Systems
This document describes the core functionality of the horizontal authorization system service, a system for enabling and disabling roles for public officials depending on the application. Upon login, the Authorized User Administrator has access to the following functionalities:
Active Information System Details
This functionality provides information on user categories and the role of users required to connect to the application.
User Categories:
This refers to the type of users, which can be exclusively Public Servants or Public Employees, and natural persons outside the public sector. In our case, the category is exclusively public servants, meaning the system can be used only by them.
User Roles:
These are the roles a public entity user can obtain to use the application.
| Role Code | Role Name |
|---|---|
| 1880 | Central Administrator |
| 1881 | Entity Administrator |
User Management
Includes functionality for user entry, role assignment, and role revocation.
In more detail, this function lets us add or edit a user.
Adding a New User:
If the Tax Identification Number (AFM) to be entered corresponds to an employee who can be authorized, the user can create a user account by assigning one or even two roles as desired using this function.
Editing a User:
If the AFM being edited corresponds to an active user, this function allows the administrator to deactivate the user or change one of the roles they already hold.
User Searches
Includes functionality for searching information system users using various criteria.
Core Endpoints for SOE
1. POST Endpoint:
https://test.gsis.gr/esbpilot/pubAuthDocManagementRestService/padInfoSystemAll
Auth Type: Basic Auth
Description:
Provides basic information about public employee roles and the organizations that have been declared.
Response:
```json
{
  "padInfoSystemAllOutputRecord": {
    "pageModel": {
      "liableVatNo": "OAUTH",
      "pubAuthDoc": {
        "informationSystem": {
          "applcationId": 2747,
          "applcationName": "Management & Administration gov.gr platform",
          "roles": [
            {
              "roleId": 1881,
              "roleName": "Organization Administrator",
              "hid": 2168
            },
            {
              "roleId": 1880,
              "roleName": "Central Administrator",
              "hid": 2168
            }
          ],
          "userOrganisations": [
            {
              "organisationUnitName": "TEST MINISTRY 38",
              "organisationUnitCode": "67140"
            },
            {
              "organisationUnitName": "MINISTRY OF DIGITAL GOVERNANCE",
              "organisationUnitCode": "66797"
            },
            {
              "organisationUnitName": "MINISTRY OF FINANCE",
              "organisationUnitCode": "83842"
            }
          ],
          "adminSelected": true,
          "restricted": false,
          "nonPsAccess": false,
          "rolesPerAou": false,
          "licensedRoles": false,
          "hid": 2168
        }
      }
    },
    "pageData": {}
  },
  "callSequenceId": 10025006011,
  "callSequenceDate": "2025-05-20T19:18:37.621+03:00",
  "errorRecord": {}
}
```
2. POST Endpoint:
https://test.gsis.gr/esbpilot/pubAuthDocManagementRestService/padEmplList
Auth Type: Basic Auth
Description:
Provides an overview of public employees – which roles each person has, and whether these roles are active or not.
Response:
```json
{
  "padEmplListOutputRecord": {
    "pageModel": {
      "pubAuthDoc": {
        "employeesList": {
          "employees": [
            {
              "employeeId": 2340,
              "employeeVatNo": "024199363",
              "employeeName": "Employee Name",
              "employeeSurname": "SURNAME",
              "authorisations": [
                {
                  "id": 3117,
                  "startDate": "2024-09-05",
                  "endDate": "2024-09-05",
                  "role": {
                    "roleId": 1881,
                    "hid": 2168
                  },
                  "userOrgVatNo": "090165560",
                  "active": false,
                  "userOrgCode": "83842"
                }
              ]
            }
          ]
        }
      }
    },
    "pageData": {}
  },
  "callSequenceId": 10024898517,
  "callSequenceDate": "2025-05-20T19:23:21.999+03:00",
  "errorRecord": {}
}
```
Calling the padEmplList Endpoint from Our Projects
To retrieve role information for public employees, we must call the padEmplList endpoint. This will return role allocation data and the active status of employees so we can store or update them in our database.
post_data_padempllist Function – Prepares POST Payload
```python
import logging
import uuid
from datetime import datetime

import pytz
from django.conf import settings  # assumes a Django project, as the .objects.create call suggests

# AuditRecordLogging is the project's own audit model; import it from the app that defines it.


def post_data_padempllist() -> dict:
    athens_tz = pytz.timezone("Europe/Athens")
    now = datetime.now(athens_tz)
    # Note: the literal "Z" suffix denotes UTC, but the value formatted here is
    # Athens local time.
    audit_transaction_date = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    logging.info("***** AUDIT TRANSACTION DATE: %s *****", audit_transaction_date)
    # Create the audit record; the protocol date uses the same Athens clock as above.
    audit_record = AuditRecordLogging.objects.create(
        protocol_id=f"{uuid.uuid4()}BOOKING/{now.strftime('%Y-%m-%d')}",
        ip_address=settings.WS_IP_ADDRESS,
        user_id=settings.WS_IP_ADDRESS,  # no user context, system call
        is_successful=True,
        service_endpoint_name=AuditRecordLogging.AuditRecordChoice.SOE,
    )
    post_data = {
        "auditRecord": {
            "auditTransactionId": str(audit_record.id),
            "auditTransactionDate": audit_transaction_date,
            "auditUnit": audit_record.business_unit,
            "auditProtocol": audit_record.protocol_id,
            "auditUserId": settings.WS_IP_ADDRESS,
            "auditUserIp": settings.WS_IP_ADDRESS,
        },
        "padEmplListInputRecord": {
            "page": 1,
            "size": 10000,
            "lang": "el",
            "source": {"employee": {}},
        },
    }
    return post_data
```
Making the Request to SOE
Once the payload is generated, the following code snippet performs the request to the SOE endpoint and handles the response.
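```python
import logging

import requests
from django.conf import settings  # assumes a Django project


def fetch_padempllist():  # hypothetical wrapper name, so the early returns are valid
    try:
        response = requests.post(
            settings.PADEMPLLIST_ENDPOINT,
            json=post_data_padempllist(),
            auth=(settings.BASIC_AUTH_USERNAME, settings.BASIC_AUTH_PASSWORD),
            timeout=30,  # requests has no default timeout; without one the call can hang
        )
        response.raise_for_status()
        data = response.json()
    except requests.RequestException as e:
        logging.error("Request to PADEMPLLIST failed: %s", str(e))
        return None
    except ValueError as e:
        logging.error("Failed to parse JSON from PADEMPLLIST response: %s", str(e))
        return None
    return data
```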
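One way to turn the parsed padEmplList response into the rows we store or update, as an added example that is not part of the project's own code. The function name `active_grants`, the sample values, and the treatment of `errorRecord` and of the date fields are assumptions.

```python
from datetime import date

KNOWN_ROLES = {1880, 1881}  # role codes from the role table on this page

def active_grants(data: dict, today: date) -> list:
    """Return (employeeVatNo, roleId, userOrgCode) for each usable authorisation.
    Assumptions, not confirmed by the page: a non-empty errorRecord means the call
    failed; startDate/endDate are inclusive; a missing endDate is open-ended."""
    if data.get("errorRecord"):
        raise ValueError("SOE returned an error record")
    try:
        employees = data["padEmplListOutputRecord"]["pageModel"]["pubAuthDoc"][
            "employeesList"]["employees"]
    except (KeyError, TypeError) as exc:
        raise ValueError("unexpected padEmplList response shape") from exc
    grants = []
    for emp in employees:
        for auth in emp.get("authorisations") or []:
            role_id = (auth.get("role") or {}).get("roleId")
            # Fail closed: only the boolean True is active; unknown roles are skipped.
            if auth.get("active") is not True or role_id not in KNOWN_ROLES:
                continue
            try:
                start = date.fromisoformat(auth["startDate"])
                end = date.fromisoformat(auth["endDate"]) if auth.get("endDate") else None
            except (KeyError, TypeError, ValueError):
                continue  # malformed or missing dates: do not grant
            if start <= today and (end is None or today <= end):
                grants.append((emp.get("employeeVatNo"), role_id, auth.get("userOrgCode")))
    return grants

def _auth(role_id, active, start, end):  # builds one constructed authorisation
    return {"role": {"roleId": role_id}, "active": active, "startDate": start,
            "endDate": end, "userOrgCode": "00000"}

# Constructed sample in the padEmplList response shape (all values are made up).
SAMPLE = {"errorRecord": {}, "padEmplListOutputRecord": {"pageModel": {"pubAuthDoc": {
    "employeesList": {"employees": [{"employeeVatNo": "000000000", "authorisations": [
        _auth(1881, True, "2025-01-01", "2025-12-31"),   # valid today
        _auth(1881, False, "2025-01-01", "2025-12-31"),  # inactive
        _auth(1880, True, "2024-01-01", "2024-12-31"),   # expired
        _auth(9999, True, "2025-01-01", None),           # unknown role
        _auth(1880, "true", "2025-01-01", None),         # string, not boolean
    ]}]}}}}}

print(active_grants(SAMPLE, date(2025, 5, 20)))
```

Only the first constructed authorisation survives the checks; the inactive, expired, unknown-role and string-typed entries are dropped rather than stored as active roles.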
Important Notes
Every call to the SOE must be logged in our local database and also reported to the designated authority responsible for the SOE external service.
This is achieved through the auditRecord, which contains the necessary call metadata. These details are saved internally via the AuditRecordLogging model.
