Prepare users for an evaluation environment
Create the minimum user set needed to run a controlled DALP demo or evaluation environment.
An evaluation environment needs real DALP users with the right platform roles, wallets, identities, and verification state. Create only the users you need for the scenario you want to show.
This guide helps an operator prepare a small controlled user set for a demo, proof of concept, or internal evaluation.
When you finish, open each participant record and check the evidence needed for the flow you plan to test. This guide does not replace production onboarding policy.
Use this as a deployment-readiness guide for an evaluation environment. It belongs with platform setup because the user set, role model, and data boundaries must be ready before a demo, sandbox validation, or production rehearsal starts.
What you are preparing
Use this setup when you need to demonstrate DALP with a few known participants:
| User type | Purpose in the evaluation | Minimum setup |
|---|---|---|
| Platform operator | Grants platform roles and keeps the environment operable. | Existing administrator with permission to grant roles. |
| Identity Manager | Creates users and manages identity registration. | User account, wallet, and Identity Manager role. |
| Verification Issuer | Issues trusted KYC verification claims. | User account, wallet, Verification Issuer role, and trusted issuer setup for the KYC topic. |
| Investor or test participant | Receives identity, KYC, and asset-flow checks. | User account, wallet, registered identity, KYC profile, and any required verification claims. |
Keep the environment small
Start with one operator, one Identity Manager, one Verification Issuer, and one or two investor users. Add more users only when the scenario needs separation of duties, multiple jurisdictions, or failure-path testing.
Prerequisites
Before creating evaluation users, confirm that:
- The system is deployed and you can sign in as an administrator.
- Your administrator can grant platform roles. See Add administrators.
- At least one operator has the Identity Manager role for user creation and identity operations.
- At least one operator has the Verification Issuer role and is trusted for the KYC topic before issuing KYC claims.
- Each person or test participant has a unique email address for the environment.
- Wallet verification, such as PIN or 2FA, is enabled for accounts that sign transactions.
Prepare the user set
Create the operator accounts
Create the Identity Manager and Verification Issuer accounts first. Use Create users when you need controlled setup without waiting for email acceptance. Use Invite users when the person should accept an invitation and complete access themselves.
Each created user gets a DALP user record and wallet. Direct creation also creates an identity, but identity registration is still a separate workflow.
Grant the required platform roles
Open Platform Settings > Platform Admins and grant each operator only the role needed for the evaluation:
- Grant Identity Manager to the operator who creates users, registers identities, and reviews KYC profiles.
- Grant Verification Issuer to the operator who issues KYC verification claims.
If one person performs both jobs in a demo, assign both roles to that account. For production rehearsals, keep the roles on separate accounts so the evaluation reflects your operating model.
Create investor or participant users
Create the investor or test participant accounts from Participants > Users. Use clear names and email addresses for each scenario, such as a qualified investor, restricted investor, or internal test participant.
After creation, open each user record and confirm the wallet and identity fields are present. If the participant must sign in later, trigger the appropriate access flow from the user-management pages.
Register identities before compliance checks
Register each participant identity before issuing verifications or testing asset flows that depend on identity state. See Register user.
Do not treat a created user as fully ready until the identity registration state matches the scenario you plan to test.
Add and review KYC data
For participants that need KYC, collect or enter the required profile data. Review the profile before issuing the on-chain verification. See Provide KYC data and the compliance KYC guides.
Keep raw evidence and reviewer notes in your compliance records. DALP verification claims should use the approved KYC profile content hash, not personal data.
Issue the required verification claims
Use the Verification Issuer account to issue the KYC verification claim after the profile is approved. See Verify KYC.
Confirm that the user record shows an active trusted verification before using the participant in a transfer, subscription, redemption, or other asset-flow test that requires KYC.
Add the required test data
A useful evaluation environment needs enough data to prove the intended flow without turning the environment into a production clone. Prepare the smallest data set that exercises the scenario and makes pass and fail states visible.
| Data type | Minimum evaluation data | Readiness check |
|---|---|---|
| Operator users | One Identity Manager and one Verification Issuer, or one combined operator for a basic demo. | Operators can sign in, have wallets, and can reach the screens their roles require. |
| Participant users | One eligible investor and, when testing controls, one restricted or incomplete participant. | Each participant has a unique email address, wallet, user record, and clear scenario label. |
| Identity records | Registered identity for each participant used in asset flows. | The participant record shows the registered identity before verification or transfer testing. |
| KYC profiles | Approved KYC profile for eligible participants; incomplete or rejected profile only when testing failure paths. | The KYC state matches the story you will demonstrate. |
| Verification claims | Trusted knowYourCustomer verification for each eligible participant. | The issuer is trusted for the topic and the participant shows an active trusted verification. |
| Asset-flow evidence | The asset, compliance rule, transfer, subscription, redemption, or servicing flow you plan to show. | The flow succeeds for the eligible participant and fails for the expected control case. |
Do not use shared inboxes, shared operator accounts, or real personal data unless your compliance policy explicitly requires it for the evaluation.
Match the environment type
Evaluation, staging, demo, and production environments use the same operating concepts, but the setup discipline is different.
| Environment | Use it for | User and data rules | Before moving on |
|---|---|---|---|
| Demo | A scripted product walkthrough with known outcomes. | Keep users few, named by scenario, and resettable. Use synthetic data unless an approved customer exercise requires otherwise. | Run the readiness checklist and rehearse the exact path you will show. |
| Evaluation or sandbox | Customer or internal testing of selected DALP flows. | Create distinct users for each role being tested. Include both eligible and ineligible participants when compliance outcomes matter. | Confirm every role, identity, KYC, and verification state from the participant record before testing asset flows. |
| Staging | Release validation or production rehearsal. | Mirror production role separation and access controls. Use production-like configuration without unnecessary personal data. | Confirm least privilege, trusted issuer setup, evidence retention, and rollback or reset ownership. |
| Production | Live regulated operations. | Use named real users, policy-approved onboarding, compliance evidence retention, and separation of duties. | Complete your organization’s onboarding, access, compliance, and change-control checks before live use. |
Do not promote demo shortcuts
A demo can combine roles or use synthetic participant data. A production rehearsal should not. If the evaluation is meant to prove production readiness, separate the Identity Manager and Verification Issuer roles and use the same approval evidence your production policy requires.
Demo readiness checklist
Before a walkthrough or evaluation session, confirm that:
- The administrator, Identity Manager, and Verification Issuer can sign in and pass wallet verification.
- The operator accounts have only the roles needed for the evaluation.
- The Verification Issuer is trusted for the
knowYourCustomertopic used by the scenario. - Every participant email address is unique in the environment.
- Each participant has a wallet and registered identity.
- Eligible participants have approved KYC profiles and active trusted KYC verifications.
- Any negative-path participant is intentionally incomplete, restricted, or unverified.
- The asset or workflow you plan to show has the compliance configuration that matches the participant states.
- The success path and the expected failure path have both been rehearsed before the session.
- Demo-only roles, users, and data have an owner for cleanup or reset after the evaluation.
Runnable example
For a basic evaluation, prepare four users:
- Sign in as an administrator who can grant platform roles.
- Create
Identity Manager Demoand grant the Identity Manager role. - Create
Verification Issuer Demo, grant the Verification Issuer role, and confirm the issuer is trusted forknowYourCustomer. - Create
Investor Demo 1. - Register
Investor Demo 1in the identity registry. - Add and approve the investor's KYC profile.
- Issue a trusted
knowYourCustomerverification for the investor using the approved KYC profile content hash. - Open Participants > Users and confirm the investor has a wallet, registered identity, approved KYC profile, and active trusted KYC verification.
At this point the investor user is ready for evaluation flows that require a registered identity and trusted KYC claim.
Production requirements
Do not carry demo shortcuts into production. Before using the same pattern for production onboarding, verify the following controls:
| Requirement | What to verify |
|---|---|
| Least privilege | Operators have only the platform roles they need. Remove temporary demo roles after testing. |
| Separation of duties | Identity review, KYC approval, and verification issuance match your compliance policy. |
| Email and access ownership | Production users control their own email inbox and access flow. Do not share credentials between operators. |
| Evidence retention | Raw KYC documents, review notes, and approvals are kept in the required off-chain compliance system. |
| Trusted issuer setup | Verification issuers are trusted for the exact claim topics used by the asset rules. |
| Scenario traceability | Test participants are named and documented clearly enough that reviewers can understand what each user represents. |
Troubleshooting
| Issue | What to check |
|---|---|
| Create user is not visible | Confirm your account has the Identity Manager role and that you are in Participants > Users. |
| User creation fails with an existing email | Use a unique email address for each evaluation participant. DALP does not create a second user with the same email. |
| Identity is missing or not registered | Open the user detail page and run the identity registration workflow before issuing verifications. |
| Verification shows as untrusted | Confirm the issuer is trusted for the selected topic and that the selected topic matches the asset rule. |
| Participant cannot use the asset flow | Check identity registration, active trusted KYC verification, wallet verification, and the asset's compliance configuration. |
Related guides
- Create users - Directly create controlled users for demos and testing
- Invite users - Let users accept an invitation and complete access themselves
- Platform setup overview - Choose the setup path for platform administrators
- Add administrators - Grant platform roles to operators
- Register user - Register a user's identity before compliance checks
- Verify KYC - Issue the trusted KYC verification claim
- Participants hub - Review user records, identity state, holdings, activity, and verification evidence