According to the default configurations in the EI profile, the Users, Roles and Permissions are stored in the same repository (i.e., the default, embedded H2 database). However, you can change this configuration in such a way that the Users and Roles are stored in one repository (User Store) and the Permissions are stored in a separate repository. A user store can be a typical RDBMS, an LDAP or an external Active Directory. For information on how the repositories for storing information about users and roles are configured, see Configuring User Stores.

The repository that stores Permissions should always be an RDBMS. The Authorization Manager configuration in the user-mgt.xml file (stored in the /conf/ directory of the respective profile) connects the system to this RDBMS.

...

| Property Name | Description | Mandatory/Optional |
|---|---|---|
| testOnBorrow | It is recommended to set this property to 'true' so that connections are validated before being borrowed from the JDBC pool. For this property to be effective, the validationQuery parameter in the /conf/datasources/master-datasources.xml file should be a non-null string value. This setting will avoid connection failures. See the section on performance tuning of WSO2 products for more information. | Optional |

Configuring the Authorization Manager

...

  • The org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager class enables the Authorization Manager for your EI profile.
  • The AdminRoleManagementPermissions property sets the registry path where the authorization information (role-based permissions) is stored. Note that this links to the repository that you defined in Step 1.
  • It is recommended to enable the GetAllRolesOfUserEnabled property in the AuthorizationManager as follows:

    <Property name="GetAllRolesOfUserEnabled">true</Property>

    Although using the user store manager does not depend on this property, you must consider enabling it if there are any performance issues in your production environment. Enabling this property affects performance when a user logs in; the extent depends on the user, role and permission statistics.

  • By default, the rules linked to a permission (role name, action, resource) are not case sensitive. If you want to make them case sensitive, enable the following property:

    <Property name="CaseSensitiveAuthorizationRules">true</Property>
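
The following check is an added example, not part of the WSO2 documentation or product code: it parses a user-mgt.xml and reports where the AuthorizationManager settings differ from the recommendations above or fall back to a default. The sample file content, the UserManager/Realm nesting and the /permission value are constructed assumptions; only the class name and property names come from this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not copied from a real deployment. The UserManager/Realm
# nesting and the /permission value are assumptions about the file layout.
SAMPLE_USER_MGT = """\
<UserManager>
  <Realm>
    <AuthorizationManager class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
      <Property name="AdminRoleManagementPermissions">/permission</Property>
      <Property name="GetAllRolesOfUserEnabled">true</Property>
    </AuthorizationManager>
  </Realm>
</UserManager>
"""

EXPECTED_CLASS = "org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager"


def audit_authorization_manager(xml_text):
    """Return (settings, findings) for the AuthorizationManager element."""
    root = ET.fromstring(xml_text)
    am = root.find(".//AuthorizationManager")
    if am is None:
        return {}, ["no AuthorizationManager element found"]
    props = {p.get("name"): (p.text or "").strip() for p in am.findall("Property")}
    findings = []
    if am.get("class") != EXPECTED_CLASS:
        findings.append("unexpected class: %s" % am.get("class"))
    if not props.get("AdminRoleManagementPermissions"):
        findings.append("AdminRoleManagementPermissions is not set")
    if props.get("GetAllRolesOfUserEnabled", "").lower() != "true":
        findings.append("GetAllRolesOfUserEnabled is not enabled")
    # An absent property means the default applies: rules are matched
    # without regard to case, so "Admin" and "admin" are the same role name.
    if props.get("CaseSensitiveAuthorizationRules", "").lower() != "true":
        findings.append("CaseSensitiveAuthorizationRules not enabled: "
                        "role name, action and resource match case-insensitively")
    return props, findings


if __name__ == "__main__":
    settings, findings = audit_authorization_manager(SAMPLE_USER_MGT)
    for name, value in sorted(settings.items()):
        print("%s = %s" % (name, value))
    for finding in findings:
        print("FINDING: " + finding)
```

The case-sensitivity finding is informational: it records that the default matching is in effect so that role names differing only in case can be reviewed before relying on them as distinct.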