
Roles contain the permissions that let users manage security. You can create different roles with various combinations of permissions, with the objective of segregating duties among the users who access the server.
Identity Server lets you create such roles and assign them to a user or a group of users. Through the Management Console, you can also edit and delete an existing user role.

WSO2 supports the role-based authentication model, where the privileges of a user are based on the role it is attached to.

A user is associated with one or more roles (generally specified upon user creation), and each role is associated with zero or more permissions (also generally specified upon user creation). Therefore, the set of permissions owned by a user is determined by the roles assigned to that user.

If a user has several assigned roles, their permissions are added together.

By default, WSO2 products come with the following roles:

  • Admin - Provides full access to all features and controls. By default, the user "admin" is assigned to both the "Admin" and the "Everyone" roles.
  • Everyone - Every new user is assigned to this role by default. It does not include any permissions.
  • System - This role is not visible in the Management Console.


To create a new user role

...

Info
The Domain label specifies the user-store where the role information is saved. The domain is set to PRIMARY by default in the single-user-store option, whereas in the multiple-user-store, all the user-stores are populated in the domain drop-down list allowing you to choose the required user-store.

There are two options available with the Add Role page, namely Role Only and Role with Permissions options. Click the Finish button to save the role with no permissions. Clicking the Next button directs you to the Role with Permissions option.

Info
The permission model of WSO2 Identity Server is hierarchical. Permissions can be assigned to a role in a fine-grained or a coarse-grained manner. For example, you can either select the whole class of permissions, such as Configure, by checking the corresponding box, or you can expand that class and select one or several items.
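The following is an added example, not code from WSO2 Identity Server, that models the semantics described above: a user holds one or more roles, each role holds zero or more permissions, a user's effective permissions are the union over all assigned roles, and permissions form a tree so that a coarse-grained grant on a node covers every finer-grained node beneath it. The role names, user names and permission paths (such as /permission/admin/configure/security) are constructed sample data chosen for illustration.

```python
"""Added example (not WSO2 code): role-based permission resolution with a
hierarchical permission tree, mirroring the model described on the page."""
from __future__ import annotations

# Constructed sample data, loosely mirroring the default roles on the page.
# Permission paths are assumed for illustration.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "admin": {"/permission"},                          # coarse grant: whole tree
    "everyone": set(),                                 # default role, no permissions
    "ops": {"/permission/admin/configure/security"},   # fine-grained grant
    "readonly": {"/permission/admin/login"},           # fine-grained grant
}

USER_ROLES: dict[str, set[str]] = {
    "admin": {"admin", "everyone"},
    "alice": {"ops", "readonly", "everyone"},
    "bob": {"everyone"},
}


def effective_permissions(user: str) -> set[str]:
    """Union of the permissions of every role assigned to the user."""
    perms: set[str] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def _covers(granted: str, requested: str) -> bool:
    """A granted node covers itself and every node below it in the tree.

    The trailing slash guards against prefix confusion, e.g. a grant on
    /permission/admin must not cover /permission/administration.
    """
    return requested == granted or requested.startswith(granted.rstrip("/") + "/")


def is_authorized(user: str, permission: str) -> bool:
    """True if any effective permission of the user covers the requested node."""
    return any(_covers(g, permission) for g in effective_permissions(user))


def users_with_permission(permission: str) -> set[str]:
    """Audit helper: which users can exercise a given permission."""
    return {u for u in USER_ROLES if is_authorized(u, permission)}


if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, sorted(effective_permissions(user)))
    print("can change security config:",
          sorted(users_with_permission("/permission/admin/configure/security")))
```

The audit helper is the part worth keeping around: because permissions accumulate across roles, reviewing a role in isolation does not tell you what a user can actually do; enumerating users per sensitive permission node does.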

...




Adding a user role

Follow the instructions below to add a user role.

  1. On the Configure tab in the management console, click Users and Roles.
  2. Click Roles. This link is only visible to users with the Admin role. 
  3. Click Add New Role.
  4. Do the following:
    1. In the Domain list, specify the user store where you want to create this role.
    2. Enter a unique name for this role.
    3. Click Next.
  5. Select the permissions you want users with this role to have. Note that when you assign this role to a user, you can override the role's permissions and customize them for the user. 
  6. Select the existing users you want to have this role. You can also assign this role to users later, but if you are creating this role in an external user store that does not allow empty roles, you must assign it to at least one user. You can search for a user by name, or view all users by entering * in the search field.
  7. Click Finish.

The role is created and is listed on the Roles page. You can now edit the role as needed.    

Info

When adding roles to external user stores, note the following:

  • Some external user stores do not allow you to create empty roles. In that case, selecting users who belong to a role is mandatory.
  • If you connect to an external user store (e.g., LDAP) in read-only mode, you can read existing roles from it, but you can not edit/delete the roles. In this case, you can still create new roles that are editable and can be managed internally.
  • If you connect to an external user store in read/write mode, you can edit the roles in the external user store as well.

Searching for user roles

You can search for an existing user role using the search facility on the Roles screen as follows:

  1. Select the domain (unique identifier) of the user store where you want to search for the role. By default, there are three options:
    • PRIMARY: Searches within the primary user store
    • ALL-USER-STORE-DOMAINS: Searches within all user stores configured in the system.
    • Internal: Searches in the database where internal/system-reserved user roles such as Internal/everyone are stored.
  2. Enter the role name pattern.  For example, if you enter "ab*", it returns all roles that have names starting with "ab". 
  3. Click Search to see the results.

Editing or deleting a role

If you need to make modifications to a role, select the domain (user store) where the role resides, and then use the links in the Actions column on the Roles screen as follows:

  • Rename the role
  • Change the default permissions associated with this role
  • Assign this role to users
  • View the users who are assigned this role
  • Delete the role if you no longer need it

Info

If the role is in an external user store to which you are connected in read-only mode, you will be able to view the existing roles but not edit or delete them. However, you can still create new editable roles.

Updating role names

If you need to make modifications to the role names, you need to do one of the following:

Update before the first startup (recommended)

The default role names (admin and everyone) can be changed before starting the WSO2 product by editing <PRODUCT_HOME>/repository/conf/user-mgt.xml.

<Configuration> 
	<AdminRole>admin</AdminRole> 
	<AdminUser> 
		<UserName>admin</UserName> 
		<Password>admin</Password> 
	</AdminUser> 
	<EveryOneRoleName>everyone</EveryOneRoleName> <!-- By default, users in this role see the registry root --> 
	<Property name="dataSource">jdbc/WSO2CarbonDB</Property> 
	<Property name="MultiTenantRealmConfigBuilder">org.wso2.carbon.user.core.config.multitenancy.SimpleRealmConfigBuilder</Property> 
</Configuration>

The following are the changes that need to be made in the configurations above:

  • Change <AdminRole>admin</AdminRole> to <AdminRole>administrator</AdminRole>.
  • Change <EveryOneRoleName>everyone</EveryOneRoleName> to <EveryOneRoleName>Your role</EveryOneRoleName>.
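As an added example (not part of any WSO2 product), the rename above can be applied to user-mgt.xml with a small script that edits the elements through an XML parser rather than by hand, and then reads the result back to confirm it before the first startup. The embedded configuration is the fragment shown on the page; the file path in the usage line is a placeholder, and the check for the shipped admin password is an extra step not described on the page.

```python
"""Added example (not WSO2 code): rename the default admin and everyone roles
in user-mgt.xml and verify the result before the product's first startup."""
import xml.etree.ElementTree as ET

# Sample configuration, taken from the fragment on the page (comment dropped).
SAMPLE_USER_MGT = """<Configuration>
  <AdminRole>admin</AdminRole>
  <AdminUser>
    <UserName>admin</UserName>
    <Password>admin</Password>
  </AdminUser>
  <EveryOneRoleName>everyone</EveryOneRoleName>
  <Property name="dataSource">jdbc/WSO2CarbonDB</Property>
</Configuration>"""


def rename_default_roles(xml_text: str, admin_role: str, everyone_role: str) -> str:
    """Return the configuration with <AdminRole> and <EveryOneRoleName> replaced.

    Both names must be non-empty and distinct; the elements are located with a
    descendant search so the function also works when <Configuration> is
    nested inside other elements.
    """
    if not admin_role or not everyone_role or admin_role == everyone_role:
        raise ValueError("role names must be non-empty and distinct")
    root = ET.fromstring(xml_text)
    for tag, value in (("AdminRole", admin_role), ("EveryOneRoleName", everyone_role)):
        node = root.find(f".//{tag}")
        if node is None:
            raise ValueError(f"<{tag}> not found in configuration")
        node.text = value
    return ET.tostring(root, encoding="unicode")


def read_role_names(xml_text: str) -> dict:
    """Read back the two role names so the change can be confirmed."""
    root = ET.fromstring(xml_text)
    return {
        "admin_role": root.findtext(".//AdminRole"),
        "everyone_role": root.findtext(".//EveryOneRoleName"),
    }


def default_admin_password_set(xml_text: str) -> bool:
    """True when <AdminUser><Password> still holds the shipped value 'admin'."""
    root = ET.fromstring(xml_text)
    return root.findtext(".//AdminUser/Password") == "admin"


if __name__ == "__main__":
    # Placeholder path: replace <PRODUCT_HOME> with the real installation directory.
    updated = rename_default_roles(SAMPLE_USER_MGT, "administrator", "Your role")
    print(read_role_names(updated))
    if default_admin_password_set(updated):
        print("note: the admin password in user-mgt.xml is still the shipped default")
```

Because the same names are written into the user store on first startup, reading them back from the file before starting the server is the cheap check; after the first startup the database-level steps in the next section apply instead.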
Update after the product has been used for some time

You do not have to do this when updating before the first startup. The following steps guide you through updating the role names:

  1. Make the configuration changes indicated in the above section.
  2. You need to do the following user store level changes for existing users if you have changed the role names as mentioned earlier. 
    • If you are connected to JDBCUserStoreManager, you need to update the UM_USER_ROLE table for the existing users after changing the 'admin' and 'everyone' role names. Also, if you have changed the permissions of the 'everyone' role, the UM_ROLE_PERMISSION table has to be updated with the permissions of the new role.

      Info

      The schema can be located by referring to the data source defined in the user-mgt.xml file. The data source definition can be found under repository/conf/datasources/master-datasources.xml.

    • If you are connected to ReadWriteLdapUserStoreManager, you need to add the members of the previous admin role to the new role under Groups.
  3. After making the changes, restart the server.


Instructions on how to create and add a new user role in the WSO2 Identity Server.