To enable users to log into the IS Management Console, you create user accounts and assign them roles, which are sets of permissions. You can add individual users or import users in bulk. The following sections list out the various ways to configure your users.
...
You can create new users using any of the following methods and then assign the roles to the created users:
Creating a new user using the management console
Follow the instructions below to add a new user account and configure its role.
- On the Main tab in the Management Console, click Add under Users and Roles.
- Click Users. This link is only visible to users with the Admin role.
- Click Add New User. The following screen appears.
Warning |
---|
Do not use the special character "#" when defining any of the user naming attributes, since it is reserved for a specific functionality. This condition applies across all user stores. |
Info |
---|
When giving a username, it should not contain a forward slash ("/") or any special character ("&", "$", "%"), as specified by the <Property name="UsernameJavaRegEx"> property in the user-mgt.xml file in <IS_HOME>/repository/conf. |
- Do the following:
  - In the Domain list, specify the user store where you want to create this user account. This includes the list of user stores you configured. See Configuring the Realm for more information.
  - Enter a unique username and the password that the person will use to log in. By default, the password must be at least five characters.
  - If you need to assign a role to the user, click Next and go to step 5, or click Finish to end the flow.
- Optionally, select the role(s) you want this user to have. If you have many roles in your system, you can search for them by name.
- Click Finish.
A new user account is created with the specified roles and is listed on the Users page.
Assigning roles to the user
- On the Main tab in the Management Console, click List under Users and Roles.
- Click Users. This link is only visible to users with the Admin role.
- Click the Assign Roles link that corresponds to the user you want to assign to a role.
- Select the role(s) you want to assign and click Update.
- Click Finish.
The user is assigned to the specified roles. You can view a user's roles by clicking on the View Roles link on the user list.
Note |
---|
Internal/everyone: This is a conceptual role that is used to group all the users (across the user stores) together. When you create a new user, the user automatically belongs to the Internal/everyone role. By default, this role does not contain any permissions. You can assign permissions depending on the requirement. |
Creating new users using the ask password option
See the Creating users using the ask password option page for guidance on user creation using the ask password option.
Creating new users using SCIM
Instead of creating the user through the management console, you can also create it using a SCIM request, as seen below.
Info |
---|
In the request, you can avoid providing the password of the new user by enabling the ask password option and providing the email address of the user. The user then receives an email at that address to confirm the account and set the password. |
Code Block |
---|
| curl -v -k --user admin:admin --data '{"schemas":[],"name":{"familyName":"familyName","givenName":"givenName"},"userName":"username","password":"password","emails":[{"primary":true,"value":"wso2_home.com","type":"home"},{"value":"wso2_work.com","type":"work"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users |
Code Block |
---|
| {"id":"0d2714d0-6a33-4ddd-b4e0-612584c4a8c8","schemas":["urn:scim:schemas:core:1.0"],"name":{"familyName":"familyName","givenName":"givenName"},"userName":"username","emails":[{"value":"wso2_home.com","type":"home"},{"value":"wso2_work.com","type":"work"}],"meta":{"lastModified":"2016-01-25T11:44:14","location":"https://localhost:9443/wso2/scim/Users/0d2714d0-6a33-4ddd-b4e0-612584c4a8c8","created":"2016-01-25T11:44:14"}} |
Creating new users using SOAP
The user can also be created by calling the RemoteUserStoreManager service. If you are new to admin services, see Calling Admin Services.
Disable the hidden admin service property in the <IS_HOME>/repository/conf/carbon.xml file. By default, the admin service WSDLs are hidden, as it is not recommended to expose these URLs to users. However, they can be exposed if administrators need to access them.
Code Block |
---|
<HideAdminServiceWSDLs>false</HideAdminServiceWSDLs> |
Open the following Admin Service from SOAP UI: https://localhost:9443/services/RemoteUserStoreManagerService?wsdl
Info |
---|
If you have configured WSO2 IS to use an IP or hostname, replace localhost with your IP or hostname. |
Call the addUser() method to create the user and make sure to give the email address of the user. This is similar to the following SOAP request.
Code Block |
---|
language | xml |
---|
title | SOAP Request |
---|
| <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.ws.um.carbon.wso2.org" xmlns:xsd="http://common.mgt.user.carbon.wso2.org/xsd">
  <soapenv:Header/>
  <soapenv:Body>
    <ser:addUser>
      <ser:userName>username</ser:userName>
      <!--Zero or more repetitions:-->
      <ser:roleList>admin</ser:roleList>
      <!--Zero or more repetitions:-->
      <ser:claims>
        <xsd:claimURI>http://wso2.org/claims/emailaddress</xsd:claimURI>
        <xsd:value>wso2demomail@gmail.com</xsd:value>
      </ser:claims>
      <ser:profileName>default</ser:profileName>
      <ser:requirePasswordChange>true</ser:requirePasswordChange>
    </ser:addUser>
  </soapenv:Body>
</soapenv:Envelope> |
Note |
---|
There will be no SOAP response as this is a one way SOAP operation. You can check successful creation of the user account using the management console by clicking Users and Roles>Users>List under the Configure section. |
Update users
Update user using management console
Follow the instructions below to update a user using the management console.
- On the Main tab in the Management Console, click List under Users and Roles.
- Click Users. This link is only visible to users with the Admin role.
- You will see the list of users that are available and you can click Update Profile if you want to update the profile of a particular user.
- There you can update the details of the user and click Update.
Other than updating user profile details, you can also change the password of the user and assign more roles to the user.
Update user using SCIM
You can use the following SCIM cURL commands to update a user created using SCIM.
Code Block |
---|
|
curl -v -k --user {IS_USERNAME}:{IS_PASSWORD} -X PATCH -d '{"schemas":[],"name":{"familyName":"{LAST_NAME}","givenName":"{FIRST_NAME}"},"userName":"{USERNAME}","emails":[{"value":"{EMAIL}","type":"work"}]}' --header "Content-Type:application/json" https://{IS_IP}:{IS_PORT}/wso2/scim/Users/{SCIM_USER_ID} |
Code Block |
---|
|
curl -v -k --user admin:admin -X PATCH -d '{"schemas":[],"name":{"familyName":"gunasinghe","givenName":"hasinitg"},"userName":"hasinitg","emails":[{"value":"hasini@wso2.com","type":"work"},{"value":"hasi7786@gmail.com","type":"home"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users/0032fd29-55a9-4fb9-be82-b1c97c073f02 |
You can use the "PUT" operation instead of "PATCH", but PUT will delete all the other claims of the user that are not updated by the command. Therefore, the PATCH operation is recommended instead of the PUT operation.
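The difference between PUT and PATCH described above can be checked before a request is sent. The following is an added example, not code from the product or its documentation: it models PUT as a full replacement, lists the stored claims that a partial body would wipe, and builds a complete body for cases where PUT must be used. The function names, the `phoneNumbers` and `title` values and the stored record are constructed for illustration.

```python
import copy

SERVER_MANAGED = {"id", "meta", "schemas"}  # set by the server, not user claims

# Constructed stored user; names and emails reuse the page's PATCH example,
# phoneNumbers and title are sample claims added for illustration.
CURRENT = {
    "id": "0032fd29-55a9-4fb9-be82-b1c97c073f02",
    "userName": "hasinitg",
    "name": {"familyName": "gunasinghe", "givenName": "hasinitg"},
    "emails": [{"value": "hasini@wso2.com", "type": "work"},
               {"value": "hasi7786@gmail.com", "type": "home"}],
    "phoneNumbers": [{"value": "+1-555-0100", "type": "mobile"}],
    "title": "Engineer",
}
# Constructed partial update that a client might send with PUT.
PARTIAL = {"schemas": [], "userName": "hasinitg", "name": {"familyName": "perera"},
           "emails": [{"value": "hasini@wso2.com", "type": "work"}]}

def lost_on_put(current, body, prefix=""):
    """Paths stored in `current` that a PUT of `body` would delete."""
    lost = []
    for key, value in current.items():
        if not prefix and key in SERVER_MANAGED:
            continue
        path = prefix + key
        if key not in body:
            lost.append(path)
        elif isinstance(value, dict) and isinstance(body[key], dict):
            lost += lost_on_put(value, body[key], path + ".")
        elif isinstance(value, list):
            sent = body[key] if isinstance(body[key], list) else []
            for item in value:
                if item not in sent:
                    label = item.get("type", "?") if isinstance(item, dict) else item
                    lost.append(f"{path}[{label}]")
    return lost

def full_put_body(current, changes):
    """Overlay `changes` on the stored user so a PUT still carries every claim."""
    body = {k: copy.deepcopy(v) for k, v in current.items() if k not in SERVER_MANAGED}
    def overlay(target, source):
        for key, value in source.items():
            if isinstance(value, dict) and isinstance(target.get(key), dict):
                overlay(target[key], value)
            else:
                target[key] = copy.deepcopy(value)
    overlay(body, changes)
    return body
```

Calling `lost_on_put(CURRENT, PARTIAL)` reports the given name, the home email, the phone number and the title as claims the partial PUT would remove.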
Update user using SOAP
Users can also update their claims by calling the RemoteUserStoreManager service. If you are new to admin services, see Calling Admin Services.
Disable the hidden admin service property in the <IS_HOME>/repository/conf/carbon.xml file. By default, the admin service WSDLs are hidden, as it is not recommended to expose these URLs to users. However, they can be exposed if administrators need to access them.
Code Block |
---|
<HideAdminServiceWSDLs>false</HideAdminServiceWSDLs> |
Open the following Admin Service from SOAP UI: https://localhost:9443/services/RemoteUserStoreManagerService?wsdl
Info |
---|
If you have configured WSO2 IS to use an IP or hostname, replace localhost with your IP or hostname. |
There are a few SOAP service methods that you can use to update user details by calling the above admin service.
updateCredential(): This is the method used to update the password of the user.
Code Block |
---|
|
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.ws.um.carbon.wso2.org">
  <soapenv:Header/>
  <soapenv:Body>
    <ser:updateCredential>
      <!--Optional:-->
      <ser:userName>user123</ser:userName>
      <!--Optional:-->
      <ser:newCredential>password123</ser:newCredential>
      <!--Optional:-->
      <ser:oldCredential>password</ser:oldCredential>
    </ser:updateCredential>
  </soapenv:Body>
</soapenv:Envelope> |
updateUserListOfRole(): This is the method used to update the roles of the user.
Code Block |
---|
|
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.ws.um.carbon.wso2.org">
  <soapenv:Header/>
  <soapenv:Body>
    <ser:updateUserListOfRole>
      <!--Optional:-->
      <ser:roleName>admin123</ser:roleName>
      <!--Zero or more repetitions:-->
      <ser:deletedUsers>sampleUser</ser:deletedUsers>
      <!--Zero or more repetitions:-->
      <ser:newUsers>user123</ser:newUsers>
    </ser:updateUserListOfRole>
  </soapenv:Body>
</soapenv:Envelope> |
...
Info |
---|
Note the following before you use this feature:
- If the option to import users in bulk is not enabled in your product by default, you can enable it by adding the following property to the JDBC user store configured in the user-mgt.xml file (stored in the <PRODUCT_HOME>/repository/conf directory). Please see the User Store management section for more information.
Code Block |
---|
<Property name="IsBulkImportSupported">true</Property> |
- It is recommended to upload a maximum of 500,000 users at a time. If you need to upload more users, you can upload them in separate batches of 500,000 each.
- You can also specify the maximum size of the file that you can upload to the product in the <PRODUCT_HOME>/repository/conf/carbon.xml file using the TotalFileSizeLimit element as shown below. This value is in MB.
Code Block |
---|
<TotalFileSizeLimit>100</TotalFileSizeLimit> |
|
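Before a bulk import, the list of usernames can be checked against the rules stated on this page: the reserved "#", the "/", "&", "$" and "%" characters, the UsernameJavaRegEx property, the IsBulkImportSupported property and the recommended batch size of 500,000. The following is an added example, not part of the product or its documentation; the function names, the sample user-mgt.xml fragment and its regex value are constructed, and it assumes the configured pattern must match the whole username.

```python
import re
import xml.etree.ElementTree as ET

# Constructed user-mgt.xml fragment; the regex is a sample value, not a product default.
SAMPLE_USER_MGT = """<UserStoreManager>
  <Property name="UsernameJavaRegEx">^[A-Za-z0-9._-]{3,30}$</Property>
  <Property name="IsBulkImportSupported">true</Property>
</UserStoreManager>"""
# Constructed candidate usernames for the import.
SAMPLE_NAMES = ["alice", "bob#1", "PRIMARY/carol", "al", "dave&co", "alice",
                "erin.k", "frank-7"]
RESERVED = set("#/&$%")   # characters the page rules out of usernames
MAX_BATCH = 500_000       # recommended maximum number of users per upload

def store_properties(xml_text):
    """Map each <Property name="..."> of the user store to its text value."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): (p.text or "").strip() for p in root.iter("Property")}

def username_problems(name, pattern):
    """Return the reasons a username would be refused (empty list if none)."""
    problems = []
    bad = sorted(RESERVED.intersection(name))
    if bad:
        problems.append("reserved character: " + " ".join(bad))
    # Assumption: the configured Java regex must match the whole username and
    # uses syntax that Python's re module reads the same way.
    if not pattern.fullmatch(name):
        problems.append("fails UsernameJavaRegEx")
    return problems

def preflight(usernames, xml_text, batch_size=MAX_BATCH):
    """Return (batches, rejected) for a list of usernames to import."""
    props = store_properties(xml_text)
    if props.get("IsBulkImportSupported", "").lower() != "true":
        raise ValueError("IsBulkImportSupported is not enabled for this user store")
    pattern = re.compile(props["UsernameJavaRegEx"])
    accepted, rejected, seen = [], [], set()
    for name in usernames:
        problems = username_problems(name, pattern)
        if name in seen:
            problems.append("duplicate")
        seen.add(name)
        if problems:
            rejected.append((name, problems))
        else:
            accepted.append(name)
    batches = [accepted[i:i + batch_size] for i in range(0, len(accepted), batch_size)]
    return batches, rejected
```

Run `preflight(SAMPLE_NAMES, SAMPLE_USER_MGT, batch_size=2)` to see the sample names split into two batches with five entries rejected.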
...