According to the default configuration in WSO2 productsconfigurations in the EI profile, the Users, Roles and Permissions are stored in the same repository (i.e., the default, embedded H2 database). However, you can change this configuration in such a way that the Users and Roles are stored in one repository (User Store) and the Permissions are stored in a separate repository. A user store can be a typical RDBMS, an LDAP or an external Active Directory. For information on how the repositories for storing information about users and roles are configured, see Configuring User Stores.
The repository that stores Permissions should always be an RDBMS. The Authorization Manager configuration in the user-mgt.xml file (stored in the <PRODUCT_HOME>/repository/conf/
directory of the respective profile) connects the system to this RDBMS.
...
- Change the default H2 database or set up another RDBMS for storing permissions.
- When you set up an RDBMS for your system, it is necessary to create a corresponding datasource, which allows the system to connect to the database.
- If you are replacing the default H2 database with a new RDBMS, update the
master-datasource.xml
file (stored in the <PRODUCT_HOME>/repositorythe/conf/datasources/
directory of the EI profile) with the relevant information. - Alternatively, create a new XML file with the datasource information of your new RDBMS and store it in the same
<PRODUCT_HOME>/repository/conf/datasources/
directory of the EI profile.
- If you are replacing the default H2 database with a new RDBMS, update the
For information on how you can set up a new RDBMS and configure it for your system, see Setting Up the Physical Database, and for information on the purpose of defining datasources and how they are configured for a product, see Managing Datasources.
Step 2: Updating the user realm configurations
...
Update the datasource information using the <Property>
element under <Configuration>
. Given below are the properties that are set by default.
Property Name | Description | Mandatory/Optional |
---|---|---|
dataSource | This is the jndi name of the datasource that is used for referring to the datasource. In the following example, the jndi name of the default datasource defined in the |
| Mandatory | |
isCascadeDeleteEnabled | This property is set to 'true' by default, which enables cascade delete for the UM_USER_PERMISSION and UM_ROLE_PERMISSION tables when a permission gets deleted from the UM_PERMISSION table. That is, if a record in the parent table is deleted the corresponding records in the child table will be automatically deleted. | Mandatory |
You can add more optional configurations using the <Property>
element:
Property Name | Description | Mandatory/Optional |
---|---|---|
testOnBorrow | It is recommended to set this property to 'true' so that object connections will be validated before being borrowed from the JDBC pool. For this property to be effective, the |
|
Optional |
Configuring the Authorization Manager
...
- The
org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager
class enables the Authorization Manager for your productEI profile. - The
AdminRoleManagementPermissions
property sets the registry path where the authorization information (role-based permissions) are stored. Note that this links to the repository that you defined in Step 1. It is recommended to enable the
GetAllRolesOfUserEnabled
property in theAuthorizationManager
as follows:Code Block <Property name="GetAllRolesOfUserEnabled">true</Property>
Although using the user store manager does not depend on this property, you must consider enabling this if there are any performance issues in your production environment. Enabling this property affects the performance when the user logs in. This depends on the users, roles and permission stats.
By default, the rules linked to a permission (role name, action, resource) are not case sensitive. If you want to make them case sensitive, enable the following property:
Code Block <Property name="CaseSensitiveAuthorizationRules">true</Property>