...
| Info | ||
|---|---|---|
To access the admin dashboard from another role(excluding admin), open
|
Updating the administrator
...
Note the following regarding the configuration above.
| Element | Description |
|---|---|
<AddAdmin> | When true, this element creates the admin user based on the AdminUser element. It also indicates whether to create the specified admin user if it doesn't already exist. When connecting to an external read-only LDAP or Active Directory user store, this property needs to be false if an admin user and admin role exist within the user store. If the admin user and admin role do not exist in the user store, this value should be true, so that the role is added to the user management database. However, if the admin user is not there in the user store, we must add that user to the user store manually. If the AddAdmin value is set to true in this case, it will generate an exception. |
<AdminRole>wso2admin</AdminRole> | This is the role that has all administrative privileges of the WSO2 product, so all users having this role are admins of the product. You can provide any meaningful name for this role. This role is created in the internal H2 database when the product starts. This role has permission to carry out any actions related to the Management Console. If the user store is read-only, this role is added to the system as a special internal role where users are from an external user store. |
<AdminUser> | Configures the default administrator for the WSO2 product. If the user store is read-only, the admin user must exist in the user store or the system will not start. If the external user store is read-only, you must select a user already existing in the external user store and add it as the admin user that is defined in the |
<UserName> | This is the username of the default administrator or super tenant of the user store. If the user store is read-only, the admin user MUST exist in the user store for the process to work. |
<Password> |
If the user store is read-only, this element and its value are ignored after the server starts for the first time. Therefore we can reset this password back to the original value/variable after server starts for the first time. This password is used only if the user store is read-write and |
the |
value is set |
to
| ||
<EveryOneRoleName> | The name of the "everyone" role. All users in the system belong to this role. |
Configuring the authorization manager
...
Set up the database connection by update the datasource information using the
<Property>element under<Configuration>. The jndi name of the datasource should be used to refer to the datasource. In the following example, the jndi name of the default datasource defined in the<PRODUCT_HOME>/repository/conf/datasources/master-datasources.xmlfile is linked from theuser-mgt.xmlfile.Code Block language html/xml linenumbers true <Realm> <Configuration> .......... <Property name="dataSource">jdbc/WSO2CarbonDB</Property> </Configuration> ... </Realm>
You can add more configurations using the
<Property>element:Property Name
Description
Mandatory/Optional testOnBorrowIt is recommended to set this property to 'true' so that object connections will be validated before being borrowed from the JDBC pool. For this property to be effective, the
validationQueryparameter in the<PRODUCT_HOME>/repository/conf/datasources/master-datasources.xmlfile should be a non-string value. This setting will avoid connection failures. See the section on performance tuning of WSO2 products for more information.Optional The default Authorization Manager section in the
user-mgt.xmlfile is shown below. This can be updated accordingly.Code Block <AuthorizationManager class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager"> <Property name="AdminRoleManagementPermissions">/permission</Property> <Property name="AuthorizationCacheEnabled">true</Property> </AuthorizationManager>- The
org.wso2.carbon.user.core.authorization.JDBCAuthorizationManagerclass enables the Authorization Manager for your product. - The
AdminRoleManagementPermissionsproperty sets the registry path where the authorization information (role-based permissions) are stored. Note that this links to the repository that you defined in Step 1. It is recommended to enable the
GetAllRolesOfUserEnabledproperty in theAuthorizationManageras follows:Code Block <Property name="GetAllRolesOfUserEnabled">true</Property>
Although using the user store manager does not depend on this property, you must consider enabling this if there are any performance issues in your production environment. Enabling this property affects the performance when the user logs in. This depends on the users, roles and permission stats.
By default, the rules linked to a permission (role name, action, resource) are not case sensitive. If you want to make them case sensitive, enable the following property:
Code Block <Property name="CaseSensitiveAuthorizationRules">true</Property>
- The
...