To enable users to log into the IS Management Console, you create user accounts and assign them roles, which are sets of permissions. You can add individual users or import users in bulk. The following sections describe the ways to configure your users.
...
You can create new users using any of the following methods and then assign the roles to the created users:
Creating a new user using the management console
Follow the instructions below to add a new user account and configure its role.
A new user account is created with the specified roles and is listed on the Users page.
Assigning roles to the user
The user is assigned to the specified roles. You can view a user's roles by clicking on the View Roles link on the user list.
Creating new users using the ask password option
See the Creating users using the ask password option page for guidance on user creation using the ask password option.
Creating new users using SCIM
Instead of creating the user through the management console, it can also be done using a SCIM request as seen below.
Creating new users using SOAP
The user can also be created by calling the
Update users
Update user using management console
Follow the instructions below to update a user using the management console.
- On the Main tab in the Management Console, click List under Users and Roles.
- Click Users. This link is only visible to users with the Admin role.
- The list of available users is displayed. Click Update Profile next to the user whose profile you want to update.
- Update the details of the user and click Update.
Other than updating user profile details, you can also change the password of the user and assign more roles to the user.
Update user using SCIM
You can use the following SCIM cURL commands to update a user created using SCIM. The first command is the template; the second uses sample values.
curl -v -k --user {IS_USERNAME}:{IS_PASSWORD} -X PATCH -d '{"schemas":[],"name":{"familyName":"{LAST_NAME}","givenName":"{FIRST_NAME}"},"userName":"{USERNAME}","emails":[{"value":"{EMAIL}","type":"work"}]}' --header "Content-Type:application/json" https://{IS_IP}:{IS_PORT}/wso2/scim/Users/{SCIM_USER_ID}
curl -v -k --user admin:admin -X PATCH -d '{"schemas":[],"name":{"familyName":"gunasinghe","givenName":"hasinitg"},"userName":"hasinitg","emails":[{"value":"hasini@wso2.com","type":"work"},{"value":"hasi7786@gmail.com","type":"home"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users/0032fd29-55a9-4fb9-be82-b1c97c073f02
You can use the "PUT" operation instead of "PATCH", but PUT replaces the whole user resource, so every claim of the user that is not included in the request body is deleted. Therefore, the PATCH operation is recommended instead of the PUT operation.
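As an added example that is not part of the original page, the Python below builds the same JSON body the cURL commands send, models the PUT-versus-PATCH difference just described on a constructed user record, and sends the request with TLS certificate verification instead of curl's -k. The apply_put and apply_patch functions are a simplified model of the server's behaviour, not WSO2's own code, and EXISTING_USER is a constructed sample.

```python
import json
import ssl
import urllib.request
from base64 import b64encode

# Constructed sample of a user as the server might hold it (illustrative only;
# a real WSO2 IS response carries more attributes and metadata).
EXISTING_USER = {
    "id": "0032fd29-55a9-4fb9-be82-b1c97c073f02",
    "userName": "hasinitg",
    "name": {"familyName": "gunasinghe", "givenName": "hasinitg"},
    "emails": [{"value": "hasini@wso2.com", "type": "work"}],
    "phoneNumbers": [{"value": "+94110000000", "type": "work"}],  # not in the update
}

def build_update_body(family_name, given_name, user_name, emails):
    """Build the same JSON body the cURL commands on this page send."""
    return {
        "schemas": [],
        "name": {"familyName": family_name, "givenName": given_name},
        "userName": user_name,
        "emails": [{"value": value, "type": kind} for value, kind in emails],
    }

def apply_put(existing, body):
    """Model of PUT semantics: the resource is replaced, so attributes that are
    not in the body (phoneNumbers here) are lost; only the id is preserved."""
    return {"id": existing["id"], **body}

def apply_patch(existing, body):
    """Model of PATCH semantics: attributes in the body are merged over the
    existing resource and everything else is kept."""
    return {**existing, **body}

def send_update(base_url, scim_user_id, username, password, body,
                method="PATCH", cafile=None):
    """Send the update to /wso2/scim/Users/{id}. TLS is verified against the
    system trust store or `cafile` instead of being skipped as with curl -k."""
    ctx = ssl.create_default_context(cafile=cafile)
    token = b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/wso2/scim/Users/{scim_user_id}",
        data=json.dumps(body).encode(),
        method=method,
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
    )
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status, json.loads(resp.read() or b"{}")
```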
Update user using SOAP
Users can also be updated by calling the RemoteUserStoreManager service. If you are new to admin services, see Calling Admin Services.
Disable the hidden admin service property in the <IS_HOME>/repository/conf/carbon.xml file.
By default, the admin services are disabled as it is not recommended to expose these URLs to users. However, they can be enabled if they need to be accessed by administrators.
<HideAdminServiceWSDLs>false</HideAdminServiceWSDLs>
Open the following Admin Service from SOAP UI: https://localhost:9443/services/RemoteUserStoreManagerService?wsdl
Info: If you have configured WSO2 IS to use an IP or hostname, replace localhost with your IP or hostname.
There are several SOAP service methods that can be used to update user details by calling the above admin service.
updateCredential(): This is the method used to update the password of the user.
Request: Sample
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.ws.um.carbon.wso2.org">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:updateCredential>
         <!--Optional:-->
         <ser:userName>user123</ser:userName>
         <!--Optional:-->
         <ser:newCredential>password123</ser:newCredential>
         <!--Optional:-->
         <ser:oldCredential>password</ser:oldCredential>
      </ser:updateCredential>
   </soapenv:Body>
</soapenv:Envelope>
updateUserListOfRole(): This is the method used to update the roles of the user.
Request: Sample
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.ws.um.carbon.wso2.org">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:updateUserListOfRole>
         <!--Optional:-->
         <ser:roleName>admin123</ser:roleName>
         <!--Zero or more repetitions:-->
         <ser:deletedUsers>sampleUser</ser:deletedUsers>
         <!--Zero or more repetitions:-->
         <ser:newUsers>user123</ser:newUsers>
      </ser:updateUserListOfRole>
   </soapenv:Body>
</soapenv:Envelope>
...
Info: Note the following before you use this feature:
...
Note: In WSO2 IS, you can choose to leave the password empty, as shown by the third line in the sample file below. To use this option, you need to first enable the Ask Password option for the server.
...
WSO2 Identity Server (WSO2 IS) allows you to track details related to user deletion by writing the following information to a log file each time a user is deleted:
- Username: The username of the deleted user.
- Domain name: The user store domain name of the deleted user.
- Tenant domain: The tenant domain name of the deleted user.
- Tenant ID: The tenant ID of the deleted user.
- Timestamp: The timestamp at which the user was deleted.
You can use this log file as an input to the Identity Anonymization tool that is packaged with WSO2 Identity Server, to ensure that you remove references to all deleted user identities.
Follow the steps below to configure WSO2 Identity Server to log details related to user deletion each time you delete a user:
Edit the <IS_HOME>/repository/conf/identity/identity.xml file, and set enable to true in the following event listener:
<EventListeners>
    <EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.user.mgt.listeners.UserDeletionEventListener" orderId="98" enable="false"/>
</EventListeners>
Edit the <IS_HOME>/repository/conf/identity/identity.xml file, and set enable to true in the following event recorder:
<UserDeleteEventRecorders>
    <UserDeleteEventRecorder name="org.wso2.carbon.user.mgt.recorder.DefaultUserDeletionEventRecorder" enable="false">
    </UserDeleteEventRecorder>
</UserDeleteEventRecorders>
This results in all user delete events being logged using a log4j appender and written in CSV format to the <IS_HOME>/repository/logs/delete-event.log file.
Tip: If necessary, you can write user delete event details to a custom CSV file that you specify. To do this, add the following property within the <UserDeleteEventRecorder> element in the <IS_HOME>/repository/conf/identity/identity.xml file, and specify the required custom CSV file path.
<Property name="path">${carbon.home}/repository/logs/delete-records.csv</Property>
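As an added example that is not part of the original page, the Python below parses delete-event.log lines into records and flags bursts of deletions per tenant, which is what a defender would want to alert on before feeding the file to the anonymization tool. The log content is a constructed sample, and the column order is an assumption taken from the field list above; verify it against the real file.

```python
import csv
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of delete-event.log content. The column order is assumed to
# follow the field list on this page (username, user store domain, tenant domain,
# tenant ID, timestamp); confirm it against the real file before relying on it.
SAMPLE_LOG = """\
alice,PRIMARY,carbon.super,-1234,2019-03-12T10:15:02
bob,PRIMARY,carbon.super,-1234,2019-03-12T10:15:05
carol,LDAP,acme.com,1,2019-03-12T10:15:09
dave,PRIMARY,carbon.super,-1234,2019-03-12T10:15:11
erin,PRIMARY,carbon.super,-1234,2019-03-12T14:40:00
"""

FIELDS = ("username", "domain", "tenant_domain", "tenant_id", "timestamp")

def parse_delete_events(text):
    """Parse CSV lines into dicts; malformed lines are skipped, not guessed."""
    events = []
    for row in csv.reader(text.splitlines()):
        if len(row) != len(FIELDS):
            continue
        ev = dict(zip(FIELDS, (col.strip() for col in row)))
        ev["tenant_id"] = int(ev["tenant_id"])
        ev["timestamp"] = datetime.fromisoformat(ev["timestamp"])
        events.append(ev)
    return events

def deletions_per_tenant(events):
    """Count deleted users per tenant domain (input for the anonymization run)."""
    return Counter(ev["tenant_domain"] for ev in events)

def bulk_deletion_windows(events, window=timedelta(minutes=1), threshold=3):
    """Return {tenant: max users deleted within `window`} for tenants that reach
    `threshold`. A burst of deletions is worth alerting on: it may be a runaway
    script or an admin account being misused."""
    by_tenant = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        by_tenant[ev["tenant_domain"]].append(ev["timestamp"])
    flagged = {}
    for tenant, times in by_tenant.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[tenant] = max(flagged.get(tenant, 0), end - start + 1)
    return flagged
```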
Tip: By default, all logs related to user deletion are written in CSV format to a specified log file. You can extend this functionality to log the details in any other format you want, and you can also extend it to write the details to a text file, database, or any other destination depending on your requirement. Follow the steps below if you want to extend the functionality of the event recorder:
...