To enable users to log into the IS Management Console, you create user accounts and assign them roles, which are sets of permissions. You can add individual users or import users in bulk. The following sections describe the various ways to configure your users.

...

You can create new users using any of the following methods and then assign the roles to the created users:


Creating a new user using the management console

Follow the instructions below to add a new user account and configure its role.

  1. On the Main tab in the Management Console, click Add under Users and Roles.
  2. Click Users. This link is only visible to users with the Admin role. 
  3. Click Add New User. The following screen appears.

    Warning

    Do not use the special character "#" when defining any of the user naming attributes, since it is reserved for a specific functionality. This applies across all user stores.

    Info

    When choosing a username, it must not contain a backslash ("/") or any of the special characters "&", "$" and "%", as specified by the <Property name="UsernameJavaRegEx"> property in <IS_HOME>/repository/conf/user-mgt.xml.

  4. Do the following:
    1. In the Domain list, specify the user store where you want to create this user account. This includes the list of user stores you configured. See Configuring the Realm for more information.
    2. Enter a unique username and the password that the person will use to log in. By default, the password must be at least five characters. 
    3. If you need to assign a role to the user, click Next and go to step 5; otherwise click Finish to end the flow.
  5. Optionally, select the role(s) you want this user to have. If you have many roles in your system, you can search for them by name.
  6. Click Finish.

A new user account is created with the specified roles and is listed on the Users page.
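As an added example (not from the WSO2 documentation), the following Python script applies the two naming rules above before a username reaches the server: the reserved "#" check and the UsernameJavaRegEx property read from a user-mgt.xml fragment. The XML fragment and its regex value are constructed for this example; a real deployment reads the property of the configured user store.

```python
import re
import xml.etree.ElementTree as ET

# Constructed user-mgt.xml fragment; the regex value is an assumption for this example,
# not the shipped default. Only character classes and quantifiers are used, which
# Java and Python regex engines interpret the same way.
USER_MGT_XML = """<UserManager>
  <Realm>
    <UserStoreManager>
      <Property name="UsernameJavaRegEx">^[a-zA-Z0-9._-]{3,30}$</Property>
    </UserStoreManager>
  </Realm>
</UserManager>"""


def load_username_regex(xml_text):
    """Return the UsernameJavaRegEx property of the first user store that defines it."""
    root = ET.fromstring(xml_text)
    for prop in root.iter("Property"):
        if prop.get("name") == "UsernameJavaRegEx" and prop.text:
            return prop.text.strip()
    raise KeyError("UsernameJavaRegEx is not configured")


def username_problems(username, pattern):
    """List the naming rules a proposed username violates (empty list means acceptable)."""
    problems = []
    # "#" is reserved across all user stores, independent of the regex.
    if "#" in username:
        problems.append("'#' is reserved across all user stores")
    # The regex from the user store configuration decides the remaining characters and length.
    if re.fullmatch(pattern, username) is None:
        problems.append("does not match UsernameJavaRegEx")
    return problems


if __name__ == "__main__":
    pattern = load_username_regex(USER_MGT_XML)
    for candidate in ("alice.smith", "al#ice", "bob&co", "ab"):
        print(candidate, "->", username_problems(candidate, pattern) or "ok")
```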

Assigning roles to the user

  1. On the Main tab in the Management Console, click List under Users and Roles.
  2. Click Users. This link is only visible to users with the Admin role. 
  3. Click the Assign Roles link that corresponds to the user you want to assign to a role. 
  4. Select the role(s) you want to assign and click Update.
  5. Click Finish.

The user is assigned to the specified roles. You can view a user's roles by clicking on the View Roles link on the user list. 

Note

Internal/everyone: This is a conceptual role that groups all users (across all user stores) together. When you create a new user, the user automatically belongs to the Internal/everyone role. By default, this role does not contain any permissions; you can assign permissions to it as required.

Creating new users using the ask password option

See the Creating users using the ask password option page for guidance on user creation using the ask password option.

Creating new users using SCIM

Instead of creating the user through the management console, it can also be done using a SCIM request as seen below.

Info

In the request, you can avoid providing the password of the new user by enabling the ask password option and providing the user's email address in the request. The user then receives an email at that address to confirm the account and set the password.

Info

Before running the cURL commands, make sure you change the SCIMEnabled property to "true" for the primary userstore in <IS_HOME>/repository/conf/identity/user-mgt.xml

<Property name="SCIMEnabled">true</Property>

Request:

curl -v -k --user admin:admin --data '{"schemas":[],"name":{"familyName":"familyName","givenName":"givenName"},"userName":"username","password":"password","emails":[{"primary":true,"value":"wso2_home.com","type":"home"},{"value":"wso2_work.com","type":"work"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users

Response:

{"id":"0d2714d0-6a33-4ddd-b4e0-612584c4a8c8","schemas":["urn:scim:schemas:core:1.0"],"name":{"familyName":"familyName","givenName":"givenName"},"userName":"username","emails":[{"value":"wso2_home.com","type":"home"},{"value":"wso2_work.com","type":"work"}],"meta":{"lastModified":"2016-01-25T11:44:14","location":"https://localhost:9443/wso2/scim/Users/0d2714d0-6a33-4ddd-b4e0-612584c4a8c8","created":"2016-01-25T11:44:14"}}

Creating new users using SOAP

The user can also be created by calling the RemoteUserStoreManager service. If you are new to admin services, see Calling Admin Services.

  1. Disable the hidden admin service property in the <IS_HOME>/repository/conf/carbon.xml file.
    By default, the admin services are disabled, as it is not recommended to expose these URLs to users. However, they can be enabled if administrators need to access them.

    <HideAdminServiceWSDLs>false</HideAdminServiceWSDLs>
  2. Open the following Admin Service from SOAP UI: https://localhost:9443/services/RemoteUserStoreManagerService?wsdl

    Info

    If you have configured WSO2 IS to use an IP or hostname, replace localhost with your IP or hostname.

  3. Call the addUser() method to create the user, and make sure to include the user's email address. The request is similar to the following SOAP request.

    SOAP request:

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.ws.um.carbon.wso2.org" xmlns:xsd="http://common.mgt.user.carbon.wso2.org/xsd">
       <soapenv:Header/>
       <soapenv:Body>
          <ser:addUser>
             <ser:userName>username</ser:userName>
             <!--Zero or more repetitions:-->
             <ser:roleList>admin</ser:roleList>
             <!--Zero or more repetitions:-->
             <ser:claims>
                <xsd:claimURI>http://wso2.org/claims/emailaddress</xsd:claimURI>
                <xsd:value>wso2demomail@gmail.com</xsd:value>
             </ser:claims>
             <ser:profileName>default</ser:profileName>
             <ser:requirePasswordChange>true</ser:requirePasswordChange>
          </ser:addUser>
       </soapenv:Body>
    </soapenv:Envelope>
    Note

    There will be no SOAP response as this is a one way SOAP operation. You can check successful creation of the user account using the management console by clicking Users and Roles>Users>List under the Configure section.

Update users


Update user using management console

Follow the instructions below to update a user using the management console.

  1. On the Main tab in the Management Console, click List under Users and Roles.
  2. Click Users. This link is only visible to users with the Admin role. 
  3. You will see the list of users that are available and you can click Update Profile if you want to update the profile of a particular user.
  4. There you can update the details of the user and click Update.

Other than updating user profile details, you can also change the password of the user and assign more roles to the user.

Update user using SCIM

You can use the following SCIM cURL command to update a user created using SCIM.

Request:

curl -v -k --user {IS_USERNAME}:{IS_PASSWORD} -X PATCH -d '{"schemas":[],"name":{"familyName":"{LAST_NAME}","givenName":"{FIRST_NAME}"},"userName":"{USERNAME}","emails":[{"value":"{EMAIL}","type":"work"}]}' --header "Content-Type:application/json" https://{IS_IP}:{IS_PORT}/wso2/scim/Users/{SCIM_USER_ID}

Sample request:

curl -v -k --user admin:admin -X PATCH -d '{"schemas":[],"name":{"familyName":"gunasinghe","givenName":"hasinitg"},"userName":"hasinitg","emails":[{"value":"hasini@wso2.com","type":"work"},{"value":"hasi7786@gmail.com","type":"home"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users/0032fd29-55a9-4fb9-be82-b1c97c073f02

You can use the PUT operation instead of PATCH, but PUT replaces the whole resource, so every claim of the user that the request body does not include is deleted. The PATCH operation is therefore recommended over PUT.
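To make the PUT-versus-PATCH difference concrete, here is an added Python model (not WSO2 code, and a simplification of the server's real SCIM 1.0 merge rules) that applies the sample update body above to a stored user that also carries an attribute the body does not mention. The stored user and its phoneNumbers value are constructed for the example.

```python
import copy

# Constructed view of the user resource the server holds before the update: the page's
# sample user plus one attribute (phoneNumbers) that the update request does not mention.
EXISTING_USER = {
    "id": "0032fd29-55a9-4fb9-be82-b1c97c073f02",
    "schemas": ["urn:scim:schemas:core:1.0"],
    "userName": "hasinitg",
    "name": {"familyName": "gunasinghe", "givenName": "hasinitg"},
    "emails": [{"value": "hasini@wso2.com", "type": "work"}],
    "phoneNumbers": [{"value": "+00-000-0000", "type": "work"}],  # constructed value
}

# Body of the sample PATCH request shown above.
UPDATE_BODY = {
    "schemas": [],
    "name": {"familyName": "gunasinghe", "givenName": "hasinitg"},
    "userName": "hasinitg",
    "emails": [{"value": "hasini@wso2.com", "type": "work"},
               {"value": "hasi7786@gmail.com", "type": "home"}],
}

SERVER_MANAGED = {"id", "schemas"}  # attributes the server keeps regardless of the body


def apply_put(existing, body):
    """PUT: the body replaces the resource, so attributes absent from it are dropped."""
    updated = copy.deepcopy(body)
    for key in SERVER_MANAGED:
        updated[key] = copy.deepcopy(existing[key])
    return updated


def apply_patch(existing, body):
    """Simplified PATCH: merge the given attributes, keep the rest, add new values to lists."""
    updated = copy.deepcopy(existing)
    for key, value in body.items():
        if key in SERVER_MANAGED:
            continue
        if isinstance(value, dict):
            updated.setdefault(key, {}).update(value)
        elif isinstance(value, list):
            current = updated.setdefault(key, [])
            for item in value:
                if item not in current:
                    current.append(item)
        else:
            updated[key] = value
    return updated


def attributes_lost_by_put(existing, body):
    """Attributes a PUT with this body would silently erase from the stored user."""
    return sorted(set(existing) - set(body) - SERVER_MANAGED)
```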

Update user using SOAP

Users can also update their claims by calling the RemoteUserStoreManager service. If you are new to admin services, see Calling Admin Services.
  1. Disable the hidden admin service property in the <IS_HOME>/repository/conf/carbon.xml file.
    By default, the admin services are disabled, as it is not recommended to expose these URLs to users. However, they can be enabled if administrators need to access them.

    <HideAdminServiceWSDLs>false</HideAdminServiceWSDLs>
  2. Open the following Admin Service from SOAP UI: https://localhost:9443/services/RemoteUserStoreManagerService?wsdl

    Info

    If you have configured WSO2 IS to use an IP or hostname, replace localhost with your IP or hostname.

  3. There are a few SOAP service methods of the above admin service that can be used to update user details.

    1. updateCredential(): This method updates the user's password.

      Sample request:

      <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.ws.um.carbon.wso2.org">
         <soapenv:Header/>
         <soapenv:Body>
            <ser:updateCredential>
               <!--Optional:-->
               <ser:userName>user123</ser:userName>
               <!--Optional:-->
               <ser:newCredential>password123</ser:newCredential>
               <!--Optional:-->
               <ser:oldCredential>password</ser:oldCredential>
            </ser:updateCredential>
         </soapenv:Body>
      </soapenv:Envelope>
    2. updateUserListOfRole(): This method updates the roles of a user by adding the user to, or removing the user from, the given role.

      Sample request:

      <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.ws.um.carbon.wso2.org">
      <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.ws.um.carbon.wso2.org">
         <soapenv:Header/>
         <soapenv:Body>
            <ser:updateUserListOfRole>
               <!--Optional:-->
               <ser:roleName>admin123</ser:roleName>
               <!--Zero or more repetitions:-->
               <ser:deletedUsers>sampleUser</ser:deletedUsers>
               <!--Zero or more repetitions:-->
               <ser:newUsers>user123</ser:newUsers>
            </ser:updateUserListOfRole>
         </soapenv:Body>
      </soapenv:Envelope>

...

Info

Note the following before you use this feature: 

  • If the option to import users in bulk is not enabled in your product by default, you can enable it by adding the following property to the JDBC user store configured in the user-mgt.xml file (stored in the <PRODUCT_HOME>/repository/conf directory). Please see the User Store management section for more information.

    <Property name="IsBulkImportSupported">true</Property>
  • It is recommended to upload a maximum of 500,000 users at a time. If you need to upload more users, you can upload them in separate batches of 500,000 each.
  • You can also specify the size of the file that you can upload to the product in the <PRODUCT_HOME>/repository/conf/carbon.xml file using the TotalFileSizeLimit element as shown below. This value is in MB.

    <TotalFileSizeLimit>100</TotalFileSizeLimit>

...

Note

In WSO2 IS, you can choose to leave the password empty as shown by the third line in the below sample file. To use this option, you need to first enable the Ask Password option for the server.

UserName,Password,Claims
name1,Password1,http://wso2.org/claims/emailaddress=name1@gmail.com,http://wso2.org/claims/country=France
name2,Password2,http://wso2.org/claims/emailaddress=name2@gmail.com,http://wso2.org/claims/country=France
name3,,http://wso2.org/claims/emailaddress=name3@gmail.com,http://wso2.org/claims/country=France
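As an added example (not part of the WSO2 documentation), the following Python parser reads a file in the bulk-import format shown above, flags rows the server would not accept, treats an empty password as valid only when the Ask Password option is enabled, and splits the result into upload batches of at most the recommended 500,000 users. The sample file is constructed from the rows shown on this page.

```python
import csv
import io

BATCH_LIMIT = 500_000  # recommended maximum number of users per upload

# Constructed sample in the bulk-import format shown above (the third user has no password).
SAMPLE_CSV = """UserName,Password,Claims
name1,Password1,http://wso2.org/claims/emailaddress=name1@gmail.com,http://wso2.org/claims/country=France
name2,Password2,http://wso2.org/claims/emailaddress=name2@gmail.com,http://wso2.org/claims/country=France
name3,,http://wso2.org/claims/emailaddress=name3@gmail.com,http://wso2.org/claims/country=France
"""


def parse_bulk_import(text, ask_password_enabled=False):
    """Parse the CSV into user records. Returns (users, errors); errors lists the rows
    the server would reject, each with its line number."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    if header[:2] != ["UserName", "Password"]:
        return [], ["line 1: unexpected header %r" % (header,)]
    users, errors = [], []
    for lineno, row in enumerate(reader, start=2):
        if not row:  # blank line
            continue
        if len(row) < 2:
            errors.append("line %d: missing password column" % lineno)
            continue
        username, password, claim_cols = row[0].strip(), row[1], row[2:]
        if not username:
            errors.append("line %d: empty username" % lineno)
            continue
        # An empty password is only accepted when the Ask Password option is enabled.
        if password == "" and not ask_password_enabled:
            errors.append("line %d: empty password but Ask Password is disabled" % lineno)
            continue
        claims = {}
        for col in claim_cols:  # each remaining column is <claim URI>=<value>
            uri, sep, value = col.partition("=")
            if not sep or "://" not in uri:
                errors.append("line %d: malformed claim %r" % (lineno, col))
                break
            claims[uri] = value
        else:
            users.append({"username": username, "password": password or None, "claims": claims})
    return users, errors


def batches(users, limit=BATCH_LIMIT):
    """Split the parsed users into upload batches no larger than the recommended limit."""
    return [users[i:i + limit] for i in range(0, len(users), limit)]
```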

...

WSO2 Identity Server (WSO2 IS) allows you to track details related to user deletion by writing the following information to a log file each time a user is deleted:

  • Username: The username of the deleted user.
  • Domain name: The user store domain name of the deleted user.
  • Tenant domain name: The tenant domain name of the deleted user.
  • Tenant ID: The tenant ID of the deleted user.
  • Timestamp: The timestamp at which the user was deleted.

You can use this log file as input to the Identity Anonymization tool that is packaged with WSO2 Identity Server, to ensure that you remove references to all deleted user identities.

Follow the steps below to configure WSO2 Identity Server to log details related to user deletion each time you delete a user:

  1. Edit the <IS_HOME>/repository/conf/identity/identity.xml file, and set enable to true in the following event listener:

    <EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener"
                          name="org.wso2.carbon.user.mgt.listeners.UserDeletionEventListener"
                          orderId="98" enable="false"/>
  2. Edit the <IS_HOME>/repository/conf/identity/identity.xml file, and set enable to true in the following event recorder:

    <UserDeleteEventRecorders>
           <UserDeleteEventRecorder name="org.wso2.carbon.user.mgt.recorder.DefaultUserDeletionEventRecorder" enable="false">
           </UserDeleteEventRecorder>
    </UserDeleteEventRecorders>

    This results in all user delete events being logged through a log4j appender and written in CSV format to the <IS_HOME>/repository/logs/delete-event.log file.

    Note

    If necessary you can write user delete event details to a custom CSV file that you specify. To do this, add the following property within the <UserDeleteEventRecorder> element in the <IS_HOME>/repository/conf/identity/identity.xml file, and be sure to specify the required custom CSV file path.

    <Property name="path">${carbon.home}/repository/logs/delete-records.csv</Property>
Tip

By default all logs related to user deletion are written in CSV format to a specified log file. You can extend this functionality to log the details in any other format that you want, and you can also extend the functionality to write the details to a text file, database, or any other file depending on your requirement.

Follow the steps below if you want to extend the functionality of the event recorder:

  1. Implement the UserDeletionEventRecorder interface.
  2. Register the implemented class as an OSGi service.
  3. Replace the name of the <UserDeleteEventRecorder> element in the <IS_HOME>/repository/conf/identity/identity.xml file with the fully qualified class name of the UserDeletionEventRecorder interface that you implemented.

...