Application visibility allows preventing users with certain roles viewing a Web application in the App Store. When creating a Web application using the App publisher Web interface, you can make the app either visible in public, or restrict its visibility to a particular role(s) as follows.
Web applications with public visibility
Web apps with public visibility, which are created by a user of a specific tenant domain are visible to all users (subscribers, and anonymous users) of that domain. Do not select the Restrict Visibility field, if you need to enable public visibility.
Web applications with visibility restricted by roles
Web applications with a visibility restricted to specific roles are visible only to users assigned to that particular role. Specify the user roles that need to have access to the Web application in the Restrict Visibility field.
Roles that have Web application creation and publication permissions can see all applications in their tenant App Store, even if you restrict access to those roles. This is because, any role that has Web application creation and publication permissions can view and edit all Web applications in the App Publisher.
- If you restrict the visibility of a Web app to a default internal/subscriber role, any user who registers to the App Store is able to access the Web application. This is because, WSO2 App Manager assigns the internal/subscriber role to all users who register to the App Store.
In WSO2 App Manager, visibility levels work for users in different tenant modes as follows.
Visibility in super tenant domain
Application subscribers in of the default super tenant domain can see applications depending on its visibility level as follows.
Anonymous users: can view all applications with public visibility.
- Signed-in users: can view all applications with public visibility, as well as applications that are restricted to a role, which is assigned to the signed-up user.
Visibility in multi-tenant mode
A tenant's App Store is the App Store, which is specific to the tenant domain of the user. Therefore, in multi tenant mode a subscriber can view applications based on their visibility levels, as well as the App Store the user is viewing. Any subscriber can view applications of its tenant App Store depending on its visibility level as follows:
Anonymous users: can view apps that have public visibility, and are created within the current user's tenant domain.
Signed-in users: can view apps that have public visibility, and are created within the current users tenant domain, and also applications created within the current user's tenant domain, which are allowed to be accessed by the current user role.
Controlling visibility of a new user role
Follow the below steps to configure the Web Application visibility restriction feature.
- Log in to management console (https://localhost:9443/carbon), and create a user role named roleA with below permissions. For information on user roles, see Configuring Users and Roles.
- Create a role named roleB with the same permissions as specified above.
- Create a user named userA and assign roleA to the user.
- Create a user named userB and assign roleB to the user.
- Create a Web application. Since we are going to restrict the visibility of this Web app to roleA, enter roleA as the value of Restrict Visibility field, when creating the Web app. For instructions on creating a Web app, see Creating Web Applications.
- Publish the Web application. For instructions on publishing a Web app, see Publishing Web Applications.
- Access App Store as an anonymous user. You will not view the application in App Store.
- Log in to App Store as userA. You are able to view the Web application.
- Log in to App Store as userB or any other user who is not assigned with roleA. You will not be able to view the Web application since it is restricted only to roleA.