Visibility settings prevent certain user roles from viewing and modifying APIs created by another user role. This feature allows you to restrict the ability to view and modify APIs for a set of users. 

Enabling Access Control

To enable this feature, open the <API-M_HOME>/repository/conf/api-manager.xml file. Add the code given below under <APIPublisher>.

Skip this step if you are using WSO2 API Manager 2.1.0 - Update 2 or later

<APIPublisher>
	...
	<EnableAccessControl>true</EnableAccessControl>
</APIPublisher>

Instructions to existing users

Skip steps 1-3 if you are using WSO2 API Manager 2.1.0 - Update 2 or later.

  1. Open the <API-M_HOME>/repository/conf/registry.xml file.

  2. Add the following code as the first sub-element under <indexers>

    <indexers>
    	...
    	<indexer class="org.wso2.carbon.apimgt.impl.indexing.indexer.CustomAPIIndexer" mediaTypeRegEx="application/vnd.wso2-api\+xml" profiles ="default,api-store,api-publisher"/>
    	...
    </indexers>
  3. Replace the handler class org.wso2.carbon.registry.indexing.IndexingHandler 
    with org.wso2.carbon.apimgt.impl.handlers.CustomAPIIndexHandler as shown below.

    <handler class="org.wso2.carbon.apimgt.impl.handlers.CustomAPIIndexHandler">
    	<filter class = "org.wso2.carbon.registry.core.jdbc.handlers.filters.MediaTypeMatcher">
    	<property name="mediaType">application/vnd.wso2-api+xml</property>
    	</filter>
    </handler>
  4. Re-index the artifacts in the registry.

    1. Rename the <lastAccessTimeLocation> element in the <API-M_HOME>/repository/conf/registry.xml file. If you use a clustered/distributed API Manager setup, change the file in the API Publisher node. For example, change the /_system/local/repository/components/org.wso2.carbon.registry/indexing/lastaccesstime registry path to /_system/local/repository/components/org.wso2.carbon.registry/indexing/lastaccesstimexyz

      <lastAccessTimeLocation>/_system/local/repository/components/org.wso2.carbon.registry/indexing/lastaccesstimexyz
      </lastAccessTimeLocation>
    2. Shut down API Manager if you have already started it, then back up and delete the <API-M_HOME>/solr directory if it exists.

Note that the registry indexing takes some time depending on the number of APIs you have in your store, so the existing APIs may not appear if you are accessing the publisher/store immediately after you start the server.

Restart the server after doing these changes.
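
A configuration check for the steps above, added here as an example (it is not part of the WSO2 documentation or product). It follows the page's steps literally, so it applies to installations where those steps are not skipped; the function names and the sample registry.xml fragment are constructed for illustration.

```python
import xml.etree.ElementTree as ET

INDEXER = "org.wso2.carbon.apimgt.impl.indexing.indexer.CustomAPIIndexer"
OLD_HANDLER = "org.wso2.carbon.registry.indexing.IndexingHandler"
NEW_HANDLER = "org.wso2.carbon.apimgt.impl.handlers.CustomAPIIndexHandler"
MEDIA_TYPE = "application/vnd.wso2-api+xml"

def audit_api_manager(xml_text):
    """Findings for api-manager.xml; an empty list means the flag is set."""
    flag = ET.fromstring(xml_text).find(".//{*}APIPublisher/{*}EnableAccessControl")
    if flag is None or (flag.text or "").strip().lower() != "true":
        return ["<EnableAccessControl> is not true under <APIPublisher>"]
    return []

def audit_registry(xml_text):
    """Findings for steps 2 and 3 of the registry.xml procedure."""
    root, findings = ET.fromstring(xml_text), []
    indexers = root.find(".//{*}indexers")
    # Comments are dropped by the parser, so index 0 is the first element.
    if indexers is None or len(indexers) == 0 or indexers[0].get("class") != INDEXER:
        findings.append("CustomAPIIndexer is not the first sub-element of <indexers>")
    handlers = root.findall(".//{*}handler")
    if any(h.get("class") == OLD_HANDLER for h in handlers):
        findings.append("IndexingHandler has not been replaced")
    covers_api = lambda h: any(
        p.get("name") == "mediaType" and (p.text or "").strip() == MEDIA_TYPE
        for p in h.findall("./{*}filter/{*}property"))
    if not any(h.get("class") == NEW_HANDLER and covers_api(h) for h in handlers):
        findings.append("no CustomAPIIndexHandler filtering on " + MEDIA_TYPE)
    return findings

# Constructed sample: a registry.xml fragment still in its pre-change state.
LEGACY_REGISTRY = """<wso2registry>
  <handler class="org.wso2.carbon.registry.indexing.IndexingHandler">
    <filter class="org.wso2.carbon.registry.core.jdbc.handlers.filters.MediaTypeMatcher">
      <property name="mediaType">application/vnd.wso2-api+xml</property>
    </filter>
  </handler>
  <indexing><indexers>
    <indexer class="org.example.OtherIndexer" mediaTypeRegEx="text/plain"/>
  </indexers></indexing>
</wso2registry>"""

if __name__ == "__main__":
    for finding in audit_registry(LEGACY_REGISTRY):
        print("registry.xml:", finding)
    print(audit_api_manager("<APIManager><APIPublisher/></APIManager>"))
```

An empty list from both functions means the files match the steps; each string in a non-empty list names the step that is still missing.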

Using the API Publisher UI

  1. Log in to API Publisher as an API Creator. For more information on User Roles, see Managing Users and Roles.
  2. Create an API. Select Restricted by roles for Access Control in the Design tab.
  3. Add the roles that have permission to view or modify this API.

    Ensure that the roles you add are valid. If the current creator is not an APIM admin, at least one of the current creator's roles must be included.

Users with APIM admin permission are treated differently. Even if an API is restricted to a certain set of creators or publishers, it will be visible to all API creators and publishers with the APIM admin role.

Using the REST API

You can use the existing REST API to add a new API. To create an API with publisher access control restriction, add the two elements shown below to your request body:

"accessControl" : "RESTRICTED",
"accessControlRoles" : ["admin"]


Note that the roles should be valid. If the API creator is not an API-M admin, he/she should have at least one of his/her roles in the accessControlRoles field.


This feature is available and enabled by default in WSO2 API Manager - Update 2 or later

The publisher role cache is enabled by default in API Manager. This is to avoid sending repeated requests to the Key Manager node in a distributed deployment, to authenticate user roles.

This WUM update allows you to disable the feature by disabling <EnablePublisherRoleCache> under <CacheConfigurations>. We recommend enabling the elements shown in the example below.

<CacheConfigurations>
	<EnablePublisherRoleCache>true</EnablePublisherRoleCache>
	...
</CacheConfigurations>

Note that disabling the cache lowers performance, because the Key Manager is then accessed repeatedly.
