User Roles in API Manager
User management capability is available by default in all WSO2 products. WSO2 API Manager allows you to manage user accounts and roles at different levels. You can log in to the Management Console of the API Manager as an admin user, and create custom roles with different levels of permission. These roles can then be assigned to different users according to your requirement.
We have identified three distinct community roles, which are typically used in many organizational situations, when carrying out different operations in the API Publisher and API Store. They are as follows:
- creator: A creator is typically a person in a technical role who understands the technical aspects of the API (interfaces, documentation, versions, how it is exposed by the API gateway) and uses the API Publisher Web application to develop and provision APIs into the API Store. The creator uses the API Store to consult ratings and feedback provided by API users. A creator can add APIs to the store but cannot manage their life cycles (that is, make them visible to the outside world).
- publisher: A publisher is typically a person in a managerial role who oversees a set of APIs across the enterprise or a business unit, and controls the API lifecycle and monetization aspects. The publisher also analyzes usage patterns for APIs and has access to all API statistics.
- consumer: A consumer is typically an anonymous user or an application developer who searches the API Store to discover APIs and use them. He/she reads the documentation and forums, and rates and comments on APIs.
Administrators of the API Manager can use the Management Console UI to add user roles. Roles contain different levels of permissions to manage the server. You can create different roles with various combinations of permissions. Follow the instructions below to create the creator, publisher and subscriber roles.
Creating user roles
- Log in to the Management Console (https://localhost:9443/carbon) and select Users and Roles under the Configure menu. For instructions on accessing the Management Console, see Running the Product.
- In the User Management page that opens, click Roles and then the Add New Role link.
Adding the creator role
- Add user role as creator and click Next. The Domain drop-down list contains all user stores configured for this product instance. By default, you only have the PRIMARY user store. To configure secondary user stores, see Configuring Secondary User Stores.
- Give the following privileges to the creator role. You can select them from the list of permissions that appears.
- Configure > Governance and all underlying permissions.
- Login
- Manage > API > Create
- Manage > Resources > Govern and all underlying permissions
Any user with the above permissions assigned is able to create, update and manage APIs using the API Publisher Web interface.
- Click Finish once you are done adding permissions. The role will be listed in the Roles window.
From here, you can rename, edit, delete or assign users to the role.
Adding the publisher role
- In the Add Role page, add user role as publisher and click Next. The Domain drop-down list contains all user stores configured for this product instance. By default, you only have the PRIMARY user store. To configure secondary user stores, see Configuring Secondary User Stores.
- Give the following privileges to the publisher role by selecting them from the list of permissions that appears.
- Login
- Manage > API > Publish
Any user with the above permissions assigned is able to manage the API's life cycle using the API Publisher Web interface.
- Click Finish once you are done adding permissions. The role will be listed in the Roles window.
From here, you can rename, edit, delete or assign users to the role.
The default subscriber role
When you first log in to the Management Console, you can see the subscriber role already there, defined out of the box. This is because API Manager assigns this default subscriber role to all users who self-register to the API Store.
Follow the instructions below to create a different role with the same permission levels.
- In the Add Role window, add a suitable name for the role and click Next. For example,
- Give the following privileges to the new role.
- Login
- Manage > API > Subscribe
Any user with the above permissions assigned is able to log in to the API Store and perform operations on the published APIs.
- Click Finish once you are done adding permission. The role will be listed in the Roles window.
Open the <APIM_HOME>/repository/conf/api-manager.xml file and edit the <SelfSignUp> element to reflect the newly added role. For example:

    <SelfSignUp>
        <Enabled>true</Enabled>
        <SubscriberRoleName>NewSubscriber</SubscriberRoleName>
        <CreateSubscriberRole>true</CreateSubscriberRole>
    </SelfSignUp>

Editing this file ensures that all users who self-sign-up to the API Store are automatically assigned the NewSubscriber role.
Note: The <CreateSubscriberRole> parameter specifies whether the subscriber role should be created in the local user store or not. It is only used when the API subscribers are authenticated against the local user store. That means the local Carbon server is acting as the AuthManager. Set this parameter to false if a remote Carbon server acts as the AuthManager.
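Because every self-registered user automatically receives the role named in <SelfSignUp>, it is worth checking that this role grants nothing beyond the subscriber permissions listed above. The following is an added example, not part of the WSO2 documentation or product code: the role inventory, the sample XML (including its <APIManager> root element) and the function names are assumptions, and the permission strings are the labels used on this page rather than Carbon permission paths.

```python
import xml.etree.ElementTree as ET

# Permission labels exactly as this page lists them for the subscriber role.
SUBSCRIBER_PERMS = {"Login", "Manage > API > Subscribe"}

# Constructed inventory: role name -> permissions granted in the console.
ROLES = {
    "creator": {"Configure > Governance", "Login", "Manage > API > Create",
                "Manage > Resources > Govern"},
    "publisher": {"Login", "Manage > API > Publish"},
    "NewSubscriber": {"Login", "Manage > API > Subscribe"},
}

# Constructed sample; the <APIManager> root element is an assumption.
SAMPLE = """<APIManager><SelfSignUp>
  <Enabled>true</Enabled>
  <SubscriberRoleName>NewSubscriber</SubscriberRoleName>
  <CreateSubscriberRole>true</CreateSubscriberRole>
</SelfSignUp></APIManager>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix

def read_self_signup(xml_text):
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "SelfSignUp":
            return {_local(c.tag): (c.text or "").strip() for c in el}
    return None

def audit_self_signup(xml_text, roles, remote_auth_manager=False):
    cfg = read_self_signup(xml_text)
    if cfg is None:
        return ["no <SelfSignUp> element found"]
    if cfg.get("Enabled", "").lower() != "true":
        return []  # self sign-up is off, so no role is auto-assigned
    findings = []
    role = cfg.get("SubscriberRoleName", "")
    if role not in roles:
        findings.append(f"role '{role}' is not in the role inventory")
    else:
        for perm in sorted(roles[role] - SUBSCRIBER_PERMS):
            findings.append(f"self sign-up role '{role}' also grants: {perm}")
    if remote_auth_manager and cfg.get("CreateSubscriberRole", "").lower() == "true":
        findings.append("CreateSubscriberRole is true but the AuthManager is remote")
    return findings

if __name__ == "__main__":
    print(audit_self_signup(SAMPLE, ROLES) or "self sign-up role is least-privilege")
```

An empty result means the self sign-up role carries only Login and Manage > API > Subscribe, and <CreateSubscriberRole> matches the AuthManager setup described in the note above.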