User Permissions for the EI Message Broker
This section explains in detail how the Management Console of a WSO2 product can be used for configuring the permissions granted to a user role. You will also find detailed descriptions on all the types of permissions that can be granted.
Introduction to role-based permissions
The User Management module in WSO2 products enable role-based access. With this functionality, the permissions enabled for a particular role determines what that user can do using the Management Console of a WSO2 product. Permissions can be granted to a role at two levels:
- Super tenant level: A role with super tenant permissions is used for managing all the tenants in the system and also for managing the key features in the system, which are applicable to all the tenants.
- Tenant level: A role with tenant level permissions is only applicable to individual tenant spaces.
By default, every WSO2 product comes with the following User, Role and Permissions configured:
The Admin user and Admin role is defined and linked to each other in the user-mgt.xml file, stored in the
<PRODUCT_HOME>/repository/conf/
directory as shown below.<AddAdmin>true</AddAdmin> <AdminRole>admin</AdminRole> <AdminUser> <UserName>admin</UserName> <Password>admin</Password> </AdminUser>
- The Admin role has all the permissions in the system enabled by default. Therefore, this is a super tenant, with all permissions enabled.
You will be able to log in to the Management Console of the product with the Admin user defined in the user-mgt.xml
file. You can then create new users and roles and configure permissions for the roles using the Management Console. However, note that you cannot modify the permissions of the Admin role. The possibility of managing users, roles and permissions is granted by the User Management permission. See the documentation on configuring the system administrator for more information.
Configuring permissions for a role
To configure the permissions for a role:
- Click Users and Roles in the Configure tab of the navigator. All the roles created in the system will be listed in the Roles page as shown below.
Click Permissions to open the permissions navigator for the role as shown below.
Note that there may be other categories of permissions enabled for a WSO2 product, depending on the type of features that are installed in the product.- You can select the relevant check boxes to enable the required permissions for your role. The descriptions of all the available permissions are explained below.
Descriptions of permissions
Let us now go through each of the options available in the permissions navigator to understand how they apply to functions in WSO2 MB.
Log-in permissions
The Login permission defined under Admin permissions allows users to log in to the Management Console of the product. Therefore, this is the primary permission required for using the Management Console.
Super Tenant permissions
The following table describes the permissions at Super Tenant level. These are also referred to as Super Admin permissions.
Permission | Description of UI menus enabled |
---|---|
Configuration permissions: | The Super Admin/Configuration permissions are used to grant permission to the key functions in a product server, which are common to all the tenants. In each WSO2 product, several configuration permissions will be available depending on the type of features that are installed in the product. - Feature Management permission ensures that a user can control the features installed in the product using the Management Console. That is, the Features option will be enabled under the Configure menu. See the topic on feature management for more information. - Logging permission enables the possibility to configure server logging from the Management Console. That is, the Logging option will be enabled under the Configure menu. See the topic on logging management for more information. |
Management permissions: | The Super Admin/Manage permissions are used for adding new tenants and monitoring them. - Modify/Tenants permission enables the Add New Tenant option in the Configure menu of the Management Console, which allows users to add new tenants. See the topic on configuring multiple tenants for more information. |
Server Admin permissions: | Selecting the Server Admin permission enables the Shutdown/Restart option in the Main menu of the Management Console. |
Tenant-level permissions
The following table describes the permissions at Tenant level. These are also referred to as Admin permissions.
Note that when you select a node in the Permissions navigator, all the subordinate permissions that are listed under the selected node are also automatically enabled.
Configuration permissions
The following table explains the permissions required for performing various configuration tasks in the WSO2 MB.
Permission level | Description of UI menus enabled |
---|---|
Admin/Configure | When the Admin/Configure permission node is selected, the following menus are enabled in the Management Console: - Configure menu/Datasources: Not applicable to MB. - Configure menu/Server Roles: Not applicable to MB. - Additionally, all permissions listed under Configure in the permissions navigator are selected automatically. |
Admin/Configure/Security | When the Admin/Configure/Security permission node is selected, the following menus are enabled in the Configure menu of the Management Console: - Keystores: See the topic on managing keystores for information. - This permission will also enable the Roles option under Configure/Users and Roles. See the topic on configuring users, roles and permissions for more information. - Additionally, all permissions listed under Security in the permissions navigator are selected automatically. |
Admin/Configure/Security/Identity Management/User Management | This permission enables the possibility to add users from the Management Console. That is, the Users option will be enabled under Configure/Users and Roles. |
Admin/Configure/Security/Identity Management/Profile Management | This permissions enables the profiles of all the users. You can view the profile in the Configure tab, Users and Roles -> Users link. |
Admin/Configure/Security/Identity Management/Password Management | This permission enables the Change Password option for the users listed in the User Management/Users and Roles/Users screen, which allows the log in user to change the passwords. |
Permissions for managing Queues and Topics
WSO2 Message Broker is primarily used for brokering messages between external applications using /wiki/spaces/MB350/pages/46071939 and /wiki/spaces/MB350/pages/46071945. Explained below are the role-based permissions applicable for working with queues and topics in WSO2 MB.
Permissions required for working with Queues:
Permission level Description of UI menus enabled Admin/Queue/Add This permission enables the option to Add queues. You will be able to add new queues and view a list of the available queues with this permission. To be able to delete, purge messages to a queue or browse details of a queue, you need the following permissions.
Note that a user that has permission to Add new queues, by default obtains permission to consume messages from all queues created by the same user and to publish messages to the same queues.
Admin/Manage/Queue/Browse This permission enables the Browse option for Queues. When you go to the Main tab and click Queues -> List, you will see the Browse link enabled for each queue. Admin/Manage/Queue/Delete This permission enables the Delete option for Queues. When you go to the Main tab and click Queues -> List, you will see the Delete link enabled for each queue. Admin/Manage/Queue/Purge This permission enables the Purge Messages option for Queues. When you go to the Main tab and click Queues -> List, you will see the Purge Messages link enabled for each queue. Admin/Manage/Dead Letter Channel This permission enables users to see any queue information that is stored in the Dead Letter Channel. When this node is selected, the following permissions will be automatically granted:
- Browse: Allows users to browse details of a queue stored in the Dead Letter Channel.
- Delete: Allows users to delete any queue stored in the Dead Letter Channel.
- Reroute: Allows users to reroute a queue stored in the Dead Letter Channel to any other queue chosen by the user.
- Restore: Allows users to restore a queue stored in the Dead Letter Channel to the queue from which it originated.
Permissions required for working with Topics:
Permission level Description of UI menus enabled Admin/Manage/Topic/Add This permission enables the possibility of adding topics and sub topics. When you go to the Main tab, the Add option will be enabled Topics, which can be used to add a new topic. When you go to Topics -> List and select a particular topic, the Add Subtopic link will also be enabled.
Note that a user that has permission to Add new topics, by default obtains permission to subscribe and publish to all the topics that are created by the same user.
Admin/Manage/Topic/Delete This permission enables the possibility of deleting topics and subtopics. When you go to Topics -> List and select a particular topic, the Delete link will be enabled.
Note that the Admin/Manage/Resources/Browse permission node should also be enabled for topic deletion to be allowed.
Admin/Manage/Topic/Details This permission enables the possibility of checking the details of topics and subtopics. When you go to Topics -> List and select a particular topic, the Details link will be enabled. Listed below are the permissions that will allow users to manage subscriptions to a Topic or Queue.
Permission level Description of UI menus enabled Admin/Manage/Subscription/Queue This permission enables the possibility of viewing details of queue subscribers. The Subscription -> Queue Subscription List option will be available in the Main tab. Admin/Manage/Subscription/CloseQueueSubscriptions This permission in addition to 'Admin/Manage/Subscription/Queue' will allow users to close queue subscriptions. Admin/Manage/Subscription/Topic This permission enables the possibility of viewing details of topic subscribers. The Subscription -> Topic Subscription List option will be available in the Main tab. Admin/Manage/Subscription/CloseTopicSubscriptions This permission in addition to 'Admin/Manage/Subscription/Topic' will allow users to close topic subscriptions.
Subscribing to Topics/Queues
Explained above are the list of role-based permissions that are required by users in order to create and manage queues/topics from the Management Console.
Note that the permission to create topics/queues also includes the permissions for publishing messages to that topic/queue and consuming the messages published to that topic/queue.
Once queues and topics are created in the Management Console, other users should be able to publish to these topics/queues and consume the messages that are published. Therefore, the creator of the topic/queue should grant permissions to other user roles at the time of creating the topic/queue as shown below.
- When adding a topic from the Management Console, all the available user roles will be listed as shown below. The topic creator can then select the relevant check box to grant the relevant permissions. See the detailed instruction on creating topics in WSO2 MB.
- When adding a queue from the Management Console, all the available user roles will be listed as shown below. The queue creator can then select the relevant check box to grant the relevant permissions. See the detailed instruction on creating queues in WSO2 MB.
General management permissions
Listed below are the permissions for some of the general functions applicable to WSO2 MB.
Permission level | Description of UI menus enabled |
---|---|
Admin/Manage/Add | This permission enables the Cassandra Keyspaces menu under the Main navigator menu. This option allows users to add and manage keyspaces in a Cassandra cluster. |
Admin/Manage/Resources/Browse | This permission enables the Browse option under the Registry menu in the main navigator. This option allows users to browse the resources stored in the registry by using the Registry tree navigator. |
Admin/Manage/Search | This permission enables the Search option under the Registry sub menu in the Main menu. This option allows users to search for specific resources stored in the registry by filling in the search criteria. |
Permissions for monitoring
Permission level | Description of UI menus enabled |
---|---|
Admin/Monitor/Logs | When this node is selected, the following menus are enabled in the Monitor tab of the Management Console: - Monitor menu/System Logs: See the topic on system logs for information on how to use this option. - Monitor menu/Application Logs: See the topic on application logs for information on how to use this option. |
Admin/Monitor/Metrics | When this node is selected, the following menus are enabled in Monitor tab of the Management Console:
|