This documentation is for WSO2 ESB version 4.5.0.

Introduction to User Management

User management is a mechanism which involves defining and managing users, roles and their access levels in a system. A user management dashboard or console provides system administrators a holistic view of a system's active user sessions, their log-in statuses, the privileges of each user and their activity in the system, enabling the system admins to make business-critical, real-time security decisions. A typical user management implementation involves a wide range of functionality such as adding/deleting users, controlling user activity through permissions, managing user roles, defining authentication policies, managing external user stores, manual/automatic log-out, resetting user passwords etc.

Any user management system has users, roles, user stores and user permissions as its basic components. 

Users

Users are consumers who interact with your organizational applications, databases or any other systems. These users can be a person, a device or another application/program within or outside of the organization's network. Since these users interact with internal systems and access data, the need to define which user is allowed to do what is critical to most security-conscious organizations. This is how the concept of user management developed.

User Stores

A user store is the database where information about users and/or user roles is stored. User information includes the log-in name, password, first name, last name, e-mail address etc.

The user stores of all WSO2 Carbon-based products are embedded H2 databases, except for WSO2 Identity Server, which has an embedded LDAP as its user store. In Carbon, permissions are stored in a separate database called the user management database, which by default is H2. However, it is also possible to connect to external user stores.

The user stores of Carbon products can be configured to operate in either one of the following modes.

  • User store operates in read/write mode - In Read/Write mode, WSO2 Carbon reads/writes into the user store.
  • User store operates in read only mode - In Read Only mode, WSO2 Carbon guarantees that it does not modify any data in the user store. Carbon maintains roles and permissions in the Carbon database but it can read users/roles from the configured user store.

Permission

A permission is a 'delegation of authority' or a 'right' assigned to a user or a group of users to perform an action on a system. Permissions can be granted to or revoked from a user/user group/user role automatically or by a system administrator. For example, if a user has the permission to log in to a system, then the permission to log out is automatically implied without needing to grant it separately.

User Roles

A user role is a consolidation of several permissions. Instead of associating permissions with a user, admins can associate permissions with a user role and assign the role to users. User roles can be reused throughout the system and prevent the overhead of granting multiple permissions to each and every user individually.

User Management in WSO2 Carbon

User management comes bundled with the WSO2 Carbon platform and facilitates the management and control of user accounts and roles at different levels. Since it is integrated into the core Carbon platform, user management capability is available by default in all WSO2 Carbon-based products.

The user kernel of WSO2 Carbon has the following features:

  • The concept of a single user store, which is either external or internal.
  • Ability to operate in read-only/read-write mode on your company's LDAP user stores.
  • Ability to work with Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) in read/write mode.
  • Supports any custom realm.
  • Roles can contain users from external user stores.
  • Improved configuration capability for external user stores.
  • Capability to read roles from LDAP/Active Directory user stores.
  • Implements the management permissions of the Carbon console.

The user core is driven by the user-mgt.xml file found in the CARBON_HOME/repository/conf directory.
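As an added illustration (not a fragment from the original page or from the product's shipped file), the following user-mgt.xml realm connects Carbon to an external LDAP user store in read-only mode, the configuration the modes above describe: users and roles are read from the directory while permissions stay in the Carbon user management database. The host, bind DN, password and search bases are constructed placeholders, and the element and property names follow the Carbon 4.x user-mgt.xml format and should be checked against the file shipped in CARBON_HOME/repository/conf.

```xml
<UserManager>
  <Realm>
    <Configuration>
      <!-- The Carbon database keeps the admin role, the "everyone" role and
           all permissions, even though the user store below is read-only. -->
      <AdminRole>admin</AdminRole>
      <AdminUser>
        <UserName>admin</UserName>
        <Password>PLACEHOLDER-admin-password</Password>
      </AdminUser>
      <EveryOneRoleName>everyone</EveryOneRoleName>
      <Property name="dataSource">jdbc/WSO2CarbonDB</Property>
    </Configuration>

    <!-- External LDAP user store in read-only mode: Carbon reads users and
         groups from the directory and never writes to it. -->
    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
      <Property name="ReadOnly">true</Property>
      <!-- Constructed placeholder host and bind identity. Give the bind
           account read-only rights in the directory itself, so the
           "no modification" guarantee is enforced on both sides. -->
      <Property name="ConnectionURL">ldap://ldap.example.internal:389</Property>
      <Property name="ConnectionName">cn=carbon-reader,ou=service,dc=example,dc=internal</Property>
      <Property name="ConnectionPassword">PLACEHOLDER-bind-password</Property>
      <!-- Where and how users are looked up. -->
      <Property name="UserSearchBase">ou=people,dc=example,dc=internal</Property>
      <Property name="UserNameAttribute">uid</Property>
      <Property name="UserNameListFilter">(objectClass=person)</Property>
      <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property>
      <!-- Roles are read from the directory's groups, also read-only. -->
      <Property name="ReadGroups">true</Property>
      <Property name="GroupSearchBase">ou=groups,dc=example,dc=internal</Property>
      <Property name="GroupNameAttribute">cn</Property>
      <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
      <Property name="MembershipAttribute">member</Property>
      <Property name="MaxUserNameListLength">100</Property>
    </UserStoreManager>

    <!-- Authorization data (permissions) lives in the Carbon user management
         database, not in the external user store. -->
    <AuthorizationManager class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
      <Property name="AdminRoleManagementPermissions">/permission</Property>
    </AuthorizationManager>
  </Realm>
</UserManager>
```

The bind password is stored in cleartext in this file, so restrict the file's permissions to the account running Carbon and use a dedicated, least-privileged bind account rather than a directory administrator.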