This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
User Management
WSO2 Identity Server (IS) allows you to manage users and their roles with the single-user-store and multiple-user-store options.
The single-user-store option allows you to manage users and their roles in a single centralized data store, whereas in the multiple-user-store option, the users and their roles are stored in more than one data store. In other words, one specific user can be attached to multiple user stores.
To make the multiple-user-store option available, the domain name property must be attached to each user-store section in the mgt.xml file, e.g., <Property name="DomainName">WSO2.COM</Property>.
IS supports the role-based authentication model where privileges of a user are based on the role attached.
A user is associated with one or more roles (generally specified upon user creation), and each role is associated with zero or more permissions (also generally specified upon user creation). Therefore, the set of permissions owned by a user is determined by the roles assigned to that user. If a user has several assigned roles, their permissions are added together.
By default, Identity Server comes with the following roles:
- Admin - Provides full access to all features and controls. By default, the user "Admin" is assigned to both the "Admin" and the "Everyone" roles.
- Everyone - Every new user is assigned to this role by default. It does not include any permissions.
- System - This role is not visible in the Management Console.
The Identity Server UI does not allow you to configure the permissions assigned to the "Admin" role.
The permission model of WSO2 Identity Server is hierarchical. Permissions can be assigned to a role in a fine-grained or a coarse-grained manner.
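The following added example (not WSO2 code) models the two rules above: a user's permissions are the union of the permissions of all assigned roles, and, as an assumption about how the hierarchy behaves, a grant on a node covers everything beneath it. The permission paths, the "Auditor" and "HelpDesk" roles, and the users alice and bob are constructed for illustration.

```python
# Added illustration: a toy model of role-based, hierarchical permissions.
# "Admin" and "Everyone" come from the page; all permission paths, the
# other roles and the other users are constructed sample data.

ROLE_PERMISSIONS = {
    "Admin": {"/permission"},                   # coarse-grained: the whole tree
    "Everyone": set(),                          # default role, no permissions
    "Auditor": {"/permission/admin/monitor"},   # coarse-grained: one subtree
    "HelpDesk": {"/permission/admin/manage/users/password"},  # fine-grained leaf
}

USER_ROLES = {
    "Admin": ["Admin", "Everyone"],
    "alice": ["Everyone", "Auditor", "HelpDesk"],
    "bob": ["Everyone"],
}


def effective_grants(user):
    """Union of the grants of every role assigned to the user."""
    grants = set()
    for role in USER_ROLES.get(user, []):
        grants |= ROLE_PERMISSIONS.get(role, set())
    return grants


def covers(grant, requested):
    """Assumed hierarchy rule: a grant covers its node and all descendants.

    The trailing "/" stops "/a/monitor" from matching "/a/monitoring".
    """
    return requested == grant or requested.startswith(grant.rstrip("/") + "/")


def is_authorized(user, requested):
    """True if any grant inherited through the user's roles covers the request."""
    return any(covers(g, requested) for g in effective_grants(user))


def users_holding(requested):
    """Audit helper: every user who effectively holds the permission."""
    return sorted(u for u in USER_ROLES if is_authorized(u, requested))


if __name__ == "__main__":
    for perm in ("/permission/admin/monitor/logs", "/permission/admin/manage/users"):
        print(perm, "->", users_holding(perm))
```

Running an audit like `users_holding` against sensitive permissions shows where a coarse-grained grant or an accumulation of roles gives a user more access than any single role suggests.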
"Read/Write" and "Read Only" Modes
The User Management feature of WSO2 Carbon allows you to manage user accounts and roles at different levels.
The user store of Carbon products can be configured to operate in one of the following modes, which determine the functionality.
Modes of operation:
- Read/write - This mode allows the user to modify the user store.
- Read only - This mode prevents the user from changing any data in the user store.
If the user store is operating in "Read/Write" mode, the user can:
- Add, modify, or remove user accounts
- Reset user passwords
- Manage user roles
- Import users from other User Stores
If the user store is operating in "Read Only" mode, the user can:
- View user accounts
WSO2 Carbon maintains roles and permissions in the Carbon database, but it can also read users/roles from the configured User Store.
For detailed information on configuring users, roles, and permissions, see the following pages:
- Configuring Users — Instructions on how to add new users and assign roles to them.
- Configuring Roles — Instructions on how to create and add a new user role in the WSO2 Identity Server.
- Changing a Password — Instructions on how to change a user's current password in the WSO2 Identity Server.
- Configuring User Stores — General information about user management.