This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
Role-based Permissions
The User Management module in WSO2 products enables role-based access. With this functionality, the permissions enabled for a particular role determine what a user with that role can do using the management console of a WSO2 product. Permissions can be granted to a role at two levels:
Super tenant level: A role with super tenant permissions is used for managing all the tenants in the system and also for managing the key features in the system, which are applicable to all the tenants.
Tenant level: A role with tenant level permissions is only applicable to individual tenant spaces.
The permissions navigator that you use to enable permissions for a role is divided into these two categories (Super Admin permissions and Admin permissions) as shown below. However, note that there may be other categories of permissions enabled for a WSO2 product, depending on the type of features that are installed in the product.
You can access the permissions navigator for a particular role by clicking Permissions as shown below.
By default, every WSO2 product comes with the following User, Role and Permissions configured:
The Admin user and Admin role are defined and linked to each other in the user-mgt.xml file, stored in the <PRODUCT_HOME>/repository/conf/ directory, as shown below.

<AddAdmin>true</AddAdmin>
<AdminRole>admin</AdminRole>
<AdminUser>
    <UserName>admin</UserName>
    <Password>admin</Password>
</AdminUser>

The Admin role has all the permissions in the system enabled by default. Therefore, this is a super tenant, with all permissions enabled.
You will be able to log in to the management console of the product with the Admin user defined in the user-mgt.xml file. You can then create new users and roles, and configure permissions for the roles using the management console. However, note that you cannot modify the permissions of the Admin role. The ability to manage users, roles and permissions is granted by the User Management permission. See the documentation on configuring the user realm for more information.
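Because the Admin role holds every permission and cannot be modified, a deployment review usually starts by checking whether the AdminUser entry in user-mgt.xml still carries the values shown above. The following Python check is an added example, not part of the WSO2 documentation or product code; the sample documents are constructed, and the `<Root>` wrapper element and the function names are assumptions made for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the fragment from this page inside a placeholder <Root>
# element (an assumption, so that the fragment parses as one document).
SAMPLE_DEFAULT = """<Root>
  <AddAdmin>true</AddAdmin>
  <AdminRole>admin</AdminRole>
  <AdminUser>
    <UserName>admin</UserName>
    <Password>admin</Password>
  </AdminUser>
</Root>"""
# Constructed sample with a changed (made-up) password value.
SAMPLE_CHANGED = SAMPLE_DEFAULT.replace(
    "<Password>admin</Password>", "<Password>constructed-Value-9f2c</Password>")


def _text(parent, tag):
    """Stripped text of the first element named `tag` at or below parent."""
    node = next(parent.iter(tag), None)
    return node.text.strip() if node is not None and node.text else ""


def audit_admin_config(xml_text):
    """Return a list of findings about the AdminUser entry (empty if none)."""
    root = ET.fromstring(xml_text)
    admin_user = next(root.iter("AdminUser"), None)
    if admin_user is None:
        return ["no <AdminUser> element found"]
    user = _text(admin_user, "UserName")
    password = _text(admin_user, "Password")
    role = _text(root, "AdminRole")
    created = _text(root, "AddAdmin").lower() == "true"
    context = f"role '{role}', AddAdmin={'true' if created else 'false'}"
    findings = []
    if not password:
        findings.append(f"user '{user}' has an empty <Password> ({context})")
    elif (user, password) == ("admin", "admin"):
        findings.append(f"shipped admin/admin credentials in use ({context})")
    elif password.lower() == user.lower():
        findings.append(f"password equals user name '{user}' ({context})")
    return findings


if __name__ == "__main__":
    # With a path argument, audit that file; otherwise audit the sample.
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DEFAULT
    for finding in audit_admin_config(text) or ["no findings"]:
        print(finding)
```

Run it with the path to <PRODUCT_HOME>/repository/conf/user-mgt.xml as the only argument; the elements are located by name anywhere in the file, so the check does not depend on the surrounding structure.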
Description of role-based permissions
Note that the descriptions given in this document only explain how permissions control access to operations available on the management console.
The descriptions of permissions in the Permissions navigator are as follows:
The Login permission defined under Admin permissions allows users to log in to the management console of the product. Therefore, this is the primary permission required for using the management console.
The following table describes the permissions at Super Tenant level. These are also referred to as Super Admin permissions.
The following table describes the permissions at Tenant level. These are also referred to as Admin permissions.