This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
Configuring Roles and Permissions
Roles contain permissions for users to manage the server. You can create different roles with various combinations of permissions and assign them to a user or a group of users. Through the Management Console, you can also edit and delete an existing user role.
WSO2 supports the role-based authentication model, in which a user's privileges are determined by the roles assigned to that user. By default, WSO2 products come with the following roles:
- Admin - Provides full access to all features and controls. By default, the user "admin" is assigned to both the "Admin" and the "Everyone" roles. The Identity Server does not allow you to configure permissions assigned to the 'Admin' role.
- Everyone - Every new user is assigned to this role by default. It does not include any permissions.
- System - This role is not visible in the Management Console.
If a user has several assigned roles, their permissions are added together.
Adding a user role
Follow the instructions below to add a user role.
- On the Main tab in the Management Console, click Add under Users and Roles.
- Click Roles. This link is only visible to users with the Admin role.
- Click Add New Role.
- Do the following:
  - In the Domain list, specify the user store where you want to create this role.
  - Enter a unique name for this role.
  - Click Next.
- Select the permissions you want users with this role to have. Note that when you assign this role to a user, you can override the role's permissions and customize them for the user.
- Select the existing users you want to have this role. You can also assign this role to users later, but if you are creating this role in an external user store that does not allow empty roles, you must assign it to at least one user. You can search for a user by name, or view all users by entering * in the search field.
- Click Finish.
The role is created and is listed on the Roles page. You can now edit the role as needed.
Updating role names
To make modifications to the role names, do one of the following:
Update before the first startup (recommended)
You can change the default role names (admin and everyone) before starting up the WSO2 Identity Server. To do this, change the following elements in the <PRODUCT_HOME>/repository/conf/user-mgt.xml file:
- Change <AdminRole>admin</AdminRole> to <AdminRole>administrator</AdminRole>.
- Change <EveryOneRoleName>everyone</EveryOneRoleName> to <EveryOneRoleName>Your role name</EveryOneRoleName>.
<Configuration>
    <AdminRole>admin</AdminRole>
    <AdminUser>
        <UserName>admin</UserName>
        <Password>admin</Password>
    </AdminUser>
    <EveryOneRoleName>everyone</EveryOneRoleName>
    <!-- By default, users in this role see the registry root -->
    <Property name="dataSource">jdbc/WSO2CarbonDB</Property>
    <Property name="MultiTenantRealmConfigBuilder">org.wso2.carbon.user.core.config.multitenancy.SimpleRealmConfigBuilder</Property>
</Configuration>
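The role-name change described above can be scripted and checked before the first startup. The following is an added example, not WSO2's own code: it rewrites AdminRole and EveryOneRoleName and reports which elements still hold the values shown in the page's sample, including the AdminUser credentials. The function names, the replacement role name "staff" and the embedded sample file are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the <Configuration> block shown above.
SAMPLE = """<UserManager><Realm><Configuration>
  <AdminRole>admin</AdminRole>
  <AdminUser><UserName>admin</UserName><Password>admin</Password></AdminUser>
  <EveryOneRoleName>everyone</EveryOneRoleName>
  <Property name="dataSource">jdbc/WSO2CarbonDB</Property>
</Configuration></Realm></UserManager>"""

# Values taken from the page's sample configuration.
DEFAULTS = {"AdminRole": "admin", "EveryOneRoleName": "everyone",
            "AdminUser/UserName": "admin", "AdminUser/Password": "admin"}

def _configuration(root):
    # Accept either the full file or a bare <Configuration> fragment.
    cfg = root if root.tag == "Configuration" else root.find(".//Configuration")
    if cfg is None:
        raise ValueError("no <Configuration> element found")
    return cfg

def find_defaults(xml_text):
    """Return the element paths that still hold the sample's value."""
    cfg = _configuration(ET.fromstring(xml_text))
    return [path for path, default in DEFAULTS.items()
            if (cfg.findtext(path) or "").strip() == default]

def rename_roles(xml_text, admin_role, everyone_role):
    """Return the XML with both role names replaced, after validating them."""
    names = [admin_role.strip(), everyone_role.strip()]
    if not all(names) or names[0].lower() == names[1].lower():
        raise ValueError("role names must be non-empty and distinct")
    root = ET.fromstring(xml_text)
    cfg = _configuration(root)
    for tag, name in zip(("AdminRole", "EveryOneRoleName"), names):
        node = cfg.find(tag)
        if node is None:
            raise ValueError(f"<{tag}> missing from <Configuration>")
        node.text = name
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print("before:", find_defaults(SAMPLE))
    updated = rename_roles(SAMPLE, "administrator", "staff")
    print("after: ", find_defaults(updated))
```

ElementTree's default parser drops XML comments when the document is re-serialized, so diff the result against the original user-mgt.xml before replacing the file.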
Update after the product has been used for some time
If you have already updated the role names before the first startup of the product, these steps are not necessary. The following steps guide you through updating the role names after you have used the product for some time.
- Make the configuration changes indicated in the above section.
- Do the following user store level changes for existing users:
  - If you are connected to the JDBCUserStoreManager, update the UM_USER_ROLE table with the existing users and the new role names that you defined in place of the 'admin' and 'everyone' roles. If you have changed the permissions of the 'everyone' role, update the UM_ROLE_PERMISSION table with the permissions of the new role. The schema can be located by referring to the data source defined in the user-mgt.xml file. The data source definition can be found in the repository/conf/datasources/master-datasources.xml file.
  - If you are connected to the ReadWriteLdapUserStoreManager, populate the members of the previous admin role to the new role under Groups.
- After the changes have been made, restart the server.
Searching for roles
Once you have added a role in the Identity Server, you can search for the role by doing the following.
- On the Main tab in the Management Console, click List under Users and Roles.
- Click Roles. This link is only visible to users with the Admin role.
You can search for roles by doing the following.
- Select the user store that the role resides in using the Select Domain dropdown.
- Enter the name of the role and click Search Roles. For roles to be listed, you must use the exact name of the role, or use a role name pattern by including *. For example, if you have a role named Manager, you can either search for this role by searching for "Manager", or you could search for "Ma*" to list all roles with names beginning with "Ma".
- The role is displayed in the list.
Editing or deleting a role
If you need to make modifications to a role, use the links in the Actions column on the Roles screen as follows:
- Rename the role
- Change the default permissions associated with this role
- Assign this role to users
- View the users who are assigned this role
- Delete the role if you no longer need it
If the role is in an external user store to which you are connected in read-only mode, you will be able to view the existing roles but not edit or delete them. However, you can still create new editable roles.
- See Role-based Permissions for more information.
- See Permissions Required to Invoke Admin Services for a complete list of permissions required to invoke admin services.