This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
Configuring Roles and Permissions
Roles contain the permissions that let users manage the server. You can create different roles with various combinations of permissions and assign them to a user or a group of users. Through the Management Console, you can also edit and delete an existing user role.
WSO2 supports the role-based authentication model, in which a user's privileges derive from the roles assigned to that user. By default, WSO2 products come with the following roles:
Admin - Provides full access to all features and controls. By default, the user "admin" is assigned to both the "Admin" and the "Everyone" roles. The Identity Server does not allow you to configure permissions assigned to the 'Admin' role.
Everyone - Every new user is assigned to this role by default. It does not include any permissions.
System - This role is not visible in the Management Console.
If a user has several assigned roles, their permissions are combined (the user receives the union of all permissions).
WSO2 products have two types of roles: External Roles and Internal Roles. Let's say there are two user stores:

| | Store-A | Store-B |
|---|---|---|
| Users | user_A | user_B |
| Roles | role_A | role_B |
External Roles:
Stored in the user store itself. Only users in that user store can be assigned to external roles in the same user store.
Example: user_A can be assigned to role_A.
user_B cannot be assigned to role_A.
In the user stores, users are assigned to a Group. Within the WSO2 servers there are Roles; one Group is mapped directly to one Role, and permissions are then assigned to that Role. The mapping between Groups and Roles is one-to-one, and the Group name is used as the Role name in the server.
Internal Roles:
Stored in the Identity Server database. Users in all user stores can be assigned to these roles.
Example: both user_A and user_B can be assigned to the same internal role.
Internal roles have no mapped Groups in the user stores, so users are assigned directly to these roles (assigning Groups to internal roles is not supported).
Internal/everyone: This is a conceptual role that groups all users (across all user stores) together. When you create a new user, the user automatically belongs to the Internal/everyone role.
Application Role: a special case of internal role. These are created for a single service provider (SP) application, and only users in this role can manage the relevant SP application.
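The two rules above (an external role can only be held by users from its own user store, while an internal role accepts users from any store, and a user's effective permissions are the union over all assigned roles) can be modelled in a few lines. The following is an added example, not WSO2 code: the user stores, role names and permission strings are constructed for illustration, and the Internal/auditor role is hypothetical.

```python
# Toy model of the WSO2 role rules described on this page (added example,
# not WSO2 code). Store names, permission strings and "Internal/auditor"
# are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple


@dataclass(frozen=True)
class User:
    name: str
    store: str  # user store domain the account lives in, e.g. "Store-A"


@dataclass(frozen=True)
class Role:
    name: str
    store: Optional[str]  # external role: its user store; internal role: None
    permissions: FrozenSet[str] = frozenset()

    @property
    def is_internal(self) -> bool:
        return self.store is None


class RoleRegistry:
    def __init__(self) -> None:
        self.roles: Dict[str, Role] = {}
        self.assignments: Dict[str, Set[str]] = {}  # user name -> role names

    def add_role(self, role: Role) -> None:
        if role.name in self.roles:
            raise ValueError(f"role {role.name!r} already exists")
        self.roles[role.name] = role

    def assign(self, user: User, role_name: str) -> None:
        role = self.roles[role_name]
        # External roles live in one user store and can only be held by users
        # from that same store; internal roles accept users from any store.
        if not role.is_internal and role.store != user.store:
            raise PermissionError(
                f"{user.name} ({user.store}) cannot hold external role "
                f"{role.name} from {role.store}"
            )
        self.assignments.setdefault(user.name, set()).add(role_name)

    def effective_permissions(self, user: User) -> FrozenSet[str]:
        # Every user implicitly belongs to Internal/everyone; a user with
        # several roles gets the union of their permissions.
        names = self.assignments.get(user.name, set()) | {"Internal/everyone"}
        perms: Set[str] = set()
        for n in names:
            perms |= self.roles[n].permissions
        return frozenset(perms)


def demo() -> Tuple[RoleRegistry, bool]:
    """Build the two-store scenario from the page and try a cross-store assignment."""
    reg = RoleRegistry()
    reg.add_role(Role("Internal/everyone", None))  # carries no permissions
    reg.add_role(Role("role_A", "Store-A", frozenset({"login"})))
    reg.add_role(Role("role_B", "Store-B", frozenset({"login"})))
    reg.add_role(Role("Internal/auditor", None, frozenset({"view-audit-logs"})))
    user_a = User("user_A", "Store-A")
    user_b = User("user_B", "Store-B")
    reg.assign(user_a, "role_A")
    reg.assign(user_a, "Internal/auditor")
    reg.assign(user_b, "Internal/auditor")  # internal role: any store is fine
    try:
        reg.assign(user_b, "role_A")  # external role from another store
        cross_store_allowed = True
    except PermissionError:
        cross_store_allowed = False
    return reg, cross_store_allowed


if __name__ == "__main__":
    registry, allowed = demo()
    print("user_B could take role_A:", allowed)
    print("user_A permissions:", sorted(registry.effective_permissions(User("user_A", "Store-A"))))
```

The `assign` check is where a one-to-one Group-to-Role mapping pays off: because an external role is the store's own group, a user from another store has no group to map to it, so the assignment is refused rather than silently creating a dangling membership.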
Adding a user role
Add role using management console
Follow the instructions below to add a user role.
1. On the Main tab in the Management Console, click Add under Users and Roles.
2. Click Roles. This link is only visible to users with the Admin role.
3. Click Add New Role.
4. Do the following:
   a. In the Domain list, specify the user store where you want to create this role.
   b. Enter a unique name for this role.
   c. Click Next.
5. Select the permissions you want users with this role to have. A role may also have no permissions. Note that when you assign this role to a user, you can override the role's permissions and customize them for the user.
6. Select the existing users you want to have this role. You can also assign this role to users later, but if you are creating this role in an external user store that does not allow empty roles, you must assign it to at least one user. You can search for a user by name (or for a user role by role name), or view all users or roles by entering * in the search field.
7. Click Finish.
The role is created and is listed on the Roles page. You can now edit the role as needed.
Add role using SCIM
In SCIM, creating a role means creating a group. Read more on SCIM.
Request
curl -v -k --user {IS_USERNAME}:{IS_PASSWORD} --data '{"displayName": {GROUP_NAME},"members": {MEMBERS_OF_THE_GROUP}}' --header "Content-Type:application/json" https://{IS_IP}:{IS_PORT}/wso2/scim/Groups
Sample Request
curl -v -k --user admin:admin --data '{"displayName": "engineer","members": [{"value":"316214c0-dd7e-4dc3-bed8-e91227d32597","display": "hasinitg"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Groups
You receive a response with the payload indicated below and a response status of 201 CREATED.
Response
{
  "id": "b4f9bccf-4f79-4288-be21-78e0d4500714",
  "schemas": ["urn:scim:schemas:core:1.0"],
  "displayName": "PRIMARY/engineer",
  "members": [
    {"value": "0032fd29-55a9-4fb9-be82-b1c97c073f02", "display": "hasinitg"}
  ],
  "meta": {
    "lastModified": "2016-01-26T18:31:57",
    "created": "2016-01-26T18:31:57",
    "location": "https://localhost:9443/wso2/scim/Groups/b4f9bccf-4f79-4288-be21-78e0d4500714"
  }
}
You can observe in the Management Console of IS that the new group is listed under roles and that the user 'hasinitg' is listed under the users of that group.
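The same group-creation call, scripted so that the request body is serialised rather than hand-quoted and the response is checked for the 201 status, the SCIM 1.x core schema and the domain-prefixed displayName. This is an added example, not WSO2 code: it targets the /wso2/scim/Groups endpoint shown above, and the sample response it parses offline is the one from this page. Unlike the curl -k sample, the HTTP helper verifies the server certificate, with `ca_bundle` as an assumed parameter for supplying a private CA.

```python
# Added example (not WSO2 code): create a SCIM 1.1 group on the
# /wso2/scim/Groups endpoint shown above and check the response.
import base64
import json
import ssl
import urllib.error
import urllib.request
from typing import Dict, List, Optional

SCIM_CORE_SCHEMA = "urn:scim:schemas:core:1.0"

# Response body from this page, embedded so the parser can be exercised offline.
SAMPLE_RESPONSE = (
    '{"id":"b4f9bccf-4f79-4288-be21-78e0d4500714","schemas":["urn:scim:schemas:core:1.0"],'
    '"displayName":"PRIMARY/engineer","members":[{"value":"0032fd29-55a9-4fb9-be82-b1c97c073f02",'
    '"display":"hasinitg"}],"meta":{"lastModified":"2016-01-26T18:31:57","created":"2016-01-26T18:31:57",'
    '"location":"https://localhost:9443/wso2/scim/Groups/b4f9bccf-4f79-4288-be21-78e0d4500714"}}'
)


def build_group_payload(display_name: str, members: List[Dict[str, str]]) -> str:
    """Serialise the group-create body. json.dumps does the quoting, so a display
    name containing quotes or backslashes cannot break out of the JSON document."""
    if not display_name:
        raise ValueError("displayName must not be empty")
    for m in members:
        if "value" not in m:
            raise ValueError("each member needs the user's SCIM id in 'value'")
    return json.dumps({"displayName": display_name, "members": members})


def parse_group_response(status: int, body: str) -> Dict[str, object]:
    """Accept only 201 CREATED with a SCIM core resource; split the domain prefix
    (PRIMARY/engineer) the server adds to the group name."""
    if status != 201:
        raise RuntimeError(f"expected 201 CREATED, got {status}: {body[:200]}")
    doc = json.loads(body)
    if SCIM_CORE_SCHEMA not in doc.get("schemas", []):
        raise RuntimeError("response is not a SCIM 1.x core resource")
    domain, _, name = doc["displayName"].rpartition("/")
    return {
        "id": doc["id"],
        "domain": domain or None,
        "name": name,
        "members": [m["value"] for m in doc.get("members", [])],
        "location": doc["meta"]["location"],
    }


def create_group(base_url: str, username: str, password: str, display_name: str,
                 members: List[Dict[str, str]], ca_bundle: Optional[str] = None) -> Dict[str, object]:
    """POST the group with HTTP Basic auth. TLS is verified (no equivalent of
    curl -k); ca_bundle (assumed parameter) points at a private CA if needed."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/wso2/scim/Groups",
        data=build_group_payload(display_name, members).encode(),
        method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"},
    )
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return parse_group_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:
        # Error bodies (e.g. 409 on a duplicate group) are surfaced by the parser.
        return parse_group_response(e.code, e.read().decode())


if __name__ == "__main__":
    # Offline walk-through using the page's sample request and response.
    print(build_group_payload("engineer", [
        {"value": "316214c0-dd7e-4dc3-bed8-e91227d32597", "display": "hasinitg"}]))
    print(parse_group_response(201, SAMPLE_RESPONSE))
```

To run it against a server, call `create_group("https://localhost:9443", "admin", "admin", "engineer", [...], ca_bundle="/path/to/ca.pem")`; the returned `domain` field makes the PRIMARY/ prefix on the created group explicit, which matters when the same group name exists in more than one user store.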