This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Configuring Roles

Roles contain permissions for users to manage the server. You can create different roles with various combinations of permissions and assign them to a user or a group of users. User roles can be reused throughout the system and prevent the overhead of granting multiple permissions to each and every user individually. Through the Management Console, you can also edit and delete an existing user role.

WSO2 supports the role-based authentication model where privileges of a user are based on the role it is attached to. By default, WSO2 products come with the following roles:

  • Admin - Provides full access to all features and controls. By default, the user "admin" is assigned to both the "Admin" and the "Everyone" roles.
  • Everyone - Every new user is assigned to this role by default. It does not include any permissions.
  • System - This role is used internally by the product and is not visible in the Management Console.

A user can have multiple roles and thus will have the permissions in all those roles.

Adding a user role

Follow the instructions below to add a user role.

  1. On the Configure tab in the management console, click Users and Roles.
  2. Click Roles. This link is only visible to users with the Admin role.
  3. Click Add New Role.
  4. Do the following:
    1. From the Domain drop-down list, select the domain of the user store where you want to create the user role. The default is PRIMARY. For more information on the primary user store, see Configuring Primary User Stores.
    2. Enter a unique name for this role.
    3. Click Next.
  5. Select the permissions you want users with this role to have. Note that when you assign this role to a user, you can override the role's permissions and customize them for the user.
  6. Select the existing users you want to have this role. You can also assign this role to users later, but if you are creating this role in an external user store that does not allow empty roles, you must assign it to at least one user. You can search for a user by name, or view all users by entering * in the search field.
  7. Click Finish.

When adding roles to external user stores, note the following:

  • Some external user stores do not allow you to create empty roles. In that case, selecting users who belong to a role is mandatory.
  • If you connect to an external user store (e.g., LDAP) in read-only mode, you can read existing roles from it, but you cannot edit or delete them. In this case, you can still create new roles that are editable and can be managed internally.
  • If you connect to an external user store in read/write mode, you can edit the roles in the external user store as well.

The role is created and is listed on the Roles page. You can now edit the role as needed.

Searching for user roles

You can search for an existing user role using the search facility on the Roles screen as follows:

  1. Select the domain (unique identifier) of the user store where you want to search for the role. By default, there are three options as follows:
    • PRIMARY: Searches within the primary user store.
    • ALL-USER-STORE-DOMAINS: Searches within all user stores configured in the system.
    • Internal: Searches in the database where internal/system-reserved user roles such as Internal/everyone are stored.
  2. Enter the role name pattern. For example, if you enter "ab*", it returns all roles that have names starting with "ab".
  3. Click Search to see the results.

Editing or deleting a role

If you need to make modifications to a role, select the domain (user store) where the role resides, and then use the links in the Actions column on the Roles screen as follows:

  • Rename the role
  • Change the default permissions associated with this role
  • Assign this role to users
  • View the users who are assigned this role
  • Delete the role if you no longer need it

If the role is in an external user store to which you are connected in read-only mode, you will be able to view the existing roles but not edit or delete them. However, you can still create new editable roles.

Updating role names

Do the following to make modifications to the role names:

Updating before initial startup (recommended)

You can change the default role names (admin and everyone) before starting a WSO2 product for the first time by editing <PRODUCT_HOME>/repository/conf/user-mgt.xml. The file looks like this by default:

<Configuration>
	<AddAdmin>true</AddAdmin>
	<AdminRole>admin</AdminRole>
	<AdminUser>
		<UserName>admin</UserName>
		<Password>admin</Password>
	</AdminUser>
	<EveryOneRoleName>everyone</EveryOneRoleName> <!-- By default, users in this role see the registry root -->
	<Property name="dataSource">jdbc/WSO2CarbonDB</Property>
	<Property name="MultiTenantRealmConfigBuilder">org.wso2.carbon.user.core.config.multitenancy.SimpleRealmConfigBuilder</Property>
</Configuration>

Make the following changes to these configurations:

  • Change <AdminRole>admin</AdminRole> to <AdminRole>administrator</AdminRole>.
  • Change <EveryOneRoleName>everyone</EveryOneRoleName> to <EveryOneRoleName>Your role</EveryOneRoleName>.
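
As an added example (not part of the original WSO2 documentation), the following Python script applies both changes to a copy of the <Configuration> block above and runs a few pre-startup checks a practitioner would want before the server is ever started: both role names are present and distinct, and the AdminUser password is no longer the shipped default "admin" shown in the file. The constants and function names are this example's own; the XML text is a constructed copy of the default fragment.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the default <Configuration> block from user-mgt.xml
# (the XML comment is omitted because ElementTree drops it on parsing).
DEFAULT_USER_MGT = """<Configuration>
    <AddAdmin>true</AddAdmin>
    <AdminRole>admin</AdminRole>
    <AdminUser>
        <UserName>admin</UserName>
        <Password>admin</Password>
    </AdminUser>
    <EveryOneRoleName>everyone</EveryOneRoleName>
    <Property name="dataSource">jdbc/WSO2CarbonDB</Property>
    <Property name="MultiTenantRealmConfigBuilder">org.wso2.carbon.user.core.config.multitenancy.SimpleRealmConfigBuilder</Property>
</Configuration>
"""


def rename_default_roles(xml_text, admin_role, everyone_role):
    """Return xml_text with <AdminRole> and <EveryOneRoleName> replaced.

    Only these two elements are changed; every other element (data source,
    realm config builder, AdminUser) is passed through untouched.
    """
    root = ET.fromstring(xml_text)
    for tag, value in (("AdminRole", admin_role), ("EveryOneRoleName", everyone_role)):
        elem = root.find(tag)
        if elem is None:
            raise ValueError(f"<{tag}> not found in <Configuration>")
        elem.text = value
    return ET.tostring(root, encoding="unicode")


def check_role_config(xml_text):
    """Pre-startup sanity checks on the role settings. Returns a list of
    findings; an empty list means the configuration passed every check."""
    root = ET.fromstring(xml_text)
    findings = []
    admin_role = (root.findtext("AdminRole") or "").strip()
    everyone_role = (root.findtext("EveryOneRoleName") or "").strip()
    if not admin_role:
        findings.append("AdminRole is empty")
    if not everyone_role:
        findings.append("EveryOneRoleName is empty")
    # Exact comparison (assumption: treat names as case-sensitive strings here).
    if admin_role and admin_role == everyone_role:
        findings.append("AdminRole and EveryOneRoleName must differ")
    # AddAdmin=true creates the admin user at first startup with this password,
    # so the shipped value should have been replaced before that happens.
    add_admin = (root.findtext("AddAdmin") or "").strip().lower() == "true"
    password = root.findtext("AdminUser/Password") or ""
    if add_admin and password == "admin":
        findings.append("AdminUser password is still the shipped default")
    return findings


if __name__ == "__main__":
    updated = rename_default_roles(DEFAULT_USER_MGT, "administrator", "Your role")
    print(updated)
    for finding in check_role_config(updated):
        print("CHECK:", finding)
```

Run against the default file, the script reports only that the admin password is still the shipped default; point it at your edited user-mgt.xml (read the file into `xml_text`) to confirm the role names took effect before the first start.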

Updating after the product has been started

To update role names after initial startup, take the following steps:

  1. Make the configuration changes as described above.
  2. Make the following changes to the existing users in the user store:
    • If you are connected to JDBCUserStoreManager, update the UM_USER_ROLE table for the existing users after changing the admin and everyone role names. If you have changed the permission of the everyone role, also update the UM_ROLE_PERMISSION table with the permissions for the new role.

      You can locate the schema of the user store by referring to the data source defined in the user-mgt.xml file. The data source definition is located in <PRODUCT_HOME>/repository/conf/datasources/master-datasources.xml.

    • If you are connected to ReadWriteLdapUserStoreManager, move the members of the previous admin role to the new role under Groups.
  3. Restart the server.
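
For the JDBCUserStoreManager case in step 2, the following added example (not WSO2's own code or schema) shows the shape of the database change: the rename is applied to the role table and to UM_ROLE_PERMISSION in one transaction, and the script verifies that every user membership and every permission row still resolves under the new name before committing. The table layout is a deliberately simplified stand-in built in an in-memory SQLite database; the real column names must be taken from your product's DB scripts, not from this example.

```python
import sqlite3

# Constructed, simplified stand-in for the user store tables named in the steps
# above. Assumption: this is NOT the real WSO2 column layout; UM_USER_ROLE is
# modelled as a (user id, role id) mapping and UM_ROLE_PERMISSION stores the role
# by name, so a rename has to touch both UM_ROLE and UM_ROLE_PERMISSION.
SCHEMA = """
CREATE TABLE UM_ROLE (UM_ID INTEGER PRIMARY KEY, UM_ROLE_NAME TEXT NOT NULL UNIQUE);
CREATE TABLE UM_USER (UM_ID INTEGER PRIMARY KEY, UM_USER_NAME TEXT NOT NULL UNIQUE);
CREATE TABLE UM_USER_ROLE (
    UM_USER_ID INTEGER NOT NULL, UM_ROLE_ID INTEGER NOT NULL,
    PRIMARY KEY (UM_USER_ID, UM_ROLE_ID));
CREATE TABLE UM_ROLE_PERMISSION (
    UM_ROLE_NAME TEXT NOT NULL, UM_PERMISSION_ID INTEGER NOT NULL, UM_IS_ALLOWED INTEGER NOT NULL);
"""

# Constructed sample data: "admin" holds both default roles, "alice" only "everyone".
SAMPLE_DATA = """
INSERT INTO UM_ROLE VALUES (1, 'admin'), (2, 'everyone');
INSERT INTO UM_USER VALUES (1, 'admin'), (2, 'alice');
INSERT INTO UM_USER_ROLE VALUES (1, 1), (1, 2), (2, 2);
INSERT INTO UM_ROLE_PERMISSION VALUES ('admin', 100, 1), ('everyone', 101, 1);
"""


def open_sample_store():
    """Create the in-memory sample store populated with the rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_DATA)
    return conn


def members_of(conn, role_name):
    """User names holding role_name, sorted (empty if the role does not exist)."""
    rows = conn.execute(
        "SELECT u.UM_USER_NAME FROM UM_USER u "
        "JOIN UM_USER_ROLE ur ON ur.UM_USER_ID = u.UM_ID "
        "JOIN UM_ROLE r ON r.UM_ID = ur.UM_ROLE_ID "
        "WHERE r.UM_ROLE_NAME = ? ORDER BY 1",
        (role_name,)).fetchall()
    return [r[0] for r in rows]


def permissions_of(conn, role_name):
    """Permission ids granted to role_name, sorted."""
    rows = conn.execute(
        "SELECT UM_PERMISSION_ID FROM UM_ROLE_PERMISSION "
        "WHERE UM_ROLE_NAME = ? ORDER BY 1",
        (role_name,)).fetchall()
    return [r[0] for r in rows]


def rename_role(conn, old_name, new_name):
    """Rename a role so that existing memberships and permission rows follow it.

    Everything runs in one transaction; if the post-rename membership or
    permission set differs from the pre-rename set, the transaction is rolled
    back and the error is re-raised, leaving the store exactly as it was.
    """
    if conn.execute("SELECT 1 FROM UM_ROLE WHERE UM_ROLE_NAME = ?", (old_name,)).fetchone() is None:
        raise ValueError(f"role {old_name!r} not found")
    if conn.execute("SELECT 1 FROM UM_ROLE WHERE UM_ROLE_NAME = ?", (new_name,)).fetchone():
        raise ValueError(f"role {new_name!r} already exists")
    before_members = members_of(conn, old_name)
    before_perms = permissions_of(conn, old_name)
    with conn:  # commits on success, rolls back on any exception
        conn.execute("UPDATE UM_ROLE SET UM_ROLE_NAME = ? WHERE UM_ROLE_NAME = ?",
                     (new_name, old_name))
        conn.execute("UPDATE UM_ROLE_PERMISSION SET UM_ROLE_NAME = ? WHERE UM_ROLE_NAME = ?",
                     (new_name, old_name))
        if members_of(conn, new_name) != before_members:
            raise RuntimeError("user memberships did not survive the rename")
        if permissions_of(conn, new_name) != before_perms:
            raise RuntimeError("permission rows did not survive the rename")
    return {"members": members_of(conn, new_name), "permissions": permissions_of(conn, new_name)}


if __name__ == "__main__":
    store = open_sample_store()
    print(rename_role(store, "admin", "administrator"))
    print(rename_role(store, "everyone", "Your role"))
```

The names passed to rename_role must be the same ones you put into user-mgt.xml, and the rename has to be done for the admin role and the everyone role before the restart in step 3, otherwise the server starts looking for role names that the user store does not contain.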