Users, Roles and Permissions
Users and Roles
WSO2 ESB allows managing users and their roles. A user is associated with one or more roles (generally specified at user creation time) and each role is associated with zero or more permissions (generally specified at role creation time). Therefore the set of permissions owned by a user is determined by the roles assigned to that user. If a user has several assigned roles, their permissions are added together.
By default, ESB comes with the following roles:
- Admin - Provides full access to all the features and controls in the ESB. By default the user "admin" is assigned to both the "Admin" and the "Everyone" roles.
- Everyone - Every new user is assigned to this role by default. It does not include any permissions.
- System - This role is not visible in the management console.
Note
The ESB UI does not allow configuring the permissions assigned to the "Admin" role.
Permissions
The permission model of WSO2 ESB is hierarchical. The full ESB permission tree looks as follows:
Permissions can be assigned to a role in a fine-grained or a coarse-grained manner. For example, you can either select a whole class of permissions, like "Configure", by checking the corresponding box, or you can expand that class and select one or several items.
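The additive, hierarchical model described above, as an added example that is not part of the WSO2 documentation: a Python audit script that resolves each user's effective permissions from role assignments and lists the coarse-grained grants worth reviewing. The permission paths, the slash-separated representation of the tree, and the "esb-config" and "monitor" roles are constructed assumptions; only "Admin", "Everyone" and the "Configure" class come from this page.

```python
# Constructed sample data. The leaf paths below are illustrative, not the real
# ESB permission tree; "esb-config" and "monitor" are hypothetical roles.
LEAVES = [
    "/permission/admin/login",
    "/permission/admin/configure/datasources",
    "/permission/admin/configure/security",
    "/permission/admin/monitor/logs",
    "/permission/admin/manage/mediation",
]
ROLE_GRANTS = {
    "Admin": {"/permission/admin"},                 # full access
    "Everyone": set(),                              # no permissions
    "esb-config": {"/permission/admin/configure"},  # coarse: whole "Configure" class
    "monitor": {"/permission/admin/login",          # fine: individual items
                "/permission/admin/monitor/logs"},
}
USER_ROLES = {
    "admin": ["Admin", "Everyone"],
    "alice": ["Everyone", "esb-config", "monitor"],
    "bob": ["Everyone"],
}

def covers(grant, path):
    """A grant on a node applies to that node and everything beneath it."""
    # Compare whole path segments so ".../config" never matches ".../configure".
    return path == grant or path.startswith(grant.rstrip("/") + "/")

def effective_grants(user):
    """Permissions of all assigned roles are added together (set union)."""
    grants = set()
    for role in USER_ROLES.get(user, []):
        grants |= ROLE_GRANTS.get(role, set())  # unknown role contributes nothing
    return grants

def effective_permissions(user):
    """Leaf permissions the user ends up holding."""
    grants = effective_grants(user)
    return sorted(p for p in LEAVES if any(covers(g, p) for g in grants))

def coarse_grants(user):
    """Grants made on a whole class (a node with children), worth reviewing."""
    return sorted(g for g in effective_grants(user)
                  if any(covers(g, p) and p != g for p in LEAVES))

if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, effective_permissions(user), coarse_grants(user))
```

A coarse grant silently widens whenever new items are added beneath that class, which is why the script reports such grants separately from the resolved leaf permissions.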
"Read/Write" and "Read Only" Modes
The User Management feature of WSO2 Carbon lets you manage user accounts and roles at different levels.
The User Store of Carbon products can be configured to operate in one of the following modes, which determines the available functionality.
Modes of operation:
- Read/write - This mode allows the user to modify the User Store.
- Read only - This mode prevents the user from changing any data in the User Store.
If the User Store is operating in "Read/Write" mode, the user can:
- Add, modify or remove user accounts
- Reset user passwords
- Manage user roles
- Import users from other User Stores
If the User Store is operating in "Read Only" mode, the user can:
- View user accounts
Note
WSO2 Carbon maintains roles and permissions in the Carbon database, but it can read users/roles from the configured User Store.
See also Managing Role Permissions in the "Registry" section.
For detailed information on configuring users, roles and permissions, see the following pages:
- Adding a New User — Instructions on how to add new users and assign them roles.
- Using External User Stores (LDAP AD) — Instructions on how to access the external User Stores.
- Deleting a User — Instructions on how to delete users.
- Resetting a User's Password — Instructions on how to reset a user's password.
- Changing Current User's Password — Instructions on how to change the current user's password in ESB.
- Creating a User Role — Instructions on how to create a new user role.
- Defining User Role — Instructions on how to define the User Role.
- Accessing Users and Roles Screen — Instructions on how to access the Users and Roles screen.
- Related Articles about Users, Roles, and Permissions