Role-based Permissions

Introduction to role-based permissions

The User Management module in WSO2 products enable role-based access. With this functionality, the permissions enabled for a particular role determines what that user can do using the management console of a WSO2 product. Permissions can be granted to a role at two levels:

Super tenant level: A role with super tenant permissions is used for managing all the tenants in the system and also for managing the key features in the system, which are applicable to all the tenants.
Tenant level: A role with tenant level permissions is only applicable to individual tenant spaces.

The permissions navigator that you use to enable permissions for a role is divided into these two categories (Super Admin permissions and Admin permissions) as shown below. However, note that there may be other categories of permissions enabled for a WSO2 product, depending on the type of features that are installed in the product.

You can access the permissions navigator for a particular role by clicking Permissions as shown below.

By default, every WSO2 product comes with the following users, roles and permissions configured:

Users:

Admin - Has all the permissions in the system enabled by default. Therefore, this is a super tenant, with all permissions enabled. By default, the admin user is assigned to both the Admin and the Everyone roles.

The Admin user and Admin role is defined and linked to each other in the user-mgt.xml file, stored in the <PRODUCT_HOME>/repository/conf/ directory as shown below.

<AddAdmin>true</AddAdmin>
<AdminRole>admin</AdminRole>
<AdminUser>
     <UserName>admin</UserName>
     <Password>admin</Password>
</AdminUser>

Roles:

Admin - Provides full access to all features and controls. By default, the admin role is assigned to the admin user.
Internal/Everyone - Every new user is assigned to this role by default. It does not include any permissions.
Internal/System - This role is not visible in the Management Console.

There may be other users and roles configured by default depending on the type of features installed in your product.

WSO2 API Manager comes with the following additional roles configured by default:

Internal/creator
Internal/publisher
Internal/subscriber

For more information about these roles, see Adding User Roles.

You will be able to log in to the management console of the product with the Admin user defined in the user-mgt.xml file. You can then create new users and roles and configure permissions for the roles using the management console. However, note that you cannot modify the permissions of the Admin role. The possibility of managing users, roles and permissions is granted by the User Management permission. For more information, see Configuring the User Realm.

Description of role-based permissions

Log-in permissions

The Login permission defined under Admin permissions allows users to log in to the management console of the product. Therefore, this is the primary permission required for using the management console.

Super Tenant permissions

The following table describes the permissions at Super Tenant level. These are also referred to as Super Admin permissions.

Permission

Description of UI menus enabled

Configuration permissions:

The Super Admin/Configuration permissions are used to grant permission to the key functions in a product server, which are common to all the tenants. In each WSO2 product, several configuration permissions will be available depending on the type of features that are installed in the product.

- Feature Management permission ensures that a user can control the features installed in the product using the management console. That is, the Features option will be enabled under the Configure menu.
- Logging permission enables the possibility to configure server logging from the management console. That is, the Logging option will be enabled under the Configure menu.

Management permissions:

The Super Admin/Manage permissions are used for adding new tenants and monitoring them.

- Modify/Tenants permission enables the Add New Tenant option in the Configure menu of the management console, which allows users to add new tenants.
- Monitor/Tenants permission enables the View Tenants option in the Configure menu of the management console.

Server Admin permissions:

Selecting the Server Admin permission enables the Shutdown/Restart option in the Main menu of the management console.

Tenant-level permissions

The following table describes the permissions at Tenant level. These are also referred to as Admin permissions.

Note that when you select a node in the Permissions navigator, all the subordinate permissions that are listed under the selected node are also automatically enabled.

Permission level	Description of UI menus enabled
Admin	When the Admin permission node is selected, the following menus are enabled in the management console: - User Store Management: This permission allows users to add new user stores and manage them with the management console. Note that only secondary user stores can be added using this option. For more details, see Configuring User Stores. - Identity Providers: For details on how to use this option, see Adding and Configuring an Identity Provider. - Additionally, all permissions listed under Admin in the permissions navigator are selected automatically.
Admin/Configure	When the Admin/Configure permission node is selected, the following menus are enabled in the management console: - Main menu/PAP: For details on how to use this option, see Working with Entitlement. - Main menu/PDP: For details on how to use this option, see Working with Entitlement. - Configure menu/Datasources: For details on how to use this option, see managing datasources. - Configure menu/Server Roles: For more details, see Server Roles. - Tools menu/Tryit (XACML): For details on how to use this option, see Using the XACML TryIt Tool. - Additionally, all permissions listed under Configure in the permissions navigator are selected automatically.
Admin/Configure/Security	When the Admin/Configure/Security permission node is selected, the following menus are enabled in the Configure menu of the management console: - Claim Management: For details on how to use this option, see Claim Management. - Keystores: For details on how to use this option, see Configuring Keystores in WSO2 API Manager. - Service Principle (Kerberos KDC): For details on how to use this option, see Kerberos Security. - Email Templates: For details on how to use this option, see Email Templates. - This permission will also enable the Roles option under Configure/Users and Roles. For more information, see Managing Users and Roles. - Additionally, all permissions listed under Security in the permissions navigator are selected automatically.
Admin/Configure/Security/Identity Management/Password Management	This permission enables the Change Password option for the users listed in the User Management/Users and Roles/Users screen, which allows the logged in user to change the passwords.
Admin/Configure/Security/Identity Management/Profile Management	This permission enables the User Profile option for the users listed in the User Management/Users and Roles/Users screen, which allows the logged in user to update user profiles.
Admin/Configure/Security/Identity Management/User Management	This permission enables the possibility to add users from the management console. That is, the Users option will be enabled under Configure/Users and Roles.
Admin/Manage	When the Admin/Manage permission is selected, the following menus will be enabled in the management console: - Main menu/Service Providers: For details on how to use this option, see Adding and Configuring a Service Provider. - Tools menu/SAML: For details on how to use this option, see Using the SAML2 Toolkit. - Additionally, all permissions listed under Admin/Manage in the permissions navigator will be enabled automatically.
Admin/Manage/Add	- Manage menu/Add/Modules: This permission enables you to upload modules using the management console. - Manage menu/Add/Services: This permission enables you to upload/generate/create/schedule services in WSO2 DSS. See the tutorials on creating, generating, uploading data services and scheduling tasks. - Manage menu/Add/Webapps: This permission enables you to upload webapps using the management console.
Admin/Manage/API/Create	This permission enables the possibility to create APIs in the API Publisher of the API Manager.
Admin/Manage/API/Publish	This permission enables the possibility to publish the APIs available in the API Publisher of the API Manager. Published APIs are then visible in the API Store of the API Manager.
Admin/Manage/API/Subscribe	This permission enables the possibility to subscribe to an API through an application, in the API Store of the API Manager.
Admin/Manage/API-M Admin	This permission enables the possibility to access the Admin Portal of the API Manager.
Admin/Manage/Dead Letter Channel	This permission enables users to see any queue information that is stored in the Dead Letter Channel. When this node is selected, the following permissions will be automatically granted: Browse: Allows users to browse details of a queue stored in the Dead Letter Channel. Delete: Allows users to delete any queue stored in the Dead Letter Channel. Reroute: Allows users to reroute a queue stored in the Dead Letter Channel to any other queue chosen by the user. Restore: Allows users to restore a queue stored in the Dead Letter Channel to the queue from which it originated.
Admin/Manage/Configure	- Manage menu/Configure/Modules: This permission enables listing of the modules. - Manage menu/Configure/Services: This permission enables listing of the services. - Manage menu/Configure/Webapps: This permission enables listing of the webapps.
Admin/Manage/Queue	- Manage menu/Queue/Add: This permission enables the option to Add queues. You will be able to add new queues and view a list of the available queues with this permission. Note that a user that has permission to Add new queues, by default obtains permission to consume messages from all queues created by the same user and to publish messages to the same queues. - Manage menu/Queue/Browse: This permission enables the Browse option for queues. When you go to the Main tab and click Queues > List, you will see the Browse link enabled for each queue. - Manage menu/Queue/Delete: This permission enables the Delete option for queues. When you go to the Main tab and click Queues > List, you will see the Delete link enabled for each queue. - Manage menu/Queue/Purge: This permission enables the Purge Messages option for queues. When you go to the Main tab and click Queues > List, you will see the Purge Messages link enabled for each queue.
Admin/Manage/Resources/Browse	This permission enables the Browse option under the Registry menu in the main navigator. This option allows users to browse the resources stored in the registry by using the Registry tree navigator. For more information, see Working with the Registry.
Admin/Manage/Search	This permission enables the Search option under the Registry sub menu in the Main menu. This option allows users to search for specific resources stored in the registry by filling in the search criteria. For more information, see Working with the Registry.
Admin/Manage/Subscription	- Manage menu/Subscription/ViewQueueSubscriptions: This permission enables the possibility of viewing details of queue subscribers. The Subscription > Queue Subscription List option will be available in the Main tab. - Manage menu/Subscription/CloseQueueSubscriptions: This permission, in addition to the Admin/Manage/Subscription/ViewQueueSubscriptions permission, will allow users to close queue subscriptions. - Manage menu/Subscription/ViewTopicSubscriptions: This permission enables the possibility of viewing details of topic subscribers. The Subscription > Topic Subscription List option will be available in the Main tab. - Manage menu/Subscription/ViewTopicSubscriptions: This permission, in addition to the Admin/Manage/Subscription/ViewTopicSubscriptions permission, will allow users to close topic subscriptions.
Admin/Manage/Topic	- Manage menu/Topic/Add: This permission enables the possibility of adding topics and sub topics. When you go to the Main tab, the Add option will be enabled for Topics, which can be used to add a new topic. When you go to Topics > List and select a particular topic, the Add Subtopic link will also be enabled. Note that a user that has permission to Add new topics, by default obtains permission to subscribe and publish to all the topics that are created by the same user. - Manage menu/Topic/Browse: - Manage menu/Topic/Delete: This permission enables the possibility of deleting topics and subtopics. When you go to Topics > List and select a particular topic, the Delete link will be enabled. Note that the Admin/Manage/Resources/Browse permission node should also be enabled for topic deletion to be allowed. - Manage menu/Topic/Details: This permission enables the possibility of checking the details of topics and subtopics. When you go to Topics > List and select a particular topic, the Details link will be enabled.
Admin/Monitor	When the Admin/Monitor permission node is selected, the following menus are enabled in the management console: - Monitor menu/System Statistics: This allows users to monitor performance statistics. - Monitor menu/SOAP Message Tracer: This allows users to monitor SOAP messages. - Monitor menu/Message Flows: This allows users to monitor message flows. - Additionally, all permissions listed under Admin/Monitor in the permissions navigator will be enabled automatically.
Admin/Monitor/Logs	When the Admin/Monitor/Logs permission node is selected, the following menus are enabled in the management console: - Monitor menu/System Logs: This allows users to monitor system logs. - Monitor menu/Application Logs: This allows users to monitor application logs. For details on how to use these options, see View and Download Logs.
Admin/Monitor/Metrics	When this node is selected, the following menus are enabled in the Monitor tab of the Management Console: Metrics/JVM Metrics: Used for monitoring system statistics common to all products. Metrics/Messaging Metrics: Used for monitoring API-M-specific statistics.