Skip to end of metadata
Go to start of metadata

Application visibility allows you to prevent users with certain roles from viewing a web application in the App Store. When creating a web application using the App Publisher, you can make the app visible to the public, or restrict its visibility to a particular role(s).

restrict visibility of Web app to specific user role(s)

Web applications with public visibility

Web apps with public visibility, which are created by a user of a specific tenant domain, are visible to all users (subscribers and anonymous users) of that domain. Do not select the Restrict Visibility field if you need to enable public visibility.

Web applications with visibility restricted by roles

Web applications with a visibility restricted to specific roles are visible only to users assigned to that particular role. Specify the user roles that need to have access to the web application in the Restrict Visibility field.

  • Roles that have web application creation and publication permissions can see all applications in their tenant App Store, even if you restrict access to those roles. This is because any role that has web application creation and publication permissions can view and edit all web applications in the App Publisher.

  • If you restrict the visibility of a web app to a default internal/subscriber role, any user who registers to the App Store is able to access the web application. This is because, WSO2 App Manager assigns the internal/subscriber role to all users who register to the App Store.

In WSO2 App Manager, visibility levels work for users in different tenant modes as follows.

Visibility in super tenant domain

Application subscribers of the default super tenant domain can see applications depending on its visibility level.

  • Anonymous users can view all applications with public visibility.

  • Signed-in users can view all applications with public visibility, as well as applications that are restricted to a role assigned to the signed-in user.

Visibility in multi-tenant mode

A tenant's App Store is the App Store specific to the tenant domain of the user. Therefore, in multi-tenant mode, a subscriber can view applications based on their visibility levels, as well as the App Store the user is viewing. Any subscriber can view applications of its tenant App Store depending on its visibility level as follows:

  • Anonymous users can view apps that have public visibility and are created within the current user's tenant domain.

  • Signed-in users can view apps that have public visibility and apps created within the current users tenant domain that are allowed to be accessed by the current user role.

Controlling visibility of a new user role

Follow the steps below to configure web application visibility.

  1. Log in to the Management Console (https://localhost:9443/carbon) and create a user role named roleA with the permissions given below. For information on user roles, see Configuring Users and Roles.
  2. Create a role named roleB with the same permissions as specified above.
  3. Create a user named userA and assign roleA to the user.
  4. Create a user named userB and assign roleB to the user.
  5. Create a web application. To restrict visibility of this web app to roleA, enter roleA as the value in the Restrict Visibility field when creating the app.

    In order to create a web app, log in with a user that has the following permissions:

    • All Permissions > Admin Permissions > Configure > Governance and all underlying permissions
    • All Permissions > Admin Permissions > Login
    • All Permissions > Admin Permissions > Manage > API > Create  
    • All Permissions > Admin Permissions > Manage > Resources > Govern and all underlying permissions  
  6. Publish the web application.
  7. Access the App Store as an anonymous user. You are unable to see the newly created application in the App Store.
  8. Now log in to the App Store as userA. You are now able to see the newly created application.
  9. Log in to the App Store as userB or any other user who is not assigned roleA. You are unable to see the application as visibility is restricted to roleA.
  • No labels