User management involves defining and managing users, roles, and their access levels in a system. This page introduces the WSO2 user management functionality in the following sections:
A user management dashboard or console provides system administrators with a high-level view of a system's active user sessions, their log-in statuses, the privileges of each user, and their activity in the system, enabling system admins to make business-critical, real-time security decisions. A typical user management implementation involves a wide range of functionality such as adding/deleting users, controlling user activity through permissions, managing user roles, defining authentication policies, managing external user stores, manual/automatic log-out, and resetting user passwords.
Any user management system has the following basic components: users permissions, user roles, and user stores. Following is more information about each of these components.
Users are consumers who interact with your organizational applications, databases, and other systems. A user can be a person, a device, or another application/program within or outside of the organization's network. Because users interact with internal systems and access data, security-conscious organizations need to define which data and functionality each user can access by assigning permissions.
A permission is a delegation of authority or a right that is assigned to a user or a group of users to perform an action on a system. Permissions can be granted to or revoked from a user, user group, or user role automatically or by a system administrator. For example, if a user has the permission to log in to a system, the permission to log out is automatically granted as well.
A user role is a grouping of permissions. In addition to assigning individual permissions to users, admins can create user roles and assign those roles to users. For example, you might create user roles called VP, Manager, and Employee, each of which has a different set of permissions, and then assign those roles to users based on their position in the company. Then, if you need to modify the permissions of all your managers, you can simply modify the Manager user role, and all users with that role will have their permissions updated automatically.
A user store is the database where information about the users and user roles is stored, including log-in name, password, first name, last name, and e-mail address. The user stores of all WSO2 Carbon-based products are embedded H2 databases except for WSO2 Identity Server, which has an embedded LDAP as its user store. In Carbon, permissions are stored in a separate database called the User Management database. The default User Management database is H2, but you can connect to external user stores as well.
The user stores of Carbon products can be configured to operate in read/write mode, in which it reads data and also writes data to the user store, and read-only mode, in which it does not modify any data. Carbon maintains roles and permissions in the Carbon database, but it can read users and roles from the configured user store.
In addition to the primary user store, you can configure additional, secondary user stores.
User management in WSO2 products
User management is available by default in all WSO2 Carbon-based products. It includes the following functionality:
- A primary user store, either the embedded (internal) user store or an external store (JDBC, LDAP, or Active Directory).
- Ability to configure additional user stores as secondary user stores.
- Ability to operate in read-only or read-write mode on your company's LDAP user stores.
- Ability to work with Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) in read/write mode.
- Ability to read roles from external user stores.
Configuring user management
The complete configuration for user management (referred to as the realm) is in the
user-mgt.xml file in the
<PRODUCT_HOME>/repository/conf/ directory. You can also configure users and roles through the management console, as described in the next topics in this section.
Customizing user management
You can create a custom implementation of the user management functionality and use it in WSO2 products. For complete information, see Customizing User Management (Carbon 4.2.0 v2).