User management functionality is provided by default in all WSO2 Carbon-based products and is configured in the
user-mgt.xml file found in the
<PRODUCT_HOME>/repository/conf/ directory. This documentation explains the main settings relevant to the system administrator.
The admin user is the super tenant that will be able to manage all other users, roles and permissions in the system by using the management console of the product. Therefore, the user that should have admin permissions is required to be stored in the primary user store when you start the system for the first time. The documentation on setting up primary user stores will explain how to configure the administrator while configuring the user store. The information under this topic will explain the main configurations that are relevant to setting up the system administrator.
If the primary user store is read-only, you will be using a user ID and role that already exists in the user store, for the administrator. If the user store is read/write, you have the option of creating the administrator user in the user store as explained below. By default, the embedded H2 database (with read/write enabled) is used for both these purposes in WSO2 products.
Note the following key facts about the system administrator in your system:
- The admin user and role is always stored in the primary user store in your system.
- An administrator is configured for your system by default. This admin user is assigned to the admin role, which has all permissions enabled.
- The permissions assigned to the default admin role cannot be modified.
Before you begin:
Ensure that you have a primary user store (for storing users and roles) and an RDBMS (for storing information related to permissions). See the related documentation for instructions on how to set up these repositories.
Updating the administrator
<Configuration> section at the top of the
<PRODUCT_HOME>/repository/conf/user-mgt.xml file allows you to configure the administrator user in your system as well as the RDBMS that will be used for storing information related to user authentication (i.e. role-based permissions).
Note the following regarding the configuration above.
|This is the role that has all administrative privileges of the WSO2 product, so all users having this role are admins of the product. You can provide any meaningful name for this role. This role is created in the internal H2 database when the product starts. This role has permission to carry out any actions related to the Management Console. If the user store is read-only, this role is added to the system as a special internal role where users are from an external user store.|
Configures the default administrator for the WSO2 product. If the user store is read-only, the admin user must exist in the user store or the system will not start. If the external user store is read-only, you must select a user already existing in the external user store and add it as the admin user that is defined in the
|This is the username of the default administrator or super tenant of the user store. If the user store is read-only, the admin user MUST exist in the user store for the process to work.|
Do NOT put the password here but leave the default value. If the user store is read-only, this element and its value are ignored. This password is used only if the user store is read-write and the
Note that the password in the
|The name of the "everyone" role. All users in the system belong to this role.|
- Configuring the Primary User Stores: This topic explains how the primary user store is set up and configured for your product.
- Configuring the Authorization Manager: This topic explains how the repository (RDBMS) for storing authorization information (role-based permissions) is configured for your product.
- Changing a Password: This topic explains how you can change the admin password using the management console of the product.