Due to a known issue, do not use JDK 1.8.0_151 with WSO2 products. Use JDK 1.8.0_144 until JDK 1.8.0_162-ea is released.
This documentation is for WSO2 Data Services Server version 3.5.1. For the latest documentation, see the documentation for WSO2 Enterprise Integrator.

This section explains in detail how the management console of a WSO2 product can be used to configure the permissions granted to a user role. It also describes all the types of permissions that can be granted.


Introduction to role-based permissions

The User Management module in WSO2 products enables role-based access. With this functionality, the permissions enabled for a particular role determine what a user with that role can do using the management console of a WSO2 product. Permissions can be granted to a role at two levels:

  • Super tenant level: A role with super tenant permissions is used for managing all the tenants in the system and also for managing the key features in the system, which are applicable to all the tenants. 
  • Tenant level: A role with tenant level permissions is only applicable to individual tenant spaces.

By default, every WSO2 product comes with the following User, Role and Permissions configured:

  • The Admin user and Admin role are defined and linked to each other in the user-mgt.xml file, stored in the <PRODUCT_HOME>/repository/conf/ directory, as shown below.

    <AddAdmin>true</AddAdmin>
    <AdminRole>admin</AdminRole>
    <AdminUser>
         <UserName>admin</UserName>
         <Password>admin</Password>
    </AdminUser>
  • The Admin role has all the permissions in the system enabled by default. Therefore, this is a super tenant, with all permissions enabled.

You will be able to log in to the management console of the product with the Admin user defined in the user-mgt.xml file. You can then create new users and roles and configure permissions for the roles using the management console. However, note that you cannot modify the permissions of the Admin role. The possibility of managing users, roles and permissions is granted by the User Management permission.
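A check for the bootstrap admin entry shown above, as an added example (not WSO2's own code): it parses user-mgt.xml text and reports an admin password that is empty, equal to the user name, or on a short list of common values. The wrapper elements in the sample and the weak-value list are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed list of weak values for this example; extend it for real use.
WEAK_PASSWORDS = {"admin", "password", "changeme", "wso2"}

def audit_admin_user(xml_text):
    """Return findings for every <AdminUser> element found in user-mgt.xml text."""
    root = ET.fromstring(xml_text)
    findings = []
    # iter() matches at any depth, so the check does not rely on the exact
    # nesting of the elements around <AdminUser>.
    for admin in root.iter("AdminUser"):
        user = (admin.findtext("UserName") or "").strip()
        password = (admin.findtext("Password") or "").strip()
        if not password:
            findings.append((user, "empty password"))
        elif password.lower() == user.lower():
            findings.append((user, "password equals user name"))
        elif password.lower() in WEAK_PASSWORDS:
            findings.append((user, "password is a well-known default"))
    return findings

def make_sample(password):
    """Build a constructed user-mgt.xml fragment; the wrapper elements are assumed."""
    return f"""<UserManager><Realm><Configuration>
    <AddAdmin>true</AddAdmin>
    <AdminRole>admin</AdminRole>
    <AdminUser>
         <UserName>admin</UserName>
         <Password>{password}</Password>
    </AdminUser>
</Configuration></Realm></UserManager>"""

if __name__ == "__main__":
    # First value is the default from the page, second is a constructed strong value.
    for pw in ("admin", "Xq7-constructed-value"):
        print(pw, audit_admin_user(make_sample(pw)))
```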

Go to the WSO2 administration guide for detailed instructions on the following:

 


Configuring permissions for a role

Once a user role has been created in your product, you can configure the permissions for the role as explained below:

  1. Click Users and Roles in the Configure tab of the navigator. All the roles created in the system will be listed in the Roles page as shown below.
  2. Click Permissions to open the permissions navigator for the role as shown below.

    Note that there may be other categories of permissions enabled for a WSO2 product, depending on the type of features that are installed in the product. 

  3. You can select the relevant check boxes to enable the required permissions for your role. The descriptions of all the available permissions are explained below.

Descriptions of permissions

Let us now go through each of the options available in the permissions navigator to understand how they apply to functions in WSO2 Data Services Server (WSO2 DSS).

 

Log-in permissions

The Login permission defined under Admin permissions allows users to log in to the management console of the product. Therefore, this is the primary permission required for using the management console.

Super Tenant permissions

The following table describes the permissions at Super Tenant level. These are also referred to as Super Admin permissions.

Permission | Description of UI menus enabled
Configuration permissions:
 
The Super Admin/Configuration permissions are used to grant permission to the key functions in a product server, which are common to all the tenants. In each WSO2 product, several configuration permissions will be available depending on the type of features that are installed in the product.

- Feature Management permission ensures that a user can control the features installed in the product using the management console. That is, the Features option will be enabled under the Configure menu. See the topic on feature management for more information.
- Logging permission enables the possibility to configure server logging from the management console. That is, the Logging option will be enabled under the Configure menu. See the topic on configuring log4j properties for more information.
Management permissions:

The Super Admin/Manage permissions are used for adding new tenants and monitoring them.

- Modify/Tenants permission enables the Add New Tenant option in the Configure menu of the management console, which allows users to add new tenants.
- Monitor/Tenants permission enables the View Tenants option in the Configure menu of the management console.

See the topic on configuring multiple tenants for more information.

Server Admin permissions:

Selecting the Server Admin permission enables the Shutdown/Restart option in the Main menu of the management console.

Tenant-level permissions

The following table describes the permissions at Tenant level. These are also referred to as Admin permissions.

Note that when you select a node in the Permissions navigator, all the subordinate permissions that are listed under the selected node are also automatically enabled.

Permissions for configuring the server

The following table explains the permissions required for performing various configuration tasks in WSO2 DSS.

Permission level | Description of UI menus enabled

Admin/Configure

When the Admin/Configure permission node is selected, the following menus are enabled in the management console:

- Configure menu/Datasources: This permission enables the user to Add/Edit/Remove datasources.
- Configure menu/Discovery: This permission enables the service discovery feature.
- Configure menu/Theme: This permission is not applicable to WSO2 DSS.
- Additionally, all permissions listed under Configure in the permissions navigator are selected automatically.

Admin/Configure/Security

When the Admin/Configure/Security permission node is selected, the following menus are enabled in the Configure menu of the management console:

- Keystores: See the topic on managing keystores for information.
- This permission will also enable the Roles option under Configure/Users and Roles. See the topic on configuring users, roles and permissions for more information.
- Additionally, all permissions listed under Security in the permissions navigator are selected automatically.

Admin/Configure/Security/Identity Management/User Management

This permission enables the possibility to add users from the Management Console. That is, the Users option will be enabled under Configure/Users and Roles. See the topic on configuring users, roles and permissions for more information.

Admin/Configure/Security/Identity Management/Profile Management

This permission enables the profiles of all the users. You can view the profile in the Configure tab, Users and Roles -> Users link.

Admin/Configure/Security/Identity Management/Password Management

This permission enables the Change Password option for the users listed in the User Management/Users and Roles/Users screen, which allows the user to change the passwords. See the topic on configuring users, roles and permissions for more information.

Permissions for managing the server

Listed below are the permissions for some of the general functions applicable to WSO2 DSS. 

Permission level | Description of UI menus enabled

Admin/Manage/Add

- Manage menu/Add/Modules: This permission enables you to upload modules using the management console.
- Manage menu/Add/Services: This permission enables you to upload/generate/create/schedule services in WSO2 DSS. See the tutorials on creating, generating, uploading data services and scheduling tasks.
- Manage menu/Add/Webapps: This permission is not applicable to WSO2 DSS.

Add/Manage/Extensions

- Manage menu/Extensions/List: This permission is not applicable to WSO2 DSS.
- Manage menu/Extensions/Add: This permission is not applicable to WSO2 DSS.

Add/Manage/Configure

- Manage menu/Configure/Modules: This permission enables listing of the modules.
- Manage menu/Configure/Services: This permission enables listing of the services.
- Manage menu/Configure/Webapps: This permission is not applicable to WSO2 DSS.

Admin/Manage/Resources

This permission enables the Browse option under the Registry menu in the main navigator. This option allows users to browse the resources stored in the registry by using the Registry tree navigator.

 See the topic on working with the registry for more information.

Admin/Manage/Search

This permission enables the Search option under the Registry sub menu in the Main menu. This option allows users to search for specific resources stored in the registry by filling in the search criteria.

See the topic on working with the registry for more information.

Permissions for monitoring the server

Permission level | Description of UI menus enabled

Admin/Monitor

When the Admin/Monitor permission node is selected, the following menus are enabled in the management console:

- Monitor menu/System Statistics: This allows users to monitor performance statistics.
- Monitor menu/SOAP Tracer: This allows users to monitor SOAP messages.
- Monitor menu/Message Flows: This allows users to monitor message flows.

- Additionally, all permissions listed under Monitor in the permissions navigator are selected automatically.

Admin/Monitor/Logs

When this node is selected, the following menus are enabled in the Monitor tab of the management console:

- Monitor menu/System Logs: This allows users to monitor system logs.
- Monitor menu/Application Logs: This allows users to monitor application logs.

See the topic on viewing and downloading logs for instructions.
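The inheritance rule noted under Tenant-level permissions (selecting a node also enables everything listed beneath it) means a broad node can grant identity-management rights without anyone ticking them. The following added example, which is not part of the WSO2 documentation or product code, expands each role's selected nodes and reports which sensitive permissions it effectively holds and through which node. The role names, their assignments and the Admin/Login path are constructed for illustration.

```python
# Navigator paths taken from the tables on this page.
IDM = "Admin/Configure/Security/Identity Management"
SENSITIVE = {
    IDM + "/User Management": "manage users, roles and permissions",
    IDM + "/Password Management": "Change Password option for listed users",
    "Admin/Monitor/Logs": "view system and application logs",
}

def covers(selected, target):
    """True if selecting `selected` also enables `target` (same node or an ancestor)."""
    # Compare on a path boundary so Admin/Monitor does not match Admin/Monitoring.
    return target == selected or target.startswith(selected.rstrip("/") + "/")

def effective_sensitive(selected_nodes):
    """Map each sensitive permission a role holds to the broadest node granting it."""
    granted = {}
    for target in SENSITIVE:
        sources = [node for node in selected_nodes if covers(node, target)]
        if sources:
            granted[target] = min(sources, key=len)  # shortest path = broadest node
    return granted

def audit_roles(roles):
    """Return (role, permission, how) tuples, sorted by role then permission."""
    findings = []
    for role, nodes in sorted(roles.items()):
        for target, source in sorted(effective_sensitive(nodes).items()):
            how = "explicit" if source == target else "inherited from " + source
            findings.append((role, target, how))
    return findings

# Constructed role assignments (hypothetical role names).
ROLES = {
    "dss-operator": ["Admin/Login", "Admin/Monitor"],
    "dss-developer": ["Admin/Login", "Admin/Manage/Add", "Admin/Configure"],
    "dss-viewer": ["Admin/Login", "Admin/Manage/Search"],
}

if __name__ == "__main__":
    for role, permission, how in audit_roles(ROLES):
        print(f"{role}: {permission} ({SENSITIVE[permission]}), {how}")
```

In this sample, dss-developer was given Admin/Configure to manage datasources and ends up holding User Management and Password Management as well; selecting the narrower nodes it needs avoids that.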
