
The User Management module in WSO2 products enables role-based access control. The permissions enabled for a role determine what users assigned that role can do in the management console of a WSO2 product. Permissions can be granted to a role at two levels:

  • Super tenant level: A role with super tenant permissions is used for managing all the tenants in the system and also for managing the key features in the system, which are applicable to all the tenants. 
  • Tenant level: A role with tenant level permissions is only applicable to individual tenant spaces.

The permissions navigator that you use to enable permissions for a role is divided into these two categories (Super Admin permissions and Admin permissions) as shown below. However, note that there may be other categories of permissions enabled for a WSO2 product, depending on the type of features that are installed in the product. 


You can access the permissions navigator for a particular role by clicking Permissions as shown below. 

By default, every WSO2 product comes with the following User, Role and Permissions configured:

  • The Admin user and the Admin role are defined and linked to each other in the user-mgt.xml file, stored in the <PRODUCT_HOME>/repository/conf/ directory, as shown below.

    <AddAdmin>true</AddAdmin>
    <AdminRole>admin</AdminRole>
    <AdminUser>
         <UserName>admin</UserName>
         <Password>admin</Password>
    </AdminUser>
  • The Admin role has all the permissions in the system enabled by default. Therefore, this is the administrator of the super tenant, with all permissions (Super Admin and Admin) enabled.

You can log in to the management console of the product with the Admin user defined in the user-mgt.xml file. Because the shipped user name and password are public, change the password (or the user name) before the server is reachable by anyone other than its administrators. You can then create new users and roles and configure permissions for those roles using the management console. Note, however, that you cannot modify the permissions of the Admin role. The ability to manage users, roles and permissions is granted by the User Management permission. See the documentation on configuring the system administrator for more information.
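The following script is an added example (not WSO2 code) that audits the AdminUser block described above. Both user-mgt.xml samples are constructed; their nesting under UserManager/Realm/Configuration mirrors a real file, but the search uses iter() so element placement does not matter. The 12-character minimum is this example's own policy, not a WSO2 rule.

```python
"""Audit the <AdminUser> block of a WSO2 user-mgt.xml for default credentials.

Added example, not WSO2 code. The XML samples are constructed and the
12-character minimum is an example policy, not a WSO2 requirement.
"""
import xml.etree.ElementTree as ET

# Constructed sample reproducing the shipped defaults shown above.
DEFAULT_USER_MGT_XML = """<UserManager>
  <Realm>
    <Configuration>
      <AddAdmin>true</AddAdmin>
      <AdminRole>admin</AdminRole>
      <AdminUser>
        <UserName>admin</UserName>
        <Password>admin</Password>
      </AdminUser>
    </Configuration>
  </Realm>
</UserManager>
"""

# Constructed sample with a renamed administrator and a non-default password.
HARDENED_USER_MGT_XML = """<UserManager>
  <Realm>
    <Configuration>
      <AddAdmin>true</AddAdmin>
      <AdminRole>admin</AdminRole>
      <AdminUser>
        <UserName>carbon-sysadmin</UserName>
        <Password>Mango-Lantern-Correlate-4718</Password>
      </AdminUser>
    </Configuration>
  </Realm>
</UserManager>
"""

SHIPPED_DEFAULT_PASSWORD = "admin"
MIN_PASSWORD_LENGTH = 12  # example policy, not a WSO2 requirement


def _first_text(root, tag):
    """Return the stripped text of the first <tag> anywhere under root, or None."""
    element = next(root.iter(tag), None)
    if element is None or element.text is None:
        return None
    return element.text.strip()


def audit_admin_user(xml_text):
    """Return the parsed admin settings plus a list of findings (empty if clean)."""
    root = ET.fromstring(xml_text)
    add_admin = (_first_text(root, "AddAdmin") or "").lower() == "true"
    user = _first_text(root, "UserName")
    password = _first_text(root, "Password")
    findings = []
    # Only the password the file would actually provision (AddAdmin true) is audited.
    if add_admin and password is not None:
        if password == SHIPPED_DEFAULT_PASSWORD:
            findings.append("admin password is the shipped default")
        if user is not None and password.lower() == user.lower():
            findings.append("admin password equals the user name")
        if len(password) < MIN_PASSWORD_LENGTH:
            findings.append("admin password shorter than %d characters" % MIN_PASSWORD_LENGTH)
    return {
        "add_admin": add_admin,
        "admin_role": _first_text(root, "AdminRole"),
        "user": user,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, sample in (("default", DEFAULT_USER_MGT_XML), ("hardened", HARDENED_USER_MGT_XML)):
        result = audit_admin_user(sample)
        print(label, result["user"], result["findings"] or "no findings")
```

Run it against a real file by replacing the constructed strings with the contents of <PRODUCT_HOME>/repository/conf/user-mgt.xml; the shipped file produces three findings, a hardened one none.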

See the following topics:

Description of role-based permissions

Note that the descriptions given in this document only explain how permissions control access to operations available on the management console.

The descriptions of permissions in the Permissions navigator are as follows:

  • The Login permission defined under Admin permissions allows users to log in to the management console of the product. Therefore, this is the primary permission required for using the management console.
  • The following table describes the permissions at Super Tenant level. These are also referred to as Super Admin permissions.

    Permission | Description of UI menus enabled

    Configuration permissions:

    The Super Admin/Configuration permissions grant access to key functions of the product server that are common to all tenants. The configuration permissions available in a given WSO2 product depend on the features installed in it.

    - Feature Management permission allows a user to manage the features installed in the product from the management console. That is, the Features option is enabled under the Configure menu. See the topic on feature management for more information.
    - Logging permission allows server logging to be configured from the management console. That is, the Logging option is enabled under the Configure menu. See the topic on logging management for more information.

    Management permissions:

    The Super Admin/Manage permissions are used for adding new tenants and monitoring them.

    - Modify/Tenants permission enables the Add New Tenant option in the Configure menu of the management console, which allows users to add new tenants.
    - Monitor/Tenants permission enables the View Tenants option in the Configure menu of the management console.

    See the topic on configuring multiple tenants for more information.

    Server Admin permissions:

    Selecting the Server Admin permission enables the Shutdown/Restart option in the Main menu of the management console.
  • The following table describes the permissions at Tenant level. These are also referred to as Admin permissions.

    Note that when you select a node in the Permissions navigator, all the subordinate permissions listed under the selected node are also enabled automatically. For example, selecting Admin/Configure/Security to let a role manage keystores also grants Identity Management/User Management beneath it, so that role can create users as well. When a role only needs one leaf permission, select that leaf rather than its parent node.

    Permission level | Description of UI menus enabled

    Admin:

    When the Admin permission node is selected, the following menus are enabled in the management console:

    - Configure menu/User Store Management: This permission allows users to add new user stores and manage them with the management console. Note that only secondary user stores can be added using this option. See the topic on user store management for more details.
    - Configure menu/HDFC Role Management
    - Additionally, all permissions listed under Admin in the permissions navigator are selected automatically.

    Admin/Configure:

    When the Admin/Configure permission node is selected, the following menus are enabled in the management console:

    - Configure menu/Datasources: See the topic on managing datasources for information on how to use this option.
    - Configure menu/Server Roles
    - Additionally, all permissions listed under Configure in the permissions navigator are selected automatically.

    Admin/Configure/Security:

    When the Admin/Configure/Security permission node is selected, the following menus are enabled in the Configure menu of the management console:

    - Claim Management
    - Keystores: See the topic on working with keystores for information on keystores.
    - Service Principal (Kerberos KDC): See the topic on service principal management for more information on how to use this option.
    - This permission also enables the Roles option under Configure/Users and Roles. See the topic on configuring users, roles and permissions for more information.
    - Additionally, all permissions listed under Security in the permissions navigator are selected automatically.

    Admin/Configure/Security/Identity Management/User Management:

    This permission allows users to be added from the management console. That is, the Users option is enabled under Configure/Users and Roles.

    Admin/Configure/Security/Identity Management/Password Management:

    This permission enables the Change Password option for the users listed in the User Management/Users and Roles/Users screen, which allows the logged-in user to change those users' passwords.

    Admin/Manage:

    When the Admin/Manage permission is selected, the following menus are enabled in the management console:

    - Main menu/RSS Manager: See the topic on provisioning relational database management systems for information on how to use this option.
    - Monitor menu/Cassandra Stats: See the topic on monitoring cluster statistics for information on how to use this option.
    - Tools menu/Cassandra Operations: See the topic on performing cluster node operations for information on how to use this option.
    - Additionally, all permissions listed under Admin/Manage in the permissions navigator are enabled automatically.

    Admin/Manage/Add:

    This permission enables the Cassandra Keyspaces menu under the Main navigator menu. This option allows users to add and manage keyspaces in a Cassandra cluster.

    Admin/Manage/Resources/Browse:

    This permission enables the Browse option under the Registry menu in the main navigator. This option allows users to browse the resources stored in the registry by using the Registry tree navigator.

    Admin/Manage/Search:

    This permission enables the Search option under the Registry sub menu in the Main menu. This option allows users to search for specific resources stored in the registry by filling in the search criteria.

    Admin/Monitor/Logs:

    When the Admin/Monitor/Logs permission node is selected, the following menus are enabled in the management console:

    - Monitor menu/System Logs: See the topic on system logs for information on how to use this option.
    - Monitor menu/Application Logs: See the topic on application logs for information on how to use this option.
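The script below is an added example (not WSO2 code) that models the two rules the tables above describe: a selected navigator node enables everything beneath it, and nothing is reachable without the Login permission. The node labels are this example's rendering of the navigator paths on this page (WSO2 itself stores permissions as registry paths such as /permission/admin/login; the labels here are a model, not those identifiers), and the menu map covers only the menus described above. The excess_menus check is the least-privilege review a practitioner would run before assigning a parent node.

```python
"""Resolve which console menus a role gets from its selected navigator nodes.

Added example, not WSO2 code. Node labels model the permissions navigator
paths on this page; the menu map is the subset of menus the page describes.
"""

# Menu items enabled directly by each navigator node, taken from the tables above.
MENUS_BY_NODE = {
    "Admin/Login": ["Management console login"],
    "Super Admin/Configuration/Feature Management": ["Configure > Features"],
    "Super Admin/Configuration/Logging": ["Configure > Logging"],
    "Super Admin/Manage/Modify/Tenants": ["Configure > Add New Tenant"],
    "Super Admin/Manage/Monitor/Tenants": ["Configure > View Tenants"],
    "Super Admin/Server Admin": ["Main > Shutdown/Restart"],
    "Admin": ["Configure > User Store Management"],
    "Admin/Configure": ["Configure > Datasources", "Configure > Server Roles"],
    "Admin/Configure/Security": [
        "Configure > Claim Management",
        "Configure > Keystores",
        "Configure > Users and Roles > Roles",
    ],
    "Admin/Configure/Security/Identity Management/User Management": [
        "Configure > Users and Roles > Users",
    ],
    "Admin/Configure/Security/Identity Management/Password Management": [
        "Users and Roles > Users > Change Password",
    ],
    "Admin/Manage/Resources/Browse": ["Registry > Browse"],
    "Admin/Manage/Search": ["Registry > Search"],
    "Admin/Monitor/Logs": ["Monitor > System Logs", "Monitor > Application Logs"],
}


def _is_under(node, ancestor):
    """True if node is ancestor itself or lies below it in the navigator tree."""
    return node == ancestor or node.startswith(ancestor + "/")


def effective_nodes(selected):
    """Selecting a node also enables every node below it in the navigator."""
    return {node for node in MENUS_BY_NODE
            if any(_is_under(node, sel) for sel in selected)}


def enabled_menus(selected):
    """All console menus a role with these selected nodes can reach."""
    menus = set()
    for node in effective_nodes(selected):
        menus.update(MENUS_BY_NODE[node])
    return sorted(menus)


def can_use_console(selected):
    """Without the Login permission no other menu is reachable."""
    return "Admin/Login" in effective_nodes(selected)


def excess_menus(selected, required_menus):
    """Menus the role gets beyond what its job needs: a least-privilege check."""
    return sorted(set(enabled_menus(selected)) - set(required_menus))


if __name__ == "__main__":
    # A "keystore operator" role: meant for Keystores only, but the navigator
    # node that carries Keystores also carries user creation and password reset.
    role = ["Admin/Login", "Admin/Configure/Security"]
    print("can log in:", can_use_console(role))
    print("excess:", excess_menus(role, ["Management console login", "Configure > Keystores"]))
```

For the keystore operator role above, the excess list contains Claim Management, Roles, Users and Change Password: selecting the Security node to reach Keystores silently hands the role user and password management as well.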

Product-specific permissions

In addition to the common role-based permissions that are used in all WSO2 products, the following permissions are available in WSO2 Storage Server:

Permission Category | Permission | Description of UI menus enabled

Application permissions:

Application permissions are a new category of permissions available in WSO2 Storage Server, because of the Cassandra and RSS Manager features that are installed in the product:

    Name: WSO2 Carbon - Cassandra Feature
    Identifier: org.wso2.carbon.cassandra.feature.group

    Name: RSS Manager Feature
    Identifier: org.wso2.carbon.rssmanager.feature.group

Cassandra permissions:

These permissions allow users to provision NoSQL data stores using WSO2 Storage Server as follows:

  • adding, deleting and editing keyspaces
  • adding, deleting and editing column families and columns in a keyspace

See the topic on enabling Cassandra permissions for more information.

RSS Manager permissions:

These permissions allow users to carry out database provisioning activities using WSO2 Storage Server as follows:

  • adding, deleting and editing RSS instances in the server
  • adding, deleting and editing databases and database users in an RSS instance
  • attaching database users to databases

Note that these permissions can be defined separately for each RDBMS environment. You can also define separate permissions for System RSS Instances and User Defined RSS Instances. See RDBMS provisioning for more information.

See the documentation of WSO2 Products, for descriptions of more feature-specific permissions.
