This documentation is for WSO2 Identity Server 5.3.0.



WSO2 products have two types of roles: external roles and internal roles. Let's say there are two user stores.


External roles:
Stored in the user store itself. Only users in that user store can be assigned to the external roles of the same user store.
E.g.: user_A (in the same user store as role_A) can be assigned to role_A;
       user_B (in the other user store) cannot be assigned to role_A.

In the user stores, users are assigned to groups. Within the WSO2 servers we have roles; each group is mapped directly to one role, and the permissions are then assigned to that role. There is a one-to-one mapping between groups and roles, and the same group name is used to represent the role in the server.

Internal roles:
Stored in the Identity Server database. Users from all user stores can be assigned to these roles.
E.g.: both user_A and user_B can be assigned to the same internal role.
Internal roles have no mapped groups in the user stores, so users are assigned directly to these roles (assigning groups to these roles is not supported).


Internal/everyone: this is a conceptual role used to group all users (across the user stores) together. When you create a new user, the user automatically belongs to the Internal/everyone role.

Application role: a special case of internal roles. These are created for a single service provider (SP) application, and only users in this role can manage the relevant SP application.
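As an added illustration of the external/internal rules and the Internal/everyone membership described above, here is a small Python model that enforces them. It is constructed for this page, not WSO2 code; the user store names (STORE_A, STORE_B) and the "STORE/group" qualification of external role names are assumptions of the model.

```python
from dataclasses import dataclass, field

EVERYONE = "Internal/everyone"   # the conceptual role every new user joins


@dataclass
class User:
    name: str
    store: str                    # user store that holds the account (constructed names)
    roles: set = field(default_factory=set)


@dataclass
class RoleRegistry:
    # External roles: role name -> owning user store (the role is that store's group).
    external: dict = field(default_factory=dict)
    # Internal roles live in the Identity Server database and have no backing group.
    internal: set = field(default_factory=lambda: {EVERYONE})
    users: dict = field(default_factory=dict)

    def add_external_role(self, store: str, group: str) -> str:
        # One-to-one mapping: the group name is the role name ("STORE/group" is this model's convention).
        name = f"{store}/{group}"
        self.external[name] = store
        return name

    def add_internal_role(self, name: str) -> str:
        name = f"Internal/{name}"
        self.internal.add(name)
        return name

    def add_user(self, name: str, store: str) -> User:
        user = User(name, store, {EVERYONE})   # new users automatically belong to Internal/everyone
        self.users[name] = user
        return user

    def mapped_group(self, role: str):
        # Only external roles have a mapped group; internal roles return None.
        return role.split("/", 1)[1] if role in self.external else None

    def assign(self, username: str, role: str) -> bool:
        user = self.users[username]
        if role in self.internal:             # users from any store may hold an internal role
            user.roles.add(role)
            return True
        owner = self.external[role]           # KeyError for an unknown role
        if owner != user.store:               # external role: same-store users only
            return False
        user.roles.add(role)
        return True
```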