This documentation is for WSO2 Identity Server 5.4.0 . View documentation for the latest release.

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


If a user has several assigned roles, their permissions are added together.

WSO2 products has two products have two types of roles. External Roles and Internal Roles. Let say there are two user stores.


External Roles :
Store in user store itself. Only users in that user store can assign to external roles in same user store.
Example: user_A can assign to role_A
                user_B can't assign to role_A
In the user stores Users , users are assign assigned to a GroupsGroup. Within the WSO2 servers, we have Roles and directly map one Group to a Role then assign the permission for that role. There is a one to one mapping between Groups and Roles and same Group name is used to represent the Role in the server.

Internal Roles :
Store in Identity server database. User in all user stores can assign to these roles.
Example: both user_A and user_B can assign to same internal role
For internal Roles, there are no mapped Groups in user stores. So we directly assign users to these roles (Do not support to assign Groups to these Roles)


Internal/everyone: This is a conceptual role that is used to group all the users (across the user stores) together. When you create a new user, automatically the user belongs to the Internal/everyone role.

Application Role: is a special case of internal roles, these are created for a single service provider (SP) application and only users in this role canmange can manage relevant SP application.

Table of Contents


Table of Content Zone

Update before the first startup (recommended)


You can change the default role names (admin and everyone) before starting up the WSO2 Identity Server. To do this, change the following elements in the <PRODUCT_HOME>/repository/conf/user-mgt.xml file:

  • Change <AdminRole>admin</AdminRole> to <AdminRole>New role name</AdminRole>.
  • Change <EveryOneRoleName>everyone</EveryOneRoleName> to <EveryOneRoleName>New role name</EveryOneRoleName>.
Code Block
	<EveryOneRoleName>everyone</EveryOneRoleName> <!-- By default users in this role sees the registry root --> 
	<Property name="dataSource">jdbc/WSO2CarbonDB</Property> 
	<Property name="MultiTenantRealmConfigBuilder">org.wso2.carbon.user.core.config.multitenancy.SimpleRealmConfigBuilder</Property> 

Update after the product is used for sometime some time (advanced configuration)

If you have already updated the role names before the first startup of the product, these steps are not necessary. The following steps guide you through updating the role names after you have used the product for some time. 

  1. Make the configuration changes indicated in the above section.
  2. Do the following user store level changes for existing users: 
    • If you are connected to the JDBCUserStoreManager, update the UM_USER_ROLE table with the existing users and the new role names that you defined in place of the 'admin' and 'everyone' roles. If you have changed the permissions of the 'everyone' role, update the UM_ROLE_PERMISSION table the permissions of the new role.


      The schema can be located by referring to the data source defined in the user-mgt.xml file. The data source definition can be found in the repository/conf/datasources/master-datasources.xml file.

    • If you are connected to the ReadWriteLdapUserStoreManager, populate the populate the members of the previous admin role to the new role under Groups.
  3. After the changes have been made, restart the server.


  1. On the Main tab in the Management Console, click List under Users and Roles.
  2. Click Roles. This link is only visible to users with the Admin role. The following screen appears.

    You can search for users by doing the following.
    1. Select the user store that the role resides in using the Select Domain dropdown drop-down.
    2. Enter the role name of the role and click Search Roles. For roles to be listed, you must use the exact name of the role, or  use a use a role name pattern by including *. For example, if you have a role named Manager, you can either search for this role by searching for "Manager", or you could search for "Ma*" to list out all the role with names beginning with "Ma".
    3. The role is displayed in the list.