WSO2 Identity Server supports the role-based authentication model, where the privileges of a user are based on the roles attached to that user.
A user is associated with one or more roles (generally specified upon user creation), and each role is associated with zero or more permissions (also generally specified upon role creation). Therefore, the set of permissions owned by a user is determined by the roles assigned to that user. If a user has several assigned roles, their permissions are added together.
Before you begin
The following items are things to note before you begin.
Only system administrators can add, modify and remove users and roles. To set up administrators, see Configuring the System Administrator.
Your product has a primary user store where the users/roles that you create using the management console are stored by default. Its default RegEx configurations are as follows.
RegEx configurations ensure that parameters like the length of a user name/password meet the requirements of the user store. See Configuring the Primary User Store for more information on these properties.
When creating users/roles, if you enter a username, password etc. that does not conform to the RegEx configurations, the system throws an exception. You can either change the RegEx configuration or enter values that conform to the RegEx. If you change the default user store or set up a secondary user store, configure the RegEx accordingly under the user store manager configurations in
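The RegEx check described above, as an added example that is not part of the original documentation and not WSO2's own code: a user-store-style configuration is held in a dictionary, candidate values are matched against it, and a non-conforming value raises an exception the way the server rejects the request. The property names and patterns in `USER_STORE_REGEX` are constructed for this example; take the real values from your own user store configuration.

```python
import re

# Constructed RegEx settings in the shape of a user store manager configuration.
# These are example values only; consult your own user store configuration.
USER_STORE_REGEX = {
    "UsernameJavaRegEx": r"^[\S]{3,30}$",
    "PasswordJavaRegEx": r"^[\S]{5,30}$",
    "RolenameJavaRegEx": r"^[\S]{3,30}$",
}


class UserStoreValidationError(ValueError):
    """Raised when a value does not conform to the configured RegEx
    (mirrors the server throwing an exception on user/role creation)."""


def validate(field, value, config=USER_STORE_REGEX):
    """Return value if it matches the RegEx configured for field, else raise."""
    pattern = config[field]
    # fullmatch anchors the whole string, so a trailing newline cannot slip past '$'
    # the way it can with re.match/re.search.
    if re.fullmatch(pattern, value) is None:
        raise UserStoreValidationError(f"{field}: {value!r} does not match {pattern}")
    return value


def check_user(username, password, config=USER_STORE_REGEX):
    """Validate a username/password pair against the configured RegEx.

    Returns a list of violation messages; an empty list means both values
    would be accepted by a store using this configuration.
    """
    problems = []
    for field, value in (("UsernameJavaRegEx", username),
                         ("PasswordJavaRegEx", password)):
        try:
            validate(field, value, config)
        except UserStoreValidationError as exc:
            problems.append(str(exc))
    return problems


if __name__ == "__main__":
    # A value that conforms, one that does not, and the same value accepted
    # after the RegEx configuration is relaxed to permit a space.
    print(check_user("alice", "s3cret!!"))
    print(check_user("bob smith", "p@ss"))
    relaxed = {**USER_STORE_REGEX, "UsernameJavaRegEx": r"^[\S ]{3,30}$"}
    print(check_user("bob smith", "passw0rd", relaxed))
```

Running `check_user` against candidate values before changing a RegEx tells you which rule a value trips, which is cheaper than discovering it from the exception the server throws.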
The permission model of WSO2 Identity Server is hierarchical. Permissions can be assigned to a role in a fine-grained or a coarse-grained manner.
Coarse-grained permissions define large subcomponents such as 'Application Management' or 'Claim Management'. Using coarse-grained permissions you can assign permissions to roles based on these large subcomponents.
Fine-grained permissions control access to smaller subcomponents or subtasks of the component such as 'create application', 'delete application' etc.
WSO2 Carbon maintains roles and permissions in the Carbon database, but it can also read users/roles from the configured User Store.
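The permission model described above (user to roles, roles to permissions, permissions summed across roles, coarse-grained nodes covering their fine-grained children), as an added example rather than code from WSO2 Identity Server or WSO2 Carbon. The users, role names and `/permission/...` paths are constructed for illustration; a grant on a path covers the path itself and everything below it, with the boundary enforced on a path separator so that a sibling whose name merely shares a prefix is not covered.

```python
# Constructed role-to-permission and user-to-role assignments.
# Role names, users and permission paths are illustrative, not a real deployment.
ROLE_PERMISSIONS = {
    # coarse-grained: the whole 'Application Management' subtree
    "app-admin": {"/permission/admin/manage/identity/applicationmgt"},
    # fine-grained: a single subtask
    "app-viewer": {"/permission/admin/manage/identity/applicationmgt/view"},
    "claim-editor": {"/permission/admin/manage/identity/claimmgt/update"},
}

USER_ROLES = {
    "alice": {"app-viewer", "claim-editor"},
    "bob": {"app-admin"},
    "carol": set(),  # a user with no roles has no permissions
}


def effective_permissions(user, user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Union of the permissions of every role assigned to the user."""
    perms = set()
    for role in user_roles.get(user, set()):
        perms |= role_perms.get(role, set())
    return perms


def covers(granted, requested):
    """True if a granted permission path covers the requested path.

    A coarse-grained grant covers itself and all descendants. The check
    requires a '/' boundary, so '/a/b' covers '/a/b/c' but not '/a/bc'.
    """
    return requested == granted or requested.startswith(granted.rstrip("/") + "/")


def is_permitted(user, requested, user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Decide whether the user holds the requested permission via any role."""
    return any(covers(g, requested)
               for g in effective_permissions(user, user_roles, role_perms))


def explain(user, requested, user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """List (role, granted_path) pairs that make the decision true; useful for audit."""
    return sorted(
        (role, g)
        for role in user_roles.get(user, set())
        for g in role_perms.get(role, set())
        if covers(g, requested)
    )


if __name__ == "__main__":
    target = "/permission/admin/manage/identity/applicationmgt/delete"
    for u in ("alice", "bob", "carol"):
        print(u, is_permitted(u, target), explain(u, target))
```

`explain` answers the question an auditor actually asks when a user can do something unexpected: which role, and which coarse-grained grant inside it, is responsible.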