Hi,

In fact, even when using the SOAP service call to add role mgt only as a
permission, the result is the same: the created user won't have the
possibility to create roles:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ser="http://service.ws.um.carbon.wso2.org"
xmlns:xsd="http://dao.service.ws.um.carbon.wso2.org/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:addRole>
         <!--Optional:-->
         <ser:roleName>TestRole</ser:roleName>
         <!--Zero or more repetitions:-->
         <ser:userList>hanen</ser:userList>
         <!--Zero or more repetitions:-->
         <ser:permissions>
            <!--Optional:-->
            <xsd:action>ui.execute</xsd:action>
            <!--Optional:-->
            <xsd:resourceId>/permission/admin/manage/identity/rolemgt/</xsd:resourceId>
         </ser:permissions>
      </ser:addRole>
   </soapenv:Body>
</soapenv:Envelope>

Regards,
Hanen

On Wed, Jan 4, 2017 at 5:06 PM, Darshana Gunawardana <darsh...@wso2.com>
wrote:

> Hi Chamila\Hanen,
>
> Yes, you need to have "'/permission/admin/manage/identity'" permission to
> manage roles from the UI. Since we are doing multiple management operations
> via the management console, we require a much higher level of permissions. But
> the relevant backend services (UserAdmin service) do support finer-level
> permissions ("/permission/admin/manage/identity/usermgt"), so if some
> external client needs to connect with restricted permissions, it's still
> possible. But indeed these UIs can be improved to support fine-grained
> permissions. Since we are working on IS 6.0.0, which is based on the
> next-gen Carbon 5 platform with a complete redesign of the product, in
> parallel with the IS 5.3.0 release, we did not focus on a major redesign of
> the UI and related UI permissions in IS 5.3.0.
>
> Giving you a bit of insight into the IS 6.0.0 effort, we have plans to
> decouple the personas that use the identity server for different types of
> administration and provide separate views for each of those. You will be
> able to follow up on those discussions on the architecture list soon.
>
> We have created https://wso2.org/jira/browse/IDENTITY-5560 to track this
> specific improvement, and will consider fixing this in a future release.
>
> Thanks
>
> On Wed, Jan 4, 2017 at 7:13 PM, Hanen Ben Rhouma <hanen...@gmail.com>
> wrote:
>
>> Hi,
>>
>> Actually I tried most of the combinations and the smallest set of
>> permissions allowing users to create roles is by selecting the whole
>> "Identity" permissions block. Why ????
>> Sometimes we want some type of users to be able to only create users and
>> assign them to some roles, the rest of the application (IdP, SP, Key
>> stores, Workflow mgt, etc.) isn't trivial to them and is not even in their
>> scope of responsibility. Why such limitation?
>>
>> Regards,
>> Hanen
>>
>> On Wed, Jan 4, 2017 at 1:32 PM, Chamila Wijayarathna <
>> cdwijayarat...@gmail.com> wrote:
>>
>>> Hi,
>>>
>>> It looks like you need to have '/permission/admin/manage/identity' to
>>> do this using the management console. However, looking at the code, if you
>>> are doing it using API calls, having "User Management" and "Role Management"
>>> should be enough to do this.
>>>
>>> It should work with "Roles Management" IMO, I'm not sure why it's not
>>> implemented like that.
>>> @Johann, Darshana : Any idea on this?
>>>
>>> On Wed, Jan 4, 2017 at 10:42 PM, Hanen Ben Rhouma <hanen...@gmail.com>
>>> wrote:
>>>
>>>>
>>>> Hello,
>>>>
>>>> What is the permission that gives the user the possibility to create
>>>> roles and assign users to them? I tried "Roles Management" permission but
>>>> it's not doing the trick.
>>>>
>>>>
>>>> Regards,
>>>> Hanen
>>>>
>>>> _______________________________________________
>>>> Dev mailing list
>>>> Dev@wso2.org
>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>
>>>>
>>>
>>>
>>> --
>>> Chamila Dilshan Wijayarathna,
>>> PhD Research Student
>>> The University of New South Wales (UNSW Canberra)
>>> Australian Centre for Cyber Security
>>> Australian Defence Force Academy
>>> PO Box 7916, Canberra BA ACT 2610
>>> Australia
>>> Mobile: (+61)416895795
>>>
>>>
>>
>
>
> --
> Regards,
>
>
> *Darshana Gunawardana*
> Associate Technical Lead
> WSO2 Inc.; http://wso2.com
>
> *E-mail: darsh...@wso2.com*
> *Mobile: +94718566859*
> Lean . Enterprise . Middleware
>