Hi Hanen,

To achieve this in SOAP API calls, your user needs to have both "User Management" and "Role Management" permissions.

Regards!
Chamila

On Thu, Jan 5, 2017 at 9:37 PM, Hanen Ben Rhouma <[email protected]> wrote:

> Hi,
>
> In fact, even by using the SOAP service call to add role mgt only as a
> permission, the result is the same: the created user won't have the
> possibility to create roles:
>
> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
>     xmlns:ser="http://service.ws.um.carbon.wso2.org"
>     xmlns:xsd="http://dao.service.ws.um.carbon.wso2.org/xsd">
>    <soapenv:Header/>
>    <soapenv:Body>
>       <ser:addRole>
>          <!--Optional:-->
>          <ser:roleName>TestRole</ser:roleName>
>          <!--Zero or more repetitions:-->
>          <ser:userList>hanen</ser:userList>
>          <!--Zero or more repetitions:-->
>          <ser:permissions>
>             <!--Optional:-->
>             <xsd:action>ui.execute</xsd:action>
>             <!--Optional:-->
>             <xsd:resourceId>/permission/admin/manage/identity/rolemgt/</xsd:resourceId>
>          </ser:permissions>
>       </ser:addRole>
>    </soapenv:Body>
> </soapenv:Envelope>
>
> Regards,
> Hanen
>
> On Wed, Jan 4, 2017 at 5:06 PM, Darshana Gunawardana <[email protected]>
> wrote:
>
>> Hi Chamila\Hanen,
>>
>> Yes. You need to have the '/permission/admin/manage/identity' permission
>> to manage roles from the UI. Since we are doing multiple management
>> operations via the management console, we require a much higher level of
>> permissions. But relevant backend services (UserAdmin service) do support
>> finer level permission ("/permission/admin/manage/identity/usermgt"),
>> then if some external client needs to connect with restricted permissions,
>> it's still possible. But indeed these UIs can be improved to support fine
>> grained permissions. Since we are working on the IS 6.0.0 which is based on
>> next gen Carbon 5 platform with complete re-design of the product in
>> parallel to IS 5.3.0 release, we did not focus on major redesigning of UI
>> and related UI permissions with the IS 5.3.0.
>>
>> Giving you a bit of insight into the IS 6.0.0 effort, we have plans to decouple
>> personas that use identity server for different types of administration and
>> provide separate views for each of those. You will be able to follow up on
>> those discussions on architecture list soon.
>>
>> We have created https://wso2.org/jira/browse/IDENTITY-5560 to track this
>> specific improvement, and it will consider fixing this in a future release.
>>
>> Thanks
>>
>> On Wed, Jan 4, 2017 at 7:13 PM, Hanen Ben Rhouma <[email protected]>
>> wrote:
>>
>>> Hi,
>>>
>>> Actually I tried most of the combinations and the smallest set of
>>> permissions allowing users to create roles is by selecting the whole
>>> "Identity" permissions block. Why ????
>>> Sometimes we want some type of users to be able to only create users and
>>> assign them to some roles, the rest of the application (IdP, SP, Key
>>> stores, Workflow mgt, etc.) isn't trivial to them and is not even in their
>>> scope of responsibility. Why such limitation?
>>>
>>> Regards,
>>> Hanen
>>>
>>> On Wed, Jan 4, 2017 at 1:32 PM, Chamila Wijayarathna <
>>> [email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> It looks like you need to have '/permission/admin/manage/identity' to
>>>> do this using management console. However, when looking at the code, if you are
>>>> doing it using API calls, having "User Management" and "Role Management"
>>>> should be enough to do this.
>>>>
>>>> It should work with "Roles Management" IMO, I'm not sure why it's not
>>>> implemented like that.
>>>> @Johann, Darshana : Any idea on this?
>>>>
>>>> On Wed, Jan 4, 2017 at 10:42 PM, Hanen Ben Rhouma <[email protected]>
>>>> wrote:
>>>>
>>>>>
>>>>> Hello,
>>>>>
>>>>> What is the permission that gives the user the possibility to create
>>>>> roles and assign users to them? I tried "Roles Management" permission but
>>>>> it's not doing the trick.
>>>>>
>>>>> Regards,
>>>>> Hanen
>>>>>
>>>>> _______________________________________________
>>>>> Dev mailing list
>>>>> [email protected]
>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>
>>>>
>>>> --
>>>> Chamila Dilshan Wijayarathna,
>>>> PhD Research Student
>>>> The University of New South Wales (UNSW Canberra)
>>>> Australian Centre for Cyber Security
>>>> Australian Defence Force Academy
>>>> PO Box 7916, Canberra BA ACT 2610
>>>> Australia
>>>> Mobile:(+61)416895795
>>>>
>>
>> --
>> Regards,
>>
>> Darshana Gunawardana
>> Associate Technical Lead
>> WSO2 Inc.; http://wso2.com
>>
>> E-mail: [email protected]
>> Mobile: +94718566859
>> Lean . Enterprise . Middleware
>

--
Chamila Dilshan Wijayarathna,
PhD Research Student
The University of New South Wales (UNSW Canberra)
Australian Centre for Cyber Security
Australian Defence Force Academy
PO Box 7916, Canberra BA ACT 2610
Australia
Mobile:(+61)416895795
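
An added example, not part of the thread or of WSO2's code: Python that builds the `addRole` envelope from Hanen's message and checks a request against the advice in the reply above (both "User Management" and "Role Management", without the whole "Identity" block). The resource IDs and XML names are the ones quoted in the thread; the function names and the assumption that a grant on a parent node covers its children are assumptions of this example.

```python
import xml.etree.ElementTree as ET

SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
SER = "http://service.ws.um.carbon.wso2.org"
XSD = "http://dao.service.ws.um.carbon.wso2.org/xsd"

# Resource IDs quoted in the thread.
USERMGT = "/permission/admin/manage/identity/usermgt"
ROLEMGT = "/permission/admin/manage/identity/rolemgt"
# Nodes broader than a user/role administrator needs (the "Identity" block and up).
TOO_BROAD = {"/permission", "/permission/admin", "/permission/admin/manage",
             "/permission/admin/manage/identity"}


def build_add_role(role_name, users, resource_ids, action="ui.execute"):
    """Return an addRole SOAP envelope (bytes) granting the given resource IDs."""
    for prefix, uri in (("soapenv", SOAPENV), ("ser", SER), ("xsd", XSD)):
        ET.register_namespace(prefix, uri)
    env = ET.Element(f"{{{SOAPENV}}}Envelope")
    ET.SubElement(env, f"{{{SOAPENV}}}Header")
    body = ET.SubElement(env, f"{{{SOAPENV}}}Body")
    add = ET.SubElement(body, f"{{{SER}}}addRole")
    ET.SubElement(add, f"{{{SER}}}roleName").text = role_name
    for user in users:
        ET.SubElement(add, f"{{{SER}}}userList").text = user
    for rid in resource_ids:
        perm = ET.SubElement(add, f"{{{SER}}}permissions")
        ET.SubElement(perm, f"{{{XSD}}}action").text = action
        ET.SubElement(perm, f"{{{XSD}}}resourceId").text = rid
    return ET.tostring(env, encoding="utf-8")


def audit_add_role(envelope):
    """Report which required permissions are missing and which grants are too broad."""
    root = ET.fromstring(envelope)
    granted = {e.text.strip().rstrip("/")
               for e in root.iter(f"{{{XSD}}}resourceId") if e.text}

    def covered(need):  # assumption: a parent grant covers its child nodes
        return any(need == g or need.startswith(g + "/") for g in granted)

    return {"missing": [n for n in (USERMGT, ROLEMGT) if not covered(n)],
            "too_broad": sorted(granted & TOO_BROAD)}


if __name__ == "__main__":
    # The request from the thread (rolemgt only), then the two-permission version.
    print(audit_add_role(build_add_role("TestRole", ["hanen"], [ROLEMGT + "/"])))
    print(audit_add_role(build_add_role("TestRole", ["hanen"], [USERMGT, ROLEMGT])))
```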
