Is it possible to hide the extra modules (IdP, SP, Claim Mgt, etc.) from
the interface once the user is logged in with a role which has
"/permission/admin/manage/identity" as permissions?

Regards,
Hanen

On Thu, Jan 5, 2017 at 12:06 PM, Hanen Ben Rhouma <hanen...@gmail.com>
wrote:

> I did add both permissions and same is happening.
>
> Shall I raise a bug?
>
> Regards,
> Hanen
>
>
> On Thu, Jan 5, 2017 at 11:40 AM, Chamila Wijayarathna <
> cdwijayarat...@gmail.com> wrote:
>
>> Hi Hanen,
>>
>> To achieve this in SOAP API calls, your user needs to have both "User
>> Management" and "Role Management" permissions.
>>
>> Regards!
>> Chamila
>>
>> On Thu, Jan 5, 2017 at 9:37 PM, Hanen Ben Rhouma <hanen...@gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> In fact, even when using the SOAP service call to add role mgt only as a
>>> permission, the result is the same: the created user won't have the
>>> possibility to create roles:
>>>
>>> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
>>>    xmlns:ser="http://service.ws.um.carbon.wso2.org"
>>>    xmlns:xsd="http://dao.service.ws.um.carbon.wso2.org/xsd">
>>>    <soapenv:Header/>
>>>    <soapenv:Body>
>>>       <ser:addRole>
>>>          <!--Optional:-->
>>>          <ser:roleName>TestRole</ser:roleName>
>>>          <!--Zero or more repetitions:-->
>>>          <ser:userList>hanen</ser:userList>
>>>          <!--Zero or more repetitions:-->
>>>          <ser:permissions>
>>>             <!--Optional:-->
>>>             <xsd:action>ui.execute</xsd:action>
>>>             <!--Optional:-->
>>>             <xsd:resourceId>/permission/admin/manage/identity/rolemgt/</xsd:resourceId>
>>>          </ser:permissions>
>>>       </ser:addRole>
>>>    </soapenv:Body>
>>> </soapenv:Envelope>
>>>
>>> Regards,
>>> Hanen
>>>
>>> On Wed, Jan 4, 2017 at 5:06 PM, Darshana Gunawardana <darsh...@wso2.com>
>>> wrote:
>>>
>>>> Hi Chamila\Hanen,
>>>>
>>>> Yes, you need to have the "/permission/admin/manage/identity" permission
>>>> to manage roles from the UI. Since we are doing multiple management
>>>> operations via the management console, we require a much higher level of
>>>> permissions. But the relevant backend services (UserAdmin service) do support
>>>> finer-level permissions ("/permission/admin/manage/identity/usermgt"),
>>>> so if some external client needs to connect with restricted permissions,
>>>> it's still possible. But indeed these UIs can be improved to support
>>>> fine-grained permissions. Since we are working on IS 6.0.0, which is based on
>>>> the next-gen Carbon 5 platform with a complete redesign of the product, in
>>>> parallel with the IS 5.3.0 release, we did not focus on major redesigning of
>>>> the UI and related UI permissions with IS 5.3.0.
>>>>
>>>> Giving you a bit of insight into the IS 6.0.0 effort, we have plans to decouple
>>>> the personas that use the identity server for different types of administration and
>>>> provide separate views for each of those. You will be able to follow up on
>>>> those discussions on the architecture list soon.
>>>>
>>>> We have created https://wso2.org/jira/browse/IDENTITY-5560 to track
>>>> this specific improvement, and we will consider fixing this in a future
>>>> release.
>>>>
>>>> Thanks
>>>>
>>>> On Wed, Jan 4, 2017 at 7:13 PM, Hanen Ben Rhouma <hanen...@gmail.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Actually, I tried most of the combinations, and the smallest set of
>>>>> permissions allowing users to create roles is obtained by selecting the whole
>>>>> "Identity" permissions block. Why?
>>>>> Sometimes we want some type of users to be able to only create users
>>>>> and assign them to some roles; the rest of the application (IdP, SP, Key
>>>>> stores, Workflow mgt, etc.) isn't trivial to them and is not even in their
>>>>> scope of responsibility. Why such a limitation?
>>>>>
>>>>> Regards,
>>>>> Hanen
>>>>>
>>>>> On Wed, Jan 4, 2017 at 1:32 PM, Chamila Wijayarathna <
>>>>> cdwijayarat...@gmail.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> It looks like you need to have '/permission/admin/manage/identity'
>>>>>> to do this using the management console. However, looking at the code, if you
>>>>>> are doing it using API calls, having "User Management" and "Role
>>>>>> Management" should be enough to do this.
>>>>>>
>>>>>> It should work with "Roles Management" IMO, I'm not sure why it's not
>>>>>> implemented like that.
>>>>>> @Johann, Darshana : Any idea on this?
>>>>>>
>>>>>> On Wed, Jan 4, 2017 at 10:42 PM, Hanen Ben Rhouma <hanen...@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> What is the permission that gives the user the possibility to create
>>>>>>> roles and assign users to them? I tried "Roles Management" permission
>>>>>>> but it's not doing the trick.
>>>>>>>
>>>>>>>
>>>>>>> Regards,
>>>>>>> Hanen
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Dev mailing list
>>>>>>> Dev@wso2.org
>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Chamila Dilshan Wijayarathna,
>>>>>> PhD Research Student
>>>>>> The University of New South Wales (UNSW Canberra)
>>>>>> Australian Centre for Cyber Security
>>>>>> Australian Defence Force Academy
>>>>>> PO Box 7916, Canberra BA ACT 2610
>>>>>> Australia
>>>>>> Mobile:(+61)416895795 <+61%20416%20895%20795>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Regards,
>>>>
>>>>
>>>> *Darshana Gunawardana*Associate Technical Lead
>>>> WSO2 Inc.; http://wso2.com
>>>>
>>>> *E-mail: darsh...@wso2.com <darsh...@wso2.com>*
>>>> *Mobile: +94718566859 <+94%2071%20856%206859>*Lean . Enterprise .
>>>> Middleware
>>>>
>>>
>>>
>>
>>
>> --
>> Chamila Dilshan Wijayarathna,
>> PhD Research Student
>> The University of New South Wales (UNSW Canberra)
>> Australian Centre for Cyber Security
>> Australian Defence Force Academy
>> PO Box 7916, Canberra BA ACT 2610
>> Australia
>> Mobile:(+61)416895795 <+61%20416%20895%20795>
>>
>>
>
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
