Re: [Dev] [WSO2 IS] Permission to create roles and assign users to them
Is it possible to hide the extra modules (IdP, SP, Claim Mgt, etc.) from the interface once the user is logged in with a role which has "/permission/admin/manage/identity" as permissions?

Regards,
Hanen

On Thu, Jan 5, 2017 at 12:06 PM, Hanen Ben Rhouma wrote:
> I did add both permissions and the same is happening.
>
> Shall I raise a bug?
>
> Regards,
> Hanen
Re: [Dev] [WSO2 IS] Permission to create roles and assign users to them
I did add both permissions and the same is happening.

Shall I raise a bug?

Regards,
Hanen

On Thu, Jan 5, 2017 at 11:40 AM, Chamila Wijayarathna <cdwijayarat...@gmail.com> wrote:
> Hi Hanen,
>
> To achieve this in SOAP API calls, your user needs to have both "User
> Management" and "Role Management" permissions.
>
> Regards!
> Chamila
Re: [Dev] [WSO2 IS] Permission to create roles and assign users to them
Hi Hanen,

To achieve this in SOAP API calls, your user needs to have both "User Management" and "Role Management" permissions.

Regards!
Chamila

On Thu, Jan 5, 2017 at 9:37 PM, Hanen Ben Rhouma wrote:
> Hi,
>
> In fact, even by using the SOAP service call to add role mgt only as a
> permission, the result is the same: the created user won't have the
> possibility to create roles:
>
> http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.ws.um.carbon.wso2.org" xmlns:xsd="http://dao.service.ws.um.carbon.wso2.org/xsd">
> TestRole
> hanen
> ui.execute
> /permission/admin/manage/identity/rolemgt/
>
> Regards,
> Hanen

--
Chamila Dilshan Wijayarathna,
PhD Research Student
The University of New South Wales (UNSW Canberra)
Australian Centre for Cyber Security
Australian Defence Force Academy
PO Box 7916, Canberra BA ACT 2610
Australia
Mobile:(+61)416895795

___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
Re: [Dev] [WSO2 IS] Permission to create roles and assign users to them
Hi,

In fact, even by using the SOAP service call to add role mgt only as a permission, the result is the same: the created user won't have the possibility to create roles:

http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.ws.um.carbon.wso2.org" xmlns:xsd="http://dao.service.ws.um.carbon.wso2.org/xsd">
TestRole
hanen
ui.execute
/permission/admin/manage/identity/rolemgt/

Regards,
Hanen

On Wed, Jan 4, 2017 at 5:06 PM, Darshana Gunawardana wrote:
> Hi Chamila\Hanen,
>
> Yes, you need to have the "'/permission/admin/manage/identity'" permission to
> manage roles from the UI. Since we are doing multiple management operations
> via the management console we require a much higher level of permissions. But
> relevant backend services (UserAdmin service) do support finer-level
> permissions ("/permission/admin/manage/identity/usermgt"), so if some
> external client needs to connect with restricted permissions, it's still
> possible. But indeed these UIs can be improved to support fine-grained
> permissions. Since we are working on IS 6.0.0, which is based on the
> next-gen Carbon 5 platform with a complete redesign of the product, in
> parallel with the IS 5.3.0 release, we did not focus on a major redesign of
> the UI and related UI permissions in IS 5.3.0.
>
> Giving you a bit of insight into the IS 6.0.0 effort, we have plans to decouple
> the personas that use the identity server for different types of administration
> and provide separate views for each of those. You will be able to follow up on
> those discussions on the architecture list soon.
>
> We have created https://wso2.org/jira/browse/IDENTITY-5560 to track this
> specific improvement, and will consider fixing this in a future release.
>
> Thanks
Re: [Dev] [WSO2 IS] Permission to create roles and assign users to them
Hi Chamila\Hanen,

Yes, you need to have the "'/permission/admin/manage/identity'" permission to manage roles from the UI. Since we are doing multiple management operations via the management console we require a much higher level of permissions. But relevant backend services (UserAdmin service) do support finer-level permissions ("/permission/admin/manage/identity/usermgt"), so if some external client needs to connect with restricted permissions, it's still possible. But indeed these UIs can be improved to support fine-grained permissions. Since we are working on IS 6.0.0, which is based on the next-gen Carbon 5 platform with a complete redesign of the product, in parallel with the IS 5.3.0 release, we did not focus on a major redesign of the UI and related UI permissions in IS 5.3.0.

Giving you a bit of insight into the IS 6.0.0 effort, we have plans to decouple the personas that use the identity server for different types of administration and provide separate views for each of those. You will be able to follow up on those discussions on the architecture list soon.

We have created https://wso2.org/jira/browse/IDENTITY-5560 to track this specific improvement, and will consider fixing this in a future release.

Thanks

On Wed, Jan 4, 2017 at 7:13 PM, Hanen Ben Rhouma wrote:
> Hi,
>
> Actually I tried most of the combinations and the smallest set of
> permissions allowing users to create roles is by selecting the whole
> "Identity" permissions block. Why
> Sometimes we want some type of users to be able to only create users and
> assign them to some roles, the rest of the application (IdP, SP, Key
> stores, Workflow mgt, etc.) isn't trivial to them and is not even in their
> scope of responsibility. Why such limitation?
>
> Regards,
> Hanen

--
Regards,

*Darshana Gunawardana*
Associate Technical Lead
WSO2 Inc.; http://wso2.com

*E-mail: darsh...@wso2.com*
*Mobile: +94718566859*
Lean . Enterprise . Middleware
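Added example (not part of the original thread and not WSO2 code): a small Python model of the permission tree discussed above, showing why leaf grants satisfy the backend checks but not a console check on the parent node, and how to flag a grant that is broader than the job needs. It assumes a grant on a node also covers its descendants and that the console role page checks the parent node, as described in the message above; OTHER_MODULE is a hypothetical placeholder path, the other three paths are the ones quoted in the thread.

```python
"""Illustrative model of a hierarchical permission tree (assumed semantics)."""

# Paths quoted in the thread.
IDENTITY = "/permission/admin/manage/identity"
USER_MGT = "/permission/admin/manage/identity/usermgt"
ROLE_MGT = "/permission/admin/manage/identity/rolemgt"
# Hypothetical sibling node standing in for the other modules (IdP, SP, ...).
OTHER_MODULE = "/permission/admin/manage/identity/other-module"


def normalize(path):
    """Split into segments so a trailing '/' or '//' does not change the node."""
    return tuple(seg for seg in path.split("/") if seg)


def covers(grant, required):
    """Assumed rule: a grant covers the node itself and all of its descendants.

    Comparison is per segment, so '.../identity' never matches '.../identityX'.
    """
    g, r = normalize(grant), normalize(required)
    return len(g) <= len(r) and r[:len(g)] == g


def is_authorized(grants, required):
    """True if any granted path covers the required resource."""
    return any(covers(g, required) for g in grants)


def excess_grants(grants, needed):
    """Grants that are strict ancestors of a needed node.

    Such a grant authorizes the needed operation but also every sibling
    subtree under the same parent, which is the least-privilege problem
    raised in the thread.
    """
    found = set()
    for g in grants:
        for n in needed:
            if covers(g, n) and normalize(g) != normalize(n):
                found.add(g)
    return sorted(found)


def report(grants):
    """Evaluate the checks discussed in the thread for one role's grants."""
    checks = {
        "backend_usermgt": USER_MGT,
        "backend_rolemgt": ROLE_MGT,
        "console_role_page": IDENTITY,   # assumed to require the parent node
        "other_module": OTHER_MODULE,    # hypothetical sibling subtree
    }
    return {name: is_authorized(grants, path) for name, path in checks.items()}


# Constructed sample roles: leaf grants only (trailing slash as in the SOAP
# request quoted in the thread) versus the whole "Identity" block.
DELEGATED = {USER_MGT, ROLE_MGT + "/"}
BROAD = {IDENTITY}

if __name__ == "__main__":
    for name, grants in (("delegated", DELEGATED), ("broad", BROAD)):
        print(name, report(grants), excess_grants(grants, [USER_MGT, ROLE_MGT]))
```
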
Re: [Dev] [WSO2 IS] Permission to create roles and assign users to them
Hi,

Actually I tried most of the combinations and the smallest set of permissions allowing users to create roles is by selecting the whole "Identity" permissions block. Why
Sometimes we want some type of users to be able to only create users and assign them to some roles, the rest of the application (IdP, SP, Key stores, Workflow mgt, etc.) isn't trivial to them and is not even in their scope of responsibility. Why such limitation?

Regards,
Hanen

On Wed, Jan 4, 2017 at 1:32 PM, Chamila Wijayarathna <cdwijayarat...@gmail.com> wrote:
> Hi,
>
> It looks like you need to have '/permission/admin/manage/identity' to do
> this using the management console. However, looking at the code, if you are
> doing it using API calls, having "User Management" and "Role Management"
> should be enough to do this.
>
> It should work with "Roles Management" IMO, I'm not sure why it's not
> implemented like that.
> @Johann, Darshana : Any idea on this?
Re: [Dev] [WSO2 IS] Permission to create roles and assign users to them
Hi,

It looks like you need to have '/permission/admin/manage/identity' to do this using the management console. However, looking at the code, if you are doing it using API calls, having "User Management" and "Role Management" should be enough to do this.

It should work with "Roles Management" IMO, I'm not sure why it's not implemented like that.
@Johann, Darshana : Any idea on this?

On Wed, Jan 4, 2017 at 10:42 PM, Hanen Ben Rhouma wrote:
> Hello,
>
> What is the permission that gives the user the possibility to create roles
> and assign users to them? I tried "Roles Management" permission but it's
> not doing the trick.
>
> Regards,
> Hanen

--
Chamila Dilshan Wijayarathna,
PhD Research Student
The University of New South Wales (UNSW Canberra)
Australian Centre for Cyber Security
Australian Defence Force Academy
PO Box 7916, Canberra BA ACT 2610
Australia
Mobile:(+61)416895795
[Dev] [WSO2 IS] Permission to create roles and assign users to them
Hello,

What is the permission that gives the user the possibility to create roles and assign users to them? I tried "Roles Management" permission but it's not doing the trick.

Regards,
Hanen