Saturday, April 19, 2014

WSO2 Carbon Permissions Tree and automating the permissions setting/deleting process

This post shows how to set the permissions of a role using a Carbon admin service. Basically, it is an HTTP POST request carrying a SOAP message.

The endpoint is : https://localhost:9443/services/UserAdmin.UserAdminHttpsSoap11Endpoint

Replace localhost and the port with your Carbon hostname and HTTPS port (9443 by default).

Request Payload:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:setRoleUIPermission>
         <!--Optional:-->
         <xsd:roleName>cg_publisher</xsd:roleName>
         <!--Zero or more repetitions:-->
         <xsd:rawResources>/permission/admin/login</xsd:rawResources>
         <xsd:rawResources>/permission/admin/configure/datasources</xsd:rawResources>
      </xsd:setRoleUIPermission>
   </soapenv:Body>
</soapenv:Envelope>


Inside the <xsd:roleName> element, pass the role name. If you are using an external user store like LDAP or Active Directory, this is probably the group name.
Inside the <xsd:rawResources> element, pass the permission path. If you need to set many permissions for a role, send many such elements in the same request.

Also set Basic Auth on the request, using the username and password of the admin user of the Carbon server. I'll explain below how to set Basic Auth on the request, if you don't know how.

That is all there is to the request. But to build the permission path string, you need to understand the permission tree of WSO2 Carbon.

Permissions Tree

This is a predefined tree in WSO2. To see it, open the registry location /_system/governance/permission:
1. Go to WSO2 management console Main -> Registry -> Browse
2. Paste the registry path above (/_system/governance/permission) into the Location field of the registry browser.
3. Expand the Properties section by clicking the "+" mark of the properties (in the right-most corner).
4. You'll see the value "All Permissions". That is the display name of that permission. We'll need this display name later.
5. In the Entries section, the listed names (admin, protected) are permissions.

If you click one of these permissions, you get the list of child permissions of that parent permission. You can keep going down until you reach a leaf. As you move through the tree, the Location path changes as well. If you go to a location like /_system/governance/permission/admin/login, you won't see any more permissions inside the login permission of the admin permission, because login is a leaf of this permission tree.

Permission Path

If you followed the steps in the permission tree section correctly, you should see the location path in the registry. Remove the first two segments (/_system/governance) from that location path; the rest is the permission path. That is the string you need to send in the request above.
Let's say you are going to set the permission for logging in to the management console. The permission path for that permission is "/permission/admin/login" (without quotes).

You can also give permissions at parent nodes.

If you give the role the permission /permission/ of the permission tree, the role has every permission in the tree.
If you give it /permission/admin/, the role has the full admin subtree.

Note

Once you send a request setting a permission or set of permissions for a particular role, the role's existing permissions are no longer valid. The request replaces the role's permissions with exactly the set sent in the new request, so any permission you leave out is revoked. If you need to update the permissions of a role, you have to list all of its permissions, as below.

Let's say admin is the role name and it has the following permissions:

/permission/admin/configure
/permission/admin/manage/extensions

Now you need to add the permission /permission/manage/manage_tiers as well.

Then your request body should look like this:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:setRoleUIPermission>
         <!--Optional:-->
         <xsd:roleName>admin</xsd:roleName>
         <!--Zero or more repetitions:-->
         <xsd:rawResources>/permission/admin/configure</xsd:rawResources>
         <xsd:rawResources>/permission/admin/manage/extensions</xsd:rawResources>
         <xsd:rawResources>/permission/manage/manage_tiers</xsd:rawResources>
      </xsd:setRoleUIPermission>
   </soapenv:Body>
</soapenv:Envelope>


Setting Basic Auth

To set this, add a header to your request. The header name is "Authorization" (without quotes), and the value is Basic, a space, then the base64-encoded administrator username and password joined by a colon. Let's say your username and password are admin/admin. Base64-encode the string "admin:admin" (without quotes); that is YWRtaW46YWRtaW4=. The header for this example is then:
Name = Authorization
Value = Basic YWRtaW46YWRtaW4=
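The request building described in this post (permission path from the registry location, the replace-everything behaviour from the Note section, and the Basic Auth header) as an added Python example; this is not code from the original post or from WSO2, it builds the request offline without sending it, and the SOAPAction value and the whitespace check in check_path are my assumptions.

```python
import base64
from xml.sax.saxutils import escape

REGISTRY_PREFIX = "/_system/governance"

def registry_to_permission_path(registry_path):
    """Drop the /_system/governance prefix from a registry location,
    e.g. /_system/governance/permission/admin/login -> /permission/admin/login."""
    if not registry_path.startswith(REGISTRY_PREFIX + "/permission"):
        raise ValueError("not inside the permission tree: %r" % registry_path)
    return registry_path[len(REGISTRY_PREFIX):].rstrip("/")

def check_path(path):
    """Refuse paths with stray whitespace or outside /permission (assumed rule):
    the service stores the string as given, so "/permission/x " is another resource."""
    if path != path.strip() or not path.startswith("/permission"):
        raise ValueError("bad permission path: %r" % path)
    return path

def merged_permissions(existing, new):
    """setRoleUIPermission replaces the role's whole permission set, so the
    request must list the paths the role already holds plus the new ones."""
    out = []
    for p in list(existing) + list(new):
        if check_path(p) not in out:
            out.append(p)
    return out

def build_envelope(role, paths):
    """Build the setRoleUIPermission body; escape() stops a role name such as
    'a&b' or '</xsd:roleName>' from breaking the XML or injecting elements."""
    resources = "".join(
        "         <xsd:rawResources>%s</xsd:rawResources>\n" % escape(p) for p in paths)
    return (
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"'
        ' xmlns:xsd="http://org.apache.axis2/xsd">\n'
        "   <soapenv:Header/>\n   <soapenv:Body>\n      <xsd:setRoleUIPermission>\n"
        "         <xsd:roleName>%s</xsd:roleName>\n%s"
        "      </xsd:setRoleUIPermission>\n   </soapenv:Body>\n</soapenv:Envelope>\n"
        % (escape(role), resources))

def request_headers(username, password):
    """Authorization is base64("user:password") after "Basic ". The SOAPAction
    value is an assumption (Axis2 convention urn:<operation>), not from the post."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token,
            "Content-Type": "text/xml; charset=utf-8",
            "SOAPAction": "urn:setRoleUIPermission"}
```

Feed build_envelope() the output of merged_permissions() with the role's current paths, then POST it with request_headers() to the UserAdmin endpoint above.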

Validation

To validate whether the permission was set:
1. Send the request correctly.
2. Log in to the Management Console.
3. Go to Configure -> Users and Roles.
4. Go to Roles and click Permissions for the role you set permissions on.
5. This displays the graphical permission tree.
6. The permissions you assigned should already be checked.

This large graphical tree uses the "display name" I described in step 4 of the Permissions Tree section.

Hope you all enjoy!!!