Is it possible to disable the ability to create applications for selected users? I know that I can use application creation workflow, but then approval task will be created, is there any other way to do it?
We can do this without the Application Creation workflow. This can be done using Roles/ Permissions feature as described here -
https://apim.docs.wso2.com/en/latest/administer/managing-users-and-roles/managing-permissions/
https://apim.docs.wso2.com/en/latest/administer/managing-users-and-roles/managing-user-roles/
You can tap into individual permissions and achieve this.
You can achieve this by changing the scopes assigned to that particular user's role from the Admin portal. For example, the default Internal/subscriber role has apim:app_manage scope assigned. But if you remove this scope from Internal/subscriber, the users will not be able to do CRUD operations on applications.
So similarly, you can create a custom role and assign the required scopes to that role and assign that to the user to achieve your requirement.
Please refer [1] for all available scopes and their usages.
[1] - https://apim.docs.wso2.com/en/latest/administer/managing-users-and-roles/managing-permissions/#adding-api-m-specific-scope-assignments
You can just hide the Application creation button from the dev portal UI using the dev portal customization[1].(By doing this you are only hiding the UI functionality and still, this can achievable using REST APIs).
Follow the below steps to achieve the use case.
To hide the Add New Application button, add the display: 'none' property to the [2] createLinkWrapper class which holds the button.
createLinkWrapper: {
paddingLeft: theme.spacing(2),
display: 'none',
}
Then built the changes following [1] and deployed the changes and then Add New Application button will be hidden.
[1] https://apim.docs.wso2.com/en/latest/reference/customize-product/customizations/advanced-ui-customization/#publisher-and-developer-portal-advanced-ui-customizations
[2] https://github.com/wso2/apim-apps/blob/v9.0.311/portals/devportal/source/src/app/components/Applications/Listing/Listing.jsx#L137
Related
I have enabled multi-tenancy in GCP Identity Platform and unchecked "Enable create (sign-up)" in User Actions section of Identity Platform settings.
I have then implemented example sign-in page by following https://cloud.google.com/identity-platform/docs/multi-tenancy-ui this tutorial.
Specifically I have this snippet in my frontend code:
<script>
var ui = new firebaseui.auth.AuthUI(firebase.auth());
firebase.auth().tenantId = <MY-ONE-AND-ONLY-TENANT-ID>;
ui.start('#firebaseui-auth-container', config);
});
</script>
My problem is that it's still possible to create accounts in this tenant scope despite unchecking the "Enable create (sign-up)".
Additionally, if I comment out this line: firebase.auth().tenantId = <MY-ONE-AND-ONLY-TENANT-ID>;
I get expected This operation is restricted to administrators only. error. Therefore I understand that this setting has effect in general scope of my project.
Question is how do I achieve the same for my tenants if "Settings" page is only available for general scope. It displays <TENANT-NAME> is a tenant, you can manage <TENANT-NAME> and other tenants in <PROJECT-NAME>
Based on this article, when sign-up is disabled in the project settings, it should be mirrored with adminRestrictedOperation flag having set to true in Firebase. Disabling sign-up in the project settings without setting this to true will not have any effect.
Additionally, you might find this GitHub article useful. You can disable new user sign up with email providers by setting the flag disableSignUp.status to true. This will display an error message when new users attempt to sign up.
I have installed Airflow in my Ubuntu system and trying to deploy Airflow to production. I would like to turn off the menu Docs on the UI (browser).
I was reading setting permissions on the menus here access-control but it is hard to turn off this menu for each role. I am curious to know if we can Disable/Hide/Remove Docs menu from the root.
There's no one-click way to turn it off globally. I wonder why it's hard to turn it off for each role? The only way to truly perform this in one action is to query the metastore directly and remove the menu access on Docs permission from all roles using a single SQL query.
Assuming you don't have too many roles, it takes just a few clicks in the UI. First you'll need Admin permissions and go to Security -> List Roles. In there, edit each role and remove the menu access on Docs permission.
I am new to WSO2 identity server. Need some help in getting the role-based access control list.
I have one angular application. In that there is a menu like product list, add product, update product, delete product. Based on the role defined in this application I want to show the menu items to the user. For example, we have roles like admin, manager, user. For the admin-role I have to show all the menu items. For manager-role show add-product, update-product and for the user-role only product-list menu item.
So when the user login into my application based on the user role I want to show the menu list. To authenticate, create users, roles, user role mapping I used SCIM2 APIs of wso2 identity server 5.7.
I tried XACML but not succeeded. Please help me how to get the Role-based ACL.
First get an idea about XACML terms PEP, PDP, PAP, PIP [1][2] might help you. You can think about PEP (Policy Enforcement Point) as per your angular application. In order to communicate with XACML PDP, you can use XACML REST APIs [3]. Regarding writing XACML policies for RBAC, you can have a look already available XACML template authn_role_based_policy_template
[1] https://wso2.com/library/tutorials/2016/02/tutorial-how-to-enable-role-based-access-control-for-wso2-api-manager-using-xacml/
[2] https://wso2.com/library/articles/2013/11/fine-grained-xacml-authoriation-with-pip-points/
[3] https://docs.wso2.com/display/IS570/Using+REST+APIs+via+XACML+to+Manage+Entitlement
Hi I am using WSO2 integrator for my integration projects. I would like to know that, is there a way to hide the source codes deployed in WSO2 as car file.That is, the user should not be allowed to edit the services either in source view or in design view. Also please share the thoughts of customize wso2 itself for the same purpose.
It is possible to create users and assign different permission for users in ESB. You can see in the following documentation how to add users and configure roles:
https://docs.wso2.com/display/ADMIN44x/Configuring+Roles
To add a user On the Main tab in the management console, click Add under Users and Roles and follow along.
The following will help to set permissions:
https://docs.wso2.com/display/ADMIN44x/Role-based+Permissions
If I have an item in draft state and I go to Experience Editor, the add new component is disabled and I cannot add any new components for an Editor role.
Any idea where should I look?
It sounds like member Roles are the issue here.
Look into including one of the Designer roles (Designer / Sitecore Client Designing)
From Sitecore security roles documentation:
Sitecore Client Designing
Gives the user access to Experience Editor Design pane features that allow a user to set layout details associated with items in the Sitecore client.
Members of this role are: Designer
and
Designer
Gives the user read and write access to the areas of the content tree
that are required when changing layout details for individual items
and groups of items via template standard values, as well as items
required when configuring the Experience Editor Design Pane.
This role also has two of the Sitecore Client roles assigned to it, so
if you assign just this role to a user, the Sitecore Client Designing
and Sitecore Client Users roles will be automatically assigned to the
user.
This role provides access to the Experience Editor Design Pane
features and the designer options in the Content Editor.
Note This role is not a member of the Author and Authoring roles, so
it does not allow users to edit items.
Members of this role are: Developer
This sounds like a a workflow security issue. I would recommend using the Access Viewer to check the user's access to the item you are trying to edit. If it tells you that there is no access, the right side of the tool should tell you why. If the 'why' is workflow state access, you probably need to adjust your security on the Workflow state for 'Draft'.