I installed WSO2 APIM 2.6.0 using a distributed deployment (pattern 2) and I enabled Application Sharing in order to allow a group of users (with the same organization value) to be able to manage the organization applications.
For testing purposes, I created a user "user1" with organization "myorg". Then I logged in with user1 and created an application "app1" with the group "myorg". After that, I logged in with another user belonging to the same organization and I am able to see the "app1" application. I'm also able to manage the application subscriptions, however I cannot edit and delete the application even if I assign the admin role.
Is there any way to enable users from the same organization to modify shared applications?
Application owners are able to share their Applications with other users who belong to the same group. Still, application edit privilege is granted to the app owner only, others can only view the application. This behavior is expected.
If you need to grant application edit privilege to another user, admin has to change the ownership of the application. Then the new owner can edit the application.
Note: The owner changing UI is available in 2.6.0 as a WUM update only and will be there in the next public release. However, this is available in the admin API in the latest released versions.
I have seen two service providers added to my wso2 installation.
As I try to delete any of the service providers I get an error:
Error while removing application: Deletion of system applications are not allowed. Application Name: XXX
I have logged in from admin user and still, I am not able to delete it.
I tried giving permissions of service provider explicitly to the admin user but still the same error.
Hope you are using IS 5.11.0 or above.
Console and MyAccount are the two system apps available in the IS pack. It doesn't allow you to modify/delete the system apps.
Console is the newer portal for administrative tasks.
https://stackoverflow.com/a/65733363/10055162
MyAccount is the newer version of the previous user portal/dashboard.
So deleting these apps is not recommended.
Anyhow, if you want to remove both MyAccount and Console apps out of the read-only apps (allow to modify the app configs/delete the apps), use the following config.
[system_applications]
read_only_apps = []
Then restart the server. You will be able to do configuration changes now. Refer:
https://is.docs.wso2.com/en/5.11.0/setup/migrating-what-has-changed/#configurable-system-apps
https://stackoverflow.com/a/68167283/10055162
Can an app external to a G-Suite organization manage its SSO settings?
I started by trying to create a client ID/secret for my app as per https://support.google.com/cloud/answer/6158849
A prerequisite for getting a client ID/secret is configuring the app's Consent Screen as per https://support.google.com/cloud/answer/6158849#userconsent
When looking at the "Add Scope" modal, I only see:
Admin SDK ../auth/admin.reports.audit.readonly
Admin SDK ../auth/admin.reports.usage.readonly
How do I get a scope that would allow my app write access to another G-Suite organization's SSO settings?
I am not trying to manage my G-Suite organization's SSO settings.
What you want cannot be achieved essentially because you cannot manage someone else's G-Suite organization's SSO settings. Therefore, no scopes are available for this option.
But if you have access to the domain mentioned, you can use this scope which is the global scope for access to all domain settings.
https://apps-apis.google.com/a/feeds/domain
According to the documentation:
To request access using OAuth 2.0, your application needs the scope information, as well as information that Google supplies when you register your application (such as the client ID and the client secret).
The old admin settings API is still working for SSO settings, just tried. You can manage the SSO settings of any organization that has enabled your project ID with the scope https://apps-apis.google.com/a/feeds/domain/ via a Marketplace install (they install your app) or a manual install as described here
Using WSO2AM 2.1.0 we have a question.
By default the applications of the store are created by subscribers and each subscriber can see only their own applications (which makes sense).
However, here we have an environment where admins want to create a client application configuration and then just pass client credentials to the clients (or developers). In this case, is it possible for admins to see/access applications of other admins?
Edit: I thought I could see applications of other users in the carbon console logged in as an administrator (under service providers), but apparently I see only mine.
Thank you in advance
Have you enabled the application sharing feature?
https://docs.wso2.com/display/AM220/Sharing+Applications+Between+Multiple+Groups
Everything I searched for returns info about internal user SSO, not client facing websites.
I need an SSO implementation that works with Sitecore's asp.net membership api or has its own Sitecore security provider to enable users who log in to publicfacingwebsite1.com to be able to be logged in to publicfacingwebsite2.com, and logging out of one will log out of the other. I would prefer Sitecore's asp.net membership provider as that will probably have the least upgrade implications in the future.
The domains are different top level domains. The websites are separate sites on the same sitecore instance.
I also need the side ability to impersonate a user (log in as the user) from an admin user, but once I have the main implementation, I'm sure I can find a method for the impersonation.
Regards
I would use a third-party framework for the SSO part. For instance, IdentityServer3.
Here is a good introduction on how to use it together with Sitecore
In regards to the membership provider and the profile data, if you are thinking upgradeability, I am not sure it will be so, if you use the native membership provider. Sitecore will most likely switch to ASP.Net Identity in the near future. The ASP.NET Identity is supported in IdentityServer3, so you might obtain a shared user profile by using IdentityServer for the profile as well. But this is all guessing the future.
If you want to use the membership provider and the standard Sitecore profile provider, I am sure you can customize the implicit flow to map the Identity to a Sitecore user.
Users can use a Facebook account to log in to the API-M publisher and they have the same permission.
The situation is:
Creator A and B have the same permission (Creator, default by log in)
Creator B adds a new API and publishes it.
Creator A can delete the API that creator B created.
Can I restrict creator A so that they can't operate on others' APIs?
Thanks
Tom
As I understood, you have multiple users and users should be able to edit their own APIs and then edit/modify them. We don't have an out-of-the-box solution for that, as the API Manager publisher is designed to allow all API creators/publishers (within the same tenant) to edit APIs.
If you need to avoid API developers updating running APIs in the system, we can have a solution for that. For that you can have 2 different roles for API creators and publishers with relevant permissions. Then API developers will have permission to only create and edit APIs. But they cannot publish those APIs or change running APIs. Only publishers can review changes with the API developer and publish them to run time.
In this article I have explained how we can achieve this using registry level permissions for API artifact.