I have set up WSO2 EMM with a read-only LDAP as the user store.
I have gotten the user authentication to work, and if I create roles like subscriber, store or store-admin in the LDAP, that works as well.
But I would like to change the names of the roles, as they are a little too generic. How do I do that?
For the admin role, it can be done in: wso2emm-2.0.1/repository/conf/user-mgt.xml, by changing the:
admin
to something else, but I can't find this for the other roles.
Thanks
I want to give GSAs direct access to modify Google users. I can't find current docs on this so assuming it's not possible right now?
It looks like this is only possible for working with groups:
https://workspaceupdates.googleblog.com/2020/08/new-api-cloud-identity-groups-google.html
I need to give a GSA access to read group membership and also modify user attributes.
Right now I:
create an admin G Suite user
create a GSA with domain-wide authority with these scopes
https://www.googleapis.com/auth/admin.directory.group
https://www.googleapis.com/auth/admin.directory.user
impersonate the G Suite user with the GSA and modify user attributes like this:
service = create_directory_service("G SUITE USER")
service.users().update(userKey=uKey, body=myAttributes).execute()
Do I still need domain wide delegation to modify user attributes? Or is it supported now as well?
You can follow this guide to create a Service Account, turn on the Admin SDK API (which allows the service account to provision/manage the users), and authorize it.
The Service Account created can then be used to provision/manage the G Suite users; here is a guide on how to manage user accounts using the Directory API, which is part of the Admin SDK.
In short, yes it is possible to manage users too, by using Service Accounts, not just groups.
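As an added illustration of the pattern discussed above (this is example code written for this page, not the answer's or Google's own sample), the block below builds a Directory API client that impersonates an admin user through a service account, requests only the two scopes the question actually needs (read group membership, modify users), and walks paginated group-member listings. It assumes google-auth and google-api-python-client are available when the delegated client is actually built; those imports are deferred so the helper functions run without them. `ADMIN_EMAIL`, the group address and the key fields in the constructed sample are placeholders.

```python
"""Delegated Directory API access with least-privilege scopes.

Added example, not the original answer's code. Assumes a service-account key
JSON (dict) and an admin user to impersonate via domain-wide delegation.
"""

# Real Directory API OAuth scopes. The read-only member scope is narrower than
# the admin.directory.group scope used in the question.
SCOPE_USER_WRITE = "https://www.googleapis.com/auth/admin.directory.user"
SCOPE_GROUP_MEMBER_READ = (
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly"
)

# Fields every service-account key file carries; used as a sanity check.
REQUIRED_KEY_FIELDS = ("type", "client_email", "private_key", "token_uri")

ADMIN_EMAIL = "automation-admin@example.com"  # placeholder, assumed


def least_privilege_scopes(read_group_membership, modify_users):
    """Return the narrowest scope list for the stated needs.

    Requesting only these scopes limits what a leaked key can do: a key that
    can read memberships cannot create or delete groups.
    """
    scopes = []
    if read_group_membership:
        scopes.append(SCOPE_GROUP_MEMBER_READ)
    if modify_users:
        scopes.append(SCOPE_USER_WRITE)
    return scopes


def validate_service_account_key(sa_info):
    """Return a list of problems with a service-account key dict (empty = ok)."""
    problems = [f"missing field: {f}" for f in REQUIRED_KEY_FIELDS if f not in sa_info]
    if sa_info.get("type") != "service_account":
        problems.append("type is not 'service_account'")
    return problems


def build_delegated_directory_service(sa_info, admin_email, scopes):
    """Build a Directory API client acting as admin_email.

    The service account itself is not a Workspace user; with_subject() is what
    turns its credentials into an impersonation of the admin (domain-wide
    delegation must have been granted for exactly these scopes).
    """
    from google.oauth2 import service_account          # deferred import
    from googleapiclient.discovery import build         # deferred import

    problems = validate_service_account_key(sa_info)
    if problems:
        raise ValueError("bad service-account key: " + "; ".join(problems))
    creds = service_account.Credentials.from_service_account_info(sa_info, scopes=scopes)
    delegated = creds.with_subject(admin_email)
    return build("admin", "directory_v1", credentials=delegated, cache_discovery=False)


def update_user_attributes(service, user_key, attributes):
    """Patch a user's attributes; same call the question shows."""
    if not attributes:
        raise ValueError("refusing to send an empty update")
    return service.users().update(userKey=user_key, body=attributes).execute()


def iter_group_members(service, group_key):
    """Yield every member of a group, following nextPageToken.

    Stopping after the first page is a common bug that silently hides members
    of large groups from any access review built on this listing.
    """
    page_token = None
    while True:
        resp = service.members().list(groupKey=group_key, pageToken=page_token).execute()
        for member in resp.get("members", []):
            yield member
        page_token = resp.get("nextPageToken")
        if not page_token:
            return


if __name__ == "__main__":
    # Constructed sample key (not a real key); shows the validation path only.
    sample_key = {"type": "service_account", "client_email": "sa@example.iam.gserviceaccount.com",
                  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
                  "token_uri": "https://oauth2.googleapis.com/token"}
    print(validate_service_account_key(sample_key))
    print(least_privilege_scopes(read_group_membership=True, modify_users=True))
```

The scopes you pass to `least_privilege_scopes` must match, exactly, the scopes authorized for the service account's client ID in the Admin console; a mismatch surfaces as an authorization error on the first API call, not at credential-build time.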
I am using WSO2 APIM 3.2.0 and WSO2 IS 5.11.0.
Is there a way to enable a non-lock feature for the admin (super_admin) account?
i.e. even after n wrong-password attempts at the admin account login, the admin account should not be locked.
These are the only configurations I could observe for super_admin, as mentioned in the link below:
https://is.docs.wso2.com/en/latest/setup/configuring-the-system-administrator/
Is this possible through deployment.toml file or other configuration?
You can assign the Internal/system role to any user to avoid that user getting locked.
But keep in mind that this will allow brute-forcing the super admin password. Therefore, the super admin username should be an uncommon one.
I've got a Django site with authentication handled by Auth0 (following this quickstart guide). The issue I have is that users logged in don't have access to Django Admin section:
How can I assign certain Auth0-authenticated users the privileges to log in to Admin? Somehow link them with the current Django-based users, perhaps?
You need to use Auth0 roles, or extra data.
The flow works like this:
Log into Auth0 and add roles or extra data to your user
Create a Django backend in your authentication pipeline to read in the roles/extra data information
Have your backend check this role information and set "is_staff" to True for the user
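One way to implement the pipeline step described in that answer, as an added example that is not part of the original answer: a function that reads a namespaced roles claim from the Auth0 userinfo/ID-token payload and sets the Django staff flags from it. The claim name `https://example.com/roles` and the role names `django-admin` / `django-superuser` are placeholders assumed for this example; the `(backend, response, user, ...)` signature mirrors the python-social-auth pipeline style used by the Auth0 Django quickstart, but the code works on plain dicts and a duck-typed user object so it runs without Django installed.

```python
"""Map Auth0 roles to Django admin flags in an auth-pipeline step.

Added example, not the original answer's code. Assumes Auth0 delivers roles
as a namespaced custom claim (placeholder name below).
"""

ROLES_CLAIM = "https://example.com/roles"  # assumed namespaced claim name
STAFF_ROLE = "django-admin"                 # assumed role name
SUPERUSER_ROLE = "django-superuser"         # assumed role name


def roles_from_claims(claims):
    """Return the set of role names in the token claims.

    A missing or malformed claim yields an empty set (fail closed): nobody
    gets staff access because a rule forgot to attach the claim.
    """
    raw = claims.get(ROLES_CLAIM)
    if not isinstance(raw, list):
        return set()
    return {r for r in raw if isinstance(r, str)}


def flags_from_roles(roles):
    """Derive (is_staff, is_superuser) from a role set.

    A superuser is always staff. Anyone without the staff role is explicitly
    demoted, so a role revoked in Auth0 is revoked in Django at next login
    instead of lingering on the local user row.
    """
    is_superuser = SUPERUSER_ROLE in roles
    is_staff = is_superuser or STAFF_ROLE in roles
    return is_staff, is_superuser


def sync_admin_flags(backend, response, user=None, *args, **kwargs):
    """Pipeline step: after the user is loaded/created, update admin flags.

    `response` is the provider payload (dict) as python-social-auth passes it;
    `user` is the Django user instance. Returns the flags applied, or None
    when there is no user to update. Only saves when something changed.
    """
    if user is None:
        return None
    is_staff, is_superuser = flags_from_roles(roles_from_claims(response))
    changed = (getattr(user, "is_staff", None) != is_staff
               or getattr(user, "is_superuser", None) != is_superuser)
    user.is_staff = is_staff
    user.is_superuser = is_superuser
    if changed and hasattr(user, "save"):
        user.save(update_fields=["is_staff", "is_superuser"])
    return {"is_staff": is_staff, "is_superuser": is_superuser}


class DemoUser:
    """Stand-in for a Django user model so the example runs without Django."""

    def __init__(self, is_staff=False, is_superuser=False):
        self.is_staff = is_staff
        self.is_superuser = is_superuser
        self.saved_fields = None

    def save(self, update_fields=None):
        self.saved_fields = update_fields


if __name__ == "__main__":
    # Constructed sample payload, as Auth0 would return it with a roles claim.
    payload = {"sub": "auth0|123", "email": "dev@example.com",
               ROLES_CLAIM: ["django-admin"]}
    u = DemoUser()
    print(sync_admin_flags(None, payload, user=u), u.saved_fields)
```

In a python-social-auth setup this function would be appended to `SOCIAL_AUTH_PIPELINE` after the step that creates or loads the user (an assumption about your project layout); the demotion branch is the part worth keeping whatever the framework, since it is what makes role removal in Auth0 take effect.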
I need to add a new user in WSO2 CEP (3.1.0) and I know that it is possible by clicking through a few steps in the console (example from documentation). I wonder if it is possible to add a new user without logging into the console, but by connecting to the H2 database and inserting the user there?
I know that a new user is saved into the "UM_USER" table.
Maybe someone knows what class writes the user into H2, how the password is encrypted and what "UM_SALT_VALUE" is and why I need it?
If all you want is to manage users programmatically, a better way than trying to modify the H2 DB is to do it through the relevant admin service. This way you don't have to bother about the underlying user store or the salt values used for hashing passwords etc.
In Carbon-based products, most of the configurations done through the web console can be done programmatically by calling the relevant admin web service, such as user management, adding/managing deployment artifacts etc.
So for your use case, you can use the User Management admin service at:
https://localhost:9443/services/UserAdmin?wsdl
Note that in order to access this WSDL, you should make these admin service WSDLs visible by editing <CEP>/repository/conf/carbon.xml and restarting the server.
<HideAdminServiceWSDLs>false</HideAdminServiceWSDLs>
I have to sync account information across 3 different platforms. I wrote a password script that will update a user's account information in LDAP, our Student Information System, and in Gmail (for edu). I had no issues with the older migration API, but that is going away in the coming months.
I wrote a new library to use OAuth2 and the Admin SDK to manage my user accounts. I'm using a service account and specifying a superadmin account to perform account creations and password updates. This works perfectly fine with normal accounts. However, it seems that I cannot reset my own password (I'm an admin).
So far the things that my library can do are: search, create, update, and delete NON-ADMIN accounts. Things that do not work: promote an account to admin, undelete an account, change admin account information (password for example).
Changing admin account info results in: "Not Authorized to access this resource/api" error.
Is there any way to get around this issue? If not, this severely cripples my ability to use the new API to manage my users. Well, the admin users anyway. I need it to work for all users, even the handful of administrators. I simply don't see the point of a service account impersonating an admin and then not having all the proper rights to change account info on all accounts, especially when the previous API allowed it.
Please advise.
I can also provide my library for anyone interested in using it.
-Jerry
I figured out my issue.
When I started this project, I created a google account for this project and assigned it superadmin role.
I was revisiting my project today and I was getting the same errors when trying to update admin accounts. I signed into the project's admin Gmail account... and accepted the terms...
Now my library works perfectly. Yay.