In API Manager, for a given API, I have set API visibility to RoleA only. RoleB is not allowed to see the API in the Store, but users with RoleB can still see the API. What am I missing?
The admin user is able to see the APIs even when visibility is restricted by roles. The admin user is a special user with all privileges. Can you create a new user with the Internal/Subscriber role and check the same? Then it should work.
I was following the WSO2 course and landed on this. So far, only the admin account can publish an API. I just want the API creator to create the API and the API publisher to publish it.
I tried to create different roles and give them only the permissions they require, like creator > creates and publisher > publishes. That has not worked so far.
You can create roles from the management console and do the relevant role mappings from the Admin Portal. For example, if you want a user who can do CRUD operations on an API, you can assign a role which has the Internal/creator mapping to that user. Or, if you need more fine-grained permissions, you can assign the relevant scopes in the Role Permissions section of the Admin Portal.
Please refer to https://apim.docs.wso2.com/en/latest/administer/managing-users-and-roles/managing-user-roles/#creating-user-roles for more information. This also explains which specific permissions (scopes) are applied to each of the creator, publisher, etc. roles. You can use that to get an idea of each role's capabilities.
I have installed WSO2 API Manager and am trying to set up authentication and authorization via API Manager. I can't figure out how to configure which users will be able to log in through the app. Currently, all users who are in the user store are allowed to log in. I need to restrict the ability to log in to the app to a certain range of users. How can this be done?
You can achieve this by adding roles to the particular users. Refer to this doc: https://apim.docs.wso2.com/en/latest/administer/managing-users-and-roles/managing-user-roles/#managing-user-roles
You need to configure the roles and permissions according to your use case:
Create a role (e.g. testRole) and assign the required permissions, except for the login permission (Admin Permissions > Login), to that role [1].
Create a new user (e.g. testUser) and assign testRole to that user [2].
Now the testUser that you have created has no login permission for the app.
[1] https://apim.docs.wso2.com/en/latest/administer/managing-users-and-roles/managing-user-roles/#create-user-roles
[2] https://apim.docs.wso2.com/en/latest/administer/managing-users-and-roles/managing-users/#adding-a-new-user
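The two behaviours described in this thread, the admin user bypassing role-restricted API visibility and a role without the login permission blocking sign-in, can be modelled in a few lines. The following is an added illustration written for this page, not WSO2 API Manager's own code: the role names, the `/permission/admin/login` string standing in for "Admin Permissions > Login", the implicit `everyone` role and all users and APIs are constructed assumptions.

```python
"""Constructed model of role-based API visibility and login-permission checks.
Added for illustration; not WSO2 API Manager code. All names are assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

ADMIN_ROLE = "admin"                          # assumption: privileged role that bypasses visibility
EVERYONE_ROLE = "everyone"                    # assumption: implicit role every user holds
LOGIN_PERMISSION = "/permission/admin/login"  # assumption: stands for "Admin Permissions > Login"


@dataclass(frozen=True)
class Role:
    name: str
    permissions: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Api:
    name: str
    visible_to: Optional[FrozenSet[str]] = None  # None means public; else the allowed role names


def effective_roles(user: User) -> FrozenSet[str]:
    """Every user implicitly holds 'everyone', so permissions granted to it reach all users."""
    return user.roles | {EVERYONE_ROLE}


def can_login(user: User, roles: Dict[str, Role]) -> bool:
    """A user may log in only if at least one of their roles carries the login permission."""
    return any(LOGIN_PERMISSION in roles[r].permissions
               for r in effective_roles(user) if r in roles)


def visible_apis(user: User, apis: List[Api]) -> List[str]:
    """Admin sees every API; other users see public APIs plus those whose
    allowed-role set intersects their effective roles."""
    mine = effective_roles(user)
    if ADMIN_ROLE in mine:
        return [a.name for a in apis]
    return [a.name for a in apis if a.visible_to is None or (a.visible_to & mine)]


def build_store():
    """Constructed sample data mirroring the scenarios discussed in the thread."""
    roles = {
        ADMIN_ROLE: Role(ADMIN_ROLE, frozenset({LOGIN_PERMISSION, "/permission/admin/manage"})),
        "RoleA": Role("RoleA", frozenset({LOGIN_PERMISSION})),
        "RoleB": Role("RoleB", frozenset({LOGIN_PERMISSION})),
        # testRole deliberately lacks the login permission
        "testRole": Role("testRole", frozenset({"/permission/admin/manage/api/subscribe"})),
        EVERYONE_ROLE: Role(EVERYONE_ROLE),
    }
    users = {
        "admin": User("admin", frozenset({ADMIN_ROLE})),
        "alice": User("alice", frozenset({"RoleA"})),
        "bob": User("bob", frozenset({"RoleB"})),
        "testUser": User("testUser", frozenset({"testRole"})),
    }
    apis = [
        Api("PublicAPI"),
        Api("RestrictedAPI", frozenset({"RoleA"})),  # visibility limited to RoleA
    ]
    return roles, users, apis


if __name__ == "__main__":
    roles, users, apis = build_store()
    for name, u in users.items():
        print(f"{name:9} login={can_login(u, roles)!s:5} sees={visible_apis(u, apis)}")
```

Running it shows why testing visibility as admin is misleading: admin and alice (RoleA) both see RestrictedAPI, bob (RoleB) sees only PublicAPI, and testUser cannot log in at all because neither testRole nor the implicit everyone role carries the login permission.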
I understand that users and roles in WSO2 IS are used for managing the Carbon console. How can I use roles and permissions in my web app, for example, define roles and permissions and apply policies using XACML?
You can follow this documentation to set up role-based authorization for your application.
For the permission-based authorization, you can assign those permissions to the role and achieve it.
Our organization has set up WSO2 API Manager 2.1, with a secondary user store binding to our organization's LDAP. We need all users from our organization to have a subscriber role by default.
We would prefer that users not need to use "Self Sign Up". Additionally, "Self Sign Up" appears to create new accounts, but all of our accounts are already in the secondary user store.
How can we configure the system to grant the subscriber role by default?
Is there any common LDAP user group for the users? For example, users who need to log in to the Store belong to group X. If so, you could assign subscriber-related permissions to that group from API Manager instead of assigning permissions to the 'everyone' role. (If you have configured the group-related LDAP queries correctly, you should be able to view the groups in the API Manager Carbon console; refer to https://docs.wso2.com/display/IS550/Configuring+a+Read-write+LDAP+User+Store)
Is it possible to use the IAM API as a user registration service for my application?
I.e. if I let the user create an account and password, can they then log in with IAM and use my application?
Or is it more for developers who are tinkering around with the actual AWS platform?
Thanks,
Ben
That's not what AWS Identity and Access Management is made for. I guess you don't want your users to have access to your infrastructure … If you want user registration, you should implement it inside your application.