WSO2 Identity server super tenant role - wso2

I am very interested in using the WSO2 Identity Server platform module as part of a tenant-based SaaS platform.
Looking at the docs, the WSO2 Identity Server module seems to have two logical tiers of users: a 'super tenant' user tier for sys admin stuff, and 'tenant' level users.
For our platform design we have the concept of 'tenant groups', where a 'tenant group' is a logical grouping of tenants. For example, 'tenant group' 'ACME' would be a logical grouping of tenants 'ACME UK', 'ACME USA', and 'ACME Japan'.
For this model we want a third 'tenant group' tier of users - a hybrid of the 'super tenant' user, where a 'tenant group' user would have sys admin rights over just the tenants in their group.
Is it possible to adapt the WSO2 IS functionality to deliver this? If so, how?

Currently WSO2 provides a multi-tenancy feature. The super tenant has management permission over tenants.
Meanwhile, you can also create roles depending on the permissions for a particular tenant. You can have different roles to cater to your requirement. Please read this document for more information on role management.
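As an added illustration of the three-tier model the question describes (this is a design sketch, not WSO2 Identity Server code or its API): a deny-by-default authorization check in which a super tenant administers everything, a tenant-group admin administers only the tenants resolved from their group membership, and an ordinary user acts only inside their home tenant. The tenant names, group names and action names are constructed for the example.

```python
"""Added example (not WSO2 code): a three-tier scoped-admin model.

Tiers, as described in the question:
  - super tenant: administers every tenant
  - tenant-group admin: administers only the tenants in their group
  - tenant user: ordinary rights inside their own tenant only
Every decision is deny-by-default.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set

# Constructed sample data: hypothetical tenant groups and their member tenants.
TENANT_GROUPS = {
    "ACME": {"ACME UK", "ACME USA", "ACME Japan"},
    "Globex": {"Globex EU"},
}

# Constructed action names; a real deployment would map these to its own permissions.
ADMIN_ACTIONS = {"create_user", "delete_user", "assign_role", "configure_tenant"}
USER_ACTIONS = {"read_profile", "update_own_profile"}


@dataclass(frozen=True)
class Principal:
    name: str
    tenant: Optional[str] = None                  # home tenant for tenant-level users
    super_tenant: bool = False                    # sys admin over every tenant
    admin_groups: FrozenSet[str] = frozenset()    # tenant groups this principal administers


def administered_tenants(p: Principal) -> Set[str]:
    """Tenants over which the principal holds admin rights, resolved from group membership.

    An unknown group name grants nothing, so a typo in an assignment fails closed.
    """
    tenants: Set[str] = set()
    for group in p.admin_groups:
        tenants |= TENANT_GROUPS.get(group, set())
    return tenants


def is_allowed(p: Principal, action: str, tenant: str) -> bool:
    """Decide whether `p` may perform `action` in `tenant`. Unknown actions are denied."""
    if p.super_tenant:
        return True
    if action in ADMIN_ACTIONS:
        # Group admins get admin rights only inside the tenants of their groups.
        return tenant in administered_tenants(p)
    if action in USER_ACTIONS:
        # Ordinary actions are confined to the principal's own home tenant.
        return p.tenant == tenant
    return False


if __name__ == "__main__":
    sysadmin = Principal("root", super_tenant=True)
    acme_admin = Principal("acme-ops", admin_groups=frozenset({"ACME"}))
    uk_user = Principal("alice", tenant="ACME UK")
    for who, action, where in [
        (sysadmin, "configure_tenant", "Globex EU"),
        (acme_admin, "create_user", "ACME Japan"),
        (acme_admin, "create_user", "Globex EU"),
        (uk_user, "read_profile", "ACME UK"),
        (uk_user, "delete_user", "ACME UK"),
    ]:
        print(f"{who.name:10} {action:17} {where:12} -> {is_allowed(who, action, where)}")
```

The point of the sketch is that the group-admin tier never holds a standing permission on tenants outside its group: rights are derived from group membership at decision time, and anything not explicitly matched is denied.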

Related

How to make a Google Group a Super Admin of my Cloud Identity

I get the error "Groups are not allowed to be added to this role." when I try to add a Google Group in my Cloud Identity domain as a Super Admin (through admin.google.com).
Is there any way to provide super admin roles to a group of users rather than to individual users?
Thanks.
Basically you cannot create a Super Admin group, and there is a reason:
Super admin accounts have irrevocable administrative permissions that
we do not recommend using in the day-to-day administration of your
organization.
Indeed, this does not really fit with a group-based policy.
Super admin accounts must be managed with direct ownership and be accountable.
The best practice advised by Google is as follows:
Create a new email address that is not specific to a particular user
as the G Suite or Cloud Identity super admin account. This account
should be further secured with multi-factor authentication, and could
be used as an emergency recovery tool.
Disclaimer: Comments and opinions are my own and not the views of my employer.

Grant all WSO2 users subscriber role by default?

Our organization has set up WSO2 API Manager 2.1, with a secondary user store binding to our organization's LDAP. We need all users from our organization to have a subscriber role by default.
We would prefer for there to be no need for users to use "Self Sign Up"-- and additionally, "Self Sign Up" appears to create new accounts, however all of our accounts are already in the secondary user store.
How can we configure the system to grant the subscriber role by default?
Is there any common LDAP user group for the users? For example, users who need to log in to the store belong to group X. If so, you could assign subscriber-related permissions to that group from API Manager instead of assigning permissions to the 'everyone' role. (If you have configured the group-related LDAP queries correctly, you should be able to view them in the API Manager carbon console; refer to https://docs.wso2.com/display/IS550/Configuring+a+Read-write+LDAP+User+Store)

Provision users from WSO2IS to Active Directory

We would keep our user base in the WSO2IS internal repository and we would like to provision users to an Active Directory LDAP following our workflow, like Midpoint Evolveum or Apache Syncope do.
The use case is this: we have a new user, Mr. Foo.
He has a role in the company:
external user: he is added to WSO2IS and he can access webmail (the webmail server uses some protocol to communicate with WSO2IS)
internal user: he is added to WSO2IS, then WSO2IS provisions Foo to the company Active Directory.
Is it possible with WSO2 Identity Server?
Thanks,
Mario
WSO2 IS has rule-based provisioning, where you can define rules for which user store a user can be provisioned to.
What you need to do is to set an attribute on the new user, which signifies whether the user is internal or external, after execution of your workflow. Then this attribute can be evaluated at the XACML level to do the selective provisioning.
The following links might help.
Rule Based Provisioning
Workflow Management

WSO2 IS multiple roles repositories

We have a lot of systems which have their own authorization mechanisms. Our goal is to expose all of them through IS so we can manage all of them in a single place.
Our users are authenticated in LDAP but their roles are spread across several databases. As far as I can see, IS retrieves roles from the domain the user was authenticated in. Is it possible to retrieve roles from all user stores, ignoring the domain?
I've already tried both RemoteUserStoreManagerService.getRoleListOfUser and using claim http://wso2.org/claims/role.
In WSO2 you can only assign roles to a user if the roles are in the same user store domain the user belongs to. If the role is an internal role, then you can assign that role to any user in any user store.
Which API service did you try to retrieve the roles with? Please explain more about your requirements.
Thanks
Isura

WSO2 API Manager (1.10.0) LDAP Roles

I have an LDAP secondary store at APIM (1.10.0).
When I create an application, two roles are created like this:
- Application/<user>_<Name application>_PRODUCTION
- Application/<user>_<Name application>_SANDBOX
I'd like to create them in LDAP automatically. How can I do this?
By design this role is created under Application, which is an internal role. One of the benefits of creating it under Application is that this role can be assigned to a user of any domain (primary/secondary), whereas if the role was created under a specific domain then the role would not be available to users of other domains.
Regards, shavantha