Is there a way to create nested groups in WSO2 Identity Server using UI or the SCIM interface's Groups end point with LDAP User Store? I tried both but could not create. Is there any other mechanism or the nested groups not supported?
AFAIK, there is no way to create nested groups in WSO2IS; it can only create LDAP groups and assign them to users. But if there are nested groups in the LDAP already, then when users are retrieved from a particular group, it would give all the users within the nested groups as well. However, if you are familiar with XACML, you can use hierarchical groups using this profile. XACML is supported by WSO2 Identity Server to achieve these goals.
I have a secondary user store (JDBC) created in WSO2 IS 5.11.0.
2 roles are added under the user store.
I am using the below SCIM 2.0 API to get the roles:
https://{IS_IP}:{PORT}/t/carbon.super/scim2/Roles, but only the roles created under the primary user store are listed in the response.
Under the claims list -> http://wso2.org/claims -> Role -> Mapped attributes, I have added the secondary user store to the list. Still not getting the response.
Is there any other configuration to be done to get it via the SCIM API?
Since WSO2 IS 5.11.0, Groups and Roles are considered separately. Refer [1]
https://{IS_HOST}:{PORT}/scim2/Groups endpoint lists out the user store groups (both primary and secondary user stores' groups)
https://{IS_HOST}:{PORT}/scim2/Roles endpoint lists out the Roles (Roles are basically Internal and Application Roles. You won't see any prefix for Internal roles in the list)
In your case, since you have added a user store group, it needs to be managed via https://{IS_HOST}:{PORT}/scim2/Groups.
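An added example, not from the answer above or from WSO2's own code, showing how to tell primary and secondary user-store groups apart in a scim2/Groups ListResponse. It assumes (as an assumption, not something the answer states) that secondary user-store groups come back with a "DOMAIN/" prefix in displayName while PRIMARY groups carry no prefix; the response body below is constructed, not captured from a server, and the filter expression is standard SCIM 2.0 (RFC 7644) rather than anything WSO2-specific.

```python
"""Sort a WSO2 IS scim2/Groups ListResponse by user-store domain (added example).

Assumptions: secondary user-store groups are returned as "DOMAIN/name" in
displayName, PRIMARY groups as a bare "name"; SAMPLE_LIST_RESPONSE is constructed.
"""
import json
from urllib.parse import urlencode

LIST_RESPONSE_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed sample body in the SCIM 2.0 ListResponse shape (not a real capture).
SAMPLE_LIST_RESPONSE = json.dumps({
    "schemas": [LIST_RESPONSE_SCHEMA],
    "totalResults": 3,
    "Resources": [
        {"id": "11111111-aaaa", "displayName": "admin"},
        {"id": "22222222-bbbb", "displayName": "SECONDARY/auditors"},
        {"id": "33333333-cccc", "displayName": "SECONDARY/operators"},
    ],
})


def groups_by_domain(list_response_json: str, primary_domain: str = "PRIMARY") -> dict:
    """Return {DOMAIN: [group names]} from a SCIM ListResponse body.

    Rejects bodies that are not a ListResponse so an error document or an
    unexpected resource type is not silently treated as an empty group list.
    """
    body = json.loads(list_response_json)
    if LIST_RESPONSE_SCHEMA not in body.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    out: dict = {}
    for res in body.get("Resources", []):
        name = res["displayName"]
        domain, sep, local = name.partition("/")
        if not sep:  # no "DOMAIN/" prefix: primary user store (assumed convention)
            domain, local = primary_domain, name
        out.setdefault(domain.upper(), []).append(local)
    return out


def groups_url(host: str, port: int, domain: str = None, tenant: str = "carbon.super") -> str:
    """Build the scim2/Groups URL, optionally filtered to one user-store domain.

    The filter uses the SCIM 2.0 "sw" (starts with) operator from RFC 7644 3.4.2.2;
    whether a given WSO2 IS version honours it on displayName is an assumption.
    """
    base = f"https://{host}:{port}/t/{tenant}/scim2/Groups"
    if domain is None:
        return base
    return base + "?" + urlencode({"filter": f'displayName sw "{domain}/"'})


if __name__ == "__main__":
    print(json.dumps(groups_by_domain(SAMPLE_LIST_RESPONSE), indent=2))
    print(groups_url("idp.example", 9443, "SECONDARY"))
```

The point of the domain split is that the Roles endpoint will never show these entries: anything created under a user store is a Group, so tooling that audits role assignments on 5.11.0 has to read both endpoints.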
Does anybody know how I can use WSO2 IS Roles or AD groups (through WSO2 IS) to map AWS ARNs?
https://medium.com/#gayanmadusanka_80721/login-to-aws-console-from-wso2-identity-server-cb05d4d12ff5
I would like to use Active Directory groups or WSO2 IS roles instead of mapping claims individually on each user.
I'm building a Django rest framework based service which has some complicated permissions. So far, my microservices stack looks like this:
/auth/ - JWT authentication service
/users/ - adding users, adding them to different services
/new-service/ - needs authorization
The users database is shared by auth and users, read-only and read/write respectively. new-service has no access to this database, but the challenges consist of:
user can be in multiple groups specific to that service
user could have read-only access to one item in one of the groups
user could be allowed to create new users with access to one of the groups
users have different roles in the service, but we still need to allow for access like the read-only one listed
Groups are used not to manage users, but to provide access to things. Like GitLab groups provide access to GitLab projects.
If I put all the permissions in the users service, my new service has to talk to that one and it will get chatty. It seems like there has to be a data divide, but I'm not sure exactly where to put it. Conversely, should the django-rest-framework service even have a shadow entry of the user account in its db? Advice appreciated. I'm feeling like I'm having a slow day.
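An added example, not part of the question above, of one way to keep the per-request decision inside new-service without it calling /users/: the /auth/ service puts the user's group roles and any per-item read-only grants into the JWT, and new-service evaluates them locally. The claim layout ("groups" as a group-to-role map, "item_ro" as a list of item ids) and the role names are assumptions for the example; nothing here imports Django REST framework, though the two check functions are shaped so they drop into a BasePermission's has_permission / has_object_permission. Signature verification of the JWT is assumed to have happened in the authentication layer before these claims are trusted.

```python
"""Claims-driven permission check for a group-scoped service (added example).

Assumed JWT payload shape (not from the original post):
    {"sub": "...", "groups": {"<group>": "<role>"}, "item_ro": ["<item id>", ...]}
"""
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}          # read-only HTTP methods
ROLE_RANK = {"viewer": 1, "editor": 2, "admin": 3}  # assumed role ladder


@dataclass
class Item:
    id: str
    group: str  # the service group that owns this item


@dataclass
class Claims:
    sub: str
    groups: dict = field(default_factory=dict)    # group -> role
    item_ro: list = field(default_factory=list)   # items readable without membership

    @classmethod
    def from_payload(cls, payload: dict) -> "Claims":
        """Validate claim shapes strictly: a malformed claim is rejected, never
        coerced, so a bad token cannot widen access by accident."""
        groups = payload.get("groups", {})
        item_ro = payload.get("item_ro", [])
        if not isinstance(groups, dict) or not all(
            isinstance(g, str) and r in ROLE_RANK for g, r in groups.items()
        ):
            raise ValueError("malformed groups claim")
        if not isinstance(item_ro, list) or not all(isinstance(i, str) for i in item_ro):
            raise ValueError("malformed item_ro claim")
        return cls(sub=str(payload["sub"]), groups=dict(groups), item_ro=list(item_ro))


def can_access(claims: Claims, method: str, item: Item) -> bool:
    """Object-level decision: group role first, then explicit per-item read grants."""
    role = claims.groups.get(item.group)
    if role is not None:
        if method in SAFE_METHODS:
            return True                       # any member may read
        return ROLE_RANK[role] >= ROLE_RANK["editor"]  # writes need editor or above
    # Not a member of the owning group: only an explicit read-only grant helps,
    # and it never permits a write.
    return method in SAFE_METHODS and item.id in claims.item_ro


def can_invite(claims: Claims, group: str) -> bool:
    """Creating users with access to a group requires admin in that group."""
    return claims.groups.get(group) == "admin"


if __name__ == "__main__":
    # Constructed decoded payload, standing in for what /auth/ would issue.
    alice = Claims.from_payload({"sub": "alice", "groups": {"billing": "editor"}, "item_ro": ["inv-7"]})
    print(can_access(alice, "PUT", Item("inv-1", "billing")))   # True: editor in billing
    print(can_access(alice, "GET", Item("inv-7", "ops")))       # True: read-only grant
    print(can_access(alice, "PUT", Item("inv-7", "ops")))       # False: grant is read-only
```

With this split the users service stays the source of truth for memberships and the new service only needs the token, at the cost that a revoked membership lives on until the token expires; short token lifetimes or a revocation check are the usual answer to that.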
I have successfully added a User to a Group using the WSO2 SCIM apis. Now I have to remove the User from the Group and I was not able to find any apis that support this. Can it be done and if so what is the best way?
You should be able to GET the group and update (PUT) it with that specific user removed.
When you GET the role, it should have all members. Then remove the user you want to remove, and send a PUT request to that group.
Please refer to the Delete User section of the SCIM APIs documentation.
Similarly, you can manage groups by performing CRUD operations on the Group resource endpoint.
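An added example (not from either answer above, and not WSO2's client code) of the GET-then-PUT sequence the first answer describes: fetch the Group resource, drop the member, and PUT the result back to the same URL. It assumes the SCIM 2.0 Group shape from RFC 7643 (members carry the user id in "value"), the WSO2 IS scim2/Groups path, HTTP basic auth with admin credentials for the real transport, and that PUT replaces the whole member list. The transport is injectable, so the member-removal logic runs offline against a constructed group and a recording fake.

```python
"""Remove a user from a WSO2 IS group via SCIM: GET, edit members, PUT (added example)."""
import base64
import json
import urllib.request

GROUP_SCHEMA = "urn:ietf:params:scim:core:2.0:Group"


def drop_member(group: dict, user_id: str) -> dict:
    """Return a copy of the Group resource without the member whose value is user_id.

    Raises KeyError when the user is not a member, so a mistyped id does not
    silently PUT an unchanged group and report success.
    """
    members = group.get("members", [])
    kept = [m for m in members if m.get("value") != user_id]
    if len(kept) == len(members):
        raise KeyError(f"user {user_id} is not a member of {group.get('displayName')}")
    updated = dict(group)
    updated["members"] = kept
    updated.pop("meta", None)  # server-managed metadata is not sent back on PUT
    return updated


def remove_user_from_group(base_url: str, group_id: str, user_id: str, transport) -> dict:
    """GET the group, strip the member, PUT it back. transport(method, url, body) -> dict."""
    url = f"{base_url}/scim2/Groups/{group_id}"
    current = transport("GET", url, None)
    if GROUP_SCHEMA not in current.get("schemas", []):
        raise ValueError("unexpected resource schema")
    return transport("PUT", url, drop_member(current, user_id))


def http_transport(username: str, password: str):
    """Real transport: basic auth over verified TLS (assumed admin credentials)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()

    def send(method, url, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Authorization", f"Basic {token}")
        req.add_header("Content-Type", "application/scim+json")
        req.add_header("Accept", "application/scim+json")
        with urllib.request.urlopen(req) as resp:  # default context verifies the cert
            return json.loads(resp.read().decode())

    return send


# Constructed Group resource for offline use (not captured from a server).
SAMPLE_GROUP = {
    "schemas": [GROUP_SCHEMA],
    "id": "g-1234",
    "displayName": "operators",
    "members": [
        {"value": "u-alice", "display": "alice"},
        {"value": "u-bob", "display": "bob"},
    ],
    "meta": {"location": "https://idp.example:9443/scim2/Groups/g-1234"},
}


class FakeTransport:
    """Records calls and serves SAMPLE_GROUP; stands in for http_transport() offline."""

    def __init__(self):
        self.calls = []
        self.stored = dict(SAMPLE_GROUP)

    def __call__(self, method, url, body):
        self.calls.append((method, url))
        if method == "GET":
            return dict(self.stored)
        if method == "PUT":
            self.stored = {**self.stored, **body}
            return dict(self.stored)
        raise ValueError(method)


if __name__ == "__main__":
    fake = FakeTransport()
    result = remove_user_from_group("https://idp.example:9443", "g-1234", "u-bob", fake)
    print([m["value"] for m in result["members"]])  # ['u-alice']
```

Because PUT replaces the member list, a concurrent change to the same group between the GET and the PUT is overwritten; where the server supports it, sending the GET's ETag as If-Match turns that into a 412 instead of a silent loss.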
I'm working on upgrading from WSO2 Identity Server 4.1.0 to 4.5.0 and I've found that new users are now added to an Internal/identity group instead of the LDAP identity group that they were being added to formerly.
In particular I would like to add new users to the LDAP group (I've got a lot of things that expect and need accounts to be in that group). But it brings up another question: is there any way to define groups / roles that a new user automatically gets added to during sign-up?
Users who are signing up would be added into an Internal/identity role by default in 4.5.0. This internal role is created in the internal databases, basically the user management database which has been defined in the user-mgt.xml file (UM_HYBRID_ROLE table). This is because this role is created programmatically, therefore it is not good to create it in the actual user store. I guess WSO2 Identity Server has no way to configure this role name and configure where it must be retrieved. I saw this as some limitation.