Assign different role to a group member
I am looking for advice on a not so particular situation.
I currently have roughly 20000 stores. All stores have admins, managers and user roles.
- An admin can create/manage any roles
- A manager can create/manage only user role
- A user can login and access custom functionality.
Any persona can be assigned to 1 or multiple store and can have 1 or multiple roles for that particular store. Ie:
- StoreA has userA as Admin and userB as Manager
- StoreB has userA as User and userB as Admin
At first, I converted my stores to be groups. But since roles are binded to the group, I would have still have 3 roles for each group (20000 groups and 60000 roles - Group StoreA, Roles: StoreA_Admin, StoreA_Manager, StoreA_User, etc...). Not sure if it is the right decision, And I am not sure about the performance.
Then, I kept the stores as groups, but instead of creating roles, I created custom multivalued attributes that saves the group uid. That worked in carbon, as well as the API, but the console doesn't like the multivalued fields. And if another role is introduced, I would have to create another field.
Any thought on how to approach this situation ?
We can map your story to IS groups and roles as follows.
Please note that groups and roles are treated as two separate resources since IS-5.11.0.
Refer to:
- https://is.docs.wso2.com/en/5.11.0/setup/migrating-what-has-changed/#group-and-role-separation
- https://medium.com/p/93d42fe2f135
That separation is not clearly visible in the management console. So you can use the console application to create groups and roles.
- Group used to represent a collection of users in the user store. One user can belong to zero or more groups.
- Role is a collection of permissions. A role can have zero or more permissions.
- We can assign a role either to a group/ a user.
Due to this statement:
A user can log in and access custom functionality.
We don't need to assign any role to normal business users specifically.No specific role is required to login into the business application via identity server basic authentication. In case your business application has a role-based access control need to assign a role to business users as well. Otherwise, every user will get login permissions upon successful authentication, it should be enough to do business operations in the application.
In your case, if any store's admin has the same set of permissions and any manager has the same set of permissions, you can't just evaluate the permissions and authorize the requests. For eg: If user B is the manager of store A and admin of store B, he has inherited both admin and manager roles related permissions. But user B performs a request on store B, you have to authorize the request based on only the roles related to store B.
- Adding HTTP security headers to WSO2 APIM (4.1.0) via deployment.toml config
- Compatibility Issue: WSO2 MI 4.1 with MongoDB Connector v2.0.0 and MongoDB 6.x Driver
- How to Access Fields in application/vnd.oracle.adf.resourceitem+json Response in WSO2 Integration Studio?
- WSO2 Multiple Gateway deployment production/sandbox endpoints
- Is there a way to run three instances of WSO2 AM in one localhost?
- CORS Configuration not working in WSO2 API Manager for Oauth2/token API
- WSO2 - Identity server 6.1.0 - Force user to change his password on first login
- OSGI Bundling issue while upgrading WSO2 APIM 3.2 to 4.3
- WSO2 API Manager 4.2 with AWS ALB : Problems with mTLS Authentication Setup
- WSO2 API Manager (wso2am-4.3.0) - Error When Invoking APIs After Disabling OpenAPI Validations
- WSO2 Kafka Consume messages from topic issue
- WSO2 API Manager (wso2am-4.3.0) - How to Disable OpenAPI Validation When Importing Swaggers?
- "keytool error: java.io.IOException: Invalid keystore format"
- wso2 api manager elk based analytics
- How to enable TLS 1.1 in wso2 APIM 4.2
- WSO2 API Manager (wso2am-2.1.0) - How to implement passwordless authentication using WSO2 APIM and Microsoft Authenticator App?
- WSO2 API Manager (wso2am-2.1.0) - BufferOverflowException
- Issue with WSO2 API-Manager 4.3.0: ERR_CONNECTION_RESET at localhost:9443
- Adding advanced UI customizations to WSO2 API-M UIs didn't went well
- WSO2 website access to front site denied and possibility wrong packages or versions
- WSO2 API Manager Integration with Prometheus and Grafana
- Can't Loop over JSON Array from JSON Property in WSO2 ESB
- How to increase CARBON_LOGFILE when building docker image from base image?
- UserNotFound Error for Existing Role in WSO2 IS 7.0.0 XACML Policy
- How to get username of API caller in wso2 apim in Basic Authorization?
- WSO2 calls not showing on fiddler
- What exactly is the difference between "WSO2 API Manager" and "WSO2 Data Analytics Server" and "WSO2 Application Server"?
- How to pass a value from inSequence to outSequence in WSO2 ESB?
- Import Backend services description into WSO2 APIM
- Is there a way to add username in API Log in WSO2 APIM?