
Managing Permissions with APIs

The following section describes the RemoteAuthorizationManager API and the operations that come with it.

About permissions

  • A permission is an authorization to perform a specific action on a resource. For instance, a user role can have permission (authorization) to add and delete (actions) service providers (resource).
  • The following set of actions can be performed on a resource.
    • get
    • add
    • delete
    • edit
    • login
    • man_config
    • man_lc_config
    • man_sec
    • up_serv
    • man_serv
    • man_media
    • mon_sys
    • del_id
    • authorize
    • inv_ser
    • ui_execute
    • subscribe
    • publish
    • consume
    • change_permission
    • browse
    • sqs_send_message
    • sqs_receive_message
    • sqs_delete_message
    • sqs_change_message_visibility
    • sqs_get_queue_attributes
  • Permissions can be assigned to user roles.

The following operations are available in this API.

API operations

authorizeRole

Description This operation authorizes the given role to perform the specified action on the given resource.
Input Parameters
  • roleName: This is the name of the role, e.g., role1.
  • resourceId: This is the resource path, e.g., /permission/admin/login.
  • action: This is the name of the action to be performed on the resource, e.g., ui.execute.
Request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ser="http://service.ws.um.carbon.wso2.org">
<soapenv:Header/>
<soapenv:Body>
<ser:authorizeRole>
 <!--Optional:-->
 <ser:roleName>role1</ser:roleName>
 <!--Optional:-->
 <ser:resourceId>/permission/admin/login</ser:resourceId>
 <!--Optional:-->
 <ser:action>ui.execute</ser:action>
</ser:authorizeRole>
</soapenv:Body>
</soapenv:Envelope>
Response No response on success
Error Codes
  • Invalid data provided
  • Error in connection rollback
  • Error! DB error occurred while checking is existing system role for : roleName & tenant id : tenantId
  • Error! Error occurred while getting UI permission ID for resource id : resourceId & action : action
  • Error! Error occurred while adding UI permission ID for resource id : resourceId & action : action
  • Error! Using sql : sqlStmt
  • Error! Error while authorizing role: roleName in permission tree for resource id: resourceId for action: action
  • Error! Error while denying role: roleName in permission tree for resource id: resourceId for action: action

clearAllRoleAuthorization

Description This operation clears all authorizations of the role.
Input Parameters
  • roleName: This is the name of the role, e.g., role1.
Request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ser="http://service.ws.um.carbon.wso2.org">
 <soapenv:Header/>
 <soapenv:Body>
  <ser:clearAllRoleAuthorization>
   <!--Optional:-->
   <ser:roleName>role1</ser:roleName>
  </ser:clearAllRoleAuthorization>
 </soapenv:Body>
</soapenv:Envelope>
Response No response on success
Error Codes
  • Error occurred while clearing role authorizations for role : roleName

clearResourceAuthorizations

Description This operation clears all the authorizations for the given resource.
Input Parameters
  • resourceId: This is the resource path, e.g., /permission/admin/login.
Request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ser="http://service.ws.um.carbon.wso2.org">
<soapenv:Header/>
<soapenv:Body>
<ser:clearResourceAuthorizations>
 <!--Optional:-->
 <ser:resourceId>/permission/admin/login</ser:resourceId>
</ser:clearResourceAuthorizations>
</soapenv:Body>
</soapenv:Envelope>
Response No response on success
Error Codes
  • Error occurred while clearing resource authorizations for resource id : resourceId

clearRoleActionOnAllResources

Description This operation removes the authorization from the role to perform the specified action on all the resources.
Input Parameters
  • action: This is the name of the action to be performed on the resource, e.g., ui.execute.
Request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ser="http://service.ws.um.carbon.wso2.org">
<soapenv:Header/>
<soapenv:Body>
<ser:clearRoleActionOnAllResources>
 <!--Optional:-->
 <ser:action>ui.execute</ser:action>
</ser:clearRoleActionOnAllResources>
</soapenv:Body>
</soapenv:Envelope>
Response No response on success
Error Codes
  • Error occurred while clearing role action on all resources for role : roleName & action : action

clearRoleAuthorization

Description This operation clears the authorization of the specified role to perform the given action on the resource.
Input Parameters
  • roleName: This is the name of the role, e.g., role1.
  • resourceId: This is the resource path, e.g., /permission/admin/login.
  • action: This is the name of the action to be performed on the resource, e.g., ui.execute.
Request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ser="http://service.ws.um.carbon.wso2.org">
<soapenv:Header/>
<soapenv:Body>
<ser:clearRoleAuthorization>
 <!--Optional:-->
 <ser:roleName>role1</ser:roleName>
 <!--Optional:-->
 <ser:resourceId>/permission/admin/login</ser:resourceId>
 <!--Optional:-->
 <ser:action>ui.execute</ser:action>
</ser:clearRoleAuthorization>
</soapenv:Body>
</soapenv:Envelope>
Response No response on success
Error Codes
  • Error occurred while clearing role authorizations for role : roleName + & resource id : resourceId & action : action

denyRole

Description This operation removes the authorization of the role to perform the given action on the specified resource.
Input Parameters
  • roleName: This is the name of the role, e.g., role1.
  • resourceId: This is the resource path, e.g., /permission/admin/login.
  • action: This is the name of the action to be performed on the resource, e.g., ui.execute.
Request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ser="http://service.ws.um.carbon.wso2.org">
<soapenv:Header/>
<soapenv:Body>
<ser:denyRole>
 <!--Optional:-->
 <ser:roleName>role1</ser:roleName>
 <!--Optional:-->
 <ser:resourceId>/permission/admin/login</ser:resourceId>
 <!--Optional:-->
 <ser:action>ui.execute</ser:action>
</ser:denyRole>
</soapenv:Body>
</soapenv:Envelope>
Response No response on success
Error Codes
  • Invalid data provided

getAllowedRolesForResource

Description This operation retrieves the list of authorized roles to perform the given action on the specified resource.
Input Parameters
  • resourceId: This is the resource path, e.g., /permission/admin/login.
  • action: This is the name of the action to be performed on the resource, e.g., ui.execute.
Request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ser="http://service.ws.um.carbon.wso2.org">
<soapenv:Header/>
<soapenv:Body>
<ser:getAllowedRolesForResource>
 <!--Optional:-->
 <ser:resourceId>/permission/admin/login</ser:resourceId>
 <!--Optional:-->
 <ser:action>ui.execute</ser:action>
</ser:getAllowedRolesForResource>
</soapenv:Body>
</soapenv:Envelope>
Response
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns:getAllowedRolesForResourceResponse xmlns:ns="http://service.ws.um.carbon.wso2.org"
xmlns:ax2599="http://core.user.carbon.wso2.org/xsd"
xmlns:ax2600="http://api.user.carbon.wso2.org/xsd">
 <ns:return>admin</ns:return>
 <ns:return>myrole</ns:return>
</ns:getAllowedRolesForResourceResponse>
</soapenv:Body>
</soapenv:Envelope>
Error Codes
  • Error loading authorizations. Please check the database. Error message is + errorMessage
  • Error! Error while authorizing role: roleName in permission tree for resource id: resourceId for action: action
  • Error! Error while denying role: roleName in permission tree for resource id: resourceId for action: action

getAllowedUIResourcesForUser

Description This operation retrieves the list of UI resources in the specified root path for which the user has authorization.
Input Parameters
  • userName: This is the username of the specific user, e.g., admin.
  • permissionRootPath: This is the permission root path.
Request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ser="http://service.ws.um.carbon.wso2.org">
<soapenv:Header/>
<soapenv:Body>
<ser:getAllowedUIResourcesForUser>
 <!--Optional:-->
 <ser:userName>admin</ser:userName>
 <!--Optional:-->
 <ser:permissionRootPath>/</ser:permissionRootPath>
</ser:getAllowedUIResourcesForUser>
</soapenv:Body>
</soapenv:Envelope>
Response
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns:getAllowedUIResourcesForUserResponse xmlns:ns="http://service.ws.um.carbon.wso2.org"
xmlns:ax2599="http://core.user.carbon.wso2.org/xsd"
xmlns:ax2600="http://api.user.carbon.wso2.org/xsd">
 <ns:return>/permission</ns:return>
 <ns:return>/permission/admin/configure/</ns:return>
 <ns:return>/permission/admin/login/</ns:return>
 <ns:return>/permission/admin/manage/</ns:return>
 <ns:return>/permission/admin/monitor/</ns:return>
 <ns:return>/permission/protected/</ns:return>
 <ns:return>/permission/testlogin/</ns:return>
</ns:getAllowedUIResourcesForUserResponse>
</soapenv:Body>
</soapenv:Envelope>
Error Codes
  • Invalid Permission root path provided
  • Error loading authorizations. Please check the database. Error message is message

getAllowedUIResourcesForRole

Description This operation retrieves the list of UI resources in the specified root path for a given role.
Input Parameters
  • roleName: The name of the specific role, e.g., admin.
  • permissionRootPath: The permission root path.
Request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.ws.um.carbon.wso2.org">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getAllowedUIResourcesForRole>
         <ser:roleName>admin</ser:roleName>
         <ser:permissionRootPath>/</ser:permissionRootPath>
      </ser:getAllowedUIResourcesForRole>
   </soapenv:Body>
</soapenv:Envelope>
Response
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <ns:getAllowedUIResourcesForRoleResponse xmlns:ns="http://service.ws.um.carbon.wso2.org" xmlns:ax2716="http://core.user.carbon.wso2.org/xsd" xmlns:ax2717="http://api.user.carbon.wso2.org/xsd">
         <ns:return>/permission</ns:return>
         <ns:return>/permission/admin/configure/security/usermgt</ns:return>
         <ns:return>/permission/admin/login</ns:return>
         <ns:return>/permission/admin/manage/identity/applicationmgt</ns:return>
      </ns:getAllowedUIResourcesForRoleResponse>
   </soapenv:Body>
</soapenv:Envelope>

isRoleAuthorized

Description This operation checks whether the given role is authorized to perform the action on the specified resource.
Input Parameters
  • roleName: This is the name of the role, e.g., role1.
  • resourceId: This is the resource path, e.g., /permission/admin/login.
  • action: This is the name of the action to be performed on the resource, e.g., ui.execute.
Request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ser="http://service.ws.um.carbon.wso2.org">
<soapenv:Header/>
<soapenv:Body>
<ser:isRoleAuthorized>
 <!--Optional:-->
 <ser:roleName>role1</ser:roleName>
 <!--Optional:-->
 <ser:resourceId>/permission/admin/login</ser:resourceId>
 <!--Optional:-->
 <ser:action>ui.execute</ser:action>
</ser:isRoleAuthorized>
</soapenv:Body>
</soapenv:Envelope>
Response
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns:isRoleAuthorized xmlns:ns="http://service.ws.um.carbon.wso2.org">
 <ns:return>false</ns:return>
</ns:isRoleAuthorized>
</soapenv:Body>
</soapenv:Envelope>
Error Codes
  • Error loading authorizations. Please check the database. Error message is + errorMessage