Managing Permissions with APIs
The following section describes the RemoteAuthorizationManager API and the operations that come with it.
About permissions
A permission is an authorization to perform a specific action on a resource. For instance, a user role can have permission (authorization) to add and delete (actions) service providers (resource).
The following set of actions can be performed on a resource.
get
add
delete
edit
login
man_config
man_lc_config
man_sec
up_serv
man_serv
man_media
mon_sys
del_id
authorize
inv_ser
ui_execute
subscribe
publish
consume
change_permission
browse
sqs_send_message
sqs_receive_message
sqs_delete_message
sqs_change_message_visibility
sqs_get_queue_attributes
Permissions can be assigned to user roles.
The following operations are available in this API.
API operations
authorizeRole
Description
This operation authorizes the given role to perform the specified action on the given resource.
Input Parameters
roleName: This is the name of the role, e.g., role1.
resourceId: This is the resource path, e.g., /permission/admin/login.
action: This is the name of the action to be performed on the resource, e.g., ui.execute.
Request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ser="http://service.ws.um.carbon.wso2.org">
<soapenv:Header/>
<soapenv:Body>
<ser:authorizeRole>
<!--Optional:-->
<ser:roleName>role1</ser:roleName>
<!--Optional:-->
<ser:resourceId>/permission/admin/login</ser:resourceId>
<!--Optional:-->
<ser:action>ui.execute</ser:action>
</ser:authorizeRole>
</soapenv:Body>
</soapenv:Envelope>
Response
No response on success
Error Codes
Invalid data provided
Error in connection rollback
Error! DB error occurred while checking is existing system role for : roleName & tenant id : tenantId
Error! Error occurred while getting UI permission ID for resource id : resourceId & action : action
Error! Error occurred while adding UI permission ID for resource id : resourceId & action : action
Error! Using sql : sqlStmt
Error! Error while authorizing role: roleName in permission tree for resource id: resourceId for action: action
Error! Error while denying role: roleName in permission tree for resource id: resourceId for action: action
clearAllRoleAuthorization
Description
This operation clears all authorizations of the role.
Input Parameters
roleName: This is the name of the role, e.g., role1.
Request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ser="http://service.ws.um.carbon.wso2.org">
<soapenv:Header/>
<soapenv:Body>
<ser:clearAllRoleAuthorization>
<!--Optional:-->
<ser:roleName>role1</ser:roleName>
</ser:clearAllRoleAuthorization>
</soapenv:Body>
</soapenv:Envelope>
Response
No response on success
Error Codes
Error occurred while clearing role authorizations for role : roleName
clearResourceAuthorizations
Description
This operation clears all the authorizations for the given resource.
Input Parameters
resourceId: This is the resource path, e.g., /permission/admin/login.
Request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ser="http://service.ws.um.carbon.wso2.org">
<soapenv:Header/>
<soapenv:Body>
<ser:clearResourceAuthorizations>
<!--Optional:-->
<ser:resourceId>/permission/admin/login</ser:resourceId>
</ser:clearResourceAuthorizations>
</soapenv:Body>
</soapenv:Envelope>
Response
No response on success
Error Codes
Error occurred while clearing resource authorizations for resource id : resourceId
clearRoleActionOnAllResources
Description
This operation removes the authorization from the role to perform the specified action on all the resources.
Input Parameters
action: This is the name of the action to be performed on the resource, e.g., ui.execute.
Request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ser="http://service.ws.um.carbon.wso2.org">
<soapenv:Header/>
<soapenv:Body>
<ser:clearRoleActionOnAllResources>
<!--Optional:-->
<ser:action>ui.execute</ser:action>
</ser:clearRoleActionOnAllResources>
</soapenv:Body>
</soapenv:Envelope>
Response
No response on success
Error Codes
Error occurred while clearing role action on all resources for role : roleName & action : action
clearRoleAuthorization
Description
This operation clears the authorization of the specified role to perform the given action on the resource.
Input Parameters
roleName: This is the name of the role, e.g., role1.
resourceId: This is the resource path, e.g., /permission/admin/login.
action: This is the name of the action to be performed on the resource, e.g., ui.execute.
Request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ser="http://service.ws.um.carbon.wso2.org">
<soapenv:Header/>
<soapenv:Body>
<ser:clearRoleAuthorization>
<!--Optional:-->
<ser:roleName>role1</ser:roleName>
<!--Optional:-->
<ser:resourceId>/permission/admin/login</ser:resourceId>
<!--Optional:-->
<ser:action>ui.execute</ser:action>
</ser:clearRoleAuthorization>
</soapenv:Body>
</soapenv:Envelope>
Response
No response on success
Error Codes
Error occurred while clearing role authorizations for role : roleName & resource id : resourceId & action : action
denyRole
Description
This operation removes the authorization of the role to perform the given action on the specified resource.
Input Parameters
roleName: This is the name of the role, e.g., role1.
resourceId: This is the resource path, e.g., /permission/admin/login.
action: This is the name of the action to be performed on the resource, e.g., ui.execute.
Request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ser="http://service.ws.um.carbon.wso2.org">
<soapenv:Header/>
<soapenv:Body>
<ser:denyRole>
<!--Optional:-->
<ser:roleName>role1</ser:roleName>
<!--Optional:-->
<ser:resourceId>/permission/admin/login</ser:resourceId>
<!--Optional:-->
<ser:action>ui.execute</ser:action>
</ser:denyRole>
</soapenv:Body>
</soapenv:Envelope>
Response
No response on success
Error Codes
getAllowedRolesForResource
Description
This operation retrieves the list of authorized roles to perform the given action on the specified resource.
Input Parameters
resourceId: This is the resource path, e.g., /permission/admin/login.
action: This is the name of the action to be performed on the resource, e.g., ui.execute.
Request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ser="http://service.ws.um.carbon.wso2.org">
<soapenv:Header/>
<soapenv:Body>
<ser:getAllowedRolesForResource>
<!--Optional:-->
<ser:resourceId>/permission/admin/login</ser:resourceId>
<!--Optional:-->
<ser:action>ui.execute</ser:action>
</ser:getAllowedRolesForResource>
</soapenv:Body>
</soapenv:Envelope>
Response
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns:getAllowedRolesForResourceResponse xmlns:ns="http://service.ws.um.carbon.wso2.org"
xmlns:ax2599="http://core.user.carbon.wso2.org/xsd"
xmlns:ax2600="http://api.user.carbon.wso2.org/xsd">
<ns:return>admin</ns:return>
<ns:return>myrole</ns:return>
</ns:getAllowedRolesForResourceResponse>
</soapenv:Body>
</soapenv:Envelope>
Error Codes
Error loading authorizations. Please check the database. Error message is + errorMessage
Error! Error while authorizing role: roleName in permission tree for resource id: resourceId for action: action
Error! Error while denying role: roleName in permission tree for resource id: resourceId for action: action
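Added example (not part of the original documentation or the product's own code): a small audit helper that builds the getAllowedRolesForResource request with proper XML escaping, parses the response shown above, and reports roles that differ from an expected baseline. The function names and the baseline are hypothetical; sending the request to the service is left out because the page does not give the endpoint.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SER_NS = "http://service.ws.um.carbon.wso2.org"
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("ser", SER_NS)

def build_request(resource_id, action):
    """Build the getAllowedRolesForResource envelope. Values are set as element
    text, so ElementTree escapes any markup characters they contain."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{SER_NS}}}getAllowedRolesForResource")
    ET.SubElement(op, f"{{{SER_NS}}}resourceId").text = resource_id
    ET.SubElement(op, f"{{{SER_NS}}}action").text = action
    return ET.tostring(env, encoding="unicode")

def parse_allowed_roles(response_xml):
    """Return the role names carried in the response's <ns:return> elements."""
    root = ET.fromstring(response_xml)
    resp = root.find(f"{{{SOAP_NS}}}Body/{{{SER_NS}}}getAllowedRolesForResourceResponse")
    if resp is None:
        raise ValueError("not a getAllowedRolesForResource response")
    return [r.text.strip() for r in resp.findall(f"{{{SER_NS}}}return") if r.text]

def audit(response_xml, expected_roles):
    """Diff the roles actually authorized against an expected baseline."""
    actual, expected = set(parse_allowed_roles(response_xml)), set(expected_roles)
    return {"unexpected": sorted(actual - expected),
            "missing": sorted(expected - actual)}

# Response copied from the sample on this page (unused namespace declarations omitted).
SAMPLE_RESPONSE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns:getAllowedRolesForResourceResponse xmlns:ns="http://service.ws.um.carbon.wso2.org">
<ns:return>admin</ns:return>
<ns:return>myrole</ns:return>
</ns:getAllowedRolesForResourceResponse>
</soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    print(build_request("/permission/admin/login", "ui.execute"))
    # Hypothetical baseline: only "admin" should hold this permission.
    print(audit(SAMPLE_RESPONSE, ["admin"]))
```

Running the audit on a schedule and alerting on a non-empty "unexpected" list surfaces permission grants made outside the normal change process.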
getAllowedUIResourcesForUser
Description
This operation retrieves the list of UI resources in the specified root path for which the user has authorization.
Input Parameters
userName: This is the username of the specific user, e.g., admin.
permissionRootPath: This is the permission root path.
Request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ser="http://service.ws.um.carbon.wso2.org">
<soapenv:Header/>
<soapenv:Body>
<ser:getAllowedUIResourcesForUser>
<!--Optional:-->
<ser:userName>admin</ser:userName>
<!--Optional:-->
<ser:permissionRootPath>/</ser:permissionRootPath>
</ser:getAllowedUIResourcesForUser>
</soapenv:Body>
</soapenv:Envelope>
Response
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns:getAllowedUIResourcesForUserResponse xmlns:ns="http://service.ws.um.carbon.wso2.org"
xmlns:ax2599="http://core.user.carbon.wso2.org/xsd"
xmlns:ax2600="http://api.user.carbon.wso2.org/xsd">
<ns:return>/permission</ns:return>
<ns:return>/permission/admin/configure/</ns:return>
<ns:return>/permission/admin/login/</ns:return>
<ns:return>/permission/admin/manage/</ns:return>
<ns:return>/permission/admin/monitor/</ns:return>
<ns:return>/permission/protected/</ns:return>
<ns:return>/permission/testlogin/</ns:return>
</ns:getAllowedUIResourcesForUserResponse>
</soapenv:Body>
</soapenv:Envelope>
Error Codes
Invalid Permission root path provided
Error loading authorizations. Please check the database. Error message is message
getAllowedUIResourcesForRole
Description
This function retrieves the list of UI resources in the specified root path for a given role.
Input Parameters
roleName: The name of the specific role, e.g., admin.
permissionRootPath: The permission root path.
Request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.ws.um.carbon.wso2.org">
<soapenv:Header/>
<soapenv:Body>
<ser:getAllowedUIResourcesForRole>
<ser:roleName>admin</ser:roleName>
<ser:permissionRootPath>/</ser:permissionRootPath>
</ser:getAllowedUIResourcesForRole>
</soapenv:Body>
</soapenv:Envelope>
Response
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns:getAllowedUIResourcesForRoleResponse xmlns:ns="http://service.ws.um.carbon.wso2.org" xmlns:ax2716="http://core.user.carbon.wso2.org/xsd" xmlns:ax2717="http://api.user.carbon.wso2.org/xsd">
<ns:return>/permission</ns:return>
<ns:return>/permission/admin/configure/security/usermgt</ns:return>
<ns:return>/permission/admin/login</ns:return>
<ns:return>/permission/admin/manage/identity/applicationmgt</ns:return>
</ns:getAllowedUIResourcesForRoleResponse>
</soapenv:Body>
</soapenv:Envelope>
isRoleAuthorized
Description
This operation checks whether the given role is authorized to perform the action on the specified resource.
Input Parameters
roleName: This is the name of the role, e.g., role1.
resourceId: This is the resource path, e.g., /permission/admin/login.
action: This is the name of the action to be performed on the resource, e.g., ui.execute.
Request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ser="http://service.ws.um.carbon.wso2.org">
<soapenv:Header/>
<soapenv:Body>
<ser:isRoleAuthorized>
<!--Optional:-->
<ser:roleName>role1</ser:roleName>
<!--Optional:-->
<ser:resourceId>/permission/admin/login</ser:resourceId>
<!--Optional:-->
<ser:action>ui.execute</ser:action>
</ser:isRoleAuthorized>
</soapenv:Body>
</soapenv:Envelope>
Response
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns:isRoleAuthorized xmlns:ns="http://service.ws.um.carbon.wso2.org">
<ns:return>false</ns:return>
</ns:isRoleAuthorized>
</soapenv:Body>
</soapenv:Envelope>
Error Codes
Error loading authorizations. Please check the database. Error message is + errorMessage