Configure the Authorization Manager¶
This documentation explains how to set up a repository for storing authorization information (role-based permissions) and how to change the relevant configurations.
According to the default configuration in WSO2 products, the users,
roles and permissions are stored in the same repository (i.e., the
default embedded H2 database). However, you can change this
configuration in such a way that the users and roles are stored in one
repository (userstore) and the permissions are stored in a separate
repository. A userstore can be a typical RDBMS, an LDAP or an external
Active Directory. See the related topics for
information on how userstores are configured.
The repository that stores permissions should always be an RDBMS. The
Authorization Manager configuration in the deployment.toml file stored in
the <IS_HOME>/repository/conf/ directory connects the system to this RDBMS.
Follow the instructions given below to set up and configure the Authorization Manager.
Step 1: Set up the repository¶
By default, the embedded H2 database is used for storing permissions.
Refer the related topics for detailed information on setting up databases and configuring datasources.
Step 2: Update the user realm configurations¶
Once you have set up a new RDBMS and configured the datasource, the
deployment.toml file (user realm configuration) should
be updated as explained below.
Set up the database connection¶
Update the datasource information using the
data_source element under
realm_manager . Given below are the properties
that are set by default.
Property Name |
Description |
Mandatory/Optional |
|---|---|---|
[realm_manager] |
This is the jndi name of the datasource that is used for referring to the datasource. In the following example, the jndi name of the default datasource defined in the |
Mandatory |
|
This property is set to 'true' by default, which enables cascade delete for the UM_USER_PERMISSION and UM_ROLE_PERMISSION tables when a permission gets deleted from the UM_PERMISSION table. That is, if a record in the parent table is deleted, the corresponding records in the child table will be automatically deleted. | Mandatory |
You can add more optional configurations using the
<Property> element:
Property Name |
Description |
Mandatory/Optional |
|---|---|---|
testOnBorrow |
It is recommended to set this property to 'true' so that object connections will be validated before being borrowed from the JDBC pool. For this property to be effective, the |
Optional |
Configure the authorization manager¶
To enable the authorization manager, configure the following properties in the <IS_HOME>/repository/conf/deployment.toml file.
[authorization_manager]
class = "org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager"
[authorization_manager.properties]
AdminRoleManagementPermissions = "permission"
AuthorizationCacheEnabled = true
GetAllRolesOfUserEnabled = true- The
org.wso2.carbon.user.core.authorization.JDBCAuthorizationManagerclass enables the Authorization Manager. - The
AdminRoleManagementPermissionsproperty sets the registry path where the authorization information (role-based permissions) are stored. Note that this links to the repository that you defined in Step 1. -
It is recommended to enable the
GetAllRolesOfUserEnabledproperty inAuthorizationManageras follows:[authorization_manager] GetAllRolesOfUserEnabled = trueAlthough using the userstore manager does not depend on this property, you must consider enabling this if there are any performance issues in your production environment. Enabling this property affects the performance when the user logs in. This depends on the users, roles, and permission stats.
-
By default, the rules linked to a permission (role name, action, resource) are not case sensitive. If you want to make them case sensitive, enable the following property.
[user_store] case_sensitive_authorization_rules = true