Identity Server Documentation
Fine grained access control
6.1.0
Configure access control for a service provider