
API authorization for organizations

WSO2 Identity Server lets an organization authorize user access to an application's API resources based on the API permissions carried by the roles assigned to its users and groups. See API authorization for more information.

API resources are registered and authorized for applications in the organization (root). When an application that consumes those API resources is shared with an organization, the organization inherits all application-level configuration of the API resources; organizations do not define API resources of their own.

(Figure: The relationship between terms)

Prerequisites

You need to configure your API resources in the organization (root):

  1. Register an API resource
  2. Authorize the API resource to an app
  3. Create roles and associate them with the application

An organization receives the roles associated with each application that is shared with it. These shared roles inherit their permission assignments from the organization (root).

Roles of an organization

The shared roles in an organization inherit the permission-to-role assignments made in the organization (root). Users and groups, however, must be assigned to these roles separately in each organization, because an organization does not inherit users or groups from the organization (root). Permissions therefore flow down from the root, while the decision of which principals hold them stays with the organization.

(Figure: Roles inherited from the organization (root))

Organization administrators cannot create new roles, rename shared roles, change their permissions, or delete them; what they can do is assign the shared roles to the organization's users and groups. An organization administrator therefore cannot widen a role beyond what the organization (root) defined.

Assign organization users to roles

To assign roles to users of the organization:

  1. On the WSO2 Identity Server Console, switch to the organization.
  2. Go to User Management > Roles.
  3. Select the role you wish to assign to a user and click Edit.
  4. Go to Users and click Assign Users.
  5. Select the user who should be assigned to the selected role.
  6. Click Update to complete the role to user assignment.

Assign organization groups to roles

Organizations maintain the following types of groups, and application roles can be assigned to either type.

  • Groups - A collection of organization users.
  • Federated IdP groups - Groups federated from connections configured in the organization, for example groups federated from a Google connection.

Assign user groups to roles

To assign roles to user groups of the organization:

  1. On the WSO2 Identity Server Console, switch to the organization.
  2. Go to User Management > Roles.
  3. Select the role you wish to assign to a group and click Edit.
  4. Go to Groups and click Assign Groups.
  5. Select the group which should be assigned to the selected role.
  6. Click Update to complete the role to group assignment.

Assign federated IdP groups to roles

To assign roles to federated IdP groups:

  1. On the WSO2 Identity Server Console, switch to the organization.
  2. Go to User Management > Roles.
  3. Select the role you wish to assign to a group and click Edit.
  4. Go to Groups and select the federated IdP whose groups you want to assign.
  5. Select the group which should be assigned to the selected role.
  6. Click Update to complete the role to group assignment.

Try it out

Follow the steps given below to try out the RBAC flow:

Note

This scenario uses the Guardio insurance B2B sample application provided with WSO2 Identity Server.

To request the API scopes for the user:

  1. Add the new scopes to the APIScope parameter in the config.js file of the sample application. These API scopes are requested in addition to the OIDC scopes your application already requests. To find the scopes:

     a. On the WSO2 Identity Server Console, log in to the organization (root).
     b. Go to Applications and select your application.
     c. Copy the scopes listed at the end of the API Authorization section.

     (Figure: Additional scopes to access the API resource)

     Tip

     When you add scopes to the configuration file, add them as comma-separated values.

  2. Access the application URL.

  3. Log in as a user who belongs to a group (or holds a role) with permission to access the API resource.

     If Skip login consent is disabled in your application's settings, the consent page shown after successful login lists the permissions (scopes) granted to the user. Click Allow to be redirected to the application.

  4. The granted permissions appear in the allowedScopes parameter of the authentication response. A scope that the application requested but that the user's roles do not grant is simply omitted. Use allowedScopes to decide what the application shows; the API resource must still enforce the scopes carried in the access token.

If you are switching organizations

If the user switches to another organization, the scopes are recomputed from the roles assigned to the user in that organization. Scopes granted in the previous organization do not carry over, so the application should discard any cached scope list and rely on the new authentication response.
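As an added example (not code from the Guardio sample application or from WSO2 Identity Server), the following JavaScript shows how a client can build its requested scope list from a comma-separated APIScope setting, gate features on the allowedScopes it actually received, and replace rather than merge that set after an organization switch. The config object, the scope names (policies:read and so on), the organization names and the two authentication responses are constructed for illustration; the real sample's config.js keys and response shape may differ.

```javascript
// Added example, not part of the WSO2 sample application or product code.
// Demonstrates client-side handling of requested vs. granted scopes and of
// an organization switch. Config keys, scope names and responses are
// constructed for illustration.

// Constructed configuration in the spirit of the sample's config.js (assumed keys).
// OIDCScopes: what the app always requests; APIScope: the comma-separated API
// scopes copied from the application's API Authorization section.
const config = {
  OIDCScopes: ["openid", "profile", "email"],
  APIScope: "policies:read, policies:write,claims:read, policies:read",
};

// Turn a comma-separated scope value into a trimmed, de-duplicated list.
function parseApiScopes(apiScope) {
  const seen = new Set();
  const out = [];
  for (const raw of String(apiScope || "").split(",")) {
    const scope = raw.trim();
    if (scope && !seen.has(scope)) {
      seen.add(scope);
      out.push(scope);
    }
  }
  return out;
}

// The full list to send in the authorization request: OIDC scopes first,
// then the API scopes, with duplicates removed and order preserved.
function requestedScopes(cfg) {
  return parseApiScopes([...cfg.OIDCScopes, ...parseApiScopes(cfg.APIScope)].join(","));
}

// allowedScopes may arrive as an array or as a space-delimited string;
// normalise to a Set so that membership checks are exact matches.
function toScopeSet(allowedScopes) {
  if (Array.isArray(allowedScopes)) return new Set(allowedScopes.map(String));
  return new Set(String(allowedScopes || "").split(/\s+/).filter(Boolean));
}

// Exact, case-sensitive membership test. Never use prefix or substring
// matching: "claims:read" must not satisfy a check for "claims:readall".
function hasScope(authResponse, required) {
  return toScopeSet(authResponse.allowedScopes).has(required);
}

// Requested-but-not-granted scopes. Use these to hide or disable UI features;
// the API resource itself must still enforce scopes on the access token.
function missingScopes(cfg, authResponse) {
  const granted = toScopeSet(authResponse.allowedScopes);
  return requestedScopes(cfg).filter((s) => !granted.has(s));
}

// Apply a new authentication response to a session. The granted set is
// REPLACED, not merged: after an organization switch the user's roles, and
// therefore scopes, are those of the target organization only.
function applyAuthResponse(session, authResponse) {
  return {
    ...session,
    organization: authResponse.organization,
    allowedScopes: [...toScopeSet(authResponse.allowedScopes)],
  };
}

// Constructed responses for the same user before and after switching organization.
const responseRootOrg = {
  organization: "root",
  allowedScopes: "openid profile email policies:read policies:write claims:read",
};
const responseAfterSwitch = {
  organization: "acme-insurance",
  allowedScopes: ["openid", "profile", "email", "policies:read"],
};

// Walk through a login in the root organization followed by a switch.
function demo() {
  let session = applyAuthResponse({}, responseRootOrg);
  const before = hasScope(session, "policies:write"); // granted in root
  session = applyAuthResponse(session, responseAfterSwitch);
  const after = hasScope(session, "policies:write"); // gone after the switch
  return { before, after, missing: missingScopes(config, session) };
}
```

The replace-not-merge rule in applyAuthResponse is the point of the last paragraph above: a client that kept accumulating scopes across switches would show features in the new organization that the user's roles there never granted. The API resource would still refuse such calls, but the client would be presenting an inconsistent picture of the user's permissions.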