Manage Groups and Roles with WSO2 Identity Server 5.11.0 onwards

Anuradha Karunarathna
Identity Beyond Borders
4 min read · Sep 20, 2021

Cheatsheet for Groups and Roles SCIM requests

Groups and Role Separation

Prior to WSO2 Identity Server (IS) 5.11.0, both groups and roles were treated as roles in the server. They were managed either from the Roles section of the management console or through the SCIM 2.0 /Groups endpoint.

Even though groups and roles were handled together, the two terms have different meanings in computer security.

Group — A collection of users.

Role — A collection of rights/permissions. A role can be assigned to users directly or to groups; a role assigned to a group applies transitively to every user in that group. A user therefore holds the permissions of every role assigned to them, whether directly or through group membership.

The same meanings apply to the group/role separation introduced in WSO2 IS 5.11.0.

However, a group in WSO2 IS is a group of a particular user store, so it can contain only users from the user store it belongs to. Roles in the new model correspond to the hybrid (internal) roles of the earlier model.

Relationship with Users-Groups-Roles-Permissions

User-Group:

  • A user can belong to zero or more groups.
  • A group can have zero or more users.

Group-Role:

  • A group can have zero or more roles.
  • A role can be assigned to zero or more groups.

User-Role:

  • A user can have zero or more roles.
  • A role can be assigned to zero or more users.

Role-Permission:

  • A role can have zero or more permissions.
  • A permission can be assigned to zero or more roles.

Putting these together, the effective permissions of a user are the union of the permissions of every role assigned to the user directly and of every role assigned to any group the user belongs to. When auditing who can do what, it is not enough to look at a user's direct roles; the group path must be followed as well.
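To make the relationships above concrete, here is a small in-memory model of them, written for this article as an added example (it is not WSO2 code and does not talk to the server). It computes a user's effective permissions through both the direct user-role path and the group-role path, and it enforces the user-store scoping rule by refusing to put a user into a group from a different user store. The domain-qualified naming ("PRIMARY/alice", "SECONDARY/bob"), the sample users, groups, roles and permission strings are all constructed for the example.

```python
from collections import defaultdict


class AccessModel:
    """In-memory model of the IS 5.11 user/group/role/permission relationships.
    Assumption for the example: names are user-store qualified as "<STORE>/<name>";
    an unqualified name is treated as belonging to the PRIMARY store."""

    def __init__(self):
        self.group_members = defaultdict(set)  # group -> users in it
        self.user_roles = defaultdict(set)     # user  -> roles assigned directly
        self.group_roles = defaultdict(set)    # group -> roles assigned to the group
        self.role_perms = defaultdict(set)     # role  -> permissions it carries

    @staticmethod
    def domain(name):
        return name.split("/", 1)[0] if "/" in name else "PRIMARY"

    def add_user_to_group(self, user, group):
        # A group belongs to one user store and may only hold users of that store.
        if self.domain(user) != self.domain(group):
            raise ValueError(f"{user} is not in the user store of group {group}")
        self.group_members[group].add(user)

    def assign_role(self, role, *, user=None, group=None):
        # A role can be attached to users and/or to groups (many-to-many both ways).
        if user is not None:
            self.user_roles[user].add(role)
        if group is not None:
            self.group_roles[group].add(role)

    def grant(self, role, *permissions):
        self.role_perms[role].update(permissions)

    def roles_of(self, user):
        """Direct roles plus roles inherited from every group containing the user."""
        inherited = {r for g, members in self.group_members.items()
                     if user in members for r in self.group_roles[g]}
        return set(self.user_roles[user]) | inherited

    def effective_permissions(self, user):
        """Union of the permissions of all roles the user holds, directly or via groups."""
        return {p for r in self.roles_of(user) for p in self.role_perms[r]}


def demo():
    """Constructed sample data; returns the model so the results can be inspected."""
    m = AccessModel()
    m.grant("loginRole", "/permission/admin/login")
    m.grant("usermgtRole", "/permission/admin/manage/identity/usermgt")
    m.add_user_to_group("PRIMARY/alice", "PRIMARY/engineering")
    m.assign_role("loginRole", group="PRIMARY/engineering")   # alice gets this via the group
    m.assign_role("usermgtRole", user="PRIMARY/alice")         # and this directly
    m.assign_role("loginRole", user="PRIMARY/carol")           # carol: direct role only
    return m


if __name__ == "__main__":
    model = demo()
    print(sorted(model.effective_permissions("PRIMARY/alice")))
    print(sorted(model.effective_permissions("PRIMARY/carol")))
```

The point worth keeping from this: when you review a user's access in IS, list the groups they belong to and resolve those groups' roles too, because a role bound to a group never appears in the user's own role list.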

The implementation of this feature is tracked at https://github.com/wso2/product-is/issues/8123

Here I’ll gather the most important SCIM requests to manage Groups and Roles in WSO2 IS.

NOTE: Change the hostname, port, Authorization header value and the group/role/user IDs to match your setup.

1. SCIM requests to manage Groups

1.1 Create a group without members

1.2 Create a group with members

1.3 Assign a member to the group

1.4 Remove a member from the group

  • Specify the member who needs to be removed by user id
  • Specify the member who needs to be removed by username

1.5 List all groups

  • List all groups including all details of every group
  • List all the groups excluding members details

1.6 Retrieve only specific group by id

1.7 Search groups

  • Search groups whose name contains “eng”, returning only the display names of the matching groups.
  • Using GET request:
  • Using POST request:

1.8 Delete a group

2. SCIM requests to manage Roles

Since the Role resource is a custom resource of WSO2 IS, I’ll briefly describe its attribute characteristics here.

2.1 Create a role without users/groups/permissions

2.2 Create a role with users, groups and permissions

2.3 Assign a user to the role

2.4 Assign a group to the role

2.5 Remove a user from the role

  • Specify the user who needs to be removed by user id
  • Specify the user who needs to be removed by username

2.6 Remove a group from the role

  • Specify the group that needs to be removed by group id
  • Specify the group that needs to be removed by group’s name

2.7 Update permissions of the role

  • Adding or removing individual permissions is not allowed. Only the replace operation is supported for updating the permissions of a role, so send the complete new permission list every time.

2.8 List all roles

2.9 Retrieve only specific role by id

You can control which attributes are returned using the attributes or excludedAttributes query parameter.

2.10 Search roles

  • Using GET request
  • Using POST request

2.11 Delete a role
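The request bodies for sections 1 and 2 are collected in the Postman collection linked below. As an added example that is not from the article or from WSO2, the following Python module builds the same Group and Role requests programmatically, so they can be reviewed, diffed or scripted instead of pasted by hand. Every builder returns a (method, path, query, body) tuple and send() performs the call with the standard library only. Assumptions: the default https://localhost:9443/scim2 base URL and admin:admin credentials; the WSO2 custom Role schema URN urn:ietf:params:scim:schemas:extension:2.0:Role; the filter-path forms members[value eq "<id>"] / members[display eq "<name>"] (and users[...]/groups[...] on roles) for removals; and the permissions patch shape. The ids in the usage lines are placeholders. Verify these against the Role resource description in the IS documentation for your version before relying on them.

```python
"""Builders for the WSO2 IS 5.11 SCIM2 Group and Role requests (added example)."""
import base64
import json
import urllib.parse
import urllib.request

BASE_URL = "https://localhost:9443/scim2"                     # assumption: default host/port
AUTH = "Basic " + base64.b64encode(b"admin:admin").decode()   # assumption: default admin creds

GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
ROLE_SCHEMA = "urn:ietf:params:scim:schemas:extension:2.0:Role"   # WSO2 custom resource (assumed URN)
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SEARCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:SearchRequest"


def _refs(ids):
    """Multi-valued complex attribute: a list of {"value": id}."""
    return [{"value": i} for i in ids]


def _patch(path, ops):
    return "PATCH", path, None, {"schemas": [PATCH_SCHEMA], "Operations": ops}


def _entry_filter(attr, value=None, display=None):
    """Filter path selecting one entry of a multi-valued attribute: by id or by name."""
    if (value is None) == (display is None):
        raise ValueError("give exactly one of value (id) or display (name)")
    key, val = ("value", value) if value is not None else ("display", display)
    return f'{attr}[{key} eq "{val}"]'


# --- 1. Groups ---------------------------------------------------------------
def create_group(name, member_ids=()):                                # 1.1 / 1.2
    body = {"schemas": [GROUP_SCHEMA], "displayName": name}
    if member_ids:
        body["members"] = _refs(member_ids)
    return "POST", "/Groups", None, body

def add_group_member(group_id, user_id):                              # 1.3
    return _patch(f"/Groups/{group_id}", [{"op": "add", "value": {"members": _refs([user_id])}}])

def remove_group_member(group_id, user_id=None, username=None):       # 1.4 (by id or by username)
    path = _entry_filter("members", user_id, username)
    return _patch(f"/Groups/{group_id}", [{"op": "remove", "path": path}])

def list_groups(without_members=False):                               # 1.5
    return "GET", "/Groups", ({"excludedAttributes": "members"} if without_members else None), None

def search_groups(name_contains, attributes=("displayName",), use_post=False):   # 1.7
    flt = f'displayName co "{name_contains}"'
    if use_post:   # POST /Groups/.search keeps the filter out of the URL and access logs
        return "POST", "/Groups/.search", None, {"schemas": [SEARCH_SCHEMA], "filter": flt,
                                                 "attributes": list(attributes)}
    return "GET", "/Groups", {"filter": flt, "attributes": ",".join(attributes)}, None

# --- 2. Roles ----------------------------------------------------------------
def create_role(name, user_ids=(), group_ids=(), permissions=()):     # 2.1 / 2.2
    body = {"schemas": [ROLE_SCHEMA], "displayName": name}
    if user_ids:
        body["users"] = _refs(user_ids)
    if group_ids:
        body["groups"] = _refs(group_ids)
    if permissions:
        body["permissions"] = list(permissions)
    return "POST", "/Roles", None, body

def add_to_role(role_id, attr, member_id):                            # 2.3 / 2.4, attr: "users" or "groups"
    return _patch(f"/Roles/{role_id}", [{"op": "add", "value": {attr: _refs([member_id])}}])

def remove_from_role(role_id, attr, member_id=None, display=None):    # 2.5 / 2.6 (by id or by name)
    return _patch(f"/Roles/{role_id}", [{"op": "remove", "path": _entry_filter(attr, member_id, display)}])

def set_role_permissions(role_id, permissions, op="replace"):         # 2.7: replace only
    if op != "replace":
        raise ValueError("permissions can only be replaced; add/remove are not supported")
    return _patch(f"/Roles/{role_id}",
                  [{"op": "replace", "path": "permissions", "value": list(permissions)}])

# --- shared: get / delete / send --------------------------------------------
def get_resource(kind, res_id, attributes=None, excluded=None):       # 1.6 / 2.9
    query = {k: v for k, v in (("attributes", attributes), ("excludedAttributes", excluded)) if v}
    return "GET", f"/{kind}/{res_id}", (query or None), None

def delete_resource(kind, res_id):                                    # 1.8 / 2.11
    return "DELETE", f"/{kind}/{res_id}", None, None

def send(req, timeout=10):
    """Execute a built request against BASE_URL; returns (status, parsed JSON or {})."""
    method, path, query, body = req
    url = BASE_URL + path + ("?" + urllib.parse.urlencode(query) if query else "")
    data = json.dumps(body).encode() if body is not None else None
    r = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": AUTH, "Content-Type": "application/scim+json", "Accept": "application/scim+json"})
    with urllib.request.urlopen(r, timeout=timeout) as resp:
        return resp.status, json.loads(resp.read() or b"{}")

if __name__ == "__main__":   # placeholder ids; uncomment send(...) against a real server
    print(json.dumps(create_role("loginRole", group_ids=["<group-id>"],
                                 permissions=["/permission/admin/login"])[3], indent=2))
```

Two practical notes. The default IS keystore certificate is self-signed, so urlopen will fail TLS verification out of the box; import that certificate into the trust store used by your Python installation rather than disabling verification. And prefer the POST /.search form when filters contain usernames or other identifiers you do not want written into proxy and server access logs.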

From here you can download all these requests as a postman collection: https://app.getpostman.com/run-collection/cc7c5854cdd5ec041562


Technical Lead @ WSO2 | Computer Science and Engineering graduate @ University of Moratuwa, Sri Lanka