Friday, November 20, 2015

Programmatically Control WSO2 Registry Resource Permissions

  1. Open $EMM_Home/repository/conf/carbon.xml and change the value of HideAdminServiceWSDLs to false. This setting only controls whether the admin service WSDLs are published; the admin services themselves stay reachable on the management port either way, so set it back to true once you have generated your client.
  2. Start the WSO2 EMM
  3. Check the ResourceAdminService WSDL by browsing to https://<host>:9443/services/ResourceAdminService?wsdl
  4. Create a new SOAP project in SoapUI from the ResourceAdminService WSDL
  5. Send a changeRolePermissions request. Admin services only accept calls from an administrator account (HTTP Basic authentication with the admin credentials works), so configure that on the request. A sample SOAP request looks as follows
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://services.resource.registry.carbon.wso2.org">
       <soapenv:Header/>
       <soapenv:Body>
          <ser:changeRolePermissions>
             <ser:resourcePath>/_system/governance/mobileapps/admin/android/TestApp</ser:resourcePath>
             <ser:permissionsInput>internal/everyone:ra^true:wa^true:da^true:aa^true|internal/private_admin:ra^true</ser:permissionsInput>
          </ser:changeRolePermissions>
       </soapenv:Body>
    </soapenv:Envelope>
    
In the request
  • resourcePath is the registry path of the resource whose permissions you want to change
  • permissionsInput must be in the following format (roles separated by |, permission entries for a role separated by :)
    roleName:<permission_id>^true:<permission_id>^true:...:<permission_id>^true|roleName2:<permission_id>^true:<permission_id>^true|roleName3:<permission_id>^true
    
The permission IDs are as follows (first letter is the action, second letter is a for allow or d for deny)

Permission        Permission ID
Allow Read        ra
Deny Read         rd
Allow Write       wa
Deny Write        wd
Allow Delete      da
Deny Delete       dd
Allow Authorize   aa
Deny Authorize    ad
For example
internal/everyone:ra^true:wa^true:da^true:aa^true|internal/private_admin:ra^true:wd^true:dd^true:ad^true
This allows read, write, delete and authorize for the internal/everyone role and allows only read for internal/private_admin; write, delete and authorize for internal/private_admin are explicitly set to deny. Bear in mind that internal/everyone is the role every user holds, so granting it write, delete and authorize on a governance resource lets any logged-in user modify, remove or re-permission that resource.
Note that if you don't explicitly set all four permissions for a role, the ones you leave out are reset, so give an allow or deny for read, write, delete and authorize for every role you mention. In the first sample request above, internal/private_admin is given only ra^true, so its write, delete and authorize permissions would be cleared by that call.
Instead of SoapUI you can generate a simple client from the ResourceAdminService WSDL and manipulate permissions programmatically; the client needs the same admin credentials.
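As an added example (not code from the post or from WSO2), the following Python client builds the permissionsInput string, refuses incomplete or contradictory role entries so that no permission is reset by accident, wraps the call in the SOAP envelope shown above and sends it with HTTP Basic authentication over verified TLS. The host name, the admin credentials, the certificate file name and the SOAPAction header value are assumptions.

```python
# Added example (not the post's own code): build, validate and send a
# changeRolePermissions call to the WSO2 ResourceAdminService admin service.
import base64
import ssl
import urllib.request
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE_NS = "http://services.resource.registry.carbon.wso2.org"

# Permission IDs from the post: first letter is the action, second is allow (a) or deny (d).
ACTIONS = {"r": "read", "w": "write", "d": "delete", "a": "authorize"}
PERMISSION_IDS = {action + verdict for action in ACTIONS for verdict in ("a", "d")}


def build_permissions_input(role_perms):
    """Serialise {role: [permission IDs]} to role:id^true:id^true|role2:...

    Because the service resets any permission not listed for a role, every
    role must carry an explicit allow or deny for all four actions, and an
    action may not be both allowed and denied.
    """
    parts = []
    for role, ids in role_perms.items():
        if not role or any(c in role for c in "|:^"):
            raise ValueError(f"invalid role name {role!r}")
        ids = list(dict.fromkeys(ids))  # drop duplicates, keep order
        unknown = set(ids) - PERMISSION_IDS
        if unknown:
            raise ValueError(f"{role}: unknown permission IDs {sorted(unknown)}")
        decided = {}
        for pid in ids:
            action, verdict = pid[0], pid[1]
            if decided.get(action, verdict) != verdict:
                raise ValueError(f"{role}: {ACTIONS[action]} is both allowed and denied")
            decided[action] = verdict
        missing = [ACTIONS[a] for a in ACTIONS if a not in decided]
        if missing:
            raise ValueError(f"{role}: no allow/deny given for {missing}; they would be reset")
        parts.append(role + ":" + ":".join(f"{pid}^true" for pid in ids))
    if not parts:
        raise ValueError("at least one role is required")
    return "|".join(parts)


def build_envelope(resource_path, permissions_input):
    """Wrap the two parameters in the SOAP envelope from the post, XML-escaped."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:ser="{SERVICE_NS}">'
        "<soapenv:Header/><soapenv:Body><ser:changeRolePermissions>"
        f"<ser:resourcePath>{escape(resource_path)}</ser:resourcePath>"
        f"<ser:permissionsInput>{escape(permissions_input)}</ser:permissionsInput>"
        "</ser:changeRolePermissions></soapenv:Body></soapenv:Envelope>"
    )


def change_role_permissions(base_url, username, password, resource_path, role_perms, cafile=None):
    """POST the request with HTTP Basic auth over verified TLS; returns (status, body).

    base_url is the management URL, e.g. https://emm.example.com:9443 (hypothetical host).
    cafile is a PEM export of the server certificate (WSO2 ships a self-signed one);
    certificate verification is kept on rather than switched off.
    """
    body = build_envelope(resource_path, build_permissions_input(role_perms)).encode("utf-8")
    req = urllib.request.Request(base_url.rstrip("/") + "/services/ResourceAdminService",
                                 data=body, method="POST")
    req.add_header("Content-Type", "text/xml; charset=utf-8")
    req.add_header("SOAPAction", "urn:changeRolePermissions")  # assumed Axis2-style action name
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    req.add_header("Authorization", "Basic " + token)
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Full access for internal/everyone, read-only for internal/private_admin:
    # the same assignment the post's second example describes.
    perms = {
        "internal/everyone": ["ra", "wa", "da", "aa"],
        "internal/private_admin": ["ra", "wd", "dd", "ad"],
    }
    print(build_permissions_input(perms))
    # Hypothetical host, credentials and certificate file:
    # change_role_permissions("https://localhost:9443", "admin", "admin",
    #                         "/_system/governance/mobileapps/admin/android/TestApp",
    #                         perms, cafile="wso2carbon.pem")
```

The validation in build_permissions_input is the practical point: a role entry that lists only ra^true passes through SoapUI silently and clears the role's other three permissions, whereas this client rejects it before anything is sent.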
