Reputation: 833
We are considering storing our roles in WSO2 in the Internal database - on a temporary basis.
As I understand it, these internal roles are stored in table UM_HYBRID_ROLE. What I want to confirm is that these roles are treated the same way as roles configured in an external LDAP with respect to XACML policies, claims management, etc.
In other words, can we assume that policies/claims tied to internal roles will behave the same as when tied to external roles?
Are there any differences between how WSO2 treats internal/external roles (besides where it persists them), that I should be aware of?
Thanks, Mike
Upvotes: 2
Views: 1631
Reputation: 5821
Both internal and external roles are treated the same at the API level. The only difference is that you would see an Internal prefix on internal roles. Say, if you create a role with the name foo, it would be named Internal/foo.
When it comes to XACML, you do not need to do anything. You can retrieve both types of roles using the same claim URI, i.e. http://wso2.org/claims/role. It would return all the roles that are assigned to the user regardless of the user store (internal or external).
Also, let me give some more details about internal roles.
Internal roles are the roles that are maintained internally by the Carbon server. This means that these roles are not mapped to groups in the user store. They are created in an internal database table of the Carbon server. Internal roles are used in the following use cases:
1. When the Carbon server wants to create a role internally, it always creates an internal role. For example, the "everyone" role is an internal role; it is created by the Carbon server at startup. This is because the Carbon server cannot always create roles in the user store: it is not good to create roles in a corporate user store unintentionally, and if the corporate user store has been connected in read-only mode, roles cannot be created by the Carbon server.
2. If the user store has been connected in read-only mode, you cannot assign users to roles using the Identity Server management console or APIs. In that case, you can use internal roles.
3. When multiple user stores have been configured with Carbon servers, you may need to assign users from different user stores to one role. This can be done by creating an internal role. Users from different user stores can be assigned to an internal role (as you cannot assign a user from one user store to a group in another user store).
Upvotes: 8
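As an added example (not code from the answer above or from WSO2's own documentation): a XACML 3.0 policy that permits access to a resource only when the subject holds the internal role foo, read through the http://wso2.org/claims/role claim URI that the answer mentions. It assumes, as the answer states, that the role value carries the Internal/ prefix; the resource id http://example.com/reports, the PolicyId and the RuleIds are invented for illustration.

```xml
<!-- Added example policy; the resource id and policy/rule ids are hypothetical. -->
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="internal-role-example"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"
        Version="1.0">
  <Target>
    <AnyOf>
      <AllOf>
        <!-- Policy applies only to requests for this (hypothetical) resource. -->
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://example.com/reports</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                               Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule Effect="Permit" RuleId="permit-internal-foo">
    <Condition>
      <!-- string-is-in checks whether the literal is a member of the bag of role
           values returned for the subject; internal roles appear with the
           Internal/ prefix, so that is the value to compare against. -->
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Internal/foo</AttributeValue>
        <AttributeDesignator AttributeId="http://wso2.org/claims/role"
                             Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                             DataType="http://www.w3.org/2001/XMLSchema#string"
                             MustBePresent="false"/>
      </Apply>
    </Condition>
  </Rule>
  <!-- Anything not matched by the rule above is denied. -->
  <Rule Effect="Deny" RuleId="deny-everything-else"/>
</Policy>
```

Because string-is-in tests membership in the whole bag of role values, the same rule matches a role coming from an external user store by changing the literal to that role's name (without the Internal/ prefix); nothing else in the policy differs between the two cases, which is the point the answer makes. A quick check is to send a request for a user who holds only the unprefixed role foo and confirm it is denied, then one for a user holding Internal/foo and confirm it is permitted.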
Reputation: 1592
This is used when the user store does not support roles, for example a read-only LDAP. In my experience, this will behave the same as when using external roles. You might just need to rewrite the role field in the XML policy so that IS knows you are referring to an external one. As long as the user store, acting as policy information point, is properly configured, it does not matter if user data is stored internally or externally.
Upvotes: 0