RBAC (role-based access control) in WSO2 API Manager and Identity Server
I am evaluating WSO2 API Manager and Identity Server.
My requirement is as follows:
1) We have to develop a web portal where all the APIs will be exposed in WSO2 API Manager, in which multiple end user types will log in to the portal, say A, B, C, D, and all need to have different API access.
2) All the backend APIs related to the portal/application will be exposed via WSO2 API Manager/gateway.
3) End user authentication, authorization and RBAC have to be performed by the WSO2 layer, meaning an admin should be authorized to see only admin-related stuff and a normal user will have restricted access.
4) I know I can create an app in the WSO2 API Store, get the token and call all the backend APIs in a secured way and get access to the application, but how is login-user-based authentication and authorization going to happen?

The solution which I read from the docs is:
1) I can use WSO2 Identity Server as key manager and keep user data in a custom DB, say MSSQL.

https://docs.wso2.com/display/CLUSTER44x/Configuring+the+Identity+Server+5.2.0+as+a+Key+Manager+with+API+Manager+2.0.0

But I am not sure how a user can be restricted to use only certain contents in the portal. Please help me on this.

http://movingaheadblog.blogspot.com/2014/02/securing-your-web-service-with-oauth2.html

@gusto can you help me on this.
Thanks
      wso2 wso2is wso2-am
edited Nov 21 '18 at 15:50 by atiwari
asked Nov 20 '18 at 18:40 by atiwari
          1 Answer
You can use https://docs.wso2.com/display/AM260/Enabling+Role-Based+Access+Control+Using+XACML to use XACML-based policies for access control for your applications.

When a particular API is invoked on the APIM side, APIM will ask IS to evaluate the XACML policy against parameters of the request (username, application name, API name) and return whether it is permitted or not.

You can find more information about writing a XACML policy here: https://docs.wso2.com/display/IS570/Creating+a+XACML+Policy
• I understand this; we can do RBAC via OAuth 2.0 or XACML. But my question is whether this works for end users who log in / register into the web/mobile app. I want my end users to be authenticated and authorized, not the user who has subscribed to the application and its API. Also, I am trying to configure IS as Key Manager in conjunction with API Manager. Please let me know how I can achieve end user authentication and authorization with RBAC?
  – atiwari, Nov 27 '18 at 3:41
• You can control this during the authorization time as well. For that, refer to docs.wso2.com/display/IS570/…
  – senthalan, Nov 28 '18 at 17:14
answered Nov 23 '18 at 11:51 by senthalan
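The permit/deny exchange the answer describes, as an added example that is not part of the original post or of WSO2's code: a small Python policy decision point is handed the same three request parameters the gateway sends (username, application name, API name), looks up the user's roles in a constructed user store standing in for the Identity Server's role lookup, and combines matching rules with XACML-style deny-overrides. The users, roles, APIs and policies are all assumed for illustration.

```python
"""Constructed example (not WSO2 code): a minimal role-based policy
decision point for the APIM -> IS entitlement check, evaluating
(username, application, API) the way the answer describes."""
from dataclasses import dataclass

# Constructed user store: stands in for the Identity Server's role lookup
# (the policy information point a real XACML PDP would consult).
USER_ROLES = {
    "alice": {"admin", "user"},
    "bob": {"user"},
    "eve": set(),            # authenticated, but holds no role at all
}

@dataclass
class Rule:
    effect: str              # "Permit" or "Deny"
    roles: frozenset         # subject must hold at least one of these
    apps: frozenset = frozenset()   # empty = applies to any application

@dataclass
class Policy:
    api: str                 # the resource this policy targets (API name)
    rules: list

# Constructed policies: the admin API is for admins only; the catalog API is
# open to any "user", except when invoked through the untrusted LegacyApp.
POLICIES = [
    Policy("AdminAPI", [Rule("Permit", frozenset({"admin"}))]),
    Policy("CatalogAPI", [
        Rule("Deny", frozenset({"user", "admin"}), frozenset({"LegacyApp"})),
        Rule("Permit", frozenset({"user"})),
    ]),
]

def evaluate(username, application, api, policies=POLICIES, user_roles=USER_ROLES):
    """Return "Permit", "Deny" or "NotApplicable" for one gateway request."""
    roles = user_roles.get(username, set())
    applicable = [p for p in policies if p.api == api]
    if not applicable:
        return "NotApplicable"          # no policy targets this API
    decisions = []
    for policy in applicable:
        for rule in policy.rules:
            if not roles & rule.roles:  # subject lacks every required role
                continue
            if rule.apps and application not in rule.apps:
                continue                # rule is scoped to other applications
            decisions.append(rule.effect)
    # deny-overrides: a single matching Deny wins over any number of Permits
    if "Deny" in decisions:
        return "Deny"
    if "Permit" in decisions:
        return "Permit"
    return "NotApplicable"

def gateway_allows(username, application, api):
    """Fail closed: only an explicit Permit lets the call through."""
    return evaluate(username, application, api) == "Permit"
```

Note that "NotApplicable" is treated the same as "Deny" at the gateway, so a user with no matching role (or an API with no policy) is refused rather than silently allowed.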