diff --git a/components/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt/src/main/java/org/wso2/carbon/identity/api/resource/mgt/constant/APIResourceManagementConstants.java b/components/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt/src/main/java/org/wso2/carbon/identity/api/resource/mgt/constant/APIResourceManagementConstants.java index 9caa1964bd86..00aa6e30e067 100644 --- a/components/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt/src/main/java/org/wso2/carbon/identity/api/resource/mgt/constant/APIResourceManagementConstants.java +++ b/components/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt/src/main/java/org/wso2/carbon/identity/api/resource/mgt/constant/APIResourceManagementConstants.java @@ -31,6 +31,7 @@ public class APIResourceManagementConstants { public static final String IDENTIFIER = "identifier"; public static final String TYPE = "type"; public static final String RBAC_AUTHORIZATION = "RBAC"; + public static final String NO_POLICY = "NO POLICY"; public static final String ASC = "ASC"; public static final String SYSTEM_API_FILTER = "type sw SYSTEM"; public static final String ME_API_FILTER = "name eq Me API and type sw SYSTEM"; @@ -47,6 +48,7 @@ public class APIResourceManagementConstants { public static final String LT = "lt"; public static final String BEFORE_GT = "before gt "; public static final String AFTER_LT = "after lt "; + public static final String ME_API = "Me API"; private static final Map attributeColumnMap = new HashMap<>(); private static final Map scopeAttributeColumnMap = new HashMap<>(); public static final Map ATTRIBUTE_COLUMN_MAP = Collections.unmodifiableMap(attributeColumnMap); diff --git a/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/listener/AuthorizedAPIManagementListener.java b/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/listener/AuthorizedAPIManagementListener.java index bbaecacd64f4..7465eb355a89 100644 --- a/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/listener/AuthorizedAPIManagementListener.java +++ b/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/listener/AuthorizedAPIManagementListener.java @@ -147,13 +147,17 @@ private void authorizeSystemAPIToConsole(String tenantDomain) { return; } for (APIResource apiResource : apiResources) { + String policyId = APIResourceManagementConstants.RBAC_AUTHORIZATION; + if (APIResourceManagementConstants.ME_API.equals(apiResource.getName())) { + policyId = APIResourceManagementConstants.NO_POLICY; + } List scopes = ApplicationManagementServiceComponentHolder.getInstance() .getAPIResourceManager().getAPIScopesById(apiResource.getId(), tenantDomain); AuthorizedAPI authorizedAPI = new AuthorizedAPI.AuthorizedAPIBuilder() .apiId(apiResource.getId()) .appId(applicationBasicInfo.getApplicationResourceId()) .scopes(scopes) - .policyId(APIResourceManagementConstants.RBAC_AUTHORIZATION) + .policyId(policyId) .build(); authorizedAPIManagementService.addAuthorizedAPI(applicationBasicInfo.getApplicationResourceId(), authorizedAPI, tenantDomain); @@ -208,7 +212,7 @@ private void authorizeMeAPIToMyAccount(String tenantDomain) { .apiId(apiResource.getId()) .appId(applicationBasicInfo.getApplicationResourceId()) .scopes(scopes) - .policyId(APIResourceManagementConstants.RBAC_AUTHORIZATION) + .policyId(APIResourceManagementConstants.NO_POLICY) .build(); authorizedAPIManagementService.addAuthorizedAPI(applicationBasicInfo.getApplicationResourceId(), authorizedAPI, tenantDomain); diff --git a/features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/system-api-resource.xml b/features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/system-api-resource.xml index ffe8fe1c5421..2f7be71200d5 100644 --- a/features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/system-api-resource.xml +++ b/features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/system-api-resource.xml @@ -201,9 +201,9 @@ identifier="/api/server/v1/identity-governance" requiresAuthorization="true" description="API representation of the Identity Governance Management API"> - + + name="internal_governance_update" /> + name="internal_org_governance_view" /> + name="internal_org_governance_update" /> - - - - + + + + - - - - + + + + + - - - - + + + + + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/system-api-resource.xml.j2 b/features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/system-api-resource.xml.j2 index e9c0bc088629..038da4a7770f 100644 --- a/features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/system-api-resource.xml.j2 +++ b/features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/system-api-resource.xml.j2 @@ -28,24 +28,24 @@ {% endfor %} + identifier="/api/server/v1/admin-advisory-management/banner" requiresAuthorization="true" + description="API representation of the Admin Advisory Management API"> + identifier="/o/api/server/v1/admin-advisory-management/banner" requiresAuthorization="true" + description="API representation of the Admin Advisory Management API" + type="SYSTEM_ORG"> + name="internal_org_admin_advisory_mgt_update" /> + requiresAuthorization="true" + description="API representation of the API Resource Management API"> @@ -54,65 +54,65 @@ + requiresAuthorization="true" + description="API representation of the Application Management API"> + name="internal_application_mgt_create" /> + name="internal_application_mgt_update" /> + name="internal_application_mgt_delete" /> + identifier="/o/api/server/v1/applications" requiresAuthorization="true" + description="API representation of the Application Management API" + type="SYSTEM_ORG"> + name="internal_org_application_mgt_view" /> + name="internal_org_application_mgt_delete" /> + requiresAuthorization="true" + description="API representation of the Authenticators Management API"> + identifier="/o/api/server/v1/authenticators" requiresAuthorization="true" + description="API representation of the Authenticators Management API" + type="SYSTEM_ORG"> + name="internal_org_authenticator_view" /> + identifier="/api/server/v1/branding-preference" requiresAuthorization="true" + description="API representation of the Branding Preference Management API"> + name="internal_branding_preference_update" /> + identifier="/o/api/server/v1/branding-preference" requiresAuthorization="true" + description="API representation of the Branding Preference Management API" + type="SYSTEM_ORG"> + name="internal_org_branding_preference_update" /> + requiresAuthorization="true" + description="API representation of the Challenges Management API"> @@ -121,7 +121,7 @@ + requiresAuthorization="true" description="API representation of the Claim Management API"> @@ -130,9 +130,9 @@ + identifier="/o/api/server/v1/claim-dialects" requiresAuthorization="true" + description="API representation of the Claim Management API" + type="SYSTEM_ORG"> @@ -141,7 +141,7 @@ + requiresAuthorization="true" description="API representation of the Config Management API"> @@ -150,8 +150,8 @@ + requiresAuthorization="true" description="API representation of the Config Management API" + type="SYSTEM_ORG"> @@ -160,45 +160,45 @@ + requiresAuthorization="true" description="API representation of the CORS Management API"> + identifier="/api/server/v1/expired-password-identification" requiresAuthorization="true" + description="API representation of the Expired Password Identification Management API"> + identifier="/o/api/server/v1/expired-password-identification" requiresAuthorization="true" + description="API representation of the Expired Password Identification Management API" + type="SYSTEM_ORG"> + requiresAuthorization="true" + description="API representation of the Extension Management API"> + identifier="/o/api/server/v1/extensions" + requiresAuthorization="true" + description="API representation of the Extension Management API" + type="SYSTEM_ORG"> + requiresAuthorization="true" + description="API representation of the Remote Fetch Management API"> @@ -207,44 +207,44 @@ + identifier="/api/server/v1/identity-governance" requiresAuthorization="true" + description="API representation of the Identity Governance Management API"> - + + name="internal_governance_update" /> + identifier="/o/api/server/v1/identity-governance" requiresAuthorization="true" + description="API representation of the Identity Governance Management API" + type="SYSTEM_ORG"> + name="internal_org_governance_view" /> + name="internal_org_governance_update" /> + identifier="/api/idle-account-identification/v1/inactive-users" requiresAuthorization="true" + description="API representation of the Idle Account Identification Management API"> + identifier="/o/api/idle-account-identification/v1/inactive-users" + requiresAuthorization="true" + description="API representation of the Idle Account Identification Management API" + type="SYSTEM_ORG"> + identifier="/api/server/v1/identity-providers" requiresAuthorization="true" + description="API representation of the Identity Provider Management API"> @@ -253,22 +253,22 @@ + identifier="/o/api/server/v1/identity-providers" requiresAuthorization="true" + description="API representation of the Identity Provider Management API" + type="SYSTEM_ORG"> + name="internal_org_idp_create" /> + name="internal_org_idp_update" /> + name="internal_org_idp_delete" /> + requiresAuthorization="true" + description="API representation of the Identity Verifier Management API"> @@ -277,89 +277,89 @@ + requiresAuthorization="true" description="API representation of the Validation Rules API"> + name="internal_validation_rule_mgt_update" /> + identifier="/o/api/server/v1/validation-rules" + requiresAuthorization="true" + description="API representation of the Validation Rules API" + type="SYSTEM_ORG"> + name="internal_org_validation_rule_mgt_update" /> + requiresAuthorization="true" description="API representation of the Keystore Management API"> + identifier="/api/server/v1/notification-senders/email" requiresAuthorization="true" + description="API representation of the Notification Sender Management API"> + name="internal_notification_senders_create" /> + name="internal_notification_senders_update" /> + name="internal_notification_senders_delete" /> + requiresAuthorization="true" + description="API representation of the OIDC Scope Management API"> - - - - + + + + + requiresAuthorization="true" description="API representation of the Tenant Management API"> + identifier="/api/server/v1/organizations/discovery" + requiresAuthorization="true" + description="API representation of the Organization Management API"> + name="internal_organization_discovery_view" /> + name="internal_organization_discovery_update" /> + name="internal_organization_discovery_delete" /> + identifier="/o/api/server/v1/organizations/discovery" + requiresAuthorization="true" + description="API representation of the Organization Discovery API" + type="SYSTEM_ORG"> + name="internal_org_organization_discovery_view" /> + name="internal_org_organization_discovery_update" /> + name="internal_org_organization_discovery_delete" /> + requiresAuthorization="true" + description="API representation of the Organization Management API"> @@ -368,10 +368,10 @@ + identifier="/o/api/server/v1/organizations" + requiresAuthorization="true" + description="API representation of the Organization Management API" + type="SYSTEM_ORG"> @@ -380,9 +380,9 @@ + identifier="/api/server/v1/organizations/{organization-id}/roles" + requiresAuthorization="true" + description="API representation of the Organization Role Management API"> @@ -391,70 +391,70 @@ + identifier="/o/api/server/v1/organizations/{organization-id}/roles" + requiresAuthorization="true" + description="API representation of the Organization Role Management API" + type="SYSTEM_ORG"> + name="internal_org_organization_role_create" /> + name="internal_org_organization_role_update" /> + name="internal_org_organization_role_delete" /> + identifier="/api/server/v1/organization-configs/discovery" requiresAuthorization="true" + description="API representation of the Organization Config Management API"> + name="internal_organization_config_delete" /> + identifier="/o/api/server/v1/organization-configs/discovery" requiresAuthorization="true" + description="API representation of the Organization Config Management API" + type="SYSTEM_ORG"> + name="internal_org_organization_config_view" /> + name="internal_org_organization_config_add" /> + name="internal_org_organization_config_delete" /> + identifier="/api/server/v1/self-service" requiresAuthorization="true" + description="API representation of the Self Service API"> + identifier="/api/server/v1/self-service" requiresAuthorization="true" + description="API representation of the Self Service API" + type="SYSTEM_ORG"> + identifier="/api/server/v1/permission-management/permissions" requiresAuthorization="true" + description="API representation of the Permission Management API"> + requiresAuthorization="true" + description="API representation of the Script Library Management API"> @@ -463,8 +463,8 @@ + requiresAuthorization="true" + description="API representation of the Secret Type Management API"> @@ -473,7 +473,7 @@ + requiresAuthorization="true" description="API representation of the Secret Management API"> @@ -482,8 +482,8 @@ + requiresAuthorization="true" + description="API representation of the Userstore Management API"> @@ -492,10 +492,10 @@ + identifier="/o/api/server/v1/userstore" + requiresAuthorization="true" + description="API representation of the Userstore Management API" + type="SYSTEM_ORG"> @@ -504,32 +504,32 @@ + requiresAuthorization="true" description="API representation of the Workflow Management API"> + identifier="/api/users/v1/{user-id}/(.*)associations" requiresAuthorization="true" + description="API representation of the Association Management API"> + identifier="/api/users/v(.*)/{user-id}/authorized-apps" requiresAuthorization="true" + description="API representation of the Authorized Application Management V2 API"> + name="internal_user_authorizedapp_view" /> + name="internal_user_authorizedapp_delete" /> + requiresAuthorization="true" + description="API representation of the Challenge Management API"> @@ -538,17 +538,17 @@ + identifier="/api/users/v1/{user-id}/user-functionality/{function-id}" + requiresAuthorization="true" + description="API representation of the Functionality Management API"> + requiresAuthorization="true" + description="API representation of the IDV Claim Management API"> @@ -557,10 +557,10 @@ + identifier="/o/api/users/v1/{user-id}/idv" + requiresAuthorization="true" + description="API representation of the IDV Claim Management API" + type="SYSTEM_ORG"> @@ -569,31 +569,31 @@ + requiresAuthorization="true" description="API representation of the Session Management API"> + identifier="/o/api/users/v1/(.*)sessions" + requiresAuthorization="true" + description="API representation of the Session Management API" + type="SYSTEM_ORG"> + requiresAuthorization="true" + description="API representation of the Account Recovery V1/V2 API"> + description="API representation of the SCIM2 Groups API"> @@ -602,43 +602,42 @@ + requiresAuthorization="true" + description="API representation of the SCIM2 Groups API" type="SYSTEM_ORG"> + name="internal_org_group_mgt_view" /> + name="internal_org_group_mgt_create" /> + name="internal_org_group_mgt_update" /> + name="internal_org_group_mgt_delete" /> + description="API representation of the SCIM2 Users API"> - - - - + + + + + + requiresAuthorization="true" + description="API representation of the SCIM2 Users API" type="SYSTEM_ORG"> - - - - + + + + + + description="API representation of the SCIM2 Roles API"> @@ -647,20 +646,20 @@ + requiresAuthorization="true" + description="API representation of the SCIM2 Roles API" type="SYSTEM_ORG"> + name="internal_org_role_mgt_create" /> + name="internal_org_role_mgt_update" /> + name="internal_org_role_mgt_delete" /> + description="API representation of the SCIM2 Bulk API"> @@ -669,21 +668,21 @@ + requiresAuthorization="true" + description="API representation of the SCIM2 Bulk API" type="SYSTEM_ORG"> + name="internal_org_bulk_user_mgt_create" /> + name="internal_org_bulk_user_mgt_view" /> + name="internal_org_bulk_user_mgt_update" /> + name="internal_org_bulk_user_mgt_delete" /> + requiresAuthorization="true" description="API representation of the Code Management API"> @@ -692,16 +691,16 @@ + identifier="/api/identity/user/v1.0/pi-info" requiresAuthorization="true" + description="API representation of the User Personal Identification API"> + name="internal_pi_info_view" /> + requiresAuthorization="true" + description="API representation of the Configuration Management API"> @@ -711,25 +710,25 @@ + requiresAuthorization="true" description="API representation of the Consent Management API"> + identifier="/o/api/identity/consent-mgt/v1.0/consents" requiresAuthorization="true" + description="API representation of the Consent Management API" + type="SYSTEM_ORG"> + name="internal_org_consent_mgt_add" /> + name="internal_org_consent_mgt_delete" /> + requiresAuthorization="true" description="API representation of the Identity Recovery API"> @@ -738,9 +737,9 @@ + requiresAuthorization="true" + description="API representation of the Identity Recovery API" + type="SYSTEM_ORG"> @@ -749,8 +748,8 @@ + requiresAuthorization="true" + description="API representation of the OAuth DCR (Dynamic Client Registration) API"> @@ -759,8 +758,8 @@ + requiresAuthorization="true" + description="API representation of the OAuth2.0 Scope Management API"> @@ -769,8 +768,8 @@ + identifier="/api/server/v1/email/template-types" requiresAuthorization="true" + description="API representation of the Email Template Management API"> @@ -779,29 +778,29 @@ + identifier="/o/api/server/v1/email/template-types" requiresAuthorization="true" + description="API representation of the Email Template Management API" + type="SYSTEM_ORG"> + name="internal_org_email_mgt_view" /> + name="internal_org_email_mgt_create" /> + name="internal_org_email_mgt_update" /> + name="internal_org_email_mgt_delete" /> + requiresAuthorization="true" + description="API representation of the Entitlement Management API"> + requiresAuthorization="true" description="API representation of the Media Management API"> @@ -829,37 +828,110 @@ + requiresAuthorization="true" + description="API representation of the OAuth2 Introspection API"> + requiresAuthorization="true" description="API representation of the Identity Register API"> + requiresAuthorization="true" description="API representation of the User Management API"> + requiresAuthorization="true" + description="API representation of the User Management API" + type="SYSTEM_ORG"> - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +