Enable role management in organization level

components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/impl/SCIMRoleManagerV2.java

@@ -39,6 +39,7 @@
 import org.wso2.carbon.identity.role.v2.mgt.core.model.Role;
 import org.wso2.carbon.identity.role.v2.mgt.core.model.RoleBasicInfo;
 import org.wso2.carbon.identity.role.v2.mgt.core.model.UserBasicInfo;
+import org.wso2.carbon.identity.role.v2.mgt.core.util.RoleManagementUtils;
 import org.wso2.carbon.identity.role.v2.mgt.core.util.UserIDResolver;
 import org.wso2.carbon.identity.scim2.common.internal.SCIMCommonComponentHolder;
 import org.wso2.carbon.identity.scim2.common.utils.SCIMCommonConstants;
@@ -117,10 +118,6 @@ public RoleV2 createRole(RoleV2 role)
             throws CharonException, ConflictException, NotImplementedException, BadRequestException {
 
         try {
-            if (!isRoleModificationAllowedForTenant(tenantDomain)) {
-                throw new BadRequestException("Role creation is not allowed for organizations.",
-                        ResponseCodeConstants.INVALID_VALUE);
-            }
             // Check if the role already exists.
             if (roleManagementService.isExistingRole(role.getId(), tenantDomain)) {
                 String error = "Role with id: " + role.getId() + " already exists in the tenantDomain: "
@@ -313,8 +310,8 @@ private List<MultiValuedComplexType> convertPermissionsToMultiValuedComplexType(
     public void deleteRole(String roleID) throws CharonException, NotFoundException, BadRequestException {
 
         try {
-            if (!isRoleModificationAllowedForTenant(tenantDomain)) {
-                throw new BadRequestException("Role deletion is not allowed for organizations.",
+            if (isSharedRole(roleID)) {
+                throw new BadRequestException("Shared role deletion is not allowed.",
                         ResponseCodeConstants.INVALID_VALUE);
             }
             roleManagementService.deleteRole(roleID, tenantDomain);
@@ -408,16 +405,16 @@ public RoleV2 patchRole(String roleId, Map<String, List<PatchOperation>> patchOp
         }
 
         if (CollectionUtils.isNotEmpty(displayNameOperations)) {
-            if (!isRoleModificationAllowedForTenant(tenantDomain)) {
-                throw new BadRequestException("Role name modification is not allowed for organizations.",
+            if (isSharedRole(roleId)) {
+                throw new BadRequestException("Role name modification is not allowed for shared roles.",
                         ResponseCodeConstants.INVALID_VALUE);
             }
             String newRoleName = (String) displayNameOperations.get(displayNameOperations.size() - 1).getValues();
             updateRoleName(roleId, currentRoleName, newRoleName);
         }
         if (CollectionUtils.isNotEmpty(permissionOperations)) {
-            if (!isRoleModificationAllowedForTenant(tenantDomain)) {
-                throw new BadRequestException("Role's permission change is not allowed for organizations.",
+            if (isSharedRole(roleId)) {
+                throw new BadRequestException("Role permission modification is not allowed for shared roles.",
                         ResponseCodeConstants.INVALID_VALUE);
             }
             updatePermissions(roleId, permissionOperations);
@@ -697,8 +694,8 @@ private void doUpdateRoleName(RoleV2 oldRole, RoleV2 newRole)
         if (!StringUtils.equals(oldRoleDisplayName, newRoleDisplayName)) {
             // Update role name.
             try {
-                if (!isRoleModificationAllowedForTenant(tenantDomain)) {
-                    throw new BadRequestException("Role name update is not allowed for organizations.",
+                if (isSharedRole(roleId)) {
+                    throw new BadRequestException("Role name update is not allowed for shared roles.",
                             ResponseCodeConstants.INVALID_VALUE);
                 }
                 roleManagementService.updateRoleName(oldRole.getId(), newRoleDisplayName, tenantDomain);
@@ -821,8 +818,8 @@ private void doUpdatePermissions(RoleV2 oldRole, RoleV2 newRole) throws BadReque
 
         // Update the role with added permissions and deleted permissions.
         if (isNotEmpty(deletePermissionValuesList) || isNotEmpty(addedPermissionValuesList)) {
-            if (!isRoleModificationAllowedForTenant(tenantDomain)) {
-                throw new BadRequestException("Role's permission modification is not allowed for organizations.",
+            if (isSharedRole(oldRole.getId())) {
+                throw new BadRequestException("Role's permission modification is not allowed for shared roles.",
                         ResponseCodeConstants.INVALID_VALUE);
             }
             if (LOG.isDebugEnabled()) {
@@ -1420,4 +1417,13 @@ private IdpGroup convertToIdpGroup(IdPGroup idpGroup) {
         convertedGroup.setGroupName(idpGroup.getIdpGroupName());
         return convertedGroup;
     }
+
+    private boolean isSharedRole(String roleId) throws CharonException {
+
+        try {
+            return RoleManagementUtils.isSharedRole(roleId, tenantDomain);
+        } catch (IdentityRoleManagementException e) {
+            throw new CharonException("Error while checking whether the role is a shared role.", e);
+        }
+    }
 }

pom.xml

@@ -279,7 +279,7 @@
         <inbound.auth.oauth.version>6.5.3</inbound.auth.oauth.version>
         <commons-collections.version>3.2.0.wso2v1</commons-collections.version>
         <carbon.kernel.version>4.10.16</carbon.kernel.version>
-        <identity.framework.version>7.0.112</identity.framework.version>
+        <identity.framework.version>7.5.86</identity.framework.version>
         <junit.version>4.13.1</junit.version>
         <commons.lang.version>20030203.000129</commons.lang.version>
         <identity.governance.version>1.8.12</identity.governance.version>