WSO2 Identity Server - How to assign an existing role to a WSO2 IS user?

自闭症网瘾萝莉.ら submitted on 2019-12-01 11:49:02

I assume you have the SCIM ID for the role and it is 'c83dc72c-15c2-40f2-bddd-4acb086b9e17', and that the user store is configured properly so the user and role are in the same user store.

If the above conditions are true, you can do the following to achieve the task.

  1. Create the user with curl command (here you are using SCIM)
  2. Update the group with the PUT method with the user's SCIM ID.

For example,

curl -v -k --user admin:admin -X PUT -d '{"displayName": "Engineer", "members": [{"value":"334d988a-5e68-4594-8b96-356adeec29f1","display": "venura"}, {"value":"p09okhyt-5e68-4594-8mkj-356ade12we34","display": "testUser"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Groups/c83dc72c-15c2-40f2-bddd-4acb086b9e17

For more details please check the below link [1] in order to get a clear idea on how you can use PUT to update the role/ group.

[1] http://hasini-gunasinghe.blogspot.com/2012/11/wso2-identity-server-as-scim-service.html

Use PATCH operation:

Nodejs Sample code for SCIM2 (WSO2 Identity server 5.6):

// roleId is the GUID generated after creating the group.
// token is the bearer token generated via client credentials or password credentials;
// it is sent unchanged as the Authorization header value.
var rp = require('request-promise');

function assignRoleToUser(token, user, roleId) {
    var groupId = roleId;
    var options = {
        // Replace the placeholder with your own SCIM2 Groups endpoint.
        uri: '<identity_provider_hostname:port/scim2/Groups>' + '/' + groupId,
        method: 'PATCH',
        json: true,
        headers: {
            'Content-Type': 'application/json',
            'Authorization': token
        },
        body: {
            schemas: ['urn:ietf:params:scim:api:messages:2.0:PatchOp'],
            Operations: [
                {
                    // 'add' appends the user to the group's members.
                    op: 'add',
                    value: {
                        members: [
                            {
                                display: user.userName,
                                value: user.id
                            }
                        ]
                    }
                }
            ]
        }
    };
    // Returns a promise that resolves with the parsed JSON response.
    return rp(options);
}

The only drawback of this API is that it returns an array containing all members of that group after success. It is not optimized if the group has thousands or millions of users.
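
Added example, not from either answer above: under the SCIM specification the PUT in the first answer replaces the group resource, so its body has to carry every member that should remain, while the PATCH in the second answer names only the new member. The helpers below (hypothetical names `groupUrl`, `buildPutBody`, `buildPatchBody`) build both bodies from a constructed sample group and reject ids that are not URL-safe before they reach the request path.

```javascript
// Added example; helper names and sample data are constructed for illustration.
const SAFE_ID = /^[A-Za-z0-9-]{1,64}$/; // assumption: ids are short, URL-safe opaque strings

function assertId(id) {
  if (typeof id !== 'string' || !SAFE_ID.test(id)) {
    throw new Error('unexpected SCIM id: ' + JSON.stringify(id));
  }
  return id;
}

// Resource URL for one group; the id is validated, then encoded, before it joins the path.
function groupUrl(base, groupId) {
  return base.replace(/\/+$/, '') + '/' + encodeURIComponent(assertId(groupId));
}

// PUT replaces the group resource, so the body carries every member that should remain.
function buildPutBody(currentGroup, user) {
  const byId = new Map();
  for (const m of currentGroup.members || []) {
    byId.set(assertId(m.value), { value: m.value, display: m.display });
  }
  byId.set(assertId(user.id), { value: user.id, display: user.userName });
  return { displayName: currentGroup.displayName, members: [...byId.values()] };
}

// PATCH "add" names only the new member; the request does not list existing members.
function buildPatchBody(user) {
  return {
    schemas: ['urn:ietf:params:scim:api:messages:2.0:PatchOp'],
    Operations: [{
      op: 'add',
      value: { members: [{ display: user.userName, value: assertId(user.id) }] }
    }]
  };
}

// Constructed sample: the group as a GET on the Groups endpoint might return it.
const sampleGroup = {
  id: 'c83dc72c-15c2-40f2-bddd-4acb086b9e17',
  displayName: 'Engineer',
  members: [{ value: '334d988a-5e68-4594-8b96-356adeec29f1', display: 'venura' }]
};
const newUser = { id: 'p09okhyt-5e68-4594-8mkj-356ade12we34', userName: 'testUser' };

console.log(groupUrl('https://localhost:9443/wso2/scim/Groups/', sampleGroup.id));
console.log(JSON.stringify(buildPutBody(sampleGroup, newUser)));
console.log(JSON.stringify(buildPatchBody(newUser)));
```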
