Question

First of all, yes, I know how to use the SOAP APIs and OAuth2 of WSO2IS (4.6.0).

What I would like to accomplish is to have a restricted web-service user that is only allowed to talk to a few methods on the RemoteUserStoreManagerService (i.e. read-only).

If possible, this should be doable without installing API Manager or ESB.

I have created a user named 'websvc'.

It will only work with the web services if I add it to the 'admin' role; without it I get permission denied.

I'd like to permit/deny access through XACML, but it seems the IS APIs are not enforced by it.

Can someone point me in the right direction?


Solution

For admin services we define a permission level, and through a permission handler we check whether the user is assigned to a particular role which has the requested permission for that service.

By customizing the AuthorizationManager we can engage policy-based permission evaluation. (But at this point we don't get service metadata; you only get the required permission level being accessed, and the user.) You can configure it in [WSO2IS]/repository/conf/user-mgt.xml.

But if you need to get the permit decision per service (instead of per permission level) you will have to use an additional layer like an ESB.
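The customization the answer describes, as an added example that is not code from the question, the answer, or the WSO2 project: a subclass of the stock JDBC authorization manager that keeps the normal role-to-permission evaluation for everyone but, for the restricted 'websvc' user, additionally requires the requested permission level to be on an allow-list. It is wired in by pointing the `class` attribute of the `<AuthorizationManager>` element in `user-mgt.xml` at this class. The package name, the permission-level strings in the allow-list, and the constructor signature (copied from what the JDBC manager in Carbon 4.x is assumed to expose) are assumptions to be checked against the target IS 4.6.0 build. Note what the override receives: a user, a permission resource id and an action, not the service or operation name, which is exactly the limitation the answer points out.

```java
package example.wso2.authz; // hypothetical package name

import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.wso2.carbon.user.api.RealmConfiguration;
import org.wso2.carbon.user.core.UserRealm;
import org.wso2.carbon.user.core.UserStoreException;
import org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager;
import org.wso2.carbon.user.core.claim.ClaimManager;
import org.wso2.carbon.user.core.profile.ProfileConfigurationManager;

/**
 * Authorization manager that narrows what one service account may do.
 * Every other user keeps the default role/permission evaluation.
 */
public class ReadOnlyServiceAuthorizationManager extends JDBCAuthorizationManager {

    // The restricted web-service account from the question.
    private static final String RESTRICTED_USER = "websvc";

    // Permission levels the restricted account is allowed to exercise.
    // Constructed placeholders: the real resource ids must be taken from the
    // permission tree of the IS build in use (Configure > Users and Roles).
    private static final Set<String> ALLOWED_PERMISSIONS;
    static {
        Set<String> s = new HashSet<String>();
        s.add("/permission/admin/manage/identity/usermgt/list");   // assumed id
        s.add("/permission/admin/manage/identity/usermgt/view");   // assumed id
        ALLOWED_PERMISSIONS = Collections.unmodifiableSet(s);
    }

    // Constructor signature assumed to match JDBCAuthorizationManager in Carbon 4.x.
    public ReadOnlyServiceAuthorizationManager(RealmConfiguration realmConfig,
                                               Map<String, Object> properties,
                                               ClaimManager claimManager,
                                               ProfileConfigurationManager profileManager,
                                               UserRealm realm,
                                               Integer tenantId) throws UserStoreException {
        super(realmConfig, properties, claimManager, profileManager, realm, tenantId);
    }

    @Override
    public boolean isUserAuthorized(String userName, String resourceId, String action)
            throws UserStoreException {
        // Default evaluation: does one of the user's roles carry this permission?
        boolean roleDecision = super.isUserAuthorized(userName, resourceId, action);

        if (!RESTRICTED_USER.equals(userName)) {
            return roleDecision;
        }

        // Only user, permission level and action are known here; the service and
        // operation being invoked are not. So the restriction can only be expressed
        // per permission level, and it fails closed: the role must grant the
        // permission AND the permission must be on the allow-list.
        return roleDecision && ALLOWED_PERMISSIONS.contains(resourceId);
    }
}
```

Two consequences follow from the design. First, because the check is an intersection with the normal role evaluation, 'websvc' still needs a role that carries the allowed permissions; adding it to 'admin' would no longer grant everything, but it still should get a dedicated role with only those permissions. Second, if a read-only and a write operation of RemoteUserStoreManagerService are mapped to the same permission level, this manager cannot tell them apart, which is why the answer recommends an additional layer such as an ESB when the decision must be per service operation.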

Licensed under: CC-BY-SA with attribution