Sunday, January 24, 2016

WSO2 API Manager 1.10.0 - API Lifecycle management based on user roles

WSO2 API Manager user tasks can be categorized under three main user roles: creator, publisher and subscriber. See the Adding User Roles section in the product documentation for more information. Users with the creator and publisher roles can log in to the API Manager publisher application and work on API creation and management.

Users with publisher permissions can change the lifecycle state of an API: they can deprecate it, block it, or even retire it. From API Manager 1.10 onward, you can restrict this capability and assign your own roles to individual lifecycle transitions. So if you do not want a user with only publisher permission to be able to block an API, you can enforce that easily in API Manager 1.10.0 using the Custom Lifecycle Inclusion feature.

Scenario

The owner of the API does not want to give everyone permission to put his API into the Blocked state. He wants to assign that to a separate group.

Steps:

1. Create a new role. 

See Adding User Roles. Here I create a new role "blockrole" for this scenario. You can assign any permissions to it; I'll leave them empty, since the grouping is done based on the role name.

2. Modify the existing lifecycle.  

For that, log in to the API Manager management console (https://localhost:9443/carbon) and navigate to

Update the 'Published' state with the following:

      <state id="Published">
          <datamodel>
              <data name="transitionExecution">
                  <execution forEvent="Block"
                             class="org.wso2.carbon.apimgt.impl.executors.APIExecutor">
                  </execution>
                  <execution forEvent="Deprecate"
                             class="org.wso2.carbon.apimgt.impl.executors.APIExecutor">
                  </execution>
                  <execution forEvent="Demote to Created"
                             class="org.wso2.carbon.apimgt.impl.executors.APIExecutor">
                  </execution>
                  <execution forEvent="Deploy as a Prototype"
                             class="org.wso2.carbon.apimgt.impl.executors.APIExecutor">
                  </execution>
              </data>
              <data name="transitionPermission">
                  <permission forEvent="Block" roles="blockrole" />
              </data>
          </datamodel>
          <transition event="Block" target="Blocked"/>
          <transition event="Deploy as a Prototype" target="Prototyped"/>
          <transition event="Demote to Created" target="Created"/>
          <transition event="Deprecate" target="Deprecated"/>
          <transition event="Publish" target="Published"/>
      </state>


Note the newly added data element "transitionPermission". The newly created role "blockrole" is assigned to the event "Block", so only users holding that role can trigger the Block transition:

      <data name="transitionPermission">
          <permission forEvent="Block" roles="blockrole" />
      </data>
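As an added example (not from the post and not WSO2's own code), the following Python script parses a lifecycle definition like the one above and works out which transition buttons a user with a given set of roles should see, plus a small lint for permission entries that point at events the state cannot transition on. It assumes that events without a transitionPermission entry stay open to every publisher, as the post describes, and that the roles attribute is a comma-separated list.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the 'Published' state from the post, wrapped in a
# plain <lifecycle> root for this example (not the real WSO2 aspect XML).
LIFECYCLE_XML = """
<lifecycle>
  <state id="Published">
    <datamodel>
      <data name="transitionPermission">
        <permission forEvent="Block" roles="blockrole" />
      </data>
    </datamodel>
    <transition event="Block" target="Blocked"/>
    <transition event="Deploy as a Prototype" target="Prototyped"/>
    <transition event="Demote to Created" target="Created"/>
    <transition event="Deprecate" target="Deprecated"/>
    <transition event="Publish" target="Published"/>
  </state>
</lifecycle>
"""

def load_state(xml_text, state_id):
    """Return (event -> target state, event -> set of roles allowed to fire it)."""
    state = ET.fromstring(xml_text).find(f"./state[@id='{state_id}']")
    if state is None:
        raise ValueError(f"no state {state_id!r} in lifecycle")
    transitions = {t.get("event"): t.get("target") for t in state.findall("transition")}
    permissions = {}
    for perm in state.findall("./datamodel/data[@name='transitionPermission']/permission"):
        # Assumption: roles="a,b" is a comma-separated list.
        roles = {r.strip() for r in perm.get("roles", "").split(",") if r.strip()}
        permissions[perm.get("forEvent")] = roles
    return transitions, permissions

def allowed_events(transitions, permissions, user_roles):
    """Events the user may trigger: unrestricted events, plus restricted
    events for which the user holds at least one of the listed roles."""
    user_roles = set(user_roles)
    return sorted(e for e in transitions
                  if e not in permissions or permissions[e] & user_roles)

def lint_permissions(transitions, permissions):
    """Flag permission entries that can never apply (unknown event) or that
    silently lock an event for everyone (empty roles list)."""
    problems = []
    for event, roles in permissions.items():
        if event not in transitions:
            problems.append(f"permission forEvent={event!r} matches no transition")
        if not roles:
            problems.append(f"permission forEvent={event!r} lists no roles")
    return problems
```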


Test

Now log in to the API Manager publisher (I will use the default admin user for this) and publish an API. Then go to the Overview section of the API, select the 'Lifecycle' tab, and you will notice that the "Block" operation is no longer there.


The reason is that the admin user does not have the role "blockrole". Now log in to the management console, assign the role "blockrole" to the admin user, and refresh the Lifecycle tab in the API Manager publisher. You will notice the "Block" button in the tab.


You can extend this feature to assign different roles to the transitions of different API lifecycle states.
