How to use WSO2 Carbon Admin services to assign permissions to user goups

This is the way of setting permissions for a role using a “carbon admin service”. Basically, this is an http post request.


The endpoint is : https://localhost:9445/services/UserAdmin.UserAdminHttpsSoap11Endpoint


Replace localhost and port according management console information

That should be like <esb host name>:<management console https port>


Request Payload :


<soapenv:Envelope xmlns:soapenv=”” xmlns:xsd=”http://org.apache.axis2/xsd“>
         <!–Zero or more repetitions:–>


Inside <xsd:roleName> element, the “Group Name” should be passed.

Inside < xsd:rawResources > element, the “Permission Path” should be passed. If you need to set many permissions for a role Then you can send many elements like this.


And set Basic Auth giving the username and the password of the admin user of the esb in the request. I’ll explain in the below section about this too, if you don’t know how to set basic auth in the request.


This is all about the request and that is all what you should do. But, for creating “Permission Path” string, you’ll need to understand the “Permission Tree” of the WSO2 carbon.


Permissions Tree


This is a predefined tree in wso2. If you need to see this tree, this is in the registry location,  /_system/governance/permission.


  1. Go to WSO2 management console Main -> Registry-> Browse
  2. Just paste this above “registry path”( /_system/governance/permission) on Location field in the registry.
  3. Expand the Properties section clicking on the “+” mark of the properties.(in the right most corner)
  4. You’ll see the Value “All Permissions”. That is the display name of that permission. We’ll need this display name later.
  5. In the Entries section, List of names(admin, protected) are permissions.


You can again click one of these permissions, you’ll get the child permissions list of this particular parent permission. You can go inside and inside until a leave gets found. And while, you are moving thru this, the Location path also getting changed. If you go a location like this /_system/governance/permission/admin/login ,  then, you won’t see any more permissions list inside login permission of the admin permission. Because, login permission is a leaf of this permission tree.


Permission Path


In the permission tree section, if you did that steps correctly, then, you should see the location path of the registry. If you remove the first two locations(/_system/governance) from that location path, the rest is the permission path. That is the string that you need to send in the above request.

Let’s say you are going to set the permissions for login to management console, The permission path for that permission is “/permission/admin/login”(without quotes).


You can give the permissions for the parents.


Suppose that you gave the permission to /permission/ of the permission tree, then, this role has every permission in the permission tree.

Suppose that you gave the permission to  /permission/admin/ then, this user has the permissions for the full tree of admin.




Once you send a request for setting a permission or set of permissions to a particular role, then, existing permissions of that particular role is not valid anymore. It set all the new permissions to that particular role sent in the new request. You have to list all the permissions if you need to update the permissions of a particular role like below.


Let’s say admin is the role name and it has following permissions





Now you’ll need to add the permission /permission/manage/manage_tiers also.


Then, you request body should be like.


<soapenv:Envelope xmlns:soapenv=”” xmlns:xsd=”http://org.apache.axis2/xsd“>
         <!–Zero or more repetitions:–>

         <xsd:rawResources>/permission/manage/manage_tiers </xsd:rawResources>


Setting Basic Auth


For setting this, you have set the a header of your request. Header name is “Authorization”(without quotes). And the value should be Basic<space><base64 encoded administrator username:password pair separated by a semi colon>. Let’s say, your user name and the password is admin/admin. Base64encode the “admin:admin”(without quotes) string. That is YWRtaW46YWRtaW4= . Then, the value of the header for this example,

Name = Authorization

Value  = Basic YWRtaW46YWRtaW4=




For validating, if the permission is set or not.


  1. Send a request correctly.
  2. Log-in to Management Console.
  3. Go to Configure -> Users and Roles
  4. Go to roles and click on the permissions of the particular role, you set the permissions.
  5. This displays the graphical permission tree.
  6. Permissions assigned should have been clicked already.


Here in this large graphical tree, it uses “display name” I described in the 4th step of Permissions Tree section.


Hope you all understood. If you have further questions, please contact me personally or simply reply here.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s