Skip to content

Introduce granular console permissions#1141

Open
mpmadhavig wants to merge 3 commits into
wso2:masterfrom
mpmadhavig:granular-console-scopes
Open

Introduce granular console permissions#1141
mpmadhavig wants to merge 3 commits into
wso2:masterfrom
mpmadhavig:granular-console-scopes

Conversation

@mpmadhavig

Copy link
Copy Markdown
Contributor

Purpose

Exposes the new granular console permission levels (create / update / delete) through the API Resource REST API, so the Console UI can read them when building the console role permission tree.

This is the REST-layer half of the granular console permissions work; the underlying model and scope resolution are introduced in the framework (see Related PRs).

Resolves: wso2/product-is#27974

Goals

  • Return create, update, and delete API resource lists in the API resource collection response, alongside the existing read and write lists.

Approach

  • APIResources.yaml — extended the APIResourceMap schema with three new array properties (create, update, delete), each an array of APIResourceCollectionItem, mirroring the existing read / write shape.
  • APIResourceMap (generated model) — regenerated to add the create / update / delete fields, fluent setters, addXItem helpers, and updated equals / hashCode / toString.
  • ServerAPIResourceCollectionManagementServicebuildAPIResourceMap now reads the create / update / delete entries from the framework's resolved apiResources map (using the new APIResourceCollectionManagementConstants.CREATE/UPDATE/DELETE keys) and populates them on the response.

The change is purely additive — read and write continue to be returned unchanged, so existing clients are unaffected.

@coderabbitai

coderabbitai Bot commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e1cf401b-3c6f-4887-b3f2-f8328b59f41e

📥 Commits

Reviewing files that changed from the base of the PR and between 518658b and 5c1f39b.

📒 Files selected for processing (2)
  • components/org.wso2.carbon.identity.api.server.api.resource/org.wso2.carbon.identity.api.server.api.resource.v1/pom.xml
  • pom.xml
🚧 Files skipped from review as they are similar to previous changes (1)
  • components/org.wso2.carbon.identity.api.server.api.resource/org.wso2.carbon.identity.api.server.api.resource.v1/pom.xml

📝 Walkthrough

Summary

  • Extended the API Resource REST API’s APIResourceMap schema and generated model to include new create, update, and delete resource collections alongside existing read and write collections.
  • Updated ServerAPIResourceCollectionManagementService to conditionally populate the new granular create/update/delete collections from resolved API resources when ConsoleSettings.UseGranularConsolePermissions is enabled, while keeping read/write responses unchanged.
  • Added TestNG test coverage validating both granular-enabled (exposes create/update/delete) and granular-disabled (omits create/update/delete) behaviors.
  • Updated related build/test setup (test dependencies and testng.xml) and bumped the carbon.identity.framework.version property.

Walkthrough

The APIResourceMap schema now includes create, update, and delete arrays. The service populates these buckets only when granular console permissions are enabled, while read and write remain available. New TestNG coverage validates both flag states, with supporting test dependencies and suite configuration. SelfServiceMgtServiceTest now uses fewer constructor mocks and a concrete PropertyPatchReq. The root Maven framework version is updated from 7.11.159 to 7.11.160.

Sequence Diagram(s)

sequenceDiagram
    participant TestNG
    participant ServerAPIResourceCollectionManagementService
    participant APIResourceCollectionManagementUtil
    participant APIResourceMap

    TestNG->>ServerAPIResourceCollectionManagementService: buildAPIResourceMap(collection)
    ServerAPIResourceCollectionManagementService->>APIResourceCollectionManagementUtil: isGranularConsolePermissionsEnabled()
    APIResourceCollectionManagementUtil-->>ServerAPIResourceCollectionManagementService: permission flag
    ServerAPIResourceCollectionManagementService->>APIResourceMap: populate read/write buckets
    ServerAPIResourceCollectionManagementService->>APIResourceMap: populate create/update/delete when enabled
    APIResourceMap-->>TestNG: return mapped resource buckets
Loading
🚥 Pre-merge checks | ✅ 2 | ❌ 3

❌ Failed checks (3 warnings)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description covers purpose, goals, and approach, but omits many required sections like release note, docs, tests, security, and related PRs. Add the missing template sections or mark them N/A where appropriate, especially release note, documentation, automation tests, security checks, and related PRs.
Out of Scope Changes check ⚠️ Warning The SelfServiceMgtServiceTest changes in the organization.selfservice module are unrelated to granular console permissions and look out of scope. Move the unrelated self-service test adjustments into a separate PR unless they are required for this feature, and document the dependency if so.
Docstring Coverage ⚠️ Warning Docstring coverage is 28.57% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (2 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly matches the main change: exposing granular console permissions.
Linked Issues check ✅ Passed The code adds create/update/delete API resource lists needed to support the granular console permissions requested in #27974.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@mpmadhavig
mpmadhavig force-pushed the granular-console-scopes branch from d839d6e to ead3909 Compare July 9, 2026 08:40
@mpmadhavig
mpmadhavig force-pushed the granular-console-scopes branch from ead3909 to a6a4ec0 Compare July 9, 2026 08:41
@jenkins-is-staging

Copy link
Copy Markdown

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/29573931105

applicationManagementService,
apiResourceManager,
authorizedAPIManagementService
null,

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Was this intentional?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, this was intentional. applicationManagementService, apiResourceManager and authorizedAPIManagementService are only used in the self-service application create/authorize flow (doPostConfigurationUpdateprocessSelfServiceEnablement/authorizeAPItoSelfServiceApp), which runs only when enablePostListener is true. The two tests here cover getOrganizationGovernanceConfigs() and updateOrganizationGovernanceConfigs(..., false), so those three collaborators are never invoked — hence passing null instead of keeping unused mocks. Happy to restore the mocks if you prefer to keep them for future test coverage.

hwupathum
hwupathum previously approved these changes Jul 17, 2026
@jenkins-is-staging

Copy link
Copy Markdown

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/29573931105
Status: success

@jenkins-is-staging jenkins-is-staging left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving the pull request based on the successful pr build https://github.com/wso2/product-is/actions/runs/29573931105

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Granular Permissions in Console

3 participants