Remove unnecessary root org permissions from the roles in the sub org

components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/listener/AdminRoleListener.java

@@ -24,6 +24,8 @@
 import org.wso2.carbon.identity.application.common.model.Scope;
 import org.wso2.carbon.identity.application.mgt.ApplicationConstants;
 import org.wso2.carbon.identity.application.mgt.internal.ApplicationManagementServiceComponentHolder;
+import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
+import org.wso2.carbon.identity.organization.management.service.util.OrganizationManagementUtil;
 import org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants;
 import org.wso2.carbon.identity.role.v2.mgt.core.RoleManagementService;
 import org.wso2.carbon.identity.role.v2.mgt.core.exception.IdentityRoleManagementException;
@@ -36,6 +38,9 @@
 import java.util.List;
 import java.util.stream.Collectors;
 
+import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.CONSOLE_ORG_SCOPE_PREFIX;
+import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.INTERNAL_ORG_SCOPE_PREFIX;
+
 /**
  * Admin role listener to populate organization admin role and console application Administrator role permissions.
  */
@@ -65,14 +70,28 @@
  .getAPIResourceManager().getSystemAPIScopes(tenantDomain);
  List<Permission> systemPermissions = systemScopes.stream().map(scope -> new Permission(scope.getName(),
  scope.getDisplayName(), scope.getApiID())).collect(Collectors.toList());
+ if (OrganizationManagementUtil.isOrganization(tenantDomain)) {
+ // Removing the scopes which are not valid for sub organization context.
+ systemPermissions =
+ systemPermissions.stream().filter(permission ->
+ isValidSubOrgPermission(permission.getName())).collect(Collectors.toList());
+ }
  role.setPermissions(systemPermissions);
  } catch (APIResourceMgtException e) {
  throw new IdentityRoleManagementException("Error while retrieving internal scopes for tenant " +
  "domain : " + tenantDomain, e);
+ } catch (OrganizationManagementException e) {
+ throw new IdentityRoleManagementException("Error while retrieving context for the sub org: " +
+ tenantDomain, e);
  }
  }
  }
 
+ private boolean isValidSubOrgPermission(String permission) {
+
+ return (permission.startsWith(INTERNAL_ORG_SCOPE_PREFIX) || permission.startsWith(CONSOLE_ORG_SCOPE_PREFIX));
+ }
+
  @Override
  public void postGetPermissionListOfRole(List<Permission> permissionListOfRole, String roleId, String tenantDomain)
  throws IdentityRoleManagementException {

components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/RoleConstants.java

@@ -70,6 +70,8 @@ private RoleConstants() {
 
  public static final String INTERNAL_SCOPE_PREFIX = "internal_";
  public static final String INTERNAL_ORG_SCOPE_PREFIX = "internal_org_";
+ public static final String CONSOLE_SCOPE_PREFIX = "console:";
+ public static final String CONSOLE_ORG_SCOPE_PREFIX = "console:org:";
 
  /**
  * Grouping of constants related to database table names.

components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/main/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAOImpl.java

@@ -88,6 +88,8 @@
 import static org.wso2.carbon.identity.organization.management.service.constant.OrganizationManagementConstants.
  ErrorMessages.ERROR_CODE_INVALID_ORGANIZATION_ID;
 import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.APPLICATION;
+import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.CONSOLE_ORG_SCOPE_PREFIX;
+import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.CONSOLE_SCOPE_PREFIX;
 import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.DB2;
 import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.Error.INVALID_LIMIT;
 import static org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants.Error.INVALID_OFFSET;
@@ -1649,7 +1651,8 @@ private List<Permission> getPermissionsOfSharedRole(String roleId, String tenant
  */
  private boolean isValidSubOrgPermission(String permission) {
 
- return permission.startsWith(INTERNAL_ORG_SCOPE_PREFIX) || !permission.startsWith(INTERNAL_SCOPE_PREFIX);
+ return permission.startsWith(INTERNAL_ORG_SCOPE_PREFIX) || permission.startsWith(CONSOLE_ORG_SCOPE_PREFIX) ||
+ (!permission.startsWith(INTERNAL_SCOPE_PREFIX) && !permission.startsWith(CONSOLE_SCOPE_PREFIX));
  }
 
  /**

components/role-mgt/org.wso2.carbon.identity.role.v2.mgt.core/src/test/java/org/wso2/carbon/identity/role/v2/mgt/core/dao/RoleDAOTest.java

@@ -65,6 +65,7 @@
 
 import java.io.IOException;
 import java.lang.reflect.Field;
+import java.lang.reflect.Method;
 import java.lang.reflect.Modifier;
 import java.nio.file.Paths;
 import java.sql.Connection;
@@ -758,6 +759,31 @@ public void testGetUserListOfRole() throws Exception {
  assertEquals(getUserNamesList(users), userNamesList);
  }
 
+ @Test
+ void testIsValidSubOrgPermission() throws Exception {
+
+ RoleDAOImpl roleDAO = spy(new RoleDAOImpl());
+ // Get the private method using reflection
+ Method isValidSubOrgPermissionMethod = RoleDAOImpl.class.getDeclaredMethod("isValidSubOrgPermission",
+ String.class);
+ isValidSubOrgPermissionMethod.setAccessible(true);
+
+ // Test case: permission starts with INTERNAL_ORG_SCOPE_PREFIX
+ assertTrue((Boolean) isValidSubOrgPermissionMethod.invoke(roleDAO, "internal_org_application_mgt_view"));
+
+ // Test case: permission starts with CONSOLE_ORG_SCOPE_PREFIX
+ assertTrue((Boolean) isValidSubOrgPermissionMethod.invoke(roleDAO, "console:org:applications"));
+
+ // Test case: permission does not start with INTERNAL_SCOPE_PREFIX or CONSOLE_SCOPE_PREFIX
+ assertTrue((Boolean) isValidSubOrgPermissionMethod.invoke(roleDAO, "read"));
+
+ // Test case: permission starts with INTERNAL_SCOPE_PREFIX
+ assertFalse((Boolean) isValidSubOrgPermissionMethod.invoke(roleDAO, "internal_application_mgt_view"));
+
+ // Test case: permission starts with CONSOLE_SCOPE_PREFIX
+ assertFalse((Boolean) isValidSubOrgPermissionMethod.invoke(roleDAO, "console:applications"));
+ }
+
  private List<String> getUserNamesList(List<UserBasicInfo> users) {
 
  List<String> userNames = new ArrayList<>();