Wednesday, January 22, 2014

API Manager - Restricted by tenant

We had a query on the concept of 'Restricted by Tenant' in API Manager.

Question was: 
There is tenant1, where creator created an API and publisher published it.
* if API is set to "Public", everyone sees it, as expected.
* if API is set to "Restricted by tenant", no one sees it, not even the subscriber who is in the same tenant!

Why is it so:
As per the WSO2 APIM team, this option is not supported now (since APIM-1.5.0), but we have the 'Public' and 'Restricted by Roles' options. 'Restricted by Roles' requires you to enter the names of the role(s) that are permitted to view an API. Once the API is published, it will only be visible on the Store to people who are within a permitted role.

Of course, this does not allow the same API to be viewed among allowed tenants.

So here is how 'Restricted by Roles' works:
  • When creating the API, select "Restricted by Roles" for the "Visibility" level.
  • State the 'publisher' role in the 'Visible to Roles' field.
  • Log in to 'API Publisher' from the publisher's account and publish the API.
  • Now log in to the API Store using the subscriber's account.
The subscriber will not see the above API among the tenant's APIs.

API Manager 1.6.0 - tenancy


Came across a question on API Manager tenancy ...

As per docs [1]
"WSO2 API Manager supports creating multiple tenants and managing APIs in a tenant-isolated manner. When you create multiple tenants in an API Manager deployment, the API Stores of each tenant will be displayed in a multi-tenanted view for all users to browse and permitted users to subscribe to."

Let's try it and see !!

Step 1 - Create a tenant

  • Login to management console - https://localhost:9443/carbon/
  • Create a new tenant from Home > Configure > Multitenancy > Add New Tenant - let's say my tenant is yumani.com.
  • Now if you check in API Store, you will see tenant domains there.
When you click on yumani.com above, you will be taken to yumani.com's API store.
Let's try working within a tenant and see.
Step 2 - Create users within the tenant
We need 3 user roles - creator, publisher and subscriber
  • Login to management console, using tenant admin's credentials
  • Create a new user role from Home > Configure > Users and Roles > Roles
    • name - creator
    • permissions - as given in [2]
  • Create a role for subscriber
    • name - subscriber
    • permissions - login, Manage -> API -> Subscribe [3]
  • Create a role for publisher
    • name - publisher
    • permissions - login, Manage -> API -> Publish [4]
  • Create 3 users and assign them to each role.
Small test to check that the permissions are correctly set as per above:
- When you log in to the publisher (https://localhost:9443/publisher/) with the creator's login, you should see an option to add APIs.
- When you log in with the publisher's login, you should not see an option to add APIs. You will only be able to list APIs and publish them.
- Finally, you will not have sufficient privileges to log in to the publisher using the subscriber's login.
Step 3 - Create and publish API
  • Login to 'API Publisher' from creator's account and create a new API.

Step 4 - View the API from store
  • Now login to API Store using subscriber's account
  • You will see the above API.
Another test:
- Create another tenant and try to log in to tenant 1's (yumani.com) store; you are not allowed!
- Log in to tenant 3's store and see if you see any of tenant 1's APIs. No! Because of tenancy.
NOTE: In earlier versions of APIM (APIM-1.4.0), we had a concept of allowing selected tenants to view other tenants' APIs. But it is not available in the latest releases.
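
A simplified model of the visibility behaviour observed in both posts above (the 'Restricted by Roles' walkthrough and the tenant-isolation tests), added here as an example; it is not WSO2 API Manager code, and `can_view`, `unreachable_apis` and the sample users and APIs are constructed for illustration. It also audits for APIs that no subscriber-capable user can see, which is what restricting an API to the 'publisher' role produces.

```python
from dataclasses import dataclass

PUBLIC, BY_ROLES, BY_TENANT = "Public", "Restricted by Roles", "Restricted by tenant"

@dataclass(frozen=True)
class User:
    name: str
    tenant: str
    roles: frozenset

@dataclass(frozen=True)
class Api:
    name: str
    tenant: str
    visibility: str
    visible_to_roles: frozenset = frozenset()

def can_view(api, user, store_tenant):
    """Would `user`, logged in to `store_tenant`'s API Store, see `api`? (model only)"""
    # Tenant isolation as observed in the post: a store lists only its own
    # tenant's APIs, and users of another tenant cannot log in to it.
    if api.tenant != store_tenant or user.tenant != store_tenant:
        return False
    if api.visibility == PUBLIC:
        return True
    if api.visibility == BY_ROLES:
        # Visible only if the user holds one of the 'Visible to Roles' entries.
        return bool(api.visible_to_roles & user.roles)
    # 'Restricted by tenant' is unsupported, so nobody sees the API.
    return False

def unreachable_apis(apis, users, subscribe_roles):
    """Audit: names of APIs that no user holding a subscribe-capable role can see."""
    consumers = [u for u in users if u.roles & subscribe_roles]
    return [a.name for a in apis
            if not any(can_view(a, u, a.tenant) for u in consumers)]

# Constructed sample data mirroring the walkthrough (tenant yumani.com).
T = "yumani.com"
USERS = [
    User("creator1", T, frozenset({"creator"})),
    User("publisher1", T, frozenset({"publisher"})),
    User("subscriber1", T, frozenset({"subscriber"})),
    User("outsider", "other.com", frozenset({"subscriber"})),
]
APIS = [
    Api("PublicApi", T, PUBLIC),
    Api("RolesApi", T, BY_ROLES, frozenset({"publisher"})),
    Api("TenantApi", T, BY_TENANT),
]

if __name__ == "__main__":
    for name in unreachable_apis(APIS, USERS, frozenset({"subscriber"})):
        print("no subscriber can see:", name)
```

Adding a subscriber-capable role to 'Visible to Roles' in the model removes `RolesApi` from the audit result.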
 
[2] - http://docs.wso2.org/display/AM160/User+Roles+in+the+API+Manager#UserRolesintheAPIManager-Addingthe creator role
[3] - http://docs.wso2.org/display/AM160/User+Roles+in+the+API+Manager#UserRolesintheAPIManager-Thedefault subscriber role
[4] - http://docs.wso2.org/display/AM160/User+Roles+in+the+API+Manager#UserRolesintheAPIManager-Addingthe publisher role
