From 77823e2839c67db35b1163ed9884f7e74899307e Mon Sep 17 00:00:00 2001
From: pramilaniroshan
Date: Fri, 6 Oct 2023 08:04:38 +0530
Subject: [PATCH 1/8] Modify get Geofence API to get total count
---
 .../impl/GeoLocationBasedServiceImpl.java | 8 ++++++
 .../service/GeoLocationProviderService.java | 7 +++++
 .../core/device/mgt/core/dao/GeofenceDAO.java | 8 ++++++
 .../dao/impl/AbstractGeofenceDAOImpl.java | 24 +++++++++++++++++
 .../GeoLocationProviderServiceImpl.java | 26 +++++++++++++++++++
 5 files changed, 73 insertions(+)
diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/impl/GeoLocationBasedServiceImpl.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/impl/GeoLocationBasedServiceImpl.java
index b45725c5c1..837e9ea9e7 100644
--- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/impl/GeoLocationBasedServiceImpl.java
+++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/impl/GeoLocationBasedServiceImpl.java
@@ -870,6 +870,14 @@ public class GeoLocationBasedServiceImpl implements GeoLocationBasedService {
 PaginationResult paginationResult = new PaginationResult();
 paginationResult.setData(geofenceList);
 paginationResult.setRecordsTotal(geofenceList.size());
+ try {
+ GeoLocationProviderService geoService = DeviceMgtAPIUtils.getGeoService();
+ paginationResult.setTotalDeviceCount(geoService.getGeoFenceCount());
+ } catch (GeoLocationBasedServiceException e) {
+ String msg = "Failed to retrieve geofence data";
+ log.error(msg, e);
+ return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(msg).build();
+ }
 return Response.status(Response.Status.OK).entity(paginationResult).build();
 }
 
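Review bot: The geofence total is stored through `paginationResult.setTotalDeviceCount(...)`, a field whose name says it counts devices, while `setRecordsTotal(geofenceList.size())` just above still reports only the size of the returned list. `getGeoFenceCount()` takes no arguments, so the number is the tenant-wide row count and will not match a list that was narrowed by a name filter or by the caller's group access, if this endpoint applies either (the method starts outside the hunk, so that is not visible here). If the list is access-filtered, the total also tells the caller how many geofences exist that they cannot see. I would add a comment such as `// tenant-wide geofence count, unfiltered; reuses the totalDeviceCount field` or pass the list's filter into the count query.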
diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.common/src/main/java/io/entgra/device/mgt/core/device/mgt/common/geo/service/GeoLocationProviderService.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.common/src/main/java/io/entgra/device/mgt/core/device/mgt/common/geo/service/GeoLocationProviderService.java
index 920cdac80e..c214971604 100644
--- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.common/src/main/java/io/entgra/device/mgt/core/device/mgt/common/geo/service/GeoLocationProviderService.java
+++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.common/src/main/java/io/entgra/device/mgt/core/device/mgt/common/geo/service/GeoLocationProviderService.java
@@ -171,4 +171,11 @@ public interface GeoLocationProviderService {
 * @throws GeoLocationBasedServiceException any errors occurred while reading event records to geofence
 */
 List getEventsOfGeoFence(int geoFenceId) throws GeoLocationBasedServiceException;
+
+ /**
+ * Get geo fence count by tenant id
+ * @return returns the geofence count of tenant.
+ * @throws GeoLocationBasedServiceException any errors occurred while reading event records to geofence
+ */
+ int getGeoFenceCount() throws GeoLocationBasedServiceException;
 }
diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/dao/GeofenceDAO.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/dao/GeofenceDAO.java
index a6fcf172e5..1546d4034e 100644
--- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/dao/GeofenceDAO.java
+++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/dao/GeofenceDAO.java
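Review bot: The Javadoc added for `getGeoFenceCount()` in GeoLocationProviderService says "by tenant id" although the method takes no parameter, and its `@throws` line is copied from `getEventsOfGeoFence` ("reading event records to geofence"). Suggested wording: `* Get the number of geofences that belong to the tenant of the current caller.` and `* @throws GeoLocationBasedServiceException if the tenant cannot be resolved or the count cannot be read`. Stating where the tenant comes from matters because it is the only isolation boundary for this count; the implementation in this patch resolves it with `DeviceManagementDAOUtil.getTenantId()`.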
@@ -174,4 +174,12 @@ public interface GeofenceDAO {
 * @throws DeviceManagementDAOException
 */
 GeofenceData getGeofence(int fenceId, boolean requireGroupData) throws DeviceManagementDAOException;
+
+ /**
+ * This method is used to get the geofence count by tenant id.
+ * @param tenantId tenant id.
+ * @return returns the geofence count of tenant.
+ * @throws DeviceManagementDAOException
+ */
+ int getGeofenceCount(int tenantId) throws DeviceManagementDAOException;
 }
diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/dao/impl/AbstractGeofenceDAOImpl.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/dao/impl/AbstractGeofenceDAOImpl.java
index c575ea60dc..393a11bf20 100644
--- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/dao/impl/AbstractGeofenceDAOImpl.java
+++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/dao/impl/AbstractGeofenceDAOImpl.java
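Review bot: In GeofenceDAO the new `@throws DeviceManagementDAOException` tag has no description, and the `tenantId` parameter is documented only as "tenant id." Since the count is scoped by this value alone, the contract should say that callers pass the tenant resolved from the authenticated context, never a value taken from the request: `* @param tenantId id of the caller's tenant, resolved server-side` and `* @throws DeviceManagementDAOException if the count query fails`.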
@@ -644,4 +644,28 @@ public abstract class AbstractGeofenceDAOImpl implements GeofenceDAO {
 throw new DeviceManagementDAOException(msg, e);
 }
 }
+
+ @Override
+ public int getGeofenceCount(int tenantId) throws DeviceManagementDAOException {
+ try {
+ Connection conn = this.getConnection();
+ String sql = "SELECT COUNT(*) AS geofence_count " +
+ "FROM DM_GEOFENCE " +
+ "WHERE TENANT_ID = ?";
+ try (PreparedStatement stmt = conn.prepareStatement(sql)) {
+ stmt.setInt(1, tenantId);
+ try (ResultSet rst = stmt.executeQuery()) {
+ if (rst.next()) {
+ return rst.getInt("geofence_count");
+ }
+ }
+ }
+ return 0; // Return 0 if no records found for the given tenantId.
+ } catch (SQLException e) {
+ String msg = "Error occurred while retrieving Geofence count of the tenant " + tenantId;
+ log.error(msg, e);
+ throw new DeviceManagementDAOException(msg, e);
+ }
+ }
+
 }
diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/geo/service/GeoLocationProviderServiceImpl.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/geo/service/GeoLocationProviderServiceImpl.java
index ac5c6fac5b..edac4eaa09 100644
--- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/geo/service/GeoLocationProviderServiceImpl.java
+++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/geo/service/GeoLocationProviderServiceImpl.java
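Review bot: In `AbstractGeofenceDAOImpl.getGeofenceCount` the trailing `return 0; // Return 0 if no records found for the given tenantId.` is misleading, because `SELECT COUNT(*)` without grouping always returns one row, so reaching that line means the result set was unexpectedly empty rather than that the tenant has no geofences. The comment should say so, for example `// COUNT(*) always yields a row; reaching here is unexpected`. `conn` is not closed in this method, which is right only if the caller owns the connection (the service method in this patch opens and closes one through `EventManagementDAOFactory`); a one-line comment on `Connection conn = this.getConnection();` would stop someone wrapping it in try-with-resources later. The failure is also logged here and again by each caller that wraps it, so one error produces several stack traces.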
@@ -1747,6 +1747,32 @@ public class GeoLocationProviderServiceImpl implements GeoLocationProviderServic
 }
 }
 
+ @Override
+ public int getGeoFenceCount() throws GeoLocationBasedServiceException {
+ int tenantId;
+ try {
+ tenantId = DeviceManagementDAOUtil.getTenantId();
+ } catch (DeviceManagementDAOException e) {
+ String msg = "Error occurred while retrieving tenant id while get geofence data";
+ log.error(msg, e);
+ throw new GeoLocationBasedServiceException(msg, e);
+ }
+ try {
+ EventManagementDAOFactory.openConnection();
+ return geofenceDAO.getGeofenceCount(tenantId);
+ } catch (DeviceManagementDAOException e) {
+ String msg = "Error occurred while retrieving geofence data for the tenant " + tenantId;
+ log.error(msg, e);
+ throw new GeoLocationBasedServiceException(msg, e);
+ } catch (SQLException e) {
+ String msg = "Failed to open the DB connection to retrieve Geofence";
+ log.error(msg, e);
+ throw new GeoLocationBasedServiceException(msg, e);
+ } finally {
+ EventManagementDAOFactory.closeConnection();
+ }
+ }
+
 /**
 * Delete events of geofence
 *
From d63f2a3f24503229e8b0071a40414de41807bf5d Mon Sep 17 00:00:00 2001
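Review bot: In `GeoLocationProviderServiceImpl.getGeoFenceCount`, `EventManagementDAOFactory.openConnection()` is called inside the `try` whose `finally` always runs `closeConnection()`, so when opening fails the close still runs for a connection this call never obtained. What `closeConnection()` does in that state is not visible here; if it throws, that exception replaces the `GeoLocationBasedServiceException` built in the `catch (SQLException e)` branch and the real cause is lost. Opening the connection in its own `try`, before the one that owns the `finally`, avoids this without changing the method's signature or messages.

```java
// … unchanged: tenant id lookup …
try {
    EventManagementDAOFactory.openConnection();
} catch (SQLException e) {
    String msg = "Failed to open the DB connection to retrieve Geofence";
    log.error(msg, e);
    throw new GeoLocationBasedServiceException(msg, e);
}
try {
    return geofenceDAO.getGeofenceCount(tenantId);
} catch (DeviceManagementDAOException e) {
    // … unchanged: log and rethrow as GeoLocationBasedServiceException …
} finally {
    EventManagementDAOFactory.closeConnection();
}
```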
From: Viranga Gunarathna
Date: Thu, 12 Oct 2023 15:25:20 +0530
Subject: [PATCH 2/8] mapping permissions with scopes
---
 .../api/ActivityInfoProviderService.java | 2 +-
 .../jaxrs/service/api/DeviceAgentService.java | 16 +++++++-------
 .../api/DeviceEventManagementService.java | 4 ++--
 .../service/api/DeviceManagementService.java | 18 +++++++--------
 .../service/api/GroupManagementService.java | 12 +++++-----
 .../api/NotificationManagementService.java | 2 +-
 .../service/api/PolicyManagementService.java | 18 +++++++--------
 .../service/api/RoleManagementService.java | 14 ++++++------
 .../service/api/UserManagementService.java | 22 +++++++++----------
 .../ApplicationManagementAdminService.java | 4 ++--
 .../admin/DeviceManagementAdminService.java | 2 +-
 .../admin/GroupManagementAdminService.java | 2 +-
 .../api/admin/UserManagementAdminService.java | 4 ++--
 .../mgt/core/DeviceManagementConstants.java | 3 ++-
 .../modules/business-controllers/device.js | 2 +-
 .../type-view.hbs | 2 +-
 16 files changed, 64 insertions(+), 63 deletions(-)
diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/ActivityInfoProviderService.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/ActivityInfoProviderService.java
index a1846536a1..b1fd4c9791 100644
--- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/ActivityInfoProviderService.java
+++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/ActivityInfoProviderService.java
@@ -78,7 +78,7 @@ import java.util.List;
 description = "Get activities",
 key = "dm:activity:get",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/devices/owning-device/view"}
+ permissions = {"/device-mgt/devices/owning-device/activities/view"}
 )
 }
 )
diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/DeviceAgentService.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/DeviceAgentService.java
index 50f7c1e465..5e43b5e274 100644
--- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/DeviceAgentService.java
+++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/DeviceAgentService.java
@@ -91,21 +91,21 @@ import java.util.Map;
 description = "Disenroll a device",
 key = "dm:device:disenroll",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/devices/owning-device/remove"}
+ permissions = {"/device-mgt/devices/owning-device/disenroll"}
 ),
 @Scope(
 name = "Publish Event",
 description = "publish device event",
 key = "dm:device:event:publish",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/devices/owning-device/event"}
+ permissions = {"/device-mgt/devices/owning-device/event/publish"}
 ),
 @Scope(
 name = "Getting Device Operation Details",
 description = "Getting Device Operation Details",
- key = "dm:ops:view",
+ key = "dm:devices:ops:view",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/devices/owning-device/view"}
+ permissions = {"/device-mgt/devices/owning-device/operations/view"}
 )
 }
 )
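Review bot: Every permission string this patch changes is a new path, starting with `/device-mgt/devices/owning-device/activities/view` in ActivityInfoProviderService, and nothing in the visible hunks grants those paths to roles that already hold the old ones. If the permission check matches the path exactly or by parent prefix (not visible here), a role that has only `/device-mgt/devices/owning-device/view`, `/device-mgt/policies/manage`, `/device-mgt/users/manage` or `/login` loses the scopes that used to map to it as soon as this is deployed. The same applies to the hunks in DeviceAgentService, DeviceEventManagementService, DeviceManagementService, GroupManagementService, NotificationManagementService, PolicyManagementService, RoleManagementService, UserManagementService and the four admin services. The commit should ship with a migration step or an upgrade note that lists each old path and the new paths replacing it.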
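Review bot: Renaming the scope key from `dm:ops:view` to `dm:devices:ops:view` in DeviceAgentService changes what a token must carry, not only what a role must be granted. Tokens already issued with the old key, presumably including agent tokens requested through `SCOPES_FOR_TOKEN` (updated in DeviceManagementConstants at the end of this patch), would stop matching the four `@ExtensionProperty(name = Constants.SCOPE, ...)` annotations changed later in this file until they are reissued. The upgrade notes should say whether enrolled agents have to re-authenticate, or the old key should be accepted for a transition period. The new key is also declared in DeviceManagementService with the same permission, so the two declarations have to be kept identical.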
@@ -394,7 +394,7 @@ public interface DeviceAgentService {
 tags = "Device Agent Management",
 extensions = {
 @Extension(properties = {
- @ExtensionProperty(name = Constants.SCOPE, value = "dm:ops:view")
+ @ExtensionProperty(name = Constants.SCOPE, value = "dm:devices:ops:view")
 })
 }
 )
@@ -453,7 +453,7 @@ public interface DeviceAgentService {
 tags = "Device Agent Management",
 extensions = {
 @Extension(properties = {
- @ExtensionProperty(name = Constants.SCOPE, value = "dm:ops:view")
+ @ExtensionProperty(name = Constants.SCOPE, value = "dm:devices:ops:view")
 })
 }
 )
@@ -511,7 +511,7 @@ public interface DeviceAgentService {
 tags = "Device Agent Management",
 extensions = {
 @Extension(properties = {
- @ExtensionProperty(name = Constants.SCOPE, value = "dm:ops:view")
+ @ExtensionProperty(name = Constants.SCOPE, value = "dm:devices:ops:view")
 })
 }
 )
@@ -630,7 +630,7 @@ public interface DeviceAgentService {
 tags = "Device Agent Management",
 extensions = {
 @Extension(properties = {
- @ExtensionProperty(name = Constants.SCOPE, value = "dm:ops:view")
+ @ExtensionProperty(name = Constants.SCOPE, value = "dm:devices:ops:view")
 })
 }
 )
diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/DeviceEventManagementService.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/DeviceEventManagementService.java
index 8d8ad05607..ab9bf2aa53 100644
--- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/DeviceEventManagementService.java
+++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/DeviceEventManagementService.java
@@ -71,14 +71,14 @@ import java.util.List;
 description = "Add or Delete Event Definition for device type",
 key = "dm:device-type:event:modify",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/device-type/add"}
+ permissions = {"/device-mgt/devices/owning-device/event/modify"}
 ),
 @Scope(
 name = "Get Events Details of a Device Type",
 description = "Get Events Details of a Device Type",
 key = "dm:device-type:event:view",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/devices/owning-device/view"}
+ permissions = {"/device-mgt/devices/owning-device/event/view"}
 )
 }
 )
diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/DeviceManagementService.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/DeviceManagementService.java
index f4dd947cc2..eeb7caeeb3 100644
--- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/DeviceManagementService.java
+++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/DeviceManagementService.java
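Review bot: In DeviceEventManagementService, `dm:device-type:event:modify` now maps to `/device-mgt/devices/owning-device/event/modify`, but the scope's own description is "Add or Delete Event Definition for device type", which is a change to the device type and not to a device the caller owns. Under the old mapping it needed `/device-mgt/device-type/add`; under the new one it sits in the `owning-device` subtree next to per-device permissions, so whoever assigns roles may treat it as a self-service right. A path under the device-type subtree would describe the reach of the operation more accurately; the same question applies to `dm:device-type:event:view`.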
@@ -99,63 +99,63 @@ import java.util.Map;
 description = "Getting Details of a Device",
 key = "dm:devices:details",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/devices/owning-device/view"}
+ permissions = {"/device-mgt/devices/owning-device/details/view"}
 ),
 @Scope(
 name = "Update the device specified by device id",
 description = "Update the device specified by device id",
 key = "dm:devices:update",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/devices/owning-device/view"}
+ permissions = {"/device-mgt/devices/owning-device/update"}
 ),
 @Scope(
 name = "Delete the device specified by device id",
 description = "Delete the device specified by device id",
 key = "dm:devices:delete",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/devices/owning-device/view"}
+ permissions = {"/device-mgt/devices/owning-device/delete"}
 ),
 @Scope(
 name = "Getting Feature Details of a Device",
 description = "Getting Feature Details of a Device",
 key = "dm:devices:features:view",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/devices/owning-device/view"}
+ permissions = {"/device-mgt/devices/owning-device/features/view"}
 ),
 @Scope(
 name = "Advanced Search for Devices",
 description = "Advanced Search for Devices",
 key = "dm:devices:search",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/devices/owning-device/view"}
+ permissions = {"/device-mgt/devices/owning-device/search"}
 ),
 @Scope(
 name = "Getting Installed Application Details of a Device",
 description = "Getting Installed Application Details of a Device",
 key = "dm:devices:app:view",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/devices/owning-device/view"}
+ permissions = {"/device-mgt/devices/owning-device/apps/view"}
 ),
 @Scope(
 name = "Getting Device Operation Details",
 description = "Getting Device Operation Details",
 key = "dm:devices:ops:view",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/devices/owning-device/view"}
+ permissions = {"/device-mgt/devices/owning-device/operations/view"}
 ),
 @Scope(
 name = "Get the details of the policy that is enforced on a device.",
 description = "Get the details of the policy that is enforced on a device.",
 key = "dm:devices:policy:view",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/devices/owning-device/view"}
+ permissions = {"/device-mgt/devices/owning-device/policies/view"}
 ),
 @Scope(
 name = "Getting Policy Compliance Details of a Device",
 description = "Getting Policy Compliance Details of a Device",
 key = "dm:devices:compliance:view",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/devices/owning-device/view"}
+ permissions = {"/device-mgt/devices/owning-device/compliance/view"}
 ),
 @Scope(
 name = "Change device status.",
diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/GroupManagementService.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/GroupManagementService.java
index 63ce185bfa..36c85323c6 100644
--- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/GroupManagementService.java
+++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/GroupManagementService.java
@@ -91,7 +91,7 @@ import java.util.List;
 description = "Get the count of groups belongs to current user.",
 key = "gm:groups:count",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/groups/view"}
+ permissions = {"/device-mgt/groups/count"}
 ),
 @Scope(
 name = "Add new device group to the system.",
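Review bot: The permission paths in DeviceManagementService are written as string literals inside each `@Scope`, and two keys are now declared in two interfaces each: `dm:devices:ops:view` here and in DeviceAgentService, `dm:activity:get` in ActivityInfoProviderService and UserManagementService. Nothing visible enforces that both copies carry the same permission, so a later edit to one of them would leave a key with two different mappings, and a typo in a path produces a permission that can never be granted without any compile error. Moving the paths into `public static final String` constants (usable as annotation values) and adding a unit test that fails when one key maps to more than one permission would cover both cases. The `@Scope` list continues past the end of this hunk with "Change device status.", which is not shown.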
@@ -105,7 +105,7 @@ import java.util.List;
 description = "View group specified",
 key = "gm:groups:groups-view",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/groups/view"}
+ permissions = {"/device-mgt/groups/specified-groups/view"}
 ),
 @Scope(
 name = "Update a group",
@@ -147,7 +147,7 @@ import java.util.List;
 description = "View list of device count in the device group",
 key = "gm:devices:count",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/groups/devices/view"}
+ permissions = {"/device-mgt/groups/devices/count"}
 ),
 @Scope(
 name = "Add devices to group",
@@ -168,21 +168,21 @@ import java.util.List;
 description = "Assign devices to groups",
 key = "gm:devices:assign",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/groups/devices/add"}
+ permissions = {"/device-mgt/groups/devices/assign"}
 ),
 @Scope(
 name = "List of groups that have the device",
 description = "List of groups that have the device",
 key = "gm:groups:device:view",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/groups/devices/view"}
+ permissions = {"/device-mgt/groups/device-groups/view"}
 ),
 @Scope(
 name = "View whether the groups has relevant device types",
 description = "View whether the groups has relevant device types",
 key = "gm:devices-types:view",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/groups/device-types"}
+ permissions = {"/device-mgt/groups/device-types/view"}
 )
 }
 )
diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/NotificationManagementService.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/NotificationManagementService.java
index 3dad471bc0..749791619f 100644
--- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/NotificationManagementService.java
+++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/NotificationManagementService.java
@@ -80,7 +80,7 @@ import javax.ws.rs.core.Response;
 description = "Updating the Device Notification Status",
 key = "dm:notif:mark-checked",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/notifications/view"}
+ permissions = {"/device-mgt/notifications/update"}
 )
 }
 )
diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/PolicyManagementService.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/PolicyManagementService.java
index bcdb180e3d..8cce7e92b3 100644
--- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/PolicyManagementService.java
+++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/PolicyManagementService.java
@@ -79,7 +79,7 @@ import java.util.List;
 description = "Adding a Policy",
 key = "pm:policies:add",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/policies/manage"}
+ permissions = {"/device-mgt/policies/add"}
 ),
 @Scope(
 name = "Getting Details of Policies",
@@ -93,56 +93,56 @@ import java.util.List;
 description = "Getting Details of a Policy",
 key = "pm:policies:details:view",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/policies/view"}
+ permissions = {"/device-mgt/policies/view-details"}
 ),
 @Scope(
 name = "Updating a Policy",
 description = "Updating a Policy",
 key = "pm:policies:update",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/policies/manage"}
+ permissions = {"/device-mgt/policies/update"}
 ),
 @Scope(
 name = "Removing Multiple Policies",
 description = "Removing Multiple Policies",
 key = "pm:policies:remove",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/policies/manage"}
+ permissions = {"/device-mgt/policies/remove"}
 ),
 @Scope(
 name = "Activating Policies",
 description = "Activating Policies",
 key = "pm:policies:activate",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/policies/manage"}
+ permissions = {"/device-mgt/policies/activate"}
 ),
 @Scope(
 name = "Deactivating Policies",
 description = "Deactivating Policies",
 key = "pm:policies:deactivate",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/policies/manage"}
+ permissions = {"/device-mgt/policies/deactivate"}
 ),
 @Scope(
 name = "Applying Changes on Policies",
 description = "Applying Changes on Policies",
 key = "pm:policies:change",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/policies/manage"}
+ permissions = {"/device-mgt/policies/apply-changes"}
 ),
 @Scope(
 name = "Updating the Policy Priorities",
 description = "Updating the Policy Priorities",
 key = "pm:policies:priorities:update",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/policies/manage"}
+ permissions = {"/device-mgt/policies/update-priority"}
 ),
 @Scope(
 name = "Fetching the Effective Policy",
 description = "Fetching the Effective Policy",
 key = "pm:policies:effective-policy",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/policies/view"}
+ permissions = {"/device-mgt/policies/view-effective-policy"}
 )
 }
 )
diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/RoleManagementService.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/RoleManagementService.java
index d0cee93215..9be614674f 100644
--- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/RoleManagementService.java
+++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/RoleManagementService.java
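Review bot: The new policy permissions in PolicyManagementService use a verb-object leaf (`/device-mgt/policies/view-details`, `update-priority`, `apply-changes`, `view-effective-policy`), while UserManagementService in the same patch uses object/verb segments (`/device-mgt/users/details/view`, `roles/view`, `existence/view`); RoleManagementService mixes both (`view-permissions` next to `combined-role/add`). If permissions are granted by subtree, the two shapes behave differently: `details/view` gives an administrator a `details` node to grant as a whole, `view-details` does not. One form should be chosen before these paths are stored in role definitions, because renaming them later means another round of regranting.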
@@ -60,49 +60,49 @@ import java.util.List;
 description = "Getting Permission Details of a Role",
 key = "rm:roles:permissions:view",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/roles/view"}
+ permissions = {"/device-mgt/roles/view-permissions"}
 ),
 @Scope(
 name = "Getting the List of Roles",
 description = "Getting the List of Roles",
 key = "rm:roles:details:view",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/roles/view"}
+ permissions = {"/device-mgt/roles/view-details"}
 ),
 @Scope(
 name = "Adding a Role",
 description = "Adding a Role",
 key = "rm:roles:add",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/roles/manage"}
+ permissions = {"/device-mgt/roles/add"}
 ),
 @Scope(
 name = "Adding a combined Role",
 description = "Adding a combined Role",
 key = "rm:roles:combined:add",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/roles/manage"}
+ permissions = {"/device-mgt/roles/combined-role/add"}
 ),
 @Scope(
 name = "Updating Role Details",
 description = "Updating Role Details",
 key = "rm:roles:update",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/roles/manage"}
+ permissions = {"/device-mgt/roles/update"}
 ),
 @Scope(
 name = "Deleting a Role",
 description = "Deleting a Role",
 key = "rm:roles:delete",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/roles/manage"}
+ permissions = {"/device-mgt/roles/delete"}
 ),
 @Scope(
 name = "Adding Users to a Role",
 description = "Adding Users to a Role",
 key = "rm:users:add",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/roles/manage"}
+ permissions = {"/device-mgt/roles/assign-user"}
 )
 }
 )
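Review bot: Role administration in RoleManagementService is now split into `/device-mgt/roles/add`, `update`, `delete`, `combined-role/add` and `assign-user`, but every one of these scopes still lists `roles = {"Internal/devicemgt-user"}` on the unchanged context lines, whereas the admin services in this patch list `Internal/devicemgt-admin`. How the `roles` attribute is consumed is not visible here; if it seeds the default role's grants, an ordinary device-management user receives the ability to create roles and put users into them. Please confirm which role is meant to hold `/device-mgt/roles/assign-user` and `/device-mgt/roles/add`, and narrow the `roles` value if it is not the general user role.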
diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/UserManagementService.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/UserManagementService.java
index ded3961a62..afa5fdfc08 100644
--- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/UserManagementService.java
+++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/UserManagementService.java
@@ -82,35 +82,35 @@ import javax.ws.rs.core.Response;
 description = "Adding a User",
 key = "um:users:add",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/users/manage"}
+ permissions = {"/device-mgt/users/add"}
 ),
 @Scope(
 name = "Getting Details of a User",
 description = "Getting Details of a User",
 key = "um:users:details:view",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/users/view"}
+ permissions = {"/device-mgt/users/details/view"}
 ),
 @Scope(
 name = "Updating Details of a User",
 description = "Updating Details of a User",
 key = "um:users:update",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/users/manage"}
+ permissions = {"/device-mgt/users/update"}
 ),
 @Scope(
 name = "Deleting a User",
 description = "Deleting a User",
 key = "um:users:delete",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/users/manage"}
+ permissions = {"/device-mgt/users/delete"}
 ),
 @Scope(
 name = "Getting the Role Details of a User",
 description = "Getting the Role Details of a User",
 key = "um:roles:view",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/users/view"}
+ permissions = {"/device-mgt/users/roles/view"}
 ),
 @Scope(
 name = "Getting Details of Users",
@@ -124,42 +124,42 @@ import javax.ws.rs.core.Response;
 description = "Getting the User Count",
 key = "um:users:count",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/users/view"}
+ permissions = {"/device-mgt/users/count"}
 ),
 @Scope(
 name = "Getting the User existence status",
 description = "Getting the User existence status",
 key = "um:users:is-exist",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/users/view"}
+ permissions = {"/device-mgt/users/existence/view"}
 ),
 @Scope(
 name = "Searching for a User Name",
 description = "Searching for a User Name",
 key = "um:users:search",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/users/view"}
+ permissions = {"/device-mgt/users/search"}
 ),
 @Scope(
 name = "Changing the User Password",
 description = "Adding a User",
 key = "um:users:cred:change",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/login"}
+ permissions = {"/login/password/update"}
 ),
 @Scope(
 name = "Sending Enrollment Invitations to Users",
 description = "Sending Enrollment Invitations to Users",
 key = "um:users:invite",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/users/manage"}
+ permissions = {"/device-mgt/users/invite"}
 ),
 @Scope(
 name = "Get activities",
 description = "Get activities",
 key = "dm:activity:get",
 roles = {"Internal/devicemgt-user"},
- permissions = {"/device-mgt/devices/owning-device/view"}
+ permissions = {"/device-mgt/devices/owning-device/activities/view"}
 ),
 @Scope(
 name = "Getting the Permissions of the User",
diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/admin/ApplicationManagementAdminService.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/admin/ApplicationManagementAdminService.java
index 1cb5325dcc..211390180f 100644
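Review bot: In UserManagementService, `um:users:cred:change` moves from `/login` to `/login/password/update`, so a user whose role has only `/login` may no longer be able to change their own password after the upgrade, depending on how child paths are resolved. Whatever provisions default roles needs to grant the new path wherever `/login` is granted. The unchanged context line for this scope still reads `description = "Adding a User",`; it should be `description = "Changing the User Password",`.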
--- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/admin/ApplicationManagementAdminService.java
+++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/admin/ApplicationManagementAdminService.java
@@ -67,14 +67,14 @@ import javax.ws.rs.core.Response;
 description = "Installing an Application (Internal API)",
 key = "am:admin:app:install",
 roles = {"Internal/devicemgt-admin"},
- permissions = {"/device-mgt/applications/manage"}
+ permissions = {"/device-mgt/admin/applications/install"}
 ),
 @Scope(
 name = "Uninstalling an Application (Internal API)",
 description = "Uninstalling an Application (Internal API)",
 key = "am:admin:app:uninstall",
 roles = {"Internal/devicemgt-admin"},
- permissions = {"/device-mgt/applications/manage"}
+ permissions = {"/device-mgt/admin/applications/uninstall"}
 )
 }
 )
diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/admin/DeviceManagementAdminService.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/admin/DeviceManagementAdminService.java
index 9ebef18d15..21eae81189 100644
--- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/admin/DeviceManagementAdminService.java
+++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/admin/DeviceManagementAdminService.java
@@ -79,7 +79,7 @@ import java.util.List; description = "Getting Details of a Device", key = "dm:admin:devices:view", roles = {"Internal/devicemgt-admin"}, - permissions = {"/device-mgt/devices/owning-device/view"} + permissions = {"/device-mgt/admin/devices/view"} ), @Scope( name = "Update the Device Owner", diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/admin/GroupManagementAdminService.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/admin/GroupManagementAdminService.java index cec3ce0237..7801afb3e3 100644 --- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/admin/GroupManagementAdminService.java +++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/admin/GroupManagementAdminService.java @@ -84,7 +84,7 @@ import javax.ws.rs.core.Response; description = "", key = "gm:admin:groups:count", roles = {"Internal/devicemgt-admin"}, - permissions = {"/device-mgt/admin/groups/view"} + permissions = {"/device-mgt/admin/groups/count"} ), @Scope( name = "Add groups", diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/admin/UserManagementAdminService.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/admin/UserManagementAdminService.java index 7e5e5ce232..a62341756e 100644 --- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/admin/UserManagementAdminService.java 
+++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/api/admin/UserManagementAdminService.java @@ -53,14 +53,14 @@ import javax.ws.rs.core.Response; description = "View Users", key = "um:admin:users:view", roles = {"Internal/devicemgt-admin"}, - permissions = {"/device-mgt/users/manage"} + permissions = {"/device-mgt/admin/users/view"} ), @Scope( name = "Delete Users Device Information", description = "Delete users device details", key = "um:admin:users:remove", roles = {"Internal/devicemgt-admin"}, - permissions = {"/device-mgt/users/manage"} + permissions = {"/device-mgt/admin/users/delete"} ) } ) diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/DeviceManagementConstants.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/DeviceManagementConstants.java index ebf11e54ee..8fc2e2804a 100644 --- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/DeviceManagementConstants.java +++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/DeviceManagementConstants.java @@ -38,7 +38,7 @@ public final class DeviceManagementConstants { private ConfigurationManagement(){ throw new AssertionError(); } - public static final String SCOPES_FOR_TOKEN = "dm:ops:view dm:device:event:publish win:devices:enroll"; + public static final String SCOPES_FOR_TOKEN = "dm:devices:ops:view dm:device:event:publish win:devices:enroll"; public static final String IOT_GATEWAY_HOST = "iot.gateway.host"; public static final String IOT_GATEWAY_HTTPS_PORT = "iot.gateway.https.port"; public static final String IOT_CORE_HOST = "iot.core.host"; 
@@ -156,6 +156,7 @@ public final class DeviceManagementConstants { new Permission("/permission/admin/device-mgt/devices/enroll", "ui.execute"), new Permission("/permission/admin/device-mgt/devices/disenroll", "ui.execute"), new Permission("/permission/admin/device-mgt/devices/owning-device/view", "ui.execute"), + new Permission("/permission/admin/device-mgt/devices/owning-device/operations/view", "ui.execute"), new Permission("/permission/admin/device-mgt/metadata", "ui.execute"), new Permission("/permission/admin/manage/portal", "ui.execute") }; diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/business-controllers/device.js b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/business-controllers/device.js index 69995e840b..b01afcbf25 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/business-controllers/device.js +++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/business-controllers/device.js @@ -409,7 +409,7 @@ deviceModule = function () { var jwtClient = JWTClientManagerService.getJWTClient(); // returning access token by JWT grant type var deviceScope = "device_" + type.replace(" ", "") + "_" + deviceId + " dm:device:enroll " + - "dm:device:disenroll dm:device:modify dm:ops:view dm:device:event:publish"; + "dm:device:disenroll dm:device:modify dm:devices:ops:view dm:device:event:publish"; var tokenInfo = jwtClient.getAccessToken(config.clientId, config.clientSecret, userName, deviceScope); config.accessToken = tokenInfo.getAccessToken(); 
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/units/cdmf.unit.default.device.type.type-view/type-view.hbs b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/units/cdmf.unit.default.device.type.type-view/type-view.hbs index 410693a3b5..b94dd02644 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/units/cdmf.unit.default.device.type.type-view/type-view.hbs +++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/units/cdmf.unit.default.device.type.type-view/type-view.hbs @@ -120,7 +120,7 @@ -d '{ "applicationName":"testme", "isAllowedToAllDomains":false, "tags":["device_agent"]}'
  • Generate Token

    - curl -k -d "grant_type=password&username=%username%&password=%password%&scope=dm:device:enroll dm:device:disenroll dm:device:modify dm:ops:view dm:device:event:publish" + curl -k -d "grant_type=password&username=%username%&password=%password%&scope=dm:device:enroll dm:device:disenroll dm:device:modify dm:devices:ops:view dm:device:event:publish" -H "Authorization: Basic Base64(client_id:client_secret)" -H "Content-Type: application/x-www-form-urlencoded" {{httpsGateway}}/token
  • From 49747efa180e5f47bd217d9326b19eaa18a5362e Mon Sep 17 00:00:00 2001 From: tcdlpds Date: Fri, 13 Oct 2023 07:08:35 +0530 Subject: [PATCH 3/8] Add default perm config --- .../pom.xml | 6 ++ .../publisher/APIPublisherServiceImpl.java | 31 +++---- .../APIPublisherLifecycleListener.java | 65 ++++++--------- .../core/config/DeviceManagementConfig.java | 12 +++ .../config/permission/DefaultPermission.java | 47 +++++++++++ .../config/permission/DefaultPermissions.java | 38 +++++++++ .../core/config/permission/ScopeMapping.java | 58 +++++++++++++ .../src/main/resources/conf/cdm-config.xml | 82 +++++++++++++++++++ .../repository/conf/cdm-config.xml.j2 | 82 +++++++++++++++++++ 9 files changed, 361 insertions(+), 60 deletions(-) create mode 100644 components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/config/permission/DefaultPermission.java create mode 100644 components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/config/permission/DefaultPermissions.java create mode 100644 components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/config/permission/ScopeMapping.java diff --git a/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/pom.xml b/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/pom.xml index f40935568f..c6ebef438f 100644 --- a/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/pom.xml +++ b/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/pom.xml @@ -130,6 +130,10 @@ org.json.wso2 json + + io.entgra.device.mgt.core + io.entgra.device.mgt.core.device.mgt.core + 
@@ -187,6 +191,8 @@ io.entgra.device.mgt.core.apimgt.webapp.publisher.lifecycle.util, io.entgra.device.mgt.core.device.mgt.common.exceptions, io.entgra.device.mgt.core.device.mgt.common.metadata.mgt, + io.entgra.device.mgt.core.device.mgt.core.config, + io.entgra.device.mgt.core.device.mgt.core.config.permission, org.wso2.carbon.base;version="1.0", org.wso2.carbon.context;version="4.6", org.wso2.carbon;version="4.6", diff --git a/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherServiceImpl.java b/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherServiceImpl.java index d78de2c901..e76631e0cb 100644 --- a/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherServiceImpl.java +++ b/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherServiceImpl.java @@ -17,7 +17,6 @@ */ package io.entgra.device.mgt.core.apimgt.webapp.publisher; -import io.entgra.device.mgt.core.apimgt.annotations.Scopes; import io.entgra.device.mgt.core.apimgt.extension.rest.api.APIApplicationServices; import io.entgra.device.mgt.core.apimgt.extension.rest.api.APIApplicationServicesImpl; import io.entgra.device.mgt.core.apimgt.extension.rest.api.PublisherRESTAPIServices; 
@@ -40,6 +39,11 @@ import io.entgra.device.mgt.core.apimgt.webapp.publisher.dto.ApiScope; import io.entgra.device.mgt.core.apimgt.webapp.publisher.dto.ApiUriTemplate; import io.entgra.device.mgt.core.apimgt.webapp.publisher.exception.APIManagerPublisherException; import io.entgra.device.mgt.core.apimgt.webapp.publisher.internal.APIPublisherDataHolder; +import io.entgra.device.mgt.core.device.mgt.core.config.DeviceConfigurationManager; +import io.entgra.device.mgt.core.device.mgt.core.config.DeviceManagementConfig; +import io.entgra.device.mgt.core.device.mgt.core.config.permission.DefaultPermission; +import io.entgra.device.mgt.core.device.mgt.core.config.permission.DefaultPermissions; +import io.entgra.device.mgt.core.device.mgt.core.config.permission.ScopeMapping; import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; @@ -437,18 +441,8 @@ public class APIPublisherServiceImpl implements APIPublisherService { } public void addDefaultScopesIfNotExist() { - ArrayList defaultScopes = new ArrayList<>(); - defaultScopes.add("dm:devices:any:permitted"); - defaultScopes.add("dm:device:api:subscribe"); - defaultScopes.add("am:admin:lc:app:approve"); - defaultScopes.add("am:admin:lc:app:create"); - defaultScopes.add("am:admin:lc:app:reject"); - defaultScopes.add("am:admin:lc:app:block"); - defaultScopes.add("am:admin:lc:app:review"); - defaultScopes.add("am:admin:lc:app:retire"); - defaultScopes.add("am:admin:lc:app:deprecate"); - defaultScopes.add("am:admin:lc:app:publish"); - + DeviceManagementConfig deviceManagementConfig = DeviceConfigurationManager.getInstance().getDeviceManagementConfig(); + DefaultPermissions defaultPermissions = deviceManagementConfig.getDefaultPermissions(); APIApplicationServices apiApplicationServices = new APIApplicationServicesImpl(); try { APIApplicationKey apiApplicationKey = 
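Review bot: `deviceManagementConfig.getDefaultPermissions()` in `addDefaultScopesIfNotExist` is dereferenced by the loop in the next hunk without a null check. As far as I know, JAXB does not enforce `required = true` at unmarshal time unless schema validation is configured, so a cdm-config.xml that lacks the `DefaultPermissions` element would produce a NullPointerException that the visible `catch (BadRequestException | UnexpectedResponseException | APIServicesException e)` does not cover. I would guard it right after the lookup, e.g. `if (defaultPermissions == null || defaultPermissions.getDefaultPermissions() == null) { return; }`, preceded by a warning log so the missing configuration is noticed. The same unguarded lookup appears in the `APIPublisherLifecycleListener` hunk further down; the method body continues outside this hunk.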
@@ -460,12 +454,13 @@ public class APIPublisherServiceImpl implements APIPublisherService { PublisherRESTAPIServices publisherRESTAPIServices = new PublisherRESTAPIServicesImpl(); Scope scope = new Scope(); - for (String defaultScope: defaultScopes) { + for (DefaultPermission defaultPermission: defaultPermissions.getDefaultPermissions()) { //todo check whether scope is available or not - scope.setName(defaultScope); - scope.setDescription(defaultScope); - scope.setKey(defaultScope); - scope.setRoles("Internal/devicemgt-user"); + ScopeMapping scopeMapping = defaultPermission.getScopeMapping(); + scope.setName(scopeMapping.getName()); + scope.setDescription(scopeMapping.getName()); + scope.setKey(scopeMapping.getKey()); + scope.setRoles(scopeMapping.getDefaultRoles()); publisherRESTAPIServices.addNewSharedScope(apiApplicationKey, accessTokenInfo, scope); } } catch (BadRequestException | UnexpectedResponseException | APIServicesException e) { diff --git a/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/lifecycle/listener/APIPublisherLifecycleListener.java b/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/lifecycle/listener/APIPublisherLifecycleListener.java index 544b04637f..bbd2fd952e 100644 --- a/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/lifecycle/listener/APIPublisherLifecycleListener.java +++ b/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/lifecycle/listener/APIPublisherLifecycleListener.java 
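Review bot: `scope.setRoles(scopeMapping.getDefaultRoles())` now registers every shared scope with whatever role string the configuration file carries, and nothing checks that the value is present. A scope published with an empty role list is, in WSO2 API Manager as far as I know, not restricted to any role, so a blank or missing `DefaultRoles` element would likely widen access instead of failing closed; this should be confirmed against the publisher API in use. I would skip and log such entries before the setters, `if (scopeMapping == null || StringUtils.isBlank(scopeMapping.getDefaultRoles())) { continue; }`, which also covers a `DefaultPermission` without a `MappedScopeDetails` element. The loop sits in a try block that starts outside this hunk.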
@@ -18,17 +18,14 @@ package io.entgra.device.mgt.core.apimgt.webapp.publisher.lifecycle.listener; import com.google.gson.Gson; -import io.entgra.device.mgt.core.apimgt.extension.rest.api.APIApplicationServices; -import io.entgra.device.mgt.core.apimgt.extension.rest.api.APIApplicationServicesImpl; -import io.entgra.device.mgt.core.apimgt.extension.rest.api.PublisherRESTAPIServices; -import io.entgra.device.mgt.core.apimgt.extension.rest.api.PublisherRESTAPIServicesImpl; -import io.entgra.device.mgt.core.apimgt.extension.rest.api.dto.APIApplicationKey; -import io.entgra.device.mgt.core.apimgt.extension.rest.api.dto.APIInfo.Scope; -import io.entgra.device.mgt.core.apimgt.extension.rest.api.dto.AccessTokenInfo; import io.entgra.device.mgt.core.apimgt.webapp.publisher.dto.ApiScope; import io.entgra.device.mgt.core.device.mgt.common.exceptions.MetadataManagementException; import io.entgra.device.mgt.core.device.mgt.common.metadata.mgt.Metadata; import io.entgra.device.mgt.core.device.mgt.common.metadata.mgt.MetadataManagementService; +import io.entgra.device.mgt.core.device.mgt.core.config.DeviceConfigurationManager; +import io.entgra.device.mgt.core.device.mgt.core.config.DeviceManagementConfig; +import io.entgra.device.mgt.core.device.mgt.core.config.permission.DefaultPermission; +import io.entgra.device.mgt.core.device.mgt.core.config.permission.DefaultPermissions; import org.apache.catalina.Lifecycle; import org.apache.catalina.LifecycleEvent; import org.apache.catalina.LifecycleListener; @@ -47,7 +44,10 @@ import org.wso2.carbon.user.api.UserStoreException; import javax.servlet.ServletContext; import java.io.IOException; -import java.util.*; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Set; @SuppressWarnings("unused") public class APIPublisherLifecycleListener implements LifecycleListener { 
@@ -128,45 +128,26 @@ public class APIPublisherLifecycleListener implements LifecycleListener { "' and version '" + apiConfig.getVersion() + "'", e); } } - apiPublisherDataHolder.setPermScopeMapping(permScopeMap); - Map permScopeMapping = apiPublisherDataHolder.getPermScopeMapping(); - if (!permScopeMapping.isEmpty()) { - Metadata existingMetaData = metadataManagementService.retrieveMetadata("perm-scope" + - "-mapping"); - if (existingMetaData != null) { - existingMetaData.setMetaValue(new Gson().toJson(apiPublisherDataHolder.getPermScopeMapping() - )); - metadataManagementService.updateMetadata(existingMetaData); - } else { - Metadata newMetaData = new Metadata(); - newMetaData.setMetaKey("perm-scope-mapping"); - permScopeMapping = - apiPublisherDataHolder.getPermScopeMapping(); + Metadata existingMetaData = metadataManagementService.retrieveMetadata("perm-scope" + + "-mapping"); + if (existingMetaData != null) { + existingMetaData.setMetaValue(new Gson().toJson(permScopeMap)); + metadataManagementService.updateMetadata(existingMetaData); + } else { + Metadata newMetaData = new Metadata(); + newMetaData.setMetaKey("perm-scope-mapping"); - //Todo fix this properly with a config - Map defaultScopePermMap = new HashMap<>(); - defaultScopePermMap.put("/permission/admin/device-mgt/devices/any-device/permitted-actions-under-owning-device", "dm:devices:any:permitted"); - defaultScopePermMap.put("/permission/admin/device-mgt/device/api/subscribe", "dm:device:api:subscribe"); - defaultScopePermMap.put("/permission/admin/app-mgt/life-cycle/application/approve", "am:admin:lc:app:approve"); - defaultScopePermMap.put("/permission/admin/app-mgt/life-cycle/application/create", "am:admin:lc:app:create"); - defaultScopePermMap.put("/permission/admin/app-mgt/life-cycle/application/reject", "am:admin:lc:app:reject"); - defaultScopePermMap.put("/permission/admin/app-mgt/life-cycle/application/block", "am:admin:lc:app:block"); - 
defaultScopePermMap.put("/permission/admin/app-mgt/life-cycle/application/review", "am:admin:lc:app:review"); - defaultScopePermMap.put("/permission/admin/app-mgt/life-cycle/application/retire", "am:admin:lc:app:retire"); - defaultScopePermMap.put("/permission/admin/app-mgt/life-cycle/application/deprecate", "am:admin:lc:app:deprecate"); - defaultScopePermMap.put("/permission/admin/app-mgt/life-cycle/application/publish", "am:admin:lc:app:publish"); + DeviceManagementConfig deviceManagementConfig = DeviceConfigurationManager.getInstance().getDeviceManagementConfig(); + DefaultPermissions defaultPermissions = deviceManagementConfig.getDefaultPermissions(); - for (Map.Entry mapElement : defaultScopePermMap.entrySet()) { - String key = mapElement.getKey(); - String value = mapElement.getValue(); - permScopeMapping.put(key,value); - } - apiPublisherDataHolder.setPermScopeMapping(permScopeMapping); - newMetaData.setMetaValue(new Gson().toJson(permScopeMapping)); - metadataManagementService.createMetadata(newMetaData); + for (DefaultPermission defaultPermission : defaultPermissions.getDefaultPermissions()) { + permScopeMap.put(defaultPermission.getName(), defaultPermission.getScopeMapping().getKey()); } + newMetaData.setMetaValue(new Gson().toJson(permScopeMap)); + metadataManagementService.createMetadata(newMetaData); } + apiPublisherDataHolder.setPermScopeMapping(permScopeMap); } catch (IOException e) { log.error("Error encountered while discovering annotated classes", e); } catch (ClassNotFoundException e) { diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/config/DeviceManagementConfig.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/config/DeviceManagementConfig.java index 08c08df5ed..94d873b192 100644 
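Review bot: The configured default permissions are merged into `permScopeMap` only in the `else` branch that creates the `perm-scope-mapping` metadata. When the entry already exists, the update branch stores `new Gson().toJson(permScopeMap)` without them, and `apiPublisherDataHolder.setPermScopeMapping(permScopeMap)` then holds a different map on first start than on later starts. Because the old `!permScopeMapping.isEmpty()` guard was removed, an empty `permScopeMap` also appears able to overwrite a previously stored mapping. I would run the `for (DefaultPermission defaultPermission : ...)` merge before the `if (existingMetaData != null)` test so both branches persist the same permission-to-scope map, and keep an emptiness check before `updateMetadata`. The enclosing method starts and ends outside this hunk.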
--- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/config/DeviceManagementConfig.java +++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/config/DeviceManagementConfig.java @@ -39,6 +39,7 @@ import io.entgra.device.mgt.core.device.mgt.core.config.push.notification.PushNo import io.entgra.device.mgt.core.device.mgt.core.config.remote.session.RemoteSessionConfiguration; import io.entgra.device.mgt.core.device.mgt.core.config.status.task.DeviceStatusTaskConfig; import io.entgra.device.mgt.core.device.mgt.core.config.task.TaskConfiguration; +import io.entgra.device.mgt.core.device.mgt.core.config.permission.DefaultPermissions; import javax.xml.bind.annotation.XmlElement; import javax.xml.bind.annotation.XmlRootElement; @@ -75,6 +76,8 @@ public final class DeviceManagementConfig { private MetaDataConfiguration metaDataConfiguration; private EnrollmentGuideConfiguration enrollmentGuideConfiguration; + private DefaultPermissions defaultPermissions; + @XmlElement(name = "ManagementRepository", required = true) public DeviceManagementConfigRepository getDeviceManagementConfigRepository() { return deviceManagementConfigRepository; @@ -287,5 +290,14 @@ public final class DeviceManagementConfig { public void setEnrollmentGuideConfiguration(EnrollmentGuideConfiguration enrollmentGuideConfiguration) { this.enrollmentGuideConfiguration = enrollmentGuideConfiguration; } + + @XmlElement(name = "DefaultPermissions", required = true) + public DefaultPermissions getDefaultPermissions() { + return defaultPermissions; + } + + public void setDefaultPermissions(DefaultPermissions defaultPermissions) { + this.defaultPermissions = defaultPermissions; + } } 
diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/config/permission/DefaultPermission.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/config/permission/DefaultPermission.java new file mode 100644 index 0000000000..d8ee628924 --- /dev/null +++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/config/permission/DefaultPermission.java 
@@ -0,0 +1,47 @@ +/* + * Copyright (c) 2018 - 2023, Entgra (Pvt) Ltd. (http://www.entgra.io) All Rights Reserved. + * + * Entgra (Pvt) Ltd. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package io.entgra.device.mgt.core.device.mgt.core.config.permission; + +import javax.xml.bind.annotation.XmlElement; +import javax.xml.bind.annotation.XmlRootElement; + +@XmlRootElement(name = "DefaultPermission") +public class DefaultPermission { + + private String name; + private ScopeMapping scopeMapping; + + @XmlElement(name = "Name", required = true) + public String getName() { + return name; + } + + public void setName(String name) { + this.name = name; + } + + @XmlElement(name = "MappedScopeDetails", required = true) + public ScopeMapping getScopeMapping() { + return scopeMapping; + } + + public void setScopeMapping(ScopeMapping scopeMapping) { + this.scopeMapping = scopeMapping; + } +} diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/config/permission/DefaultPermissions.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/config/permission/DefaultPermissions.java new file mode 100644 index 0000000000..c04695b111 --- /dev/null 
+++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/config/permission/DefaultPermissions.java @@ -0,0 +1,38 @@ +/* + * Copyright (c) 2018 - 2023, Entgra (Pvt) Ltd. (http://www.entgra.io) All Rights Reserved. + * + * Entgra (Pvt) Ltd. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package io.entgra.device.mgt.core.device.mgt.core.config.permission; + +import javax.xml.bind.annotation.XmlElement; +import javax.xml.bind.annotation.XmlRootElement; +import java.util.List; + +@XmlRootElement(name = "DefaultPermissions") +public class DefaultPermissions { + + private List defaultPermissions; + + @XmlElement(name = "DefaultPermission", required = true) + public List getDefaultPermissions() { + return defaultPermissions; + } + + public void setDefaultPermissions(List defaultPermissions) { + this.defaultPermissions = defaultPermissions; + } +} diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/config/permission/ScopeMapping.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/config/permission/ScopeMapping.java new file mode 100644 index 0000000000..e745126502 --- /dev/null 
+++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/config/permission/ScopeMapping.java @@ -0,0 +1,58 @@ +/* + * Copyright (c) 2018 - 2023, Entgra (Pvt) Ltd. (http://www.entgra.io) All Rights Reserved. + * + * Entgra (Pvt) Ltd. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package io.entgra.device.mgt.core.device.mgt.core.config.permission; + +import javax.xml.bind.annotation.XmlElement; +import javax.xml.bind.annotation.XmlRootElement; + +@XmlRootElement(name = "MappedScopeDetails") +public class ScopeMapping { + + private String name; + private String key; + + private String defaultRoles; + + @XmlElement(name = "Name", required = true) + public String getName() { + return name; + } + + public void setName(String name) { + this.name = name; + } + + @XmlElement(name = "Key", required = true) + public String getKey() { + return key; + } + + public void setKey(String key) { + this.key = key; + } + + @XmlElement(name = "DefaultRoles", required = true) + public String getDefaultRoles() { + return defaultRoles; + } + + public void setDefaultRoles(String defaultRoles) { + this.defaultRoles = defaultRoles; + } +} 
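Review bot: `ScopeMapping`, `DefaultPermission` and `DefaultPermissions` are new public configuration types without any Javadoc, and the format of `defaultRoles` is not stated even though it decides who receives the scope. I would add a class comment such as `/** Scope (name, key and default roles) bound to one default permission in cdm-config.xml. */` and document the getter with `/** @return the roles granted this scope, as a comma-separated list of role names */`. The comma-separated format is inferred from the `split(",")` in `ScopeUtils.setRoles` later in this series and should be confirmed before it is written down.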
diff --git a/features/device-mgt/io.entgra.device.mgt.core.device.mgt.basics.feature/src/main/resources/conf/cdm-config.xml b/features/device-mgt/io.entgra.device.mgt.core.device.mgt.basics.feature/src/main/resources/conf/cdm-config.xml index c40cefc413..97c4ca9a3e 100644 --- a/features/device-mgt/io.entgra.device.mgt.core.device.mgt.basics.feature/src/main/resources/conf/cdm-config.xml +++ b/features/device-mgt/io.entgra.device.mgt.core.device.mgt.basics.feature/src/main/resources/conf/cdm-config.xml @@ -211,5 +211,87 @@ false Replace with mail + + + /permission/admin/device-mgt/devices/any-device/permitted-actions-under-owning-device + + Apply permitted actions on any device + dm:devices:any:permitted + Internal/devicemgt-user + + + + /permission/admin/device-mgt/device/api/subscribe + + Subscribe APIs + dm:device:api:subscribe + Internal/devicemgt-user + + + + /permission/admin/app-mgt/life-cycle/application/approve + + Approve Applications + am:admin:lc:app:approve + Internal/devicemgt-user + + + + /permission/admin/app-mgt/life-cycle/application/create + + Create Applications + am:admin:lc:app:create + Internal/devicemgt-user + + + + /permission/admin/app-mgt/life-cycle/application/reject + + Reject Applications + am:admin:lc:app:reject + Internal/devicemgt-user + + + + /permission/admin/app-mgt/life-cycle/application/block + + Block Applications + am:admin:lc:app:block + Internal/devicemgt-user + + + + /permission/admin/app-mgt/life-cycle/application/review + + Review Applications + am:admin:lc:app:review + Internal/devicemgt-user + + + + /permission/admin/app-mgt/life-cycle/application/retire + + Retire Applications + am:admin:lc:app:retire + Internal/devicemgt-user + + + + /permission/admin/app-mgt/life-cycle/application/deprecate + + Deprecate Application + am:admin:lc:app:deprecate + Internal/devicemgt-user + + + + /permission/admin/app-mgt/life-cycle/application/publish + + Publish Applications + am:admin:lc:app:publish + Internal/devicemgt-user + + + 
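Review bot: The application life-cycle scopes whose keys carry the `am:admin:` prefix (`am:admin:lc:app:approve`, `am:admin:lc:app:publish`, `am:admin:lc:app:block`, `am:admin:lc:app:retire` and the rest) are all bound to `Internal/devicemgt-user` in these new entries, which carries over the role that was previously hard-coded. Now that the role is configurable per scope, this is the place to decide whether approve/publish/block/retire should default to an admin role such as `Internal/devicemgt-admin`; I cannot tell from the hunk whether ordinary device-management users are meant to hold them. The identical list is added to `cdm-config.xml.j2`, so any change has to be made in both files. A short XML comment above the block, saying that each entry grants the scope to every role listed under it, would help operators who edit the file.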
diff --git a/features/device-mgt/io.entgra.device.mgt.core.device.mgt.basics.feature/src/main/resources/conf_templates/templates/repository/conf/cdm-config.xml.j2 b/features/device-mgt/io.entgra.device.mgt.core.device.mgt.basics.feature/src/main/resources/conf_templates/templates/repository/conf/cdm-config.xml.j2 index 2fe1494e09..bd6961e7d8 100644 --- a/features/device-mgt/io.entgra.device.mgt.core.device.mgt.basics.feature/src/main/resources/conf_templates/templates/repository/conf/cdm-config.xml.j2 +++ b/features/device-mgt/io.entgra.device.mgt.core.device.mgt.basics.feature/src/main/resources/conf_templates/templates/repository/conf/cdm-config.xml.j2 
@@ -383,5 +383,87 @@ Replace with mail {% endif %} + + + /permission/admin/device-mgt/devices/any-device/permitted-actions-under-owning-device + + Apply permitted actions on any device + dm:devices:any:permitted + Internal/devicemgt-user + + + + /permission/admin/device-mgt/device/api/subscribe + + Subscribe APIs + dm:device:api:subscribe + Internal/devicemgt-user + + + + /permission/admin/app-mgt/life-cycle/application/approve + + Approve Applications + am:admin:lc:app:approve + Internal/devicemgt-user + + + + /permission/admin/app-mgt/life-cycle/application/create + + Create Applications + am:admin:lc:app:create + Internal/devicemgt-user + + + + /permission/admin/app-mgt/life-cycle/application/reject + + Reject Applications + am:admin:lc:app:reject + Internal/devicemgt-user + + + + /permission/admin/app-mgt/life-cycle/application/block + + Block Applications + am:admin:lc:app:block + Internal/devicemgt-user + + + + /permission/admin/app-mgt/life-cycle/application/review + + Review Applications + am:admin:lc:app:review + Internal/devicemgt-user + + + + /permission/admin/app-mgt/life-cycle/application/retire + + Retire Applications + am:admin:lc:app:retire + Internal/devicemgt-user + + + + /permission/admin/app-mgt/life-cycle/application/deprecate + + Deprecate Application + am:admin:lc:app:deprecate + Internal/devicemgt-user + + + + /permission/admin/app-mgt/life-cycle/application/publish + + Publish Applications + am:admin:lc:app:publish + Internal/devicemgt-user + + + From 3a63f948a02da3b22eba06a582edea2ddc8473a4 Mon Sep 17 00:00:00 2001 From: Rajitha Kumara Date: Sun, 15 Oct 2023 14:25:37 +0530 Subject: [PATCH 4/8] Add admin role when adding shared scopes --- .../apimgt/extension/rest/api/util/ScopeUtils.java | 14 +++++++++++++- .../webapp/publisher/APIPublisherServiceImpl.java | 9 +++++---- .../src/main/resources/dbscripts/cdm/h2.sql | 2 +- .../src/main/resources/dbscripts/cdm/mysql.sql | 2 +- 4 files changed, 20 insertions(+), 7 deletions(-) 
diff --git a/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.extension.rest.api/src/main/java/io/entgra/device/mgt/core/apimgt/extension/rest/api/util/ScopeUtils.java b/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.extension.rest.api/src/main/java/io/entgra/device/mgt/core/apimgt/extension/rest/api/util/ScopeUtils.java index e8f602f992..58cff08553 100644 --- a/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.extension.rest.api/src/main/java/io/entgra/device/mgt/core/apimgt/extension/rest/api/util/ScopeUtils.java +++ b/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.extension.rest.api/src/main/java/io/entgra/device/mgt/core/apimgt/extension/rest/api/util/ScopeUtils.java @@ -18,6 +18,9 @@ package io.entgra.device.mgt.core.apimgt.extension.rest.api.util; +import java.util.HashSet; +import java.util.Set; + /** * This class represents the scope data. */ @@ -53,7 +56,7 @@ public class ScopeUtils { } public void setRoles(String roles) { - this.roles = roles; + this.roles = removeDuplicatesFromRoleString(roles); } public String getDescription() { @@ -75,4 +78,13 @@ public class ScopeUtils { "}"; return jsonString; } + + private static String removeDuplicatesFromRoleString(String roleString) { + String[] roles = roleString.split(","); + Set roleSet = new HashSet<>(); + for(String role : roles) { + roleSet.add(role.trim()); + } + return String.join(",", roleSet); + } } diff --git a/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherServiceImpl.java b/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherServiceImpl.java index e76631e0cb..be4def9da6 100644 
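Review bot: `removeDuplicatesFromRoleString` calls `roleString.split(",")` with no null check, so `setRoles(null)`, which the old setter accepted, now throws a NullPointerException. It also keeps empty tokens, so an input such as `",admin"` leaves a blank role name in the result. Roles come back in `HashSet` iteration order, which means the stored role string is not guaranteed to keep the order the caller supplied. A null guard, skipping blank tokens, and a `LinkedHashSet` (with the `java.util.HashSet` import in the first hunk changed to match) would keep the scope-to-role binding deterministic and free of empty role names.

```java
private static String removeDuplicatesFromRoleString(String roleString) {
    if (roleString == null) {
        return null;
    }
    // LinkedHashSet keeps the caller's order while dropping repeats.
    Set<String> roleSet = new LinkedHashSet<>();
    for (String role : roleString.split(",")) {
        String trimmed = role.trim();
        if (!trimmed.isEmpty()) {
            roleSet.add(trimmed);
        }
    }
    return String.join(",", roleSet);
}
```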
--- a/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherServiceImpl.java +++ b/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherServiceImpl.java @@ -100,6 +100,7 @@ public class APIPublisherServiceImpl implements APIPublisherService { public static final String SUBSCRIPTION_TO_CURRENT_TENANT = "CURRENT_TENANT"; public static final String API_GLOBAL_VISIBILITY = "PUBLIC"; public static final String API_PRIVATE_VISIBILITY = "PRIVATE"; + private static final String ADMIN_ROLE_KEY = ",admin"; private static final Log log = LogFactory.getLog(APIPublisherServiceImpl.class); @@ -186,7 +187,7 @@ public class APIPublisherServiceImpl implements APIPublisherService { scope.setName(apiScope.getName()); scope.setDescription(apiScope.getDescription()); scope.setKey(apiScope.getKey()); - scope.setRoles(apiScope.getRoles()); + scope.setRoles(apiScope.getRoles() + ADMIN_ROLE_KEY); publisherRESTAPIServices.addNewSharedScope(apiApplicationKey, accessTokenInfo, scope); } } @@ -259,7 +260,7 @@ public class APIPublisherServiceImpl implements APIPublisherService { scope.setName(apiScope.getName()); scope.setDescription(apiScope.getDescription()); scope.setKey(apiScope.getKey()); - scope.setRoles(apiScope.getRoles()); + scope.setRoles(apiScope.getRoles() + ADMIN_ROLE_KEY); publisherRESTAPIServices.addNewSharedScope(apiApplicationKey, accessTokenInfo, scope); } @@ -280,7 +281,7 @@ public class APIPublisherServiceImpl implements APIPublisherService { scope.setName(apiScope.getName()); scope.setDescription(apiScope.getDescription()); scope.setKey(apiScope.getKey()); - scope.setRoles(apiScope.getRoles()); + scope.setRoles(apiScope.getRoles() + ADMIN_ROLE_KEY); publisherRESTAPIServices.addNewSharedScope(apiApplicationKey, accessTokenInfo, scope); } } 
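Review bot: `apiScope.getRoles() + ADMIN_ROLE_KEY` is plain string concatenation, so a scope whose roles are null is sent to `addNewSharedScope` as `"null,admin"` and one with an empty role string as `",admin"`. The same expression appears in the hunks at -259, -280 and -460 (the last with `getDefaultRoles()`). A small private helper that returns only the admin role for null or blank input, e.g. `return (roles == null || roles.trim().isEmpty()) ? ADMIN_ROLE : roles + "," + ADMIN_ROLE;`, called as `scope.setRoles(withAdminRole(apiScope.getRoles()));`, would avoid binding a scope to a role literally named `null`. The literal `admin` also assumes the deployment has not renamed its administrator role; reading the name from the realm configuration would be safer if it is reachable from this class. The enclosing methods start and end outside these hunks.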
@@ -460,7 +461,7 @@ public class APIPublisherServiceImpl implements APIPublisherService { scope.setName(scopeMapping.getName()); scope.setDescription(scopeMapping.getName()); scope.setKey(scopeMapping.getKey()); - scope.setRoles(scopeMapping.getDefaultRoles()); + scope.setRoles(scopeMapping.getDefaultRoles() + ADMIN_ROLE_KEY); publisherRESTAPIServices.addNewSharedScope(apiApplicationKey, accessTokenInfo, scope); } } catch (BadRequestException | UnexpectedResponseException | APIServicesException e) { diff --git a/features/device-mgt/io.entgra.device.mgt.core.device.mgt.basics.feature/src/main/resources/dbscripts/cdm/h2.sql b/features/device-mgt/io.entgra.device.mgt.core.device.mgt.basics.feature/src/main/resources/dbscripts/cdm/h2.sql index 4d87dbdcca..4f9f9fa5dc 100644 --- a/features/device-mgt/io.entgra.device.mgt.core.device.mgt.basics.feature/src/main/resources/dbscripts/cdm/h2.sql +++ b/features/device-mgt/io.entgra.device.mgt.core.device.mgt.basics.feature/src/main/resources/dbscripts/cdm/h2.sql @@ -594,7 +594,7 @@ CREATE TABLE IF NOT EXISTS DM_METADATA ( METADATA_ID INT AUTO_INCREMENT NOT NULL, DATA_TYPE VARCHAR(16) NOT NULL, METADATA_KEY VARCHAR(128) NOT NULL, - METADATA_VALUE VARCHAR(20000) NOT NULL, + METADATA_VALUE VARCHAR(65535) NOT NULL, TENANT_ID INTEGER NOT NULL, PRIMARY KEY (METADATA_ID), CONSTRAINT METADATA_KEY_TENANT_ID UNIQUE (METADATA_KEY, TENANT_ID) diff --git a/features/device-mgt/io.entgra.device.mgt.core.device.mgt.basics.feature/src/main/resources/dbscripts/cdm/mysql.sql b/features/device-mgt/io.entgra.device.mgt.core.device.mgt.basics.feature/src/main/resources/dbscripts/cdm/mysql.sql index 1ea355fb81..2f4bd489f0 100644 --- a/features/device-mgt/io.entgra.device.mgt.core.device.mgt.basics.feature/src/main/resources/dbscripts/cdm/mysql.sql +++ b/features/device-mgt/io.entgra.device.mgt.core.device.mgt.basics.feature/src/main/resources/dbscripts/cdm/mysql.sql 
@@ -656,7 +656,7 @@ CREATE TABLE IF NOT EXISTS DM_METADATA ( METADATA_ID INTEGER NOT NULL AUTO_INCREMENT, DATA_TYPE VARCHAR(16) NOT NULL, METADATA_KEY VARCHAR(128) NOT NULL, - METADATA_VALUE VARCHAR(8000) NOT NULL, + METADATA_VALUE VARCHAR(65535) NOT NULL, TENANT_ID INTEGER NOT NULL, PRIMARY KEY (METADATA_ID), UNIQUE KEY METADATA_KEY_TENANT_ID (METADATA_KEY,TENANT_ID) From 4418caa631793c9a7a20035e0f4f090d61576505 Mon Sep 17 00:00:00 2001 From: Rajitha Kumara Date: Sun, 15 Oct 2023 16:03:06 +0530 Subject: [PATCH 5/8] Update db scripts --- .../src/main/resources/dbscripts/cdm/oracle.sql | 3 ++- .../src/main/resources/dbscripts/cdm/postgresql.sql | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/features/device-mgt/io.entgra.device.mgt.core.device.mgt.basics.feature/src/main/resources/dbscripts/cdm/oracle.sql b/features/device-mgt/io.entgra.device.mgt.core.device.mgt.basics.feature/src/main/resources/dbscripts/cdm/oracle.sql index f19645cdb7..f85e4349e5 100644 --- a/features/device-mgt/io.entgra.device.mgt.core.device.mgt.basics.feature/src/main/resources/dbscripts/cdm/oracle.sql +++ b/features/device-mgt/io.entgra.device.mgt.core.device.mgt.basics.feature/src/main/resources/dbscripts/cdm/oracle.sql @@ -998,7 +998,8 @@ CREATE TABLE DM_METADATA ( METADATA_ID NUMBER(10) NOT NULL, DATA_TYPE VARCHAR2(16) NOT NULL, METADATA_KEY VARCHAR2(128) NOT NULL, - METADATA_VALUE VARCHAR2(8000) NOT NULL, + -- Can be upgrade to 32767 bytes if the MAX_STRING_SIZE initialization parameter is set to EXTENDED -- + METADATA_VALUE VARCHAR2(4000) NOT NULL, TENANT_ID INTEGER NOT NULL, CONSTRAINT PK_DM_METADATA PRIMARY KEY (METADATA_ID), CONSTRAINT METADATA_KEY_TENANT_ID UNIQUE (METADATA_KEY, TENANT_ID) 
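Review bot: `METADATA_VALUE VARCHAR(65535) NOT NULL` in the MySQL script is likely to be rejected or silently changed. MySQL caps a row at 65,535 bytes across all columns and the maximum VARCHAR length is lower still with a multi-byte character set, so in strict mode the CREATE TABLE fails and otherwise the column is converted to a TEXT type. Declaring the type explicitly, `METADATA_VALUE TEXT NOT NULL,` (or `MEDIUMTEXT` if values can exceed 64 KB), keeps the schema predictable. Because the statement is `CREATE TABLE IF NOT EXISTS`, existing databases keep the old `VARCHAR(8000)` column unless a separate migration alters it. The Oracle hunk later in this series goes down to `VARCHAR2(4000)`, so the longest storable value now differs per database and any application-side length limit should follow the smallest.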
diff --git a/features/device-mgt/io.entgra.device.mgt.core.device.mgt.basics.feature/src/main/resources/dbscripts/cdm/postgresql.sql b/features/device-mgt/io.entgra.device.mgt.core.device.mgt.basics.feature/src/main/resources/dbscripts/cdm/postgresql.sql index 51361a90d3..2d72a7b423 100644 --- a/features/device-mgt/io.entgra.device.mgt.core.device.mgt.basics.feature/src/main/resources/dbscripts/cdm/postgresql.sql +++ b/features/device-mgt/io.entgra.device.mgt.core.device.mgt.basics.feature/src/main/resources/dbscripts/cdm/postgresql.sql @@ -660,7 +660,7 @@ CREATE TABLE IF NOT EXISTS DM_METADATA ( METADATA_ID BIGSERIAL PRIMARY KEY, DATA_TYPE VARCHAR(16) NOT NULL, METADATA_KEY VARCHAR(128) NOT NULL, - METADATA_VALUE VARCHAR(8000) NOT NULL, + METADATA_VALUE VARCHAR(65535) NOT NULL, TENANT_ID INTEGER NOT NULL, CONSTRAINT METADATA_KEY_TENANT_ID UNIQUE(METADATA_KEY, TENANT_ID) ); From 22b9897a4bdac688f2ff3963dacda0ca3567b8e3 Mon Sep 17 00:00:00 2001 From: akeela_azhar Date: Mon, 16 Oct 2023 08:00:42 +0530 Subject: [PATCH 6/8] Add permission updating logic --- .../webapp/publisher/APIPublisherService.java | 2 +- .../publisher/APIPublisherServiceImpl.java | 105 +++++++++++------- .../device/mgt/api/jaxrs/beans/RoleInfo.java | 8 ++ .../impl/RoleManagementServiceImpl.java | 11 +- 4 files changed, 78 insertions(+), 48 deletions(-) diff --git a/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherService.java b/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherService.java index 94eae16cb8..2dc95d4f37 100644 --- a/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherService.java 
+++ b/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherService.java @@ -38,6 +38,6 @@ public interface APIPublisherService { void addDefaultScopesIfNotExist(); - void updateScopeRoleMapping(String roleName, String[] permissions) throws APIManagerPublisherException; + void updateScopeRoleMapping(String roleName, String[] permissions, String[] removedPermissions) throws APIManagerPublisherException; } diff --git a/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherServiceImpl.java b/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherServiceImpl.java index be4def9da6..6d037525ae 100644 --- a/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherServiceImpl.java +++ b/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherServiceImpl.java @@ -626,7 +626,7 @@ public class APIPublisherServiceImpl implements APIPublisherService { } @Override - public void updateScopeRoleMapping(String roleName, String[] permissions) throws APIManagerPublisherException { + public void updateScopeRoleMapping(String roleName, String[] permissions, String[] removedPermissions) throws APIManagerPublisherException { APIApplicationServices apiApplicationServices = new APIApplicationServicesImpl(); APIApplicationKey apiApplicationKey; AccessTokenInfo accessTokenInfo; 
@@ -643,49 +643,14 @@ public class APIPublisherServiceImpl implements APIPublisherService { try { PublisherRESTAPIServices publisherRESTAPIServices = new PublisherRESTAPIServicesImpl(); JSONObject scopeObject = publisherRESTAPIServices.getScopes(apiApplicationKey, accessTokenInfo); - Map permScopeMap = APIPublisherDataHolder.getInstance().getPermScopeMapping(); - for (String permission : permissions) { - String scopeValue = permScopeMap.get(permission); - if (scopeValue == null) { - String msg = "Found invalid permission: " + permission + ". Hence aborting the scope role " + - "mapping process"; - log.error(msg); - throw new APIManagerPublisherException(msg); - } - - JSONArray scopeList = (JSONArray) scopeObject.get("list"); - for (int i = 0; i < scopeList.length(); i++) { - JSONObject scopeObj = scopeList.getJSONObject(i); - if (scopeObj.getString("name").equals(scopeValue)) { - Scope scope = new Scope(); - scope.setName(scopeObj.getString("name")); - scope.setKey(scopeObj.getString("name")); - scope.setDescription(scopeObj.getString("description")); - scope.setId(scopeObj.getString("id")); - - // Including already existing roles - JSONArray existingRolesArray = (JSONArray) scopeObj.get("bindings"); - List existingRoleList = new ArrayList(); - - for (int j = 0; j < existingRolesArray.length(); j++) { - existingRoleList.add((String) existingRolesArray.get(j)); - } - if (!existingRoleList.contains(roleName)) { - existingRoleList.add(roleName); - } - scope.setRoles(String.join(",", existingRoleList)); - - if (publisherRESTAPIServices.isSharedScopeNameExists(apiApplicationKey, accessTokenInfo, scope.getKey())) { - publisherRESTAPIServices.updateSharedScope(apiApplicationKey, accessTokenInfo, scope); - } else { - // todo: come to this level means, that scope is removed from API, but haven't removed from the scope-role-permission-mappings list - log.warn(scope.getKey() + " not available as shared scope"); - } - break; - } - } + if (permissions.length != 0) { + 
updateScopes(roleName, publisherRESTAPIServices, apiApplicationKey, accessTokenInfo, scopeObject, permissions, permScopeMap, false); + } + if (removedPermissions.length != 0) { + updateScopes(roleName, publisherRESTAPIServices, apiApplicationKey, accessTokenInfo, scopeObject, removedPermissions, permScopeMap, true); } + try { updatePermissions(roleName, Arrays.asList(permissions)); } catch (UserStoreException e) { 
@@ -708,6 +673,62 @@ public class APIPublisherServiceImpl implements APIPublisherService { } } + private void updateScopes (String roleName, PublisherRESTAPIServices publisherRESTAPIServices, + APIApplicationKey apiApplicationKey, AccessTokenInfo accessTokenInfo, + JSONObject scopeObject, String[] permissions, Map permScopeMap, boolean removingPermissions ) + throws APIManagerPublisherException { + for (String permission : permissions) { + String scopeValue = permScopeMap.get(permission); + if (scopeValue == null) { + String msg = "Found invalid permission: " + permission + ". Hence aborting the scope role " + + "mapping process"; + log.error(msg); + throw new APIManagerPublisherException(msg); + } + + JSONArray scopeList = (JSONArray) scopeObject.get("list"); + for (int i = 0; i < scopeList.length(); i++) { + JSONObject scopeObj = scopeList.getJSONObject(i); + if (scopeObj.getString("name").equals(scopeValue)) { + Scope scope = new Scope(); + scope.setName(scopeObj.getString("name")); + scope.setKey(scopeObj.getString("name")); + scope.setDescription(scopeObj.getString("description")); + scope.setId(scopeObj.getString("id")); + + // Including already existing roles + JSONArray existingRolesArray = (JSONArray) scopeObj.get("bindings"); + List existingRoleList = new ArrayList(); + + for (int j = 0; j < existingRolesArray.length(); j++) { + existingRoleList.add((String) existingRolesArray.get(j)); + } + + if (removingPermissions) { + existingRoleList.remove(roleName); + } else { + if (!existingRoleList.contains(roleName)) { + existingRoleList.add(roleName); + } + } + scope.setRoles(String.join(",", existingRoleList)); + + try { + if (publisherRESTAPIServices.isSharedScopeNameExists(apiApplicationKey, accessTokenInfo, scope.getKey())) { + publisherRESTAPIServices.updateSharedScope(apiApplicationKey, accessTokenInfo, scope); + } else { + // todo: come to this level means, that scope is removed from API, but haven't removed from the scope-role-permission-mappings list + 
log.warn(scope.getKey() + " not available as shared scope"); + } + } catch (APIServicesException | BadRequestException | UnexpectedResponseException e) { + log.error("Error occurred while updating role scope mapping via APIM REST endpoint.", e); + } + break; + } + } + } + } + private void updatePermissions(String role, List permissions) throws UserStoreException { AuthorizationManager authorizationManager = APIPublisherDataHolder.getInstance().getUserRealm() .getAuthorizationManager(); diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/beans/RoleInfo.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/beans/RoleInfo.java index 3ad90c07a6..374efeb6e0 100644 --- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/beans/RoleInfo.java +++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/beans/RoleInfo.java @@ -33,6 +33,11 @@ public class RoleInfo { @ApiModelProperty(name = "permissions", value = "Lists out all the permissions associated with roles.", required = true, dataType = "List[java.lang.String]") private String[] permissions; + + @ApiModelProperty(name = "removedPermissions", value = "Lists out all the permissions unassociated with roles.", + required = true, dataType = "List[java.lang.String]") + private String[] removedPermissions; + @ApiModelProperty(name = "users", value = "The list of users assigned to the selected role.", required = true, dataType = "List[java.lang.String]") private String[] users; 
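Review bot: The new `catch (APIServicesException | BadRequestException | UnexpectedResponseException e)` inside `updateScopes` only logs and the loop carries on, so a failed `updateSharedScope` call is invisible to the caller. When `removingPermissions` is true, a role can keep its scope binding at the API manager while `updateScopeRoleMapping` goes on to `updatePermissions` and returns normally, so a revocation that did not happen is reported as done. In the removed code the same call sat directly in the outer try, so these exceptions reached the method's own handlers. I would rethrow instead of swallowing: `throw new APIManagerPublisherException("Failed to update scope " + scope.getKey() + " for role " + roleName);`, passing `e` as the cause if the exception class has such a constructor. The message should name the scope and role so that a partial update can be found and repaired.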
@@ -76,4 +81,7 @@ public class RoleInfo { this.permissionList = permissionList; } + public String[] getRemovedPermissions() { return removedPermissions; } + + public void setRemovedPermissions(String[] removedPermissions) { this.removedPermissions = removedPermissions; } } diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/impl/RoleManagementServiceImpl.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/impl/RoleManagementServiceImpl.java index a9ea688d05..63a6a71d12 100644 --- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/impl/RoleManagementServiceImpl.java +++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/impl/RoleManagementServiceImpl.java @@ -403,8 +403,8 @@ public class RoleManagementServiceImpl implements RoleManagementService { try { if (roleInfo.getPermissions() != null && roleInfo.getPermissions().length > 0) { String[] roleName = roleInfo.getRoleName().split("/"); - addPermissions(roleName[roleName.length - 1], roleInfo.getPermissions(), - DeviceMgtAPIUtils.getUserRealm()); + roleInfo.setRemovedPermissions(new String[0]); + updatePermissions(roleName[roleName.length - 1], roleInfo, DeviceMgtAPIUtils.getUserRealm()); } } catch (UserStoreException e) { String msg = "Error occurred while loading the user store."; 
@@ -546,7 +546,7 @@ public class RoleManagementServiceImpl implements RoleManagementService { if (roleInfo.getPermissions() != null) { String[] roleDetails = roleName.split("/"); - addPermissions(roleDetails[roleDetails.length - 1], roleInfo.getPermissions(), userRealm); + updatePermissions(roleDetails[roleDetails.length - 1], roleInfo, userRealm); } //TODO: Need to send the updated role information in the entity back to the client return Response.status(Response.Status.OK).entity("Role '" + roleInfo.getRoleName() + "' has " + @@ -697,7 +697,7 @@ public class RoleManagementServiceImpl implements RoleManagementService { return rolePermissions; } - private void addPermissions(String roleName, String[] permissions, UserRealm userRealm) { + private void updatePermissions(String roleName, RoleInfo roleInfo, UserRealm userRealm) { String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain(true); Thread thread = new Thread(new Runnable() { @Override @@ -707,7 +707,8 @@ public class RoleManagementServiceImpl implements RoleManagementService { PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(tenantDomain, true); DeviceMgtAPIUtils.getApiPublisher().updateScopeRoleMapping(roleName, RoleManagementServiceImpl.this.getPlatformUIPermissions(roleName, userRealm, - permissions)); + roleInfo.getPermissions()), RoleManagementServiceImpl.this.getPlatformUIPermissions(roleName, userRealm, + roleInfo.getRemovedPermissions())); } catch (APIManagerPublisherException | UserAdminException e) { log.error("Error Occurred while updating role scope mapping. ", e); } finally { From 1b0ad156b2f8476cbeb91bc6ba9e2181af085ba6 Mon Sep 17 00:00:00 2001 
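Review bot: On the update path (`@@ -546,7`) `roleInfo.getRemovedPermissions()` is passed on without a default, whereas the create path sets `new String[0]` first. A request body that omits `removedPermissions` therefore reaches `removedPermissions.length` in `updateScopeRoleMapping` as null, unless `getPlatformUIPermissions` happens to normalise it, which is not visible here. That NullPointerException would be raised on the background thread, where only `APIManagerPublisherException | UserAdminException` are caught, so the scope update would stop without the usual error log entry. A guard before the call, `if (roleInfo.getRemovedPermissions() == null) { roleInfo.setRemovedPermissions(new String[0]); }`, closes that. Beyond the null case, revocation now depends on the client listing every permission it dropped; deriving the removed set on the server from the role's current permissions would keep a scope binding from outliving the permission.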
From: tcdlpds Date: Mon, 16 Oct 2023 10:30:03 +0530 Subject: [PATCH 7/8] Add Java Doc comments --- .../webapp/publisher/APIPublisherService.java | 13 ++++++++++ .../publisher/APIPublisherServiceImpl.java | 13 ++++++++++ .../impl/RoleManagementServiceImpl.java | 24 +++++++++++++++++++ 3 files changed, 50 insertions(+) diff --git a/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherService.java b/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherService.java index 2dc95d4f37..eec6cfcab7 100644 --- a/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherService.java +++ b/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherService.java @@ -36,8 +36,21 @@ public interface APIPublisherService { void updateScopeRoleMapping() throws APIManagerPublisherException; + /** + * Add default scopes defined in the cdm-config.xml + */ void addDefaultScopesIfNotExist(); + /** + * If the permissions are in the permission list, identify the relevant scopes of the supplied permission list + * and put the role there; if the permissions are in the removedPermission list, update the relevant scopes by + * deleting the role from those scopes. + * + * @param roleName Role Name + * @param permissions List of adding permissions + * @param removedPermissions List of removing permissions + * @throws APIManagerPublisherException If error occurred while updating the scope role mapping + */ void updateScopeRoleMapping(String roleName, String[] permissions, String[] removedPermissions) throws APIManagerPublisherException; } 
diff --git a/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherServiceImpl.java b/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherServiceImpl.java index 6d037525ae..69f20fa020 100644 --- a/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherServiceImpl.java +++ b/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherServiceImpl.java @@ -673,6 +673,19 @@ public class APIPublisherServiceImpl implements APIPublisherService { } } + /** + * Update Scopes + * + * @param roleName Role Name + * @param publisherRESTAPIServices {@link PublisherRESTAPIServices} + * @param apiApplicationKey {@link APIApplicationKey} + * @param accessTokenInfo {@link AccessTokenInfo} + * @param scopeObject scope object returning from APIM + * @param permissions List of permissions + * @param permScopeMap Permission Scope map + * @param removingPermissions if list of permissions has to be removed from the role send true, otherwise sends false. + * @throws APIManagerPublisherException If the method receives invalid permission to update. + */ private void updateScopes (String roleName, PublisherRESTAPIServices publisherRESTAPIServices, APIApplicationKey apiApplicationKey, AccessTokenInfo accessTokenInfo, JSONObject scopeObject, String[] permissions, Map permScopeMap, boolean removingPermissions ) 
diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/impl/RoleManagementServiceImpl.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/impl/RoleManagementServiceImpl.java index 63a6a71d12..bca483f6c0 100644 --- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/impl/RoleManagementServiceImpl.java +++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.api/src/main/java/io/entgra/device/mgt/core/device/mgt/api/jaxrs/service/impl/RoleManagementServiceImpl.java @@ -279,6 +279,14 @@ public class RoleManagementServiceImpl implements RoleManagementService { } } + /** + * Retrieve filtered permissions by analyzing all the permission paths. + * + * @param rolePermissions All the permission paths + * @param permissionPaths Permission paths that needs to filter + * @param permissions List of filtered permissions + * @return {@link List} + */ private List processAndFilterPermissions(UIPermissionNode[] rolePermissions, List permissionPaths, List permissions) { for (UIPermissionNode rolePermission : rolePermissions) { @@ -299,6 +307,15 @@ public class RoleManagementServiceImpl implements RoleManagementService { return permissions; } + /** + * Getting platform permissions + * + * @param roleName Role Name + * @param userRealm {@link UserRealm} + * @param permissions list of permissions + * @return {@link List} + * @throws UserAdminException if error occurred when getting {@link UIPermissionNode} + */ private String[] getPlatformUIPermissions(String roleName, UserRealm userRealm, String[] permissions) throws UserAdminException { UIPermissionNode uiPermissionNode = getUIPermissionNode(roleName, userRealm); 
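Review bot: The Javadoc added to `getPlatformUIPermissions` says `@return {@link List}`, but the signature in the same hunk returns `String[]`. Something like `@return the matching permissions as a String array` would agree with the code; which filtering is applied is not visible in this hunk, so the wording should be checked against the body. `@param permissions` could also state whether null is accepted, because callers pass request-supplied arrays straight through.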
@@ -697,6 +714,13 @@ public class RoleManagementServiceImpl implements RoleManagementService { return rolePermissions; } + /** + * Update the role's permissions. This will function in the fire and forget pattern and run on a new thread. + * + * @param roleName Role Name + * @param roleInfo {@link RoleInfo} + * @param userRealm {@link UserRealm} + */ private void updatePermissions(String roleName, RoleInfo roleInfo, UserRealm userRealm) { String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain(true); Thread thread = new Thread(new Runnable() { From c3cc4fe6d42599c9302d849c6e9955cd5afe4e0f Mon Sep 17 00:00:00 2001 From: Oshani Silva Date: Mon, 16 Oct 2023 05:21:44 +0000 Subject: [PATCH 8/8] Add fix for search operation (#251) fixes https://roadmap.entgra.net/issues/10279 Co-authored-by: osh Reviewed-on: https://repository.entgra.net/community/device-mgt-core/pulls/251 Co-authored-by: Oshani Silva Co-committed-by: Oshani Silva --- .../device/mgt/core/dao/impl/device/GenericDeviceDAOImpl.java | 4 ++-- .../mgt/core/service/DeviceManagementProviderServiceImpl.java | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/dao/impl/device/GenericDeviceDAOImpl.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/dao/impl/device/GenericDeviceDAOImpl.java index 32bffa5af4..fcb1799568 100644 --- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/dao/impl/device/GenericDeviceDAOImpl.java +++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/dao/impl/device/GenericDeviceDAOImpl.java 
@@ -94,7 +94,7 @@ public class GenericDeviceDAOImpl extends AbstractDeviceDAOImpl { "t.NAME AS DEVICE_TYPE "; //Filter by serial number or any Custom Property in DM_DEVICE_INFO - if (serial != null || !request.getCustomProperty().isEmpty()) { + if ((serial != null) || (request.getCustomProperty() != null && !request.getCustomProperty().isEmpty())) { sql = sql + "FROM DM_DEVICE d " + "INNER JOIN DM_DEVICE_TYPE t ON d.DEVICE_TYPE_ID = t.ID " + @@ -170,7 +170,7 @@ public class GenericDeviceDAOImpl extends AbstractDeviceDAOImpl { if (isSerialProvided) { stmt.setString(paramIdx++, "%" + serial + "%"); } - if (!request.getCustomProperty().isEmpty()) { + if (request.getCustomProperty() != null && !request.getCustomProperty().isEmpty()) { for (Map.Entry entry : request.getCustomProperty().entrySet()) { stmt.setString(paramIdx++, "%" + entry.getValue() + "%"); } diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/service/DeviceManagementProviderServiceImpl.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/service/DeviceManagementProviderServiceImpl.java index 8413b1499f..344325ae10 100644 --- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/service/DeviceManagementProviderServiceImpl.java +++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/service/DeviceManagementProviderServiceImpl.java @@ -652,7 +652,7 @@ public class DeviceManagementProviderServiceImpl implements DeviceManagementProv Map deviceManagerMap = new HashMap<>(); List deviceCacheKeyList = new ArrayList<>(); List existingDevices; - List validDevices = new ArrayList<>();; + List validDevices = new ArrayList<>(); int tenantId = this.getTenantId(); try {
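Review bot: The null-safe test `request.getCustomProperty() != null && !request.getCustomProperty().isEmpty()` is now written out twice, once where the SQL text is built (-94) and once where parameters are bound (-170). The two must agree or `paramIdx` no longer lines up with the placeholders. Computing it once, `boolean hasCustomProperty = request.getCustomProperty() != null && !request.getCustomProperty().isEmpty();`, next to wherever `isSerialProvided` is set and using the flag in both places would keep them in step. The bound value `"%" + entry.getValue() + "%"` is a context line, but `%` and `_` inside a client-supplied value still act as LIKE wildcards there and may deserve escaping. The method starts and ends outside these hunks.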