Permission modifications

components/certificate-mgt/org.wso2.carbon.certificate.mgt.api/src/main/webapp/META-INF/permissions.xml

@@ -32,7 +32,7 @@
     <!-- Device related APIs -->
     <Permission>
         <name>get certificate in the database</name>
-        <path>/device-mgt/admin/certificate/GetSignCSR</path>
+        <path>/device-mgt/certificate/GetSignCSR</path>
         <url>/certificates/scep/signcsr</url>
         <method>POST</method>
         <scope>emm_admin</scope>

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/ActivityInfoProviderService.java

@@ -93,7 +93,7 @@ public interface ActivityInfoProviderService {
                     message = "Internal Server Error. \n Server error occurred while fetching activity data.",
                     response = ErrorResponse.class)
     })
-    @Permission(name = "View Activities", permission = "/device-mgt/activities/view")
+    @Permission(name = "View Activities", permission = "/device-mgt/devices/owning/view")
     Response getActivity(
             @ApiParam(
                     name = "id",
@@ -154,7 +154,7 @@ public interface ActivityInfoProviderService {
                     message = "Internal Server Error. \n Server error occurred while fetching activity data.",
                     response = ErrorResponse.class)
     })
-    @Permission(name = "View Activities", permission = "/device-mgt/activities/view")
+    @Permission(name = "View Activities", permission = "/device-mgt/devices/owning/view")
     Response getActivities(
             @ApiParam(
                     name = "since",

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/ConfigurationManagementService.java

@@ -82,7 +82,7 @@ public interface ConfigurationManagementService {
                             "platform configuration.",
                     response = ErrorResponse.class)
     })
-    @Permission(name = "View Configurations", permission = "/device-mgt/configuration/view")
+    @Permission(name = "View Configurations", permission = "/device-mgt/configurations/view")
     Response getConfiguration(
             @ApiParam(
                     name = "If-Modified-Since",
@@ -128,7 +128,7 @@ public interface ConfigurationManagementService {
                             "Server error occurred while modifying general platform configuration.",
                     response = ErrorResponse.class)
     })
-    @Permission(name = "Manage configurations", permission = "/device-mgt/configuration/manage")
+    @Permission(name = "Manage configurations", permission = "/device-mgt/configurations/manage")
     Response updateConfiguration(
             @ApiParam(
                     name = "configuration",

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/DeviceManagementService.java

@@ -93,7 +93,7 @@ public interface DeviceManagementService {
                     message = "Internal Server Error. \n Server error occurred while fetching the device list.",
                     response = ErrorResponse.class)
     })
-    @Permission(name = "View Devices", permission = "/device-mgt/devices/view")
+    @Permission(name = "View Devices", permission = "/device-mgt/devices/owning/view")
     Response getDevices(
             @ApiParam(
                     name = "name",
@@ -200,7 +200,7 @@ public interface DeviceManagementService {
                                     "Server error occurred while retrieving information requested device.",
                             response = ErrorResponse.class)
             })
-    @Permission(name = "View Devices", permission = "/device-mgt/devices/view")
+    @Permission(name = "View Devices", permission = "/device-mgt/devices/owning/view")
     Response getDevice(
             @ApiParam(
                     name = "type",
@@ -282,7 +282,7 @@ public interface DeviceManagementService {
                                     "Server error occurred while retrieving feature list of the device.",
                             response = ErrorResponse.class)
             })
-    @Permission(name = "View Devices", permission = "/device-mgt/devices/view")
+    @Permission(name = "View Devices", permission = "/device-mgt/devices/owning/view")
     Response getFeaturesOfDevice(
             @ApiParam(
                     name = "type",
@@ -358,7 +358,7 @@ public interface DeviceManagementService {
                                     "Server error occurred while enrolling the device.",
                             response = ErrorResponse.class)
             })
-    @Permission(name = "View Devices", permission = "/device-mgt/devices/view")
+    @Permission(name = "View Devices", permission = "/device-mgt/devices/owning/view")
     Response searchDevices(
             @ApiParam(
                     name = "offset",
@@ -437,7 +437,7 @@ public interface DeviceManagementService {
                                     "Server error occurred while retrieving installed application list of the device.",
                             response = ErrorResponse.class)
             })
-    @Permission(name = "View Devices", permission = "/device-mgt/devices/view")
+    @Permission(name = "View Devices", permission = "/device-mgt/devices/owning/view")
     Response getInstalledApplications(
             @ApiParam(
                     name = "type",
@@ -533,7 +533,7 @@ public interface DeviceManagementService {
                                     "Server error occurred while retrieving operation list scheduled for the device.",
                             response = ErrorResponse.class)
             })
-    @Permission(name = "View Devices", permission = "/device-mgt/devices/view")
+    @Permission(name = "View Devices", permission = "/device-mgt/devices/owning/view")
     Response getDeviceOperations(
             @ApiParam(
                     name = "type",
@@ -631,7 +631,7 @@ public interface DeviceManagementService {
                             response = ErrorResponse.class)
             }
     )
-    @Permission(name = "View Devices", permission = "/device-mgt/devices/view")
+    @Permission(name = "View Devices", permission = "/device-mgt/devices/owning/view")
     Response getEffectivePolicyOfDevice(
             @ApiParam(
                     name = "type",
@@ -683,7 +683,7 @@ public interface DeviceManagementService {
                             response = ErrorResponse.class)
             }
     )
-    @Permission(name = "View Devices", permission = "/device-mgt/devices/view")
+    @Permission(name = "View Devices", permission = "/device-mgt/devices/owning/view")
     Response getComplianceDataOfDevice(
             @ApiParam(
                     name = "type",

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/DeviceTypeManagementService.java

@@ -79,7 +79,7 @@ public interface DeviceTypeManagementService {
                             response = ErrorResponse.class)
             }
     )
-    @Permission(name = "View Device Types", permission = "/device-mgt/devices/view")
+    @Permission(name = "View Device Types", permission = "/device-mgt/devices/owning/view")
     Response getDeviceTypes(
             @ApiParam(
                     name = "If-Modified-Since",

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/GroupManagementService.java

@@ -82,7 +82,7 @@ public interface GroupManagementService {
 //
 //    @GET
 //    @Path("/{groupName}/devices")
-//    @Permission(scope = "group-view", permissions = {"/permission/admin/device-mgt/admin/groups/roles"})
+//    @Permission(scope = "group-view", permissions = {"/permission/admin/device-mgt/groups/roles"})
 //    Response getDevicesOfGroup(@PathParam("groupName") String groupName, @QueryParam("offset") int offset,
 //                        @QueryParam("limit") int limit);
 //

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/DeviceManagementAdminService.java

@@ -86,7 +86,7 @@ public interface DeviceManagementAdminService {
                     message = "Internal Server Error. \n Server error occurred while fetching the device list.",
                     response = ErrorResponse.class)
     })
-    @Permission(name = "View Devices", permission = "/device-mgt/admin/devices/view")
+    @Permission(name = "View Devices", permission = "/device-mgt/devices/owning/view")
     Response getDevicesByName(
             @ApiParam(
                     name = "name",

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/UserManagementAdminService.java

@@ -69,7 +69,7 @@ public interface UserManagementAdminService {
                             "Server error occurred while updating credentials of the user.",
                     response = ErrorResponse.class)
     })
-    @Permission(name = "View Users", permission = "/device-mgt/admin/users/view")
+    @Permission(name = "View Users", permission = "/device-mgt/users/manage")
     Response resetUserPassword(
             @ApiParam(
                     name = "username",

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/webapp/META-INF/permissions.xml

@@ -45,334 +45,334 @@
     </Permission>
     <Permission>
         <name>Devices</name>
-        <path>/device-mgt/admin/devices</path>
+        <path>/device-mgt/devices</path>
         <url>/</url>
         <method>GET</method>
     </Permission>
     <!-- Device related APIs -->
     <Permission>
         <name>List devices</name>
-        <path>/device-mgt/admin/devices/List</path>
+        <path>/device-mgt/devices/List</path>
         <url>/devices</url>
         <method>GET</method>
     </Permission>
     <Permission>
         <name>Search devices</name>
-        <path>/device-mgt/admin/devices/Search</path>
+        <path>/device-mgt/devices/Search</path>
         <url>/devices/search-devices</url>
         <method>POST</method>
     </Permission>
     <Permission>
         <name>View device</name>
-        <path>/device-mgt/admin/devices/View</path>
+        <path>/device-mgt/devices/View</path>
         <url>/devices/*/*</url>
         <method>GET</method>
     </Permission>
     <Permission>
         <name>View device info</name>
-        <path>/device-mgt/admin/devices/View</path>
+        <path>/device-mgt/devices/View</path>
         <url>/devices/*/*/info</url>
         <method>GET</method>
     </Permission>
     <Permission>
         <name>View device applications</name>
-        <path>/device-mgt/admin/devices/View-Applications</path>
+        <path>/device-mgt/devices/View-Applications</path>
         <url>/devices/*/*/applications</url>
         <method>GET</method>
     </Permission>
     <Permission>
         <name>View device effective-policy</name>
-        <path>/device-mgt/admin/devices/View-Active-Policy</path>
+        <path>/device-mgt/devices/View-Active-Policy</path>
         <url>/devices/*/*/effective-policy</url>
         <method>GET</method>
     </Permission>
     <Permission>
         <name>View devices feature</name>
-        <path>/device-mgt/admin/devices/View-Features</path>
+        <path>/device-mgt/devices/View-Features</path>
         <url>/devices/*/*/features</url>
         <method>GET</method>
     </Permission>
     <Permission>
         <name>View device operations</name>
-        <path>/device-mgt/admin/devices/View-Operations</path>
+        <path>/device-mgt/devices/View-Operations</path>
         <url>/devices/*/*/operations</url>
         <method>GET</method>
     </Permission>
     <Permission>
         <name>View Compliance Data</name>
-        <path>/device-mgt/admin/devices/View-Compliance-Data</path>
+        <path>/device-mgt/devices/View-Compliance-Data</path>
         <url>/devices/*/*/compliance-data</url>
         <method>GET</method>
     </Permission>
     <Permission>
         <name>List all devices</name>
-        <path>/device-mgt/admin/devices/Admin-View</path>
+        <path>/device-mgt/devices/Admin-View</path>
         <url>/admin/devices</url>
         <method>GET</method>
     </Permission>
     <Permission>
         <name>View device types</name>
-        <path>/device-mgt/admin/devices/Admin-DeviceType-View</path>
+        <path>/device-mgt/devices/Admin-DeviceType-View</path>
         <url>/admin/device-types</url>
         <method>GET</method>
     </Permission>
     <!-- End of Device related APIs -->
     <Permission>
         <name>Policies</name>
-        <path>/device-mgt/admin/policies</path>
+        <path>/device-mgt/policies</path>
         <url>/</url>
         <method>GET</method>
     </Permission>
     <!-- Policy related APIs -->
     <Permission>
         <name>List policies</name>
-        <path>/device-mgt/admin/policies/List</path>
+        <path>/device-mgt/policies/List</path>
         <url>/policies</url>
         <method>GET</method>
     </Permission>
     <Permission>
         <name>Add Policy</name>
-        <path>/device-mgt/admin/policies/Add</path>
+        <path>/device-mgt/policies/Add</path>
         <url>/policies</url>
         <method>POST</method>
     </Permission>
     <Permission>
         <name>Activate policy</name>
-        <path>/device-mgt/admin/policies/Activate-Policy</path>
+        <path>/device-mgt/policies/Activate-Policy</path>
         <url>/policies/activate-policy</url>
         <method>PUT</method>
     </Permission>
     <Permission>
         <name>Deactivate Policy</name>
-        <path>/device-mgt/admin/policies/Deactivate-Policy</path>
+        <path>/device-mgt/policies/Deactivate-Policy</path>
         <url>/policies/deactivate-policy</url>
         <method>PUT</method>
     </Permission>
     <Permission>
         <name>Remove Policy</name>
-        <path>/device-mgt/admin/policies/Remove</path>
+        <path>/device-mgt/policies/Remove</path>
         <url>/policies/remove-policy</url>
         <method>POST</method>
     </Permission>
     <Permission>
         <name>View Policy</name>
-        <path>/device-mgt/admin/policies/View</path>
+        <path>/device-mgt/policies/View</path>
         <url>/policies/*</url>
         <method>GET</method>
     </Permission>
     <Permission>
         <name>Update Policy</name>
-        <path>/device-mgt/admin/policies/Update</path>
+        <path>/device-mgt/policies/Update</path>
         <url>/policies/*</url>
         <method>PUT</method>
     </Permission>
     <Permission>
         <name>Update Policy</name>
-        <path>/device-mgt/admin/policies/Update</path>
+        <path>/device-mgt/policies/Update</path>
         <url>/policies/apply-changes</url>
         <method>PUT</method>
     </Permission>
     <Permission>
         <name>Update Policy</name>
-        <path>/device-mgt/admin/policies/Change-Priority</path>
+        <path>/device-mgt/policies/Change-Priority</path>
         <url>/policies/priorities</url>
         <method>PUT</method>
     </Permission>
     <!-- End of Policy related APIs -->
     <Permission>
         <name>Notifications</name>
-        <path>/device-mgt/admin/notifications</path>
+        <path>/device-mgt/notifications</path>
         <url>/</url>
         <method>GET</method>
     </Permission>
     <!-- Notification related APIs -->
     <Permission>
         <name>View notifications</name>
-        <path>/device-mgt/admin/notifications/View</path>
+        <path>/device-mgt/notifications/View</path>
         <url>/notifications</url>
         <method>GET</method>
     </Permission>
     <Permission>
         <name>Mark checked notifications</name>
-        <path>/device-mgt/admin/notifications/View</path>
+        <path>/device-mgt/notifications/View</path>
         <url>/notifications/*/mark-checked</url>
         <method>PUT</method>
     </Permission>
     <!-- End of Notification related APIs -->
     <Permission>
         <name>Users</name>
-        <path>/device-mgt/admin/users</path>
+        <path>/device-mgt/users</path>
         <url>/</url>
         <method>GET</method>
     </Permission>
     <!-- User related APIs -->
     <Permission>
         <name>List users</name>
-        <path>/device-mgt/admin/users/List</path>
+        <path>/device-mgt/users/List</path>
         <url>/users</url>
         <method>GET</method>
     </Permission>
     <Permission>
         <name>Add user</name>
-        <path>/device-mgt/admin/users/Add</path>
+        <path>/device-mgt/users/Add</path>
         <url>/users</url>
         <method>POST</method>
     </Permission>
     <Permission>
         <name>List users</name>
-        <path>/device-mgt/admin/users/Search</path>
+        <path>/device-mgt/users/Search</path>
         <url>/users/search/usernames</url>
         <method>GET</method>
     </Permission>
     <Permission>
         <name>Remove user</name>
-        <path>/device-mgt/admin/users/Remove</path>
+        <path>/device-mgt/users/Remove</path>
         <url>/users/*</url>
         <method>DELETE</method>
     </Permission>
     <Permission>
         <name>View user</name>
-        <path>/device-mgt/admin/users/View</path>
+        <path>/device-mgt/users/View</path>
         <url>/users/*</url>
         <method>GET</method>
     </Permission>
     <Permission>
         <name>Update user</name>
-        <path>/device-mgt/admin/users/Update</path>
+        <path>/device-mgt/users/Update</path>
         <url>/users/*</url>
         <method>PUT</method>
     </Permission>
     <Permission>
         <name>Update user credentials</name>
-        <path>/device-mgt/admin/users/Change-Password</path>
+        <path>/device-mgt/users/Change-Password</path>
         <url>/users/*/credentials</url>
         <method>PUT</method>
     </Permission>
     <Permission>
         <name>View assigned role</name>
-        <path>/device-mgt/admin/roles/Assigned-Roles</path>
+        <path>/device-mgt/roles/Assigned-Roles</path>
         <url>/users/*/roles</url>
         <method>GET</method>
     </Permission>
     <Permission>
         <name>Change any user credentials</name>
-        <path>/device-mgt/admin/users/Change-Password-Any</path>
+        <path>/device-mgt/users/Change-Password-Any</path>
         <url>/admin/users/*/credentials</url>
         <method>POST</method>
     </Permission>
     <Permission>
         <name>Send invitation mail</name>
-        <path>/device-mgt/admin/users/Send-invitations</path>
+        <path>/device-mgt/users/Send-invitations</path>
         <url>/users/send-invitation</url>
         <method>POST</method>
     </Permission>
     <!-- End of User related APIs -->
     <Permission>
         <name>Roles</name>
-        <path>/device-mgt/admin/roles</path>
+        <path>/device-mgt/roles</path>
         <url>/</url>
         <method>GET</method>
     </Permission>
     <!-- Role related APIs -->
     <Permission>
         <name>List roles</name>
-        <path>/device-mgt/admin/roles/List</path>
+        <path>/device-mgt/roles/List</path>
         <url>/roles</url>
         <method>GET</method>
     </Permission>
     <Permission>
         <name>Add role</name>
-        <path>/device-mgt/admin/roles/Add</path>
+        <path>/device-mgt/roles/Add</path>
         <url>/roles</url>
         <method>POST</method>
     </Permission>
     <Permission>
         <name>Remove role</name>
-        <path>/device-mgt/admin/roles/Remove</path>
+        <path>/device-mgt/roles/Remove</path>
         <url>/roles/*</url>
         <method>DELETE</method>
     </Permission>
     <Permission>
         <name>View role</name>
-        <path>/device-mgt/admin/roles/View</path>
+        <path>/device-mgt/roles/View</path>
         <url>/roles/*</url>
         <method>GET</method>
     </Permission>
     <Permission>
         <name>Update role</name>
-        <path>/device-mgt/admin/roles/Update</path>
+        <path>/device-mgt/roles/Update</path>
         <url>/roles/*</url>
         <method>PUT</method>
     </Permission>
     <Permission>
         <name>View role permissions</name>
-        <path>/device-mgt/admin/roles/View-Permission</path>
+        <path>/device-mgt/roles/View-Permission</path>
         <url>/roles/*/permissions</url>
         <method>GET</method>
     </Permission>
     <Permission>
         <name>Add Users to role</name>
-        <path>/device-mgt/admin/roles/Add-Users</path>
+        <path>/device-mgt/roles/Add-Users</path>
         <url>/roles/*/users</url>
         <method>PUT</method>
     </Permission>
     <!-- End of Role related APIs -->
     <Permission>
         <name>Configurations</name>
-        <path>/device-mgt/admin/general-configs</path>
+        <path>/device-mgt/general-configs</path>
         <url>/</url>
         <method>GET</method>
     </Permission>
     <!-- Configuration related APIs -->
     <Permission>
         <name>View configuration</name>
-        <path>/device-mgt/admin/general-configuration/View</path>
+        <path>/device-mgt/general-configuration/View</path>
         <url>/configuration</url>
         <method>GET</method>
     </Permission>
     <Permission>
         <name>Update configuration</name>
-        <path>/device-mgt/admin/general-configuration/Update</path>
+        <path>/device-mgt/general-configuration/Update</path>
         <url>/configuration</url>
         <method>PUT</method>
     </Permission>
     <!-- End of Configuration related APIs -->
     <Permission>
         <name>Activities</name>
-        <path>/device-mgt/admin/activities</path>
+        <path>/device-mgt/activities</path>
         <url>/</url>
         <method>GET</method>
     </Permission>
     <!-- Activity related APIs -->
     <Permission>
         <name>View Activities</name>
-        <path>/device-mgt/admin/activities/View</path>
+        <path>/device-mgt/devices/owning/view</path>
         <url>/activities</url>
         <method>GET</method>
     </Permission>
     <Permission>
         <name>View Activity Details</name>
-        <path>/device-mgt/admin/activities/View</path>
+        <path>/device-mgt/devices/owning/view</path>
         <url>/activities/*</url>
         <method>GET</method>
     </Permission>
     <!-- End of Activity related APIs -->
     <Permission>
         <name>Applications</name>
-        <path>/device-mgt/admin/applications</path>
+        <path>/device-mgt/applications</path>
         <url>/</url>
         <method>GET</method>
     </Permission>
     <!-- Application related APIs -->
     <Permission>
         <name>Install Applications</name>
-        <path>/device-mgt/admin/application/Install</path>
+        <path>/device-mgt/application/Install</path>
         <url>/admin/applications/install-application</url>
         <method>POST</method>
     </Permission>
     <Permission>
         <name>Uninstall-Applications</name>
-        <path>/device-mgt/admin/application/Uninstall</path>
+        <path>/device-mgt/application/Uninstall</path>
         <url>/admin/applications/uninstall-application</url>
         <method>POST</method>
     </Permission>

components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/group/mgt/DeviceGroupConstants.java

@@ -67,7 +67,7 @@ public class DeviceGroupConstants {
 
     public static class Permissions {
         public static final String[] DEFAULT_ADMIN_PERMISSIONS =
-                {"/permission/device-mgt/admin/groups", "/permission/device-mgt/user/groups"};
+                {"/permission/device-mgt/groups", "/permission/device-mgt/user/groups"};
         public static final String[] DEFAULT_OPERATOR_PERMISSIONS =
                 {"/permission/device-mgt/user/groups/device_operation"};
         public static final String[] DEFAULT_STATS_MONITOR_PERMISSIONS =

components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java

@@ -47,7 +47,7 @@ import java.util.Map;
  */
 public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthorizationService {
 
-    private final static String CDM_ADMIN_PERMISSION = "/device-mgt/admin";
+    private final static String CDM_ADMIN_PERMISSION = "/device-mgt/devices/any/permitted-actions-upon-owning-device";
     private final static String CDM_ADMIN = "Device Management Administrator";
     private static Log log = LogFactory.getLog(DeviceAccessAuthorizationServiceImpl.class);
 
@@ -246,7 +246,7 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
     private boolean addAdminPermissionToRegistry() throws PermissionManagementException {
         Permission permission = new Permission();
         permission.setName(CDM_ADMIN);
-        permission.setPath(CDM_ADMIN_PERMISSION);
+        permission.setPath(PermissionUtils.getAbsolutePermissionPath(CDM_ADMIN_PERMISSION));
         return PermissionUtils.putPermission(permission);
     }
 

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/api/device-api.jag

@@ -152,7 +152,7 @@ if (!user) {
                     result =  responsePayload.responseText;
                 });
     } else if (uriMatcher.match("/{context}/api/devices/")) {
-        if (userModule.isAuthorized("/permission/admin/device-mgt/admin/devices/list")) {
+        if (userModule.isAuthorized("/permission/admin/device-mgt/devices/list")) {
             result = deviceModule.listDevices();
         } else {
             response.sendError(403);
@@ -161,7 +161,7 @@ if (!user) {
         elements = uriMatcher.elements();
         deviceId = elements.deviceId;
         type = elements.type;
-        if (userModule.isAuthorized("/permission/admin/device-mgt/admin/devices/list")) {
+        if (userModule.isAuthorized("/permission/admin/device-mgt/devices/list")) {
             result = deviceModule.viewDevice(type, deviceId);
         }else {
             response.sendError(403);
@@ -171,7 +171,7 @@ if (!user) {
         deviceId = elements.deviceId;
         type = elements.type;
         operation = elements.operation;
-        if (userModule.isAuthorized("/permission/admin/device-mgt/admin/devices/operation")) {
+        if (userModule.isAuthorized("/permission/admin/device-mgt/devices/operation")) {
             result = deviceModule.performOperation(deviceId, operation, [], type);
         } else {
             response.sendError(403);

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/api/user-api.jag

@@ -98,7 +98,7 @@ if (uriMatcher.match("/{context}/api/user/authenticate")) {
     /*
      @Deprecated
      */
-    if (userModule.isAuthorized("/permission/admin/device-mgt/admin/user/invite")) {
+    if (userModule.isAuthorized("/permission/admin/device-mgt/user/invite")) {
         elements = uriMatcher.elements();
         username = elements.username;
         userModule.inviteUser(username);
@@ -109,7 +109,7 @@ if (uriMatcher.match("/{context}/api/user/authenticate")) {
     /*
      @Deprecated
      */
-    if (userModule.isAuthorized("/permission/admin/device-mgt/admin/user/add")) {
+    if (userModule.isAuthorized("/permission/admin/device-mgt/user/add")) {
         addUserFormData = request.getContent();
         username = addUserFormData.username;
         firstname = addUserFormData.firstname;
@@ -160,7 +160,7 @@ if (uriMatcher.match("/{context}/api/user/authenticate")) {
     /*
      @Deprecated
      */
-    if (userModule.isAuthorized("/permission/admin/device-mgt/admin/user/remove")) {
+    if (userModule.isAuthorized("/permission/admin/device-mgt/user/remove")) {
         elements = uriMatcher.elements();
         username = elements.username;
         try {

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/business-controllers/user.js

@@ -396,25 +396,25 @@ var userModule = function () {
 
     publicMethods.getUIPermissions = function () {
         var permissions = {};
-        if (publicMethods.isAuthorized("/permission/admin/device-mgt/admin/devices/list")) {
+        if (publicMethods.isAuthorized("/permission/admin/device-mgt/devices/list")) {
             permissions["LIST_DEVICES"] = true;
         }
         if (publicMethods.isAuthorized("/permission/admin/device-mgt/user/devices/list")) {
             permissions["LIST_OWN_DEVICES"] = true;
         }
-        if (publicMethods.isAuthorized("/permission/admin/device-mgt/admin/groups/list")) {
+        if (publicMethods.isAuthorized("/permission/admin/device-mgt/groups/list")) {
             permissions["LIST_ALL_GROUPS"] = true;
         }
         if (publicMethods.isAuthorized("/permission/admin/device-mgt/user/groups/list")) {
             permissions["LIST_GROUPS"] = true;
         }
-        if (publicMethods.isAuthorized("/permission/admin/device-mgt/admin/users/list")) {
+        if (publicMethods.isAuthorized("/permission/admin/device-mgt/users/list")) {
             permissions["LIST_USERS"] = true;
         }
-        if (publicMethods.isAuthorized("/permission/admin/device-mgt/admin/roles/list")) {
+        if (publicMethods.isAuthorized("/permission/admin/device-mgt/roles/list")) {
             permissions["LIST_ROLES"] = true;
         }
-        if (publicMethods.isAuthorized("/permission/admin/device-mgt/admin/policies/list")) {
+        if (publicMethods.isAuthorized("/permission/admin/device-mgt/policies/list")) {
             permissions["LIST_ALL_POLICIES"] = true;
         }
         if (publicMethods.isAuthorized("/permission/admin/device-mgt/user/policies/list")) {
@@ -426,28 +426,28 @@ var userModule = function () {
         if (publicMethods.isAuthorized("/permission/admin/device-mgt/user/groups/add")) {
             permissions["ADD_GROUP"] = true;
         }
-        if (publicMethods.isAuthorized("/permission/admin/device-mgt/admin/users/add")) {
+        if (publicMethods.isAuthorized("/permission/admin/device-mgt/users/add")) {
             permissions["ADD_USER"] = true;
         }
-        if (publicMethods.isAuthorized("/permission/admin/device-mgt/admin/users/remove")) {
+        if (publicMethods.isAuthorized("/permission/admin/device-mgt/users/remove")) {
             permissions["REMOVE_USER"] = true;
         }
-        if (publicMethods.isAuthorized("/permission/admin/device-mgt/admin/roles/add")) {
+        if (publicMethods.isAuthorized("/permission/admin/device-mgt/roles/add")) {
             permissions["ADD_ROLE"] = true;
         }
-        if (publicMethods.isAuthorized("/permission/admin/device-mgt/admin/policies/add")) {
+        if (publicMethods.isAuthorized("/permission/admin/device-mgt/policies/add")) {
             permissions["ADD_ADMIN_POLICY"] = true;
         }
         if (publicMethods.isAuthorized("/permission/admin/device-mgt/user/policies/add")) {
             permissions["ADD_POLICY"] = true;
         }
-        if (publicMethods.isAuthorized("/permission/admin/device-mgt/admin/policies/priority")) {
+        if (publicMethods.isAuthorized("/permission/admin/device-mgt/policies/priority")) {
             permissions["CHANGE_POLICY_PRIORITY"] = true;
         }
-        if (publicMethods.isAuthorized("/permission/admin/device-mgt/admin/dashboard/view")) {
+        if (publicMethods.isAuthorized("/permission/admin/device-mgt/dashboard/view")) {
             permissions["VIEW_DASHBOARD"] = true;
         }
-        if (publicMethods.isAuthorized("/permission/admin/device-mgt/admin/platform-configs/view")) {
+        if (publicMethods.isAuthorized("/permission/admin/device-mgt/platform-configs/view")) {
             permissions["TENANT_CONFIGURATION"] = true;
         }
 

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.certificate.create/create.hbs

@@ -23,18 +23,20 @@
             <i class="icon fw fw-home"></i>
         </a>
     </li>
+    <li>
+        <a href="{{@app.context}}/certificates">
+            Certificates
+        </a>
+    </li>
     <li>
         <a href="{{@app.context}}/certificates/add">
-            <span class="fw-stack">
+            Add
-               <i class="fw fw-ring fw-stack-2x"></i>
-               <i class="fw fw-document fw-stack-1x"></i>
-            </span>
-            Add Certificate
         </a>
     </li>
 {{/zone}}
 
 {{#zone "content"}}
+    {{#if isAuthorized}}
         <!-- content/body -->
         <div class="row">
             <div class="col-md-12">
@@ -94,6 +96,14 @@
             </div>
         </div>
         <!-- /content/body -->
+    {{else}}
+        <h1 class="page-sub-title">
+            Permission Denied
+        </h1>
+        <br>
+        You not authorized to enter Certificate Management Section.
+        <br>
+    {{/if}}
 {{/zone}}
 
 {{#zone "bottomJs"}}

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.certificate.create/create.js

@@ -26,7 +26,8 @@ function onRequest(context) {
     // var log = new Log("units/user-create/create.js");
     var userModule = require("/app/modules/business-controllers/user.js")["userModule"];
     var mdmProps = require("/app/modules/conf-reader/main.js")["conf"];
-
+    var viewModel = {};
+    viewModel.isAuthorized = userModule.isAuthorized("/permission/admin/device-mgt/certificates/manage");
     var response = userModule.getRolesByUserStore();
     if (response["status"] == "success") {
         viewModel["roles"] = response["content"];

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.certificates/certificates.hbs

@@ -23,6 +23,15 @@
             <i class="icon fw fw-home"></i>
         </a>
     </li>
+    <li>
+        <a href="{{@app.context}}/certificates">
+           Certificate
+        </a>
+    </li>
+{{/zone}}
+
+{{#zone "navbarActions"}}
+    {{#if removePermitted}}
         <li>
             <a href="{{@app.context}}/certificates/add">
             <span class="fw-stack">
@@ -32,6 +41,7 @@
                 Add Certificate
             </a>
         </li>
+    {{/if}}
 {{/zone}}
 
 {{#zone "content"}}

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.role.create/create.hbs

@@ -38,6 +38,7 @@
 {{/zone}}
 
 {{#zone "content"}}
+    {{#if canManage}}
     <!-- content/body -->
     <div class="row">
         <div class="col-md-12">
@@ -96,6 +97,7 @@
                                     Role name is required, should be in minimum 3 characters long and not include any whitespaces.
                                 </label>
                             </div>
+                            {{#if canViewUsers}}
                             <label class="wr-input-label">
                                 User list
                             </label>
@@ -104,6 +106,7 @@
                                 <!--suppress HtmlFormInputWithoutLabel -->
                                 <select id="users" class="form-control select2" multiple="multiple"></select>
                             </div>
+                            {{/if}}
                         </div>
                     </div>
                     <br>
@@ -134,6 +137,14 @@
         </div>
     </div>
     <!-- /content/body -->
+    {{else}}
+        <h1 class="page-sub-title">
+            Permission Denied
+        </h1>
+        <br>
+        You not authorized to enter Role Management Section.
+        <br>
+    {{/if}}
 {{/zone}}
 {{#zone "bottomJs"}}
     {{js "js/bottomJs.js"}}

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.role.create/create.js

@@ -20,16 +20,24 @@
  * Returns the dynamic state to be populated by add-user page.
  * 
  * @param context Object that gets updated with the dynamic state of this page to be presented
- * @returns {*} A context object that returns the dynamic state of this page to be presented
+ * @returns {*} A displayData object that returns the dynamic state of this page to be presented
  */
 function onRequest(context) {
     var userModule = require("/app/modules/business-controllers/user.js")["userModule"];
     var deviceMgtProps = require("/app/modules/conf-reader/main.js")["conf"];
+    var displayData = {};
 
-    context["userStores"] = userModule.getSecondaryUserStores();
+    displayData["userStores"] = userModule.getSecondaryUserStores();
-    context["roleNameJSRegEx"] = deviceMgtProps["roleValidationConfig"]["roleNameJSRegEx"];
+    displayData["roleNameJSRegEx"] = deviceMgtProps["roleValidationConfig"]["roleNameJSRegEx"];
-    context["roleNameHelpText"] = deviceMgtProps["roleValidationConfig"]["roleNameHelpMsg"];
+    displayData["roleNameHelpText"] = deviceMgtProps["roleValidationConfig"]["roleNameHelpMsg"];
-    context["roleNameRegExViolationErrorMsg"] = deviceMgtProps["roleValidationConfig"]["roleNameRegExViolationErrorMsg"];
+    displayData["roleNameRegExViolationErrorMsg"] = deviceMgtProps["roleValidationConfig"]["roleNameRegExViolationErrorMsg"];
 
-    return context;
+    if (userModule.isAuthorized("/permission/admin/device-mgt/roles/manage")) {
+        displayData.canManage = true;
+    }
+    if (userModule.isAuthorized("/permission/admin/device-mgt/users/view")) {
+        displayData.canViewUsers = true;
+    }
+
+    return displayData;
 }

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.user.create/create.hbs

@@ -51,7 +51,8 @@
                                 <div id="user-create-error-msg" class="alert alert-danger hidden" role="alert">
                                     <i class="icon fw fw-error"></i><span></span>
                                 </div>
-                            <label class="wr-input-label" title="Select the domain of the user store from the drop-down given below. The domain of the default user store is PRIMARY">
+                                <label class="wr-input-label"
+                                       title="Select the domain of the user store from the drop-down given below. The domain of the default user store is PRIMARY">
                                     User Store Domain
                                     <span class="wr-help-tip glyphicon glyphicon-question-sign"></span>
                                 </label>
@@ -68,19 +69,25 @@
                                     <span class="wr-help-tip glyphicon glyphicon-question-sign"></span>
                                 </label>
                                 <div id="usernameInputField" class="form-group wr-input-control">
-                                <input limit="{{charLimit}}" type="text" id="username" data-regex="{{usernameJSRegEx}}" data-errormsg="{{usernameRegExViolationErrorMsg}}" class="form-control"/>
+                                    <input limit="{{charLimit}}" type="text" id="username"
+                                           data-regex="{{usernameJSRegEx}}"
+                                           data-errormsg="{{usernameRegExViolationErrorMsg}}" class="form-control"/>
                                     <span class=" usernameError hidden glyphicon glyphicon-remove form-control-feedback"></span>
-                                <label class="error usernameEmpty hidden" for="summary">This field is required. Username should be in minimum 3 characters long and do not include any whitespaces.</label>
+                                    <label class="error usernameEmpty hidden" for="summary">This field is required.
+                                        Username should be in minimum 3 characters long and do not include any
+                                        whitespaces.</label>
                                 </div>
                                 <label class="wr-input-label">First Name *</label>
                                 <div id="firstNameField" class="form-group wr-input-control">
-                                <input type="text" id="firstname" data-regex="{{firstnameJSRegEx}}" data-errormsg="{{firstnameRegExViolationErrorMsg}}" class="form-control"/>
+                                    <input type="text" id="firstname" data-regex="{{firstnameJSRegEx}}"
+                                           data-errormsg="{{firstnameRegExViolationErrorMsg}}" class="form-control"/>
                                     <span class="glyphicon glyphicon-remove form-control-feedback hidden fnError"></span>
                                     <label class=" hidden error fnError" for="summary">This field is required.</label>
                                 </div>
                                 <label class="wr-input-label">Last Name *</label>
                                 <div id="lastNameField" class="form-group wr-input-control">
-                                <input type="text" id="lastname" data-regex="{{lastnameJSRegEx}}" data-errormsg="{{lastnameRegExViolationErrorMsg}}" class="form-control"/>
+                                    <input type="text" id="lastname" data-regex="{{lastnameJSRegEx}}"
+                                           data-errormsg="{{lastnameRegExViolationErrorMsg}}" class="form-control"/>
                                     <span class="glyphicon glyphicon-remove form-control-feedback hidden lnError"></span>
                                     <label class=" hidden error lnError" for="summary">This field is required.</label>
                                 </div>
@@ -91,13 +98,17 @@
                                 <div id="emailField" class=" form-group wr-input-control">
                                     <input type="email" id="emailAddress" class="form-control"/>
                                     <span class="glyphicon glyphicon-remove form-control-feedback hidden emailError"></span>
-                                <label class=" hidden error email-required" for="summary">This field is required.</label>
+                                    <label class=" hidden error email-required" for="summary">This field is
-                                <label class=" hidden error email-invalid" for="summary">Invalid Email Address.</label>
+                                        required.</label>
+                                    <label class=" hidden error email-invalid" for="summary">Invalid Email
+                                        Address.</label>
                                 </div>
-                            <label class="wr-input-label" title="Optional field that can have 0-to-many roles for the user">
+                                <label class="wr-input-label"
+                                       title="Optional field that can have 0-to-many roles for the user">
                                     User Roles
                                     <span class="wr-help-tip glyphicon glyphicon-question-sign"></span>
                                 </label>
+                                {{#if canViewRoles}}
                                     <div class="wr-input-control">
                                         <select id="roles" class="form-control select2" multiple="multiple">
                                             {{#each roles}}
@@ -105,6 +116,7 @@
                                             {{/each}}
                                         </select>
                                     </div>
+                                {{/if}}
                             </div>
                         </div>
                         <br>
@@ -128,7 +140,8 @@
                         <br>Please click <b>"Add Another User"</b>, if you wish to add another user or click
                         <b>"View User List"</b> to complete the process and go back to the user list.
                         <hr/>
-                    <button class="wr-btn" onclick="window.location.href='{{@app.context}}/users'">View User List</button>
+                        <button class="wr-btn" onclick="window.location.href='{{@app.context}}/users'">View User List
+                        </button>
                         <a href="{{@app.context}}/user/add" class="cu-btn-inner">
                         <span class="fw-stack">
                             <i class="fw fw-ring fw-stack-2x"></i>

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.user.create/create.js

@@ -35,6 +35,9 @@ function onRequest() {
     if (userModule.isAuthorized("/permission/admin/device-mgt/users/manage")) {
         page.canManage = true;
     }
+    if (userModule.isAuthorized("/permission/admin/device-mgt/roles/view")) {
+        page.canViewRoles = true;
+    }
     var userStores = userModule.getSecondaryUserStores();
     page["userStores"] = userStores;
     page["charLimit"] = devicemgtProps["usernameLength"];

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/units/cdmf.unit.policy.create/create.js

@@ -26,6 +26,8 @@ function onRequest(context) {
     var types = {};
 
     types.isAuthorized = userModule.isAuthorized("/permission/admin/device-mgt/policies/manage");
+    types.isAuthorizedViewUsers = userModule.isAuthorized("/permission/admin/device-mgt/roles/view");
+    types.isAuthorizedViewRoles = userModule.isAuthorized("/permission/admin/device-mgt/users/view");
     types["types"] = [];
     var typesListResponse = deviceModule.getDeviceTypes();
     if (typesListResponse["status"] == "success") {

components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/config/Permissions.java

@@ -23,7 +23,7 @@ import javax.xml.bind.annotation.XmlType;
  *           <simpleType>
  *             <restriction base="{http://www.w3.org/2001/XMLSchema}string">
  *               <enumeration value="/permission/device-mgt/user/groups/device_operation"/>
- *               <enumeration value="/permission/device-mgt/admin/groups"/>
+ *               <enumeration value="/permission/device-mgt/groups"/>
  *               <enumeration value="/permission/device-mgt/user/groups"/>
  *               <enumeration value="/permission/device-mgt/user/groups/device_monitor"/>
  *             </restriction>