[Feature] Support application roles for Identity Server and support RBAC for apps

[AnuradhaSK]

Is your feature request related to a problem? Please describe.
Role-based access control (RBAC) is a widely used access control mechanism for B2E and B2B applications. To support RBAC, API resource management, API Authorization to applications, application role management, and application role-based scope validation are key features to have in the IAM solution.

Describe the solution you would prefer

• Implement roles management catering organization level role mgt and application level role mgt
• Ability to assign userstore groups and locally managed users to roles in the newly implemented model
• Ability to assign federated idp groups to roles in the newly implemented model
• Use these roles for scope validation and support RBAC
• Ability to share roles of B2B applications when sharing the app with sub org
• Use these roles in XACML policies
• Add an adaptive script functions to consume application roles of a user during adaptive scripts

[Achintha444]

Design

Wireframe

https://docs.google.com/document/d/1Jt1ksVptBHmcrsitva_r4Aa7UjAFwVcr_rdlvkgh0Ns/edit

[Achintha444]

Front-End PR's

• Update UI of the groups section of roles identity-apps#4162
• Add i18N to the new roles section identity-apps#4147
• Update i18n of roles. identity-apps#4152
• feat(react): add Autocomplete component oxygen-ui#165
• Updated the UIs of the assign groups and assign users in the edit roles interface identity-apps#4212
• Edit role basic UI updated identity-apps#4224
• Change assign roles interfaces in the user and group sections identity-apps#4239
• Add create role UI identity-apps#4266
• Add permissions selection section to the create role interface identity-apps#4278
• Update roles list interface identity-apps#4280
• Complete role creation identity-apps#4305
• fix(react): fix autocomplete component prop type issue oxygen-ui#170
• Enable role V2 feature identity-apps#4326
• Fix Role permission, api resource not displaying bug identity-apps#4387
• Fix legacyAuthzRuntime not setting properly identity-apps#4391
• Bump versions in pom  #17310
• Fix Assigned users and groups in roles identity-apps#4415
• Hide connected apps tab if the audience is application. identity-apps#4422
• Temporary update hasRequiredScopes function identity-apps#4429
• Bump console version #17352

[AnuradhaSK]

BE PRs

DB schema due to RoleV2 service

• Introduce audience to the role (DB schemas) carbon-kernel#3673
• Add APP_ROLE_ASSOCIATION and ROLE_SCOPE tables carbon-identity-framework#4936
• Change unique key of the UM_SHARED_ROLE table by adding UM_MAIN_ROLE_TENANT_ID carbon-kernel#3693

OSGi service improvements to existing role module and new OSGi service for RoleV2 mgt

• Introduce Role-Management V2 carbon-identity-framework#4965
• Introduce role management listener to resolve application mgt services carbon-identity-framework#5031

SCIM and Charon Changes for Role V2 support

• Add Role V2 definitions charon#392
• Introduce scim2/v2/Roles endpoint wso2-extensions/identity-inbound-provisioning-scim2#486

Add access control and /o/ path support for /scim2/v2/Roles endpoint

• Add access control for /scim2/v2/Roles endpoint carbon-identity-framework#4917
• Allow /scim2/v2/Roles in /o path carbon-identity-framework#4998

Capability to associate roles in the new model with an application

• Add capability to associate v2 roles with applications carbon-identity-framework#5001
• Add capability to associate v2 roles with applications identity-api-server#504
• Resolve associated roles of shared app wso2-extensions/identity-organization-management#258
• Return allowed role audience in application list view if requested carbon-identity-framework#5045
• Return associating roles' allowed audience on request identity-api-server#515
• Fix integration failures due to new attribute in ApplicationResponseModel in application api v1 #17182
• Fix integration failures due to new attribute in ApplicationListItem in application api v1 #17191

Shared role managing event handler

• Add shared role managing event handler and event listener wso2-extensions/identity-organization-management#255
• New services to derive whether app is shared to a given org / get main app id wso2-extensions/identity-organization-management#260
• Support app audience role deletion on app deletion, Add Listeners for AssociatedRole config retrieval service, and Bug fixes carbon-identity-framework#5047
• Implement listeners to resolve associated role details of shared app wso2-extensions/identity-organization-management#268
• Add subscriptions for SharedRoleMgtHandler carbon-identity-framework#5053

Scope Validator Improvements

Kernel level improvements for Role V2

• Introduce Hybrid Role-V2 Manager carbon-kernel#3690
• New : Change hybrid role manager to work with V2 roles  carbon-kernel#3700
• Fix admin role mandatory attribute update wso2-extensions/identity-inbound-provisioning-scim2#497
• Fix federated roles resolving issue carbon-identity-framework#5102

Event handlers updates related to Role V2

• Update IdentityOauthEventHandler to support Role V2 wso2-extensions/identity-inbound-auth-oauth#2198

Config to enable/disable legacy authz runtime

• Add configuration to enable legacy authorization runtime carbon-kernel#3699

Admin role system permissions update

• Add application mgt listener to update permissions of admin role and add admin role to console app carbon-identity-framework#5042

Scope Validator implementation

• Default OAuth2 Scope Validator implementation  wso2-extensions/identity-inbound-auth-oauth#2206

** Return roles from suborganizations to parent org always to support RBAC for shared apps**

• Always set roles claim as a requested claim of the shared application if legacy authz runtime is false wso2-extensions/identity-organization-management#275

App associated roles resolver implementation

• Add App Associated Role Resolver implementation and handle roles claim carbon-identity-framework#5070

[AnuradhaSK]

Migration Issues

• [Migration-Identity DB] Support application roles for Identity Server and support RBAC for apps #16865
• [Migration-Shared DB] Support application roles for Identity Server and support RBAC for apps  #16864

[AnuradhaSK]

Pending Items

• Cache fixes such as Introduce Role-Management V2 carbon-identity-framework#4965 (comment)
• Add Audit logs in the new pattern
• Integration Tests

[PasinduYeshan]

Improvements/ Bug Fixes :

• Fix permission not getting replaced when empty permission list is sent - Fixed empty permission list replace issue in v2 Role patch wso2-extensions/identity-inbound-provisioning-scim2#495
• Fix 500 returns when empty value object is sent in patch replace operation - Fixed empty value object issue inside v2 role patch operation charon#395
• Fix shared shared v2 role display name update issue - Fix shared shared v2 role display name update issue carbon-identity-framework#5071
• Fix delete role with application deletion issue - Fix delete roles by application name issue carbon-identity-framework#5115
• Add from clauses for MySQL queries - Add FROM clause for v2 role management sql queries  carbon-identity-framework#5116
• Error while retrieving list of v2 roles with corrupted audience information #17395 - Fix get role list issue when roles has deleted/invalid audience info carbon-identity-framework#5119

[asekawa]

Identified bugs
1.UI issues in groups assign section in the roles tab - #17235
2.Two Add roles buttons are visible in the roles section- #17236

[AnuradhaSK]

Creating issues for pending tasks

• Add a caching layer for role management
• Add audit logs for role management
• Support federated group to role mapping
• Use the newly introduced roles in XACML policies with new authz runtime
• Add an adaptive script function to consume roles of a user during adaptive scripts
• Add unit tests to new modules / new functions
• Add integration tests to /scim2/v2/Roles API
• Documentation