Improve user delete and update for sub organizations

components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/utils/SCIMCommonUtils.java

@@ -34,6 +34,8 @@
 import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
 import org.wso2.carbon.identity.core.util.IdentityUtil;
 import org.wso2.carbon.identity.handler.event.account.lock.constants.AccountConstants;
+import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
+import org.wso2.carbon.identity.organization.management.service.util.OrganizationManagementUtil;
 import org.wso2.carbon.identity.role.mgt.core.IdentityRoleManagementException;
 import org.wso2.carbon.identity.role.mgt.core.util.UserIDResolver;
 import org.wso2.carbon.identity.scim2.common.cache.SCIMCustomAttributeSchemaCache;
@@ -948,4 +950,20 @@ public static String getLoggedInUserID() throws CharonException {
  throw new CharonException("Error occurred while retrieving super admin ID.", e);
  }
  }
+
+ /**
+ * Check whether the given tenant domain is an organization.
+ *
+ * @param tenantDomain Tenant domain of the request
+ * @return True if the tenant domain is an organization.
+ * @throws CharonException If an error occurred while checking the organization state.
+ */
+ public static boolean isOrganization(String tenantDomain) throws CharonException {
+
+ try {
+ return OrganizationManagementUtil.isOrganization(tenantDomain);
+ } catch (OrganizationManagementException e) {
+ throw new CharonException("Error occurred while checking the organization state.", e);
+ }
+ }
 }

components/org.wso2.carbon.identity.scim2.provider/src/main/java/org/wso2/carbon/identity/scim2/provider/resources/UserResource.java

@@ -40,6 +40,7 @@
 import javax.ws.rs.core.Response;
 
 import static org.wso2.carbon.identity.scim2.provider.util.SupportUtils.buildCustomSchema;
+import static org.wso2.carbon.identity.scim2.provider.util.SupportUtils.getTenantDomain;
 import static org.wso2.carbon.identity.scim2.provider.util.SupportUtils.getTenantId;
 
 @Path("/")
@@ -151,13 +152,16 @@ public Response deleteUser(@PathParam(SCIMProviderConstants.ID) String id,
  // obtain the user store manager
  UserManager userManager = IdentitySCIMManager.getInstance().getUserManager();
 
- String superAdminID = AdminAttributeUtil.getSuperAdminID();
- String loggedInUser = SCIMCommonUtils.getLoggedInUserID();
- if ((superAdminID.equals(id)) && (!loggedInUser.equals(id))) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Do not have permission to delete SuperAdmin user.");
+ // Skipping this validation if the request comes from a sub organization.
+ if (!SCIMCommonUtils.isOrganization(getTenantDomain())) {
+ String superAdminID = AdminAttributeUtil.getSuperAdminID();
+ String loggedInUser = SCIMCommonUtils.getLoggedInUserID();
+ if ((superAdminID.equals(id)) && (!loggedInUser.equals(id))) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Do not have permission to delete SuperAdmin user.");
+ }
+ return Response.status(Response.Status.FORBIDDEN).build();
  }
- return Response.status(Response.Status.FORBIDDEN).build();
  }
 
  // create charon-SCIM user resource manager and hand-over the request.
@@ -348,13 +352,16 @@ public Response patchUser(@PathParam(SCIMConstants.CommonSchemaConstants.ID) Str
  // obtain the user store manager
  UserManager userManager = IdentitySCIMManager.getInstance().getUserManager();
 
- String superAdminID = AdminAttributeUtil.getSuperAdminID();
- String loggedInUser = SCIMCommonUtils.getLoggedInUserID();
- if ((superAdminID.equals(id)) && (!loggedInUser.equals(id))) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Do not have permission to patch SuperAdmin user.");
+ // Skipping this validation if the request comes from a sub organization.
+ if (!SCIMCommonUtils.isOrganization(getTenantDomain())) {
+ String superAdminID = AdminAttributeUtil.getSuperAdminID();
+ String loggedInUser = SCIMCommonUtils.getLoggedInUserID();
+ if ((superAdminID.equals(id)) && (!loggedInUser.equals(id))) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Do not have permission to patch SuperAdmin user.");
+ }
+ return Response.status(Response.Status.FORBIDDEN).build();
  }
- return Response.status(Response.Status.FORBIDDEN).build();
  }
 
  // Build Custom schema