From c2d1d55074769249707d9381c4c3e87b4da11703 Mon Sep 17 00:00:00 2001 
From: Thilina Shashimal Senarath Date: Mon, 21 Aug 2023 21:32:09 +0530 Subject: [PATCH 01/21] add changes --- .../pom.xml | 110 ++++++ .../role/mgt/ApplicationRoleManager.java | 113 ++++++ .../role/mgt/ApplicationRoleManagerImpl.java | 137 +++++++ .../role/mgt/cache/ApplicationRoleCache.java | 42 +++ .../mgt/cache/ApplicationRoleCacheEntry.java | 46 +++ .../mgt/cache/ApplicationRoleCacheKey.java | 69 ++++ .../ApplicationRoleMgtConstants.java | 85 +++++ .../role/mgt/constants/SQLConstants.java | 89 +++++ .../role/mgt/dao/ApplicationRoleMgtDAO.java | 60 ++++ .../dao/impl/ApplicationRoleMgtDAOImpl.java | 340 ++++++++++++++++++ .../CacheBackedApplicationRoleMgtDAOImpl.java | 164 +++++++++ ...licationRoleManagementClientException.java | 36 ++ .../ApplicationRoleManagementException.java | 79 ++++ ...licationRoleManagementServerException.java | 51 +++ .../ApplicationRoleMgtServiceComponent.java | 66 ++++ ...licationRoleMgtServiceComponentHolder.java | 37 ++ .../role/mgt/model/ApplicationRole.java | 127 +++++++ .../application/role/mgt/model/User.java | 41 +++ .../mgt/util/ApplicationRoleMgtUtils.java | 77 ++++ .../application/role/mgt/util/IDResolver.java | 12 + .../role/mgt/util/UserIDResolver.java | 77 ++++ components/application-role-mgt/pom.xml | 38 ++ .../pom.xml | 70 ++++ .../pom.xml | 121 +++++++ features/application-role-mgt/pom.xml | 40 +++ pom.xml | 13 + 26 files changed, 2140 insertions(+) create mode 100644 components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/pom.xml create mode 100644 components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManager.java create mode 100644 components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImpl.java create mode 100644 
components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/cache/ApplicationRoleCache.java create mode 100644 components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/cache/ApplicationRoleCacheEntry.java create mode 100644 components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/cache/ApplicationRoleCacheKey.java create mode 100644 components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/ApplicationRoleMgtConstants.java create mode 100644 components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/SQLConstants.java create mode 100644 components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/ApplicationRoleMgtDAO.java create mode 100644 components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java create mode 100644 components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/CacheBackedApplicationRoleMgtDAOImpl.java create mode 100644 components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/exceptions/ApplicationRoleManagementClientException.java create mode 100644 components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/exceptions/ApplicationRoleManagementException.java create mode 100644 
components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/exceptions/ApplicationRoleManagementServerException.java create mode 100644 components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/internal/ApplicationRoleMgtServiceComponent.java create mode 100644 components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/internal/ApplicationRoleMgtServiceComponentHolder.java create mode 100644 components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/model/ApplicationRole.java create mode 100644 components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/model/User.java create mode 100644 components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/ApplicationRoleMgtUtils.java create mode 100644 components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/IDResolver.java create mode 100644 components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/UserIDResolver.java create mode 100644 components/application-role-mgt/pom.xml create mode 100644 features/application-role-mgt/org.wso2.carbon.identity.application.role.mgt.feature/pom.xml create mode 100644 features/application-role-mgt/org.wso2.carbon.identity.application.role.mgt.server.feature/pom.xml create mode 100644 features/application-role-mgt/pom.xml 
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/pom.xml b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/pom.xml new file mode 100644 index 000000000000..745e74022442 --- /dev/null +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/pom.xml 
@@ -0,0 +1,110 @@ + + + + + + org.wso2.carbon.identity.framework + application-role-mgt + 5.25.287-SNAPSHOT + ../pom.xml + + + 4.0.0 + org.wso2.carbon.identity.application.role.mgt + Application Role Management Service + bundle + + + + org.apache.felix + org.apache.felix.scr.ds-annotations + provided + + + org.wso2.eclipse.osgi + org.eclipse.osgi.services + + + org.eclipse.osgi + org.eclipse.osgi + + + commons-logging + commons-logging + + + org.wso2.carbon.identity.framework + org.wso2.carbon.identity.core + + + + org.testng + testng + test + + + org.jacoco + org.jacoco.agent + runtime + test + + + + + + + org.apache.felix + maven-bundle-plugin + true + + + ${project.artifactId} + ${project.artifactId} + Application Role Management Service Bundle + org.wso2.carbon.identity.application.role.mgt.internal + + + !org.wso2.carbon.identity.application.role.mgt.internal, + org.wso2.carbon.identity.application.role.mgt.*; + version="${project.version}", + + + javax.sql, + org.osgi.framework; version="${osgi.framework.imp.pkg.version.range}", + org.osgi.service.component; version="${osgi.service.component.imp.pkg.version.range}", + org.apache.commons.lang; version="${commons-lang.wso2.osgi.version.range}", + org.apache.commons.logging; version="${import.package.version.commons.logging}", + org.wso2.carbon.context; version="${carbon.kernel.package.import.version.range}", + org.wso2.carbon.identity.core.*; version="${carbon.identity.package.import.version.range}", + org.wso2.carbon.database.utils.jdbc; + version="${org.wso2.carbon.database.utils.version.range}", + org.wso2.carbon.user.api; version="${carbon.user.api.imp.pkg.version.range}", + org.wso2.carbon.user.core.*;version="${carbon.kernel.package.import.version.range}", + org.wso2.carbon.database.utils.jdbc.exceptions;version="${org.wso2.carbon.database.utils.version.range}", + org.wso2.carbon.utils; version="${carbon.kernel.package.import.version.range}", + + + + + + + + 
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManager.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManager.java new file mode 100644 index 000000000000..1c64a99c00f0 --- /dev/null +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManager.java 
@@ -0,0 +1,113 @@ +/* + * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com). + * + * WSO2 LLC. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.wso2.carbon.identity.application.role.mgt; + +import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementException; +import org.wso2.carbon.identity.application.role.mgt.model.ApplicationRole; + +import java.util.List; + +/** + * Application Role Manager. + */ +public interface ApplicationRoleManager { + + /** + * Add application role. + * + * @param applicationRole Application role. + * @throws ApplicationRoleManagementException Error occurred while adding application role. + */ + void addApplicationRole(ApplicationRole applicationRole) throws ApplicationRoleManagementException; + + /** + * Update application role. + * + * @param applicationRole Application role. + * @throws ApplicationRoleManagementException Error occurred while updating the application role. + */ + void updateApplicationRole(ApplicationRole applicationRole) throws ApplicationRoleManagementException; + + /** + * Get the application role by role id. + * + * @param roleId Role id. + * @return Application role. + * @throws ApplicationRoleManagementException Error occurred while retrieving the application role. + */ + ApplicationRole getApplicationRoleById(String roleId) throws ApplicationRoleManagementException; + + /** + * Get all the application roles by application id. 
+ * + * @param applicationId Application id. + * @return Application roles. + * @throws ApplicationRoleManagementException Error occurred while retrieving the application roles of a given app. + */ + List getApplicationRoles(String applicationId) throws ApplicationRoleManagementException; + + /** + * Delete application role. + * + * @param roleId Role id. + * @throws ApplicationRoleManagementException Error occurred while deleting the application role. + */ + void deleteApplicationRole(String roleId) throws ApplicationRoleManagementException; + + + /** + * Update the list of assigned users for an application role. + * + * @param roleId Application role ID. + * @param addedUsers List of user IDs to be assigned. + * @param removedUsers List of user IDs to be unassigned. + * @throws ApplicationRoleManagementException Error occurred while updating the application role. + */ + void updateApplicationRoleAssignedUsers(String roleId, List addedUsers, List removedUsers) + throws ApplicationRoleManagementException; + + /** + * Get the list of assigned users of an application role. + * + * @param roleId Application role ID. + * @throws ApplicationRoleManagementException Error occurred while updating the application role. + */ + ApplicationRole getApplicationRoleAssignedUsers(String roleId) throws ApplicationRoleManagementException; + + /** + * Update the list of assigned groups for an application role. + * + * @param roleId Application role ID. + * @param addedGroups List of group IDs to be assigned. + * @param removedGroups List of group IDs to be unassigned. + * @throws ApplicationRoleManagementException Error occurred while updating the application role. + */ + void updateApplicationRoleAssignedGroups(String roleId, List addedGroups, List removedGroups) + throws ApplicationRoleManagementException; + + /** + * Get the list of assigned groups of an application role. + * + * @param roleId Application role ID. 
+ * @throws ApplicationRoleManagementException Error occurred while updating the application role. + */ + ApplicationRole getApplicationRoleAssignedGroups(String roleId) throws ApplicationRoleManagementException; + + +} diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImpl.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImpl.java new file mode 100644 index 000000000000..3d146733ab1b --- /dev/null +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImpl.java 
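Review bot: The Javadoc on `getApplicationRoleAssignedUsers` and `getApplicationRoleAssignedGroups` has no `@return` and its `@throws` text reads "while updating the application role", copied from the update methods, although both are retrievals. Assuming the returned `ApplicationRole` is what carries the assignment lists (the model class is not in this patch's visible part), add `@return Application role with its assigned users populated.` and `@return Application role with its assigned groups populated.` respectively, and reword the `@throws` to "Error occurred while retrieving the assigned users of the application role." / "... assigned groups ...". The blank double line before `updateApplicationRoleAssignedUsers` and before the closing brace is also inconsistent with the rest of the file.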
@@ -0,0 +1,137 @@ +/* + * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com). + * + * WSO2 LLC. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.wso2.carbon.identity.application.role.mgt; + +import org.wso2.carbon.context.PrivilegedCarbonContext; +import org.wso2.carbon.identity.application.role.mgt.dao.ApplicationRoleMgtDAO; +import org.wso2.carbon.identity.application.role.mgt.dao.impl.ApplicationRoleMgtDAOImpl; +import org.wso2.carbon.identity.application.role.mgt.dao.impl.CacheBackedApplicationRoleMgtDAOImpl; +import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementException; +import org.wso2.carbon.identity.application.role.mgt.model.ApplicationRole; + +import java.util.HashSet; +import java.util.Iterator; +import java.util.List; + +import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_DUPLICATE_ROLE; +import static org.wso2.carbon.identity.application.role.mgt.util.ApplicationRoleMgtUtils.handleClientException; + +/** + * Application role management service implementation. 
+ */ +public class ApplicationRoleManagerImpl implements ApplicationRoleManager { + + private static final ApplicationRoleManager instance = new ApplicationRoleManagerImpl(); + + private ApplicationRoleManagerImpl() { + + } + + public static ApplicationRoleManager getInstance() { + + return instance; + } + + private final ApplicationRoleMgtDAO applicationRoleMgtDAO = + new CacheBackedApplicationRoleMgtDAOImpl(new ApplicationRoleMgtDAOImpl()); + + @Override + public void addApplicationRole(ApplicationRole applicationRole) throws ApplicationRoleManagementException { + + String tenantDomain = getTenantDomain(); + boolean existingRole = + applicationRoleMgtDAO.isExistingRole(applicationRole.getApplicationId(), applicationRole.getRoleName(), + tenantDomain); + if (existingRole) { + throw handleClientException(ERROR_CODE_DUPLICATE_ROLE, applicationRole.getRoleName(), + applicationRole.getApplicationId()); + } + applicationRoleMgtDAO.addApplicationRole(applicationRole, tenantDomain); + } + + @Override + public void updateApplicationRole(ApplicationRole applicationRole) throws ApplicationRoleManagementException { + + // TODO : + } + + @Override + public ApplicationRole getApplicationRoleById(String roleId) throws ApplicationRoleManagementException { + + return applicationRoleMgtDAO.getApplicationRoleById(roleId, getTenantDomain()); + } + + @Override + public List getApplicationRoles(String applicationId) throws ApplicationRoleManagementException { + + return applicationRoleMgtDAO.getApplicationRoles(applicationId); + } + + @Override + public void deleteApplicationRole(String roleId) throws ApplicationRoleManagementException { + + applicationRoleMgtDAO.deleteApplicationRole(roleId, getTenantDomain()); + } + + @Override + public void updateApplicationRoleAssignedUsers(String roleId, List addedUsers, List removedUsers) + throws ApplicationRoleManagementException { + + removeCommonValues(addedUsers, removedUsers); + 
applicationRoleMgtDAO.updateApplicationRoleAssignedUsers(roleId, addedUsers, removedUsers, getTenantDomain()); + } + + @Override + public ApplicationRole getApplicationRoleAssignedUsers(String roleId) + throws ApplicationRoleManagementException { + + return applicationRoleMgtDAO.getApplicationRoleAssignedUsers(roleId, getTenantDomain()); + } + + @Override + public void updateApplicationRoleAssignedGroups(String roleId, List addedGroups, List removedGroups) + throws ApplicationRoleManagementException { + + } + + @Override + public ApplicationRole getApplicationRoleAssignedGroups(String roleId) + throws ApplicationRoleManagementException { + + return null; + } + + private static String getTenantDomain() { + + return PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain(); + } + + private void removeCommonValues(List list1, List list2) { + HashSet set = new HashSet<>(list1); + + Iterator iterator = list2.iterator(); + while (iterator.hasNext()) { + String value = iterator.next(); + if (set.contains(value)) { + iterator.remove(); + list1.remove(value); + } + } + } +} diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/cache/ApplicationRoleCache.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/cache/ApplicationRoleCache.java new file mode 100644 index 000000000000..8ad3aa33551e --- /dev/null +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/cache/ApplicationRoleCache.java 
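Review bot: `getApplicationRoles` is the only method here that does not pass `getTenantDomain()` to the DAO, and the matching `ApplicationRoleMgtDAO.getApplicationRoles(String applicationId)` signature and the `GET_APPLICATION_ROLES_OF_APPLICATION` query (which filters on `APP_ID` only) in the later hunks carry the same gap; unless application IDs are guaranteed unique across tenants, this lists roles without the tenant scoping that `addApplicationRole`/`isExistingRole` enforce, so the tenant should be threaded through all three, e.g. `return applicationRoleMgtDAO.getApplicationRoles(applicationId, getTenantDomain());`. `removeCommonValues` edits the caller's `addedUsers`/`removedUsers` in place, throws on a null or unmodifiable list, and the `list1.remove(value)` inside the loop makes it O(n·m); building the two filtered copies via `HashSet` plus `removeAll` avoids all three. `addApplicationRole` is a check-then-insert, so two concurrent adds of the same name can both pass `isExistingRole`; if the schema does not already have a unique constraint on (APP_ID, ROLE_NAME, TENANT_ID), that is the reliable guard, with the duplicate-key error mapped to `ERROR_CODE_DUPLICATE_ROLE`. `updateApplicationRole`, `updateApplicationRoleAssignedGroups` and `getApplicationRoleAssignedGroups` are stubs (`// TODO`, empty body, `return null`) that silently do nothing although the interface promises the operation; until implemented, `throw new UnsupportedOperationException("not implemented");` is safer for callers than a null return.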
@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.identity.application.role.mgt.cache;
+
+import org.wso2.carbon.identity.core.cache.BaseCache;
+import org.wso2.carbon.utils.CarbonUtils;
+
+/**
+ * Cache implementation for application role cache.
+ */
+public class ApplicationRoleCache extends BaseCache {
+
+private static final String CACHE_NAME = "ApplicationRoleCacheById";
+private static final ApplicationRoleCache instance = new ApplicationRoleCache();
+
+private ApplicationRoleCache() {
+
+super(CACHE_NAME);
+}
+
+public static ApplicationRoleCache getInstance() {
+
+CarbonUtils.checkSecurity();
+return instance;
+}
+}
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/cache/ApplicationRoleCacheEntry.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/cache/ApplicationRoleCacheEntry.java new file mode 100644
index 000000000000..b32cff547484
--- /dev/null
+++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/cache/ApplicationRoleCacheEntry.java
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.identity.application.role.mgt.cache;
+
+import org.wso2.carbon.identity.application.role.mgt.model.ApplicationRole;
+import org.wso2.carbon.identity.core.cache.CacheEntry;
+
+/**
+ * Cache entry which is kept in the application role cache.
+ */
+public class ApplicationRoleCacheEntry extends CacheEntry {
+
+private static final long serialVersionUID = 3112605038259278777L;
+private ApplicationRole applicationRole;
+
+public ApplicationRoleCacheEntry(ApplicationRole applicationRole) {
+
+this.applicationRole = applicationRole;
+}
+
+public ApplicationRole getApplicationRole() {
+
+return applicationRole;
+}
+
+public void setApplicationRole(ApplicationRole applicationRole) {
+
+this.applicationRole = applicationRole;
+}
+}
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/cache/ApplicationRoleCacheKey.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/cache/ApplicationRoleCacheKey.java new file mode 100644
index 000000000000..d2a87897a236
--- /dev/null
+++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/cache/ApplicationRoleCacheKey.java @@ -0,0 +1,69 @@ +/* + * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com). + * + * WSO2 LLC. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.wso2.carbon.identity.application.role.mgt.cache; + +import org.wso2.carbon.identity.core.cache.CacheKey; + +/** + * Cache key to lookup application role from cache. + */ +public class ApplicationRoleCacheKey extends CacheKey { + + private static final long serialVersionUID = 8263255365985309443L; + private String applicationRoleId; + + public ApplicationRoleCacheKey(String applicationRoleId) { + + this.applicationRoleId = applicationRoleId; + } + + public String getApplicationRoleId() { + + return applicationRoleId; + } + + @Override + public boolean equals(Object o) { + + if (this == o) { + return true; + } + if (o == null || getClass() != o.getClass()) { + return false; + } + if (!super.equals(o)) { + return false; + } + + ApplicationRoleCacheKey that = (ApplicationRoleCacheKey) o; + + if (!applicationRoleId.equals(that.applicationRoleId)) { + return false; + } + return true; + } + + @Override + public int hashCode() { + + int result = super.hashCode(); + result = 31 * result + applicationRoleId.hashCode(); + return result; + } +} 
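Review bot: `equals` and `hashCode` dereference `applicationRoleId` without a null check, so a key built with a null id fails inside the cache lookup instead of at construction, where the cause is visible. Validate once in the constructor, `this.applicationRoleId = Objects.requireNonNull(applicationRoleId, "applicationRoleId");` (with `import java.util.Objects;`), and the `equals` tail can then be collapsed to `return applicationRoleId.equals(that.applicationRoleId);`. The key carries only the role id; if `BaseCache` does not partition entries per tenant, a lookup by id alone would be shared across tenants, so that assumption is worth a one-line comment on the class.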
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/ApplicationRoleMgtConstants.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/ApplicationRoleMgtConstants.java new file mode 100644 index 000000000000..83f782136970 --- /dev/null +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/ApplicationRoleMgtConstants.java 
@@ -0,0 +1,85 @@ +/* + * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com). + * + * WSO2 LLC. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.wso2.carbon.identity.application.role.mgt.constants; + +/** + * Application role management constants. + */ +public class ApplicationRoleMgtConstants { + + private static final String APP_ROLE_MGT_ERROR_CODE_PREFIX = "APM-"; + + /** + * Application role management error message constants. + */ + public enum ErrorMessages { + + // Server Errors. 
+ ERROR_CODE_INSERT_ROLE("65001", "Error occurred while adding the role.", + "Error occurred while adding the role: %s to application: %s."), + ERROR_CODE_GET_ROLE_BY_ID("65002", "Error occurred while retrieving the role.", + "Error occurred while retrieving the role: %s."), + ERROR_CODE_CHECKING_ROLE_EXISTENCE("65003", "Error occurred while checking the role existence.", + "Error occurred while checking whether the role: %s exists in application: %s."), + ERROR_CODE_GET_ROLES_BY_APPLICATION("65004", "Error occurred while retrieving the roles of the application", + "Error occurred while retrieving the roles of application: %s."), + ERROR_CODE_UPDATE_ROLE("65005", "Error occurred while updating the role.", + "Error occurred while updating the role: %s of application: %s."), + ERROR_CODE_DELETE_ROLE("65006", "Error occurred while deleting the role.", + "Error occurred while deleting the role: %s."), + ERROR_CODE_UPDATE_ROLE_ASSIGNED_USERS("65007", "Error occurred while assigning users to the role.", + "Error occurred while assigning users to the role: %s."), + ERROR_CODE_GET_ROLE_ASSIGNED_USERS("65008", "Error occurred while retrieving users of the role.", + "Error occurred while retrieving users of the role: %s."), + ERROR_CODE_UPDATE_ROLE_ASSIGNED_GROUPS("65007", "Error occurred while assigning groups to the role.", + "Error occurred while assigning groups to the role: %s."), + ERROR_CODE_GET_ROLE_ASSIGNED_GROUPS("65008", "Error occurred while retrieving groups of the role.", + "Error occurred while retrieving groups of the role: %s."), + + // Client Errors. 
+ ERROR_CODE_DUPLICATE_ROLE("60001", "Role already exists.", + "Role with name: %s already exists in application: %s."); + + private final String code; + private final String message; + private final String description; + + ErrorMessages(String code, String message, String description) { + + this.code = code; + this.message = message; + this.description = description; + } + + public String getCode() { + + return APP_ROLE_MGT_ERROR_CODE_PREFIX + code; + } + + public String getMessage() { + + return message; + } + + public String getDescription() { + + return description; + } + } +} diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/SQLConstants.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/SQLConstants.java new file mode 100644 index 000000000000..51c34557f477 --- /dev/null +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/SQLConstants.java 
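Review bot: `ERROR_CODE_UPDATE_ROLE_ASSIGNED_GROUPS` and `ERROR_CODE_GET_ROLE_ASSIGNED_GROUPS` reuse the codes "65007" and "65008" already assigned to the user-assignment errors, so the emitted `APM-65007`/`APM-65008` cannot distinguish a user-assignment failure from a group-assignment failure in logs or API responses. Give them the next free codes: `ERROR_CODE_UPDATE_ROLE_ASSIGNED_GROUPS("65009", "Error occurred while assigning groups to the role.",` and `ERROR_CODE_GET_ROLE_ASSIGNED_GROUPS("65010", "Error occurred while retrieving groups of the role.",`. `ERROR_CODE_GET_ROLES_BY_APPLICATION` is also the only entry whose message lacks the trailing period the others carry.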
@@ -0,0 +1,89 @@ +/* + * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com). + * + * WSO2 LLC. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.wso2.carbon.identity.application.role.mgt.constants; + +/** + * Database queries related to application role management CRUD operations. + */ +public class SQLConstants { + + public static final String ADD_APPLICATION_ROLE = "INSERT INTO APP_ROLE (ROLE_ID, ROLE_NAME, TENANT_ID, APP_ID) " + + "VALUES (:" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + ";, :" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_NAME + ";, :" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_TENANT_ID + ";, :" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_APP_ID + ";);"; + + public static final String GET_APPLICATION_ROLE_BY_ID = "SELECT ROLE_ID, ROLE_NAME, TENANT_ID, APP_ID " + + "FROM APP_ROLE WHERE ROLE_ID = :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + ";"; + + public static final String GET_APPLICATION_ROLES_OF_APPLICATION = "SELECT ROLE_ID, ROLE_NAME, TENANT_ID, APP_ID " + + "FROM APP_ROLE WHERE APP_ID = :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_APP_ID + ";"; + + public static final String IS_APPLICATION_ROLE_EXISTS = "SELECT COUNT(1) FROM APP_ROLE WHERE ROLE_NAME = :" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_NAME + "; AND APP_ID = :" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_APP_ID + "; AND TENANT_ID = :" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_TENANT_ID + "; "; + + public static final 
String UPDATE_APPLICATION_ROLE_BY_ID = "UPDATE APP_ROLE SET ROLE_NAME = :" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_NAME + "; WHERE ROLE_ID = :" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + ";"; + public static final String DELETE_APPLICATION_ROLE_BY_ID = "DELETE FROM APP_ROLE WHERE ROLE_ID = :" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + ";"; + + public static final String ADD_APPLICATION_ROLE_USER = "INSERT INTO USER_ROLE (ROLE_ID, USER_ID, TENANT_ID) " + + "VALUES (:" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + ";, :" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_USER_ID + ";, :" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_TENANT_ID + ";);"; + + public static final String DELETE_ASSIGNED_USER_APPLICATION_ROLE = "DELETE FROM USER_ROLE WHERE ROLE_ID = :" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + " USER_ID = :" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_USER_ID + ";"; + + public static final String GET_ASSIGNED_USERS_OF_APPLICATION_ROLE = "SELECT USER_ID " + + "FROM USER_ROLE WHERE ROLE_ID = :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + ";"; + + public static final String ADD_APPLICATION_ROLE_GROUP = "INSERT INTO GROUP_ROLE (ROLE_ID, USER_ID, TENANT_ID) " + + "VALUES (:" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + ";, :" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_GROUP_ID + ";, :" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_TENANT_ID + ";);"; + + public static final String DELETE_ASSIGNED_GROUP_APPLICATION_ROLE = "DELETE FROM GROUP_ROLE WHERE ROLE_ID = :" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + " GROUP_ID = :" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_GROUP_ID + ";"; + + public static final String GET_ASSIGNED_GROUPS_OF_APPLICATION_ROLE = "SELECT GROUP_ID " + + "FROM GROUP_ROLE WHERE ROLE_ID = :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + " TENANT_ID = : " + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_TENANT_ID + ";"; + + /** + * SQL Placeholders. 
+ */ + public static final class SQLPlaceholders { + + public static final String DB_SCHEMA_COLUMN_NAME_ROLE_ID = "ROLE_ID"; + public static final String DB_SCHEMA_COLUMN_NAME_ROLE_NAME = "ROLE_NAME"; + public static final String DB_SCHEMA_COLUMN_NAME_TENANT_ID = "TENANT_ID"; + public static final String DB_SCHEMA_COLUMN_NAME_APP_ID = "APP_ID"; + public static final String DB_SCHEMA_COLUMN_NAME_USER_ID = "USER_ID"; + public static final String DB_SCHEMA_COLUMN_NAME_GROUP_ID = "GROUP_ID"; + } +} diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/ApplicationRoleMgtDAO.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/ApplicationRoleMgtDAO.java new file mode 100644 index 000000000000..e6c93550fe7f --- /dev/null +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/ApplicationRoleMgtDAO.java 
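Review bot: Four of the new query constants are malformed and will fail when executed: `DELETE_ASSIGNED_USER_APPLICATION_ROLE` and `DELETE_ASSIGNED_GROUP_APPLICATION_ROLE` concatenate the `ROLE_ID` placeholder straight into `" USER_ID = :"` / `" GROUP_ID = :"` with neither the closing `;` of the `:NAME;` placeholder syntax the other constants use nor an `AND`; `GET_ASSIGNED_GROUPS_OF_APPLICATION_ROLE` has the same missing `; AND` before `TENANT_ID` plus a stray space in `": "`; and `ADD_APPLICATION_ROLE_GROUP` lists the columns as `(ROLE_ID, USER_ID, TENANT_ID)` on `GROUP_ROLE` while binding `GROUP_ID`. Corrected constants are below; they keep the named-parameter form, so values stay bound rather than concatenated. `GET_ASSIGNED_USERS_OF_APPLICATION_ROLE` filters on `ROLE_ID` only while its group counterpart also filters on `TENANT_ID`, and the two should agree.

```java
    public static final String DELETE_ASSIGNED_USER_APPLICATION_ROLE = "DELETE FROM USER_ROLE WHERE ROLE_ID = :" +
            SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + "; AND USER_ID = :" +
            SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_USER_ID + ";";

    // … unchanged: GET_ASSIGNED_USERS_OF_APPLICATION_ROLE …

    public static final String ADD_APPLICATION_ROLE_GROUP = "INSERT INTO GROUP_ROLE (ROLE_ID, GROUP_ID, TENANT_ID) " +
            "VALUES (:" +
            SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + ";, :" +
            SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_GROUP_ID + ";, :" +
            SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_TENANT_ID + ";);";

    public static final String DELETE_ASSIGNED_GROUP_APPLICATION_ROLE = "DELETE FROM GROUP_ROLE WHERE ROLE_ID = :" +
            SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + "; AND GROUP_ID = :" +
            SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_GROUP_ID + ";";

    public static final String GET_ASSIGNED_GROUPS_OF_APPLICATION_ROLE = "SELECT GROUP_ID " +
            "FROM GROUP_ROLE WHERE ROLE_ID = :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID +
            "; AND TENANT_ID = :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_TENANT_ID + ";";
```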
@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.identity.application.role.mgt.dao;
+
+import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementException;
+import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementServerException;
+import org.wso2.carbon.identity.application.role.mgt.model.ApplicationRole;
+
+import java.util.List;
+
+/**
+ * Application role DAO interface.
+ */
+public interface ApplicationRoleMgtDAO {
+
+    ApplicationRole addApplicationRole(ApplicationRole applicationRole, String tenantDomain)
+            throws ApplicationRoleManagementServerException;
+
+    ApplicationRole getApplicationRoleById(String roleId, String tenantDomain)
+            throws ApplicationRoleManagementServerException;
+
+    List getApplicationRoles(String applicationId) throws ApplicationRoleManagementServerException;
+
+    void updateApplicationRole(String applicationId, String roleId, String tenantDomain)
+            throws ApplicationRoleManagementServerException;
+
+    void deleteApplicationRole(String roleId, String tenantDomain) throws ApplicationRoleManagementServerException;
+
+    boolean isExistingRole(String applicationId, String roleName, String tenantDomain)
+            throws ApplicationRoleManagementServerException;
+
+    void updateApplicationRoleAssignedUsers(String roleId, List addedUsers, List removedUsers,
+                                            String tenantDomain) throws
+            ApplicationRoleManagementServerException;
+
+    ApplicationRole getApplicationRoleAssignedUsers(String roleId, String tenantDomain)
+            throws ApplicationRoleManagementException;
+
+    void updateApplicationRoleAssignedGroups(String roleId, List addedGroups, List removedGroups,
+                                             String tenantDomain) throws ApplicationRoleManagementException;
+
+    ApplicationRole getApplicationRoleAssignedGroups(String roleId, String tenantDomain)
+            throws ApplicationRoleManagementException;
+}
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java
new file mode 100644
index 000000000000..12fe094bc9c0
--- /dev/null
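Review bot: None of the ten DAO methods carries Javadoc, and the one contract that most needs stating is tenant scoping: every method takes a `tenantDomain` except `getApplicationRoles(String applicationId)`, so a reader cannot tell whether a role ID is meant to be resolved inside the caller's tenant or globally. I would add per-method Javadoc stating that roleId and applicationId are resolved within `tenantDomain`, and give `getApplicationRoles` a `String tenantDomain` parameter so it matches its siblings. `updateApplicationRole(String applicationId, String roleId, String tenantDomain)` also needs its doc to say what is updated, since no new name or role object is passed in. The `List` parameters appear raw here; that may be the generic arguments lost in rendering, but if not they should be `List<String>`.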
+++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java 
@@ -0,0 +1,340 @@ +/* + * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com). + * + * WSO2 LLC. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.wso2.carbon.identity.application.role.mgt.dao.impl; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.wso2.carbon.database.utils.jdbc.NamedJdbcTemplate; +import org.wso2.carbon.database.utils.jdbc.exceptions.DataAccessException; +import org.wso2.carbon.database.utils.jdbc.exceptions.TransactionException; +import org.wso2.carbon.identity.application.role.mgt.constants.SQLConstants; +import org.wso2.carbon.identity.application.role.mgt.dao.ApplicationRoleMgtDAO; +import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementException; +import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementServerException; +import org.wso2.carbon.identity.application.role.mgt.model.ApplicationRole; +import org.wso2.carbon.identity.application.role.mgt.model.User; +import org.wso2.carbon.identity.application.role.mgt.util.UserIDResolver; +import org.wso2.carbon.identity.core.util.IdentityTenantUtil; +import org.wso2.carbon.utils.multitenancy.MultitenantConstants; + +import java.util.List; + +import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_CHECKING_ROLE_EXISTENCE; +import static 
org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_DELETE_ROLE; +import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_GET_ROLES_BY_APPLICATION; +import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_GET_ROLE_ASSIGNED_USERS; +import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_GET_ROLE_BY_ID; +import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_INSERT_ROLE; +import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_UPDATE_ROLE; +import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_UPDATE_ROLE_ASSIGNED_GROUPS; +import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_UPDATE_ROLE_ASSIGNED_USERS; +import static org.wso2.carbon.identity.application.role.mgt.constants.SQLConstants.SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_APP_ID; +import static org.wso2.carbon.identity.application.role.mgt.constants.SQLConstants.SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_GROUP_ID; +import static org.wso2.carbon.identity.application.role.mgt.constants.SQLConstants.SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID; +import static org.wso2.carbon.identity.application.role.mgt.constants.SQLConstants.SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_NAME; +import static org.wso2.carbon.identity.application.role.mgt.constants.SQLConstants.SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_TENANT_ID; +import static org.wso2.carbon.identity.application.role.mgt.constants.SQLConstants.SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_USER_ID; +import static 
org.wso2.carbon.identity.application.role.mgt.util.ApplicationRoleMgtUtils.getNewTemplate; +import static org.wso2.carbon.identity.application.role.mgt.util.ApplicationRoleMgtUtils.handleServerException; + +/** + * Application role DAO implementation. + */ +public class ApplicationRoleMgtDAOImpl implements ApplicationRoleMgtDAO { + + private static final Log LOG = LogFactory.getLog(ApplicationRoleMgtDAOImpl.class); + private UserIDResolver userIDResolver = new UserIDResolver(); + + @Override + public ApplicationRole addApplicationRole(ApplicationRole applicationRole, String tenantDomain) + throws ApplicationRoleManagementServerException { + + int tenantID; + if (tenantDomain != null) { + tenantID = IdentityTenantUtil.getTenantId(tenantDomain); + } else { + tenantID = MultitenantConstants.INVALID_TENANT_ID; + } + + NamedJdbcTemplate namedJdbcTemplate = getNewTemplate(); + try { + namedJdbcTemplate.withTransaction(template -> { + template.executeInsert(SQLConstants.ADD_APPLICATION_ROLE, namedPreparedStatement -> { + namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, applicationRole.getRoleId()); + namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_APP_ID, applicationRole.getApplicationId()); + namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_NAME, applicationRole.getRoleName()); + namedPreparedStatement.setInt(DB_SCHEMA_COLUMN_NAME_TENANT_ID, tenantID); + }, null, false); + return null; + }); + } catch (TransactionException e) { + throw handleServerException(ERROR_CODE_INSERT_ROLE, e, applicationRole.getRoleName(), + applicationRole.getApplicationId()); + } + return applicationRole; + } + + @Override + public ApplicationRole getApplicationRoleById(String roleId, String tenantDomain) + throws ApplicationRoleManagementServerException { + + int tenantID; + if (tenantDomain != null) { + tenantID = IdentityTenantUtil.getTenantId(tenantDomain); + } else { + tenantID = MultitenantConstants.INVALID_TENANT_ID; + } + + NamedJdbcTemplate 
namedJdbcTemplate = getNewTemplate(); + try { + return namedJdbcTemplate.fetchSingleRecord(SQLConstants.GET_APPLICATION_ROLE_BY_ID, + (resultSet, rowNumber) -> + new ApplicationRole(resultSet.getString(DB_SCHEMA_COLUMN_NAME_ROLE_ID), + resultSet.getString(DB_SCHEMA_COLUMN_NAME_ROLE_NAME), + resultSet.getString(DB_SCHEMA_COLUMN_NAME_APP_ID)), + namedPreparedStatement -> { + namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, roleId); + namedPreparedStatement.setInt(DB_SCHEMA_COLUMN_NAME_TENANT_ID, tenantID); + }); + } catch (DataAccessException e) { + throw handleServerException(ERROR_CODE_GET_ROLE_BY_ID, e, roleId); + } + } + + @Override + public List getApplicationRoles(String applicationId) + throws ApplicationRoleManagementServerException { + + NamedJdbcTemplate namedJdbcTemplate = getNewTemplate(); + try { + return namedJdbcTemplate.executeQuery(SQLConstants.GET_APPLICATION_ROLES_OF_APPLICATION, + (resultSet, rowNumber) -> + new ApplicationRole(resultSet.getString(DB_SCHEMA_COLUMN_NAME_ROLE_ID), + resultSet.getString(DB_SCHEMA_COLUMN_NAME_ROLE_NAME), + resultSet.getString(DB_SCHEMA_COLUMN_NAME_APP_ID)), + namedPreparedStatement -> { + namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_APP_ID, applicationId); + }); + } catch (DataAccessException e) { + throw handleServerException(ERROR_CODE_GET_ROLES_BY_APPLICATION, e, applicationId); + } + } + + @Override + public void updateApplicationRole(String applicationId, String roleId, String tenantDomain) + throws ApplicationRoleManagementServerException { + + NamedJdbcTemplate namedJdbcTemplate = getNewTemplate(); + try { + namedJdbcTemplate.withTransaction(template -> { + template.executeUpdate(SQLConstants.UPDATE_APPLICATION_ROLE_BY_ID, namedPreparedStatement -> { + namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, roleId); + }); + return null; + }); + } catch (TransactionException e) { + throw handleServerException(ERROR_CODE_UPDATE_ROLE, e, roleId, applicationId); + } + } + + 
@Override + public void deleteApplicationRole(String roleId, String tenantDomain) + throws ApplicationRoleManagementServerException { + + NamedJdbcTemplate namedJdbcTemplate = getNewTemplate(); + try { + namedJdbcTemplate.executeQuery(SQLConstants.DELETE_APPLICATION_ROLE_BY_ID, (resultSet, rowNumber) -> null, + namedPreparedStatement -> { + namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, roleId); + }); + } catch (DataAccessException e) { + throw handleServerException(ERROR_CODE_DELETE_ROLE, e, roleId); + } + } + + @Override + public boolean isExistingRole(String applicationId, String roleName, String tenantDomain) + throws ApplicationRoleManagementServerException { + + int tenantID; + if (tenantDomain != null) { + tenantID = IdentityTenantUtil.getTenantId(tenantDomain); + } else { + tenantID = MultitenantConstants.INVALID_TENANT_ID; + } + + NamedJdbcTemplate namedJdbcTemplate = getNewTemplate(); + try { + return namedJdbcTemplate.fetchSingleRecord(SQLConstants.IS_APPLICATION_ROLE_EXISTS, + (resultSet, rowNumber) -> resultSet.getInt(1) > 0, + namedPreparedStatement -> { + namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_NAME, roleName); + namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_APP_ID, applicationId); + namedPreparedStatement.setInt(DB_SCHEMA_COLUMN_NAME_TENANT_ID, tenantID); + }); + } catch (DataAccessException e) { + throw handleServerException(ERROR_CODE_CHECKING_ROLE_EXISTENCE, e, roleName, applicationId); + } + } + + @Override + public void updateApplicationRoleAssignedUsers(String roleId, List addedUsers, List removedUsers, + String tenantDomain) + throws ApplicationRoleManagementServerException { + + int tenantID; + if (tenantDomain != null) { + tenantID = IdentityTenantUtil.getTenantId(tenantDomain); + } else { + tenantID = MultitenantConstants.INVALID_TENANT_ID; + } + + NamedJdbcTemplate namedJdbcTemplate = getNewTemplate(); + try { + String sqlStmt = SQLConstants.ADD_APPLICATION_ROLE_USER; + 
namedJdbcTemplate.withTransaction(template -> { + namedJdbcTemplate.executeBatchInsert(sqlStmt, (preparedStatement -> { + for (String userId : addedUsers) { + preparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, roleId); + preparedStatement.setString(DB_SCHEMA_COLUMN_NAME_USER_ID, userId); + preparedStatement.setInt(DB_SCHEMA_COLUMN_NAME_TENANT_ID, tenantID); + preparedStatement.addBatch(); + } + }), roleId); + for (String userId: removedUsers) { + namedJdbcTemplate.executeQuery(SQLConstants.DELETE_ASSIGNED_USER_APPLICATION_ROLE, + (resultSet, rowNumber) -> null, namedPreparedStatement -> { + namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, roleId); + namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_USER_ID, userId); + }); + } + return null; + }); + } catch (TransactionException e) { + throw handleServerException(ERROR_CODE_UPDATE_ROLE_ASSIGNED_USERS, e, roleId); + } + } + + @Override + public ApplicationRole getApplicationRoleAssignedUsers(String roleId, String tenantDomain) + throws ApplicationRoleManagementException { + + int tenantID; + if (tenantDomain != null) { + tenantID = IdentityTenantUtil.getTenantId(tenantDomain); + } else { + tenantID = MultitenantConstants.INVALID_TENANT_ID; + } + NamedJdbcTemplate namedJdbcTemplate = getNewTemplate(); + try { + List users; + users = namedJdbcTemplate.executeQuery(SQLConstants.GET_ASSIGNED_USERS_OF_APPLICATION_ROLE, + (resultSet, rowNumber) -> { + User user = new User(resultSet.getString(DB_SCHEMA_COLUMN_NAME_USER_ID)); + return user; + }, + namedPreparedStatement -> { + namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, roleId); + }); + for (User user : users) { + user.setUserName(getUserNamesByID(user.getId(), tenantDomain)); + } + ApplicationRole applicationRole = new ApplicationRole(roleId); + applicationRole.setAssignedUsers(users); + return applicationRole; + } catch (DataAccessException e) { + throw handleServerException(ERROR_CODE_GET_ROLE_ASSIGNED_USERS, e, roleId); + } 
+ } + + @Override + public void updateApplicationRoleAssignedGroups(String roleId, List addedGroups, List removedGroups, + String tenantDomain) throws ApplicationRoleManagementException { + + int tenantID; + if (tenantDomain != null) { + tenantID = IdentityTenantUtil.getTenantId(tenantDomain); + } else { + tenantID = MultitenantConstants.INVALID_TENANT_ID; + } + + NamedJdbcTemplate namedJdbcTemplate = getNewTemplate(); + try { + String sqlStmt = SQLConstants.ADD_APPLICATION_ROLE_GROUP; + namedJdbcTemplate.withTransaction(template -> { + namedJdbcTemplate.executeBatchInsert(sqlStmt, (preparedStatement -> { + for (String groupId : addedGroups) { + preparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, roleId); + preparedStatement.setString(DB_SCHEMA_COLUMN_NAME_USER_ID, groupId); + preparedStatement.setInt(DB_SCHEMA_COLUMN_NAME_TENANT_ID, tenantID); + preparedStatement.addBatch(); + } + }), roleId); + for (String groupId: removedGroups) { + namedJdbcTemplate.executeQuery(SQLConstants.DELETE_ASSIGNED_GROUP_APPLICATION_ROLE, + (resultSet, rowNumber) -> null, namedPreparedStatement -> { + namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, roleId); + namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_GROUP_ID, groupId); + }); + } + return null; + }); + } catch (TransactionException e) { + throw handleServerException(ERROR_CODE_UPDATE_ROLE_ASSIGNED_GROUPS, e, roleId); + } + } + + @Override + public ApplicationRole getApplicationRoleAssignedGroups(String roleId, String tenantDomain) + throws ApplicationRoleManagementException { + +// int tenantID; +// if (tenantDomain != null) { +// tenantID = IdentityTenantUtil.getTenantId(tenantDomain); +// } else { +// tenantID = MultitenantConstants.INVALID_TENANT_ID; +// } +// NamedJdbcTemplate namedJdbcTemplate = getNewTemplate(); +// try { +// namedJdbcTemplate.executeQuery(SQLConstants.GET_ASSIGNED_GROUPS_OF_APPLICATION_ROLE, +// (resultSet, rowNumber) -> { +// ApplicationRole applicationRole = new 
ApplicationRole(roleId); +// List groupIds = new ArrayList<>(); +// while (resultSet.next()) { +// groupIds.add(resultSet.getString(DB_SCHEMA_COLUMN_NAME_GROUP_ID)); +// } +// applicationRole.setAssignedGroups(groupIds.toArray(new String[0])); +// return applicationRole; +// }, +// namedPreparedStatement -> { +// namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, roleId); +// namedPreparedStatement.setInt(DB_SCHEMA_COLUMN_NAME_TENANT_ID, tenantID); +// }); +// } catch (DataAccessException e) { +// throw handleServerException(ERROR_CODE_GET_ROLE_ASSIGNED_USERS, e, roleId); +// } + return null; + } + + private String getUserNamesByID(String userIDs, String tenantDomain) + throws ApplicationRoleManagementException { + + return userIDResolver.getNameByID(userIDs, tenantDomain); + } +} diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/CacheBackedApplicationRoleMgtDAOImpl.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/CacheBackedApplicationRoleMgtDAOImpl.java new file mode 100644 index 000000000000..9cc07ba01da5 --- /dev/null +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/CacheBackedApplicationRoleMgtDAOImpl.java 
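Review bot: deleteApplicationRole, updateApplicationRole, getApplicationRoles and getApplicationRoleAssignedUsers never bind a tenant — `tenantDomain` is accepted but not used, and the statements are keyed on ROLE_ID or APP_ID alone, so a caller that learns a role ID from another tenant can delete it, rename it or enumerate its user assignments; each of them should resolve the tenant as getApplicationRoleById does and bind it with `namedPreparedStatement.setInt(DB_SCHEMA_COLUMN_NAME_TENANT_ID, tenantID);` against SQL that filters on TENANT_ID. updateApplicationRole also binds only ROLE_ID although UPDATE_APPLICATION_ROLE_BY_ID (visible earlier on this page) has a ROLE_NAME placeholder and the method receives no new name, so the update cannot succeed as written. In both withTransaction lambdas the batch insert and the per-entry deletes go through the outer `namedJdbcTemplate` instead of the `template` parameter, so the add/remove pair is not atomic and a failure midway leaves partial assignments; the DELETE_ASSIGNED_USER_APPLICATION_ROLE text earlier on the page is also missing an AND between its two predicates. deleteApplicationRole and the removal loops issue DELETEs through executeQuery; executeUpdate is the right call. getApplicationRoleAssignedGroups is entirely commented out and returns null, which the cache layer passes straight through to callers.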
@@ -0,0 +1,164 @@ +/* + * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com). + * + * WSO2 LLC. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.wso2.carbon.identity.application.role.mgt.dao.impl; + +import org.apache.commons.lang.StringUtils; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.wso2.carbon.identity.application.role.mgt.cache.ApplicationRoleCache; +import org.wso2.carbon.identity.application.role.mgt.cache.ApplicationRoleCacheEntry; +import org.wso2.carbon.identity.application.role.mgt.cache.ApplicationRoleCacheKey; +import org.wso2.carbon.identity.application.role.mgt.dao.ApplicationRoleMgtDAO; +import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementException; +import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementServerException; +import org.wso2.carbon.identity.application.role.mgt.model.ApplicationRole; + +import java.util.List; + +/** + * Cache backed application role management DAO implementation. 
+ */ +public class CacheBackedApplicationRoleMgtDAOImpl implements ApplicationRoleMgtDAO { + + private static final Log LOG = LogFactory.getLog(CacheBackedApplicationRoleMgtDAOImpl.class); + + private static ApplicationRoleCache applicationRoleCache; + private final ApplicationRoleMgtDAO applicationRoleMgtDAO; + + public CacheBackedApplicationRoleMgtDAOImpl(ApplicationRoleMgtDAOImpl applicationRoleMgtDAO) { + + this.applicationRoleMgtDAO = applicationRoleMgtDAO; + applicationRoleCache = ApplicationRoleCache.getInstance(); + } + + @Override + public ApplicationRole addApplicationRole(ApplicationRole applicationRole, String tenantDomain) + throws ApplicationRoleManagementServerException { + + return applicationRoleMgtDAO.addApplicationRole(applicationRole, tenantDomain); + } + + @Override + public ApplicationRole getApplicationRoleById(String roleId, String tenantDomain) + throws ApplicationRoleManagementServerException { + + ApplicationRole applicationRole = getApplicationRoleFromCache(roleId, tenantDomain); + if (applicationRole == null) { + applicationRole = applicationRoleMgtDAO.getApplicationRoleById(roleId, tenantDomain); + if (applicationRole != null) { + addToCache(applicationRole, tenantDomain); + } + } + return applicationRole; + } + + @Override + public List getApplicationRoles(String applicationId) + throws ApplicationRoleManagementServerException { + + return applicationRoleMgtDAO.getApplicationRoles(applicationId); + } + + @Override + public void updateApplicationRole(String applicationId, String roleId, String tenantDomain) + throws ApplicationRoleManagementServerException { + + clearFromCache(roleId, tenantDomain); + applicationRoleMgtDAO.updateApplicationRole(applicationId, roleId, tenantDomain); + } + + @Override + public void deleteApplicationRole(String roleId, String tenantDomain) + throws ApplicationRoleManagementServerException { + + clearFromCache(roleId, tenantDomain); + applicationRoleMgtDAO.deleteApplicationRole(roleId, tenantDomain); + } + 
+ @Override + public boolean isExistingRole(String applicationId, String roleName, String tenantDomain) + throws ApplicationRoleManagementServerException { + + // TODO: introduce a cache key with app id and role name. + return applicationRoleMgtDAO.isExistingRole(applicationId, roleName, tenantDomain); + } + + @Override + public void updateApplicationRoleAssignedUsers(String roleId, List addedUsers, List removedUsers, + String tenantDomain) + throws ApplicationRoleManagementServerException { + + applicationRoleMgtDAO.updateApplicationRoleAssignedUsers(roleId, addedUsers, removedUsers, tenantDomain); + } + + @Override + public ApplicationRole getApplicationRoleAssignedUsers(String roleId, String tenantDomain) + throws ApplicationRoleManagementException { + + return applicationRoleMgtDAO.getApplicationRoleAssignedUsers(roleId, tenantDomain); + } + + @Override + public void updateApplicationRoleAssignedGroups(String roleId, List addedGroups, List removedGroups, + String tenantDomain) throws ApplicationRoleManagementException { + + applicationRoleMgtDAO.updateApplicationRoleAssignedUsers(roleId, addedGroups, removedGroups, tenantDomain); + } + + @Override + public ApplicationRole getApplicationRoleAssignedGroups(String roleId, String tenantDomain) + throws ApplicationRoleManagementException { + + return applicationRoleMgtDAO.getApplicationRoleAssignedGroups(roleId, tenantDomain); + } + + private ApplicationRole getApplicationRoleFromCache(String applicationRoleId, String tenantDomain) { + + ApplicationRole applicationRole = null; + if (StringUtils.isNotBlank(applicationRoleId)) { + ApplicationRoleCacheKey cacheKey = new ApplicationRoleCacheKey(applicationRoleId); + ApplicationRoleCacheEntry entry = applicationRoleCache.getValueFromCache(cacheKey, tenantDomain); + if (entry != null) { + applicationRole = entry.getApplicationRole(); + } + } + return applicationRole; + } + + private void addToCache(ApplicationRole applicationRole, String tenantDomain) { + + if 
(LOG.isDebugEnabled()) { + LOG.debug( + String.format("Add application role: %s in application: %s to cache", applicationRole.getRoleName(), + applicationRole.getApplicationId())); + } + ApplicationRoleCacheKey cacheKey = new ApplicationRoleCacheKey(applicationRole.getApplicationId()); + ApplicationRoleCacheEntry cacheEntry = new ApplicationRoleCacheEntry(applicationRole); + applicationRoleCache.addToCache(cacheKey, cacheEntry, tenantDomain); + } + + private void clearFromCache(String applicationRoleId, String tenantDomain) { + + if (LOG.isDebugEnabled()) { + LOG.debug(String.format("Delete application role: %s from cache", applicationRoleId)); + } + ApplicationRoleCacheKey cacheKey = new ApplicationRoleCacheKey(applicationRoleId); + applicationRoleCache.clearCacheEntry(cacheKey, tenantDomain); + } +} diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/exceptions/ApplicationRoleManagementClientException.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/exceptions/ApplicationRoleManagementClientException.java new file mode 100644 index 000000000000..bcfd79d10026 --- /dev/null +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/exceptions/ApplicationRoleManagementClientException.java 
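Review bot: updateApplicationRoleAssignedGroups delegates to `applicationRoleMgtDAO.updateApplicationRoleAssignedUsers(...)`, so group IDs submitted for a role are written into the user-assignment path as if they were user IDs — the group is never granted anything and user-role rows are created for identifiers that are not users; it should call `applicationRoleMgtDAO.updateApplicationRoleAssignedGroups(roleId, addedGroups, removedGroups, tenantDomain);`. Separately, addToCache keys the entry by `applicationRole.getApplicationId()` while getApplicationRoleFromCache and clearFromCache key by role ID, so lookups miss and, worse, the eviction done before update and delete cannot remove what was stored; addToCache should use `new ApplicationRoleCacheKey(applicationRole.getRoleId())`. `applicationRoleCache` is also a static field assigned from the constructor; make it a `private final` instance field or initialise it statically.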
@@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.identity.application.role.mgt.exceptions;
+
+/**
+ * Application role management client exception.
+ */
+public class ApplicationRoleManagementClientException extends ApplicationRoleManagementException {
+
+    public ApplicationRoleManagementClientException(String message, String description, String errorCode) {
+
+        super(message, description, errorCode);
+    }
+
+    public ApplicationRoleManagementClientException(String message, String description, String errorCode,
+                                                    Throwable cause) {
+
+        super(message, description, errorCode, cause);
+    }
+}
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/exceptions/ApplicationRoleManagementException.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/exceptions/ApplicationRoleManagementException.java
new file mode 100644
index 000000000000..4ff1a782843c
--- /dev/null
@@ -0,0 +1,79 @@ +/* + * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com). + * + * WSO2 LLC. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.wso2.carbon.identity.application.role.mgt.exceptions; + +/** + * Application role management exception. + */ +public class ApplicationRoleManagementException extends Exception { + + private String errorCode; + private String description; + + public ApplicationRoleManagementException(String message) { + + super(message); + } + + public ApplicationRoleManagementException(String message, String errorCode) { + + super(message); + this.errorCode = errorCode; + } + + public ApplicationRoleManagementException(String message, String errorCode, Throwable cause) { + + super(message, cause); + this.errorCode = errorCode; + } + + public ApplicationRoleManagementException(String message, String description, String errorCode) { + + super(message); + this.errorCode = errorCode; + this.description = description; + } + + public ApplicationRoleManagementException(String message, String description, String errorCode, Throwable cause) { + + super(message, cause); + this.errorCode = errorCode; + this.description = description; + } + + public String getErrorCode() { + + return errorCode; + } + + public String getDescription() { + + return description; + } + + public void setErrorCode(String errorCode) { + + this.errorCode = errorCode; + } + + public void setDescription(String description) { + + 
this.description = description; + } +} diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/exceptions/ApplicationRoleManagementServerException.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/exceptions/ApplicationRoleManagementServerException.java new file mode 100644 index 000000000000..33be365948ac --- /dev/null +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/exceptions/ApplicationRoleManagementServerException.java 
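Review bot: The base exception exposes `setErrorCode` and `setDescription`, so the error code a caller branches on can be rewritten after the exception has been thrown, while every constructor and both subclasses on this page only ever set these values at construction time. I would drop the two setters and declare `private final String errorCode;` and `private final String description;`, which also makes the type safe to hand across threads. The three-argument constructors also disagree on position: `(String message, String errorCode, Throwable cause)` puts the code second, while `(String message, String description, String errorCode)` puts the description second, which invites silent swaps at call sites; a one-line Javadoc on each constructor naming its parameter order would help until the overloads are rationalised.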
@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.identity.application.role.mgt.exceptions;
+
+/**
+ * Application role management server exception.
+ */
+public class ApplicationRoleManagementServerException extends ApplicationRoleManagementException {
+
+    public ApplicationRoleManagementServerException(String message) {
+
+        super(message);
+    }
+
+    public ApplicationRoleManagementServerException(String message, String errorCode) {
+
+        super(message, errorCode);
+    }
+
+    public ApplicationRoleManagementServerException(String message, String errorCode, Throwable cause) {
+
+        super(message, errorCode, cause);
+    }
+
+    public ApplicationRoleManagementServerException(String message, String description, String errorCode) {
+
+        super(message, description, errorCode);
+    }
+
+    public ApplicationRoleManagementServerException(String message, String description, String errorCode,
+                                                    Throwable cause) {
+
+        super(message, description, errorCode, cause);
+    }
+}
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/internal/ApplicationRoleMgtServiceComponent.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/internal/ApplicationRoleMgtServiceComponent.java new file mode 100644 index 000000000000..c221b30ee758 --- /dev/null +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/internal/ApplicationRoleMgtServiceComponent.java 
@@ -0,0 +1,66 @@ +/* + * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com). + * + * WSO2 LLC. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.wso2.carbon.identity.application.role.mgt.internal; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.osgi.framework.BundleContext; +import org.osgi.service.component.ComponentContext; +import org.osgi.service.component.annotations.Activate; +import org.osgi.service.component.annotations.Component; +import org.osgi.service.component.annotations.Deactivate; +import org.wso2.carbon.identity.application.role.mgt.ApplicationRoleManager; +import org.wso2.carbon.identity.application.role.mgt.ApplicationRoleManagerImpl; + +/** + * OSGi declarative services component which handled activation and deactivation of Application Role Management. 
+ */ +@Component( + name = "identity.application.role.mgt.component", + immediate = true +) +public class ApplicationRoleMgtServiceComponent { + + private static final Log LOG = LogFactory.getLog(ApplicationRoleMgtServiceComponent.class); + + @Activate + protected void activate(ComponentContext ctxt) { + + try { + BundleContext bundleCtx = ctxt.getBundleContext(); + bundleCtx.registerService(ApplicationRoleManager.class, ApplicationRoleManagerImpl.getInstance(), null); + } catch (Throwable e) { + LOG.error("Error while initializing application role management component.", e); + } + } + + @Deactivate + protected void deactivate(ComponentContext ctxt) { + + try { + BundleContext bundleCtx = ctxt.getBundleContext(); + bundleCtx.ungetService(bundleCtx.getServiceReference(ApplicationRoleManager.class)); + if (LOG.isDebugEnabled()) { + LOG.debug("application role management bundle is deactivated"); + } + } catch (Throwable e) { + LOG.error("Error while deactivating application role management component.", e); + } + } +} diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/internal/ApplicationRoleMgtServiceComponentHolder.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/internal/ApplicationRoleMgtServiceComponentHolder.java new file mode 100644 index 000000000000..a78c7cdc4eae --- /dev/null +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/internal/ApplicationRoleMgtServiceComponentHolder.java 
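Review bot: `deactivate` passes the result of `bundleCtx.getServiceReference(ApplicationRoleManager.class)` straight to `ungetService`, but `getServiceReference` returns null when no matching service is registered (for example when `activate` failed inside its own try block), and `ungetService(null)` then most likely fails with a `NullPointerException` that only surfaces through the `catch (Throwable e)` log line. Keep the `ServiceRegistration` that `registerService` returns and unregister it instead: `private ServiceRegistration<ApplicationRoleManager> registration;`, `registration = bundleCtx.registerService(ApplicationRoleManager.class, ApplicationRoleManagerImpl.getInstance(), null);` in `activate`, and `if (registration != null) { registration.unregister(); }` in `deactivate`. Catching `Throwable` in both methods also swallows `Error`s such as class-loading failures that the framework should see; `RuntimeException` is the narrowest type that still covers the intended cases. The class Javadoc reads "which handled activation" where "which handles activation" is meant.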
@@ -0,0 +1,37 @@
+/*
+ * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.identity.application.role.mgt.internal;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+/**
+ * Service component holder class for role management service.
+ */
+public class ApplicationRoleMgtServiceComponentHolder {
+
+ private static final ApplicationRoleMgtServiceComponentHolder instance =
+ new ApplicationRoleMgtServiceComponentHolder();
+ private static final Log LOG = LogFactory.getLog(ApplicationRoleMgtServiceComponentHolder.class);
+
+ public static ApplicationRoleMgtServiceComponentHolder getInstance() {
+
+ return instance;
+ }
+}
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/model/ApplicationRole.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/model/ApplicationRole.java
new file mode 100644
index 000000000000..5923432c7a07
--- /dev/null
+++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/model/ApplicationRole.java
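Review bot: `ApplicationRoleMgtServiceComponentHolder` is built as a singleton (`instance` created once, handed out by `getInstance()`), yet it declares no constructor, so the implicit public one lets any caller create further instances and bypass the holder; add `private ApplicationRoleMgtServiceComponentHolder() { }`. The `LOG` field is never read anywhere in this class and can be dropped until there is something to log. The class Javadoc says "for role management service" while the module is application role management; "Service component holder for the application role management service." would match the sibling classes.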
@@ -0,0 +1,127 @@ +/* + * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com). + * + * WSO2 LLC. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.wso2.carbon.identity.application.role.mgt.model; + +import java.util.List; + +/** + * Application role model. + */ +public class ApplicationRole { + + private String roleId; + private String roleName; + private String[] permissions; + private String applicationId; + private List assignedUsers; + private List assignedGroups; + + public ApplicationRole(String roleId, String roleName, String[] permissions, String applicationId) { + + this.roleId = roleId; + this.roleName = roleName; + this.permissions = permissions; + this.applicationId = applicationId; + } + + public ApplicationRole(String roleId, String roleName, String applicationId) { + + this.roleId = roleId; + this.roleName = roleName; + this.applicationId = applicationId; + } + + public ApplicationRole(String roleName, String[] permissions, String applicationId) { + + this.roleName = roleName; + this.permissions = permissions; + this.applicationId = applicationId; + } + + public ApplicationRole(String roleName, String applicationId) { + + this.roleName = roleName; + this.applicationId = applicationId; + } + + public ApplicationRole(String roleId) { + + this.roleId = roleId; + } + + public String getRoleId() { + + return roleId; + } + + public void setRoleId(String roleId) { + + this.roleId = roleId; + } + + public String 
getRoleName() { + + return roleName; + } + + public void setRoleName(String roleName) { + + this.roleName = roleName; + } + + public String[] getPermissions() { + + return permissions; + } + + public void setPermissions(String[] permissions) { + + this.permissions = permissions; + } + + public String getApplicationId() { + + return applicationId; + } + + public void setApplicationId(String applicationId) { + + this.applicationId = applicationId; + } + + public List getAssignedUsers() { + + return assignedUsers; + } + + public void setAssignedUsers(List assignedUsers) { + + this.assignedUsers = assignedUsers; + } + + public List getAssignedGroups() { + + return assignedGroups; + } + + public void setAssignedGroups(List assignedGroups) { + + this.assignedGroups = assignedGroups; + } +} diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/model/User.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/model/User.java new file mode 100644 index 000000000000..8a43f73773cc --- /dev/null +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/model/User.java @@ -0,0 +1,41 @@ +package org.wso2.carbon.identity.application.role.mgt.model; + +/** + * Application role assigned user model. + */ +public class User { + + private String id; + private String userName; + + public User(String id, String userName) { + + this.id = id; + this.userName = userName; + } + + public User(String id) { + + this.id = id; + } + + public String getId() { + + return id; + } + + public void setId(String id) { + + this.id = id; + } + + public String getUserName() { + + return userName; + } + + public void setUserName(String userName) { + + this.userName = userName; + } +} 
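Review bot: `getPermissions` returns the internal `permissions` array and `setPermissions` (like the two constructors that take `permissions`) stores the caller's array as is, so a caller can change a role's permission set after the fact without going through the setter; return and store copies, e.g. `return permissions == null ? null : permissions.clone();` in the getter and `this.permissions = permissions == null ? null : permissions.clone();` in the setter and constructors. `getAssignedUsers` and `getAssignedGroups` likewise hand out the live lists. The five constructors are told apart only by argument position (`(roleId, roleName, applicationId)` versus `(roleName, permissions, applicationId)`), so a one-line Javadoc on each stating which fields it populates would save call sites from mixing up `roleId` and `roleName`.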
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/ApplicationRoleMgtUtils.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/ApplicationRoleMgtUtils.java
new file mode 100644
index 000000000000..98bfd2203113
--- /dev/null
+++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/ApplicationRoleMgtUtils.java
@@ -0,0 +1,77 @@ +/* + * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com). + * + * WSO2 LLC. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.wso2.carbon.identity.application.role.mgt.util; + +import org.apache.commons.lang.ArrayUtils; +import org.wso2.carbon.database.utils.jdbc.NamedJdbcTemplate; +import org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants; +import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementClientException; +import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementServerException; +import org.wso2.carbon.identity.core.util.IdentityDatabaseUtil; + +/** + * Application role management util. + */ +public class ApplicationRoleMgtUtils { + + /** + * Get a new Jdbc Template. + * + * @return a new Jdbc Template. + */ + public static NamedJdbcTemplate getNewTemplate() { + + return new NamedJdbcTemplate(IdentityDatabaseUtil.getDataSource()); + } + + /** + * Handle server exceptions. + * + * @param error Error message. + * @param e Throwable. + * @param data Data to be replaced in the error description. + * @return ApplicationRoleManagementServerException. + */ + public static ApplicationRoleManagementServerException handleServerException( + ApplicationRoleMgtConstants.ErrorMessages error, Throwable e, String... 
data) { + + String description = error.getDescription(); + if (ArrayUtils.isNotEmpty(data)) { + description = String.format(description, data); + } + return new ApplicationRoleManagementServerException(error.getMessage(), description, error.getCode(), e); + } + + /** + * Handle client exceptions. + * + * @param error Error message. + * @param data Data to be replaced in the error description. + * @return ApplicationRoleManagementClientException. + */ + public static ApplicationRoleManagementClientException handleClientException( + ApplicationRoleMgtConstants.ErrorMessages error, String... data) { + + String description = error.getDescription(); + if (ArrayUtils.isNotEmpty(data)) { + description = String.format(description, data); + } + return new ApplicationRoleManagementClientException(error.getMessage(), description, error.getCode()); + } +} diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/IDResolver.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/IDResolver.java new file mode 100644 index 000000000000..893172d74e6f --- /dev/null +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/IDResolver.java @@ -0,0 +1,12 @@ +package org.wso2.carbon.identity.application.role.mgt.util; + +import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementException; + +/** + * Id Resolver. + */ +public interface IDResolver { + + String getNameByID(String id, String tenantDomain) throws ApplicationRoleManagementException; + +} 
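Review bot: `handleServerException` and `handleClientException` both run `String.format(description, data)` on the enum's description, so a description whose `%s` count exceeds `data.length` throws `MissingFormatArgumentException` from inside the error-handling path and replaces the original failure, including the `e` that `handleServerException` was about to wrap. Either guard the call, `try { description = String.format(description, data); } catch (IllegalFormatException ex) { /* keep raw description */ }`, or document on `ErrorMessages` that each description's placeholders must match the arguments its callers pass. The format string is the fixed enum text and only the arguments are caller-supplied, which is the right way round. `ApplicationRoleMgtUtils` contains only static methods and should also get `private ApplicationRoleMgtUtils() { }`.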
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/UserIDResolver.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/UserIDResolver.java
new file mode 100644
index 000000000000..6491199a9082
--- /dev/null
+++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/UserIDResolver.java
@@ -0,0 +1,77 @@ +package org.wso2.carbon.identity.application.role.mgt.util; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.wso2.carbon.context.PrivilegedCarbonContext; +import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementClientException; +import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementException; +import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementServerException; +import org.wso2.carbon.user.api.UserStoreException; +import org.wso2.carbon.user.api.UserStoreManager; +import org.wso2.carbon.user.core.common.AbstractUserStoreManager; + +import java.util.ArrayList; +import java.util.List; + +/** + * UserId Resolver. + */ +public class UserIDResolver implements IDResolver { + + private Log log = LogFactory.getLog(UserIDResolver.class); + + @Override + public String getNameByID(String id, String tenantDomain) throws ApplicationRoleManagementException { + + String userName = resolveUserNameFromUserID(id); + if (userName == null) { + String errorMessage = "A user doesn't exist with id: " + id + " in the tenantDomain: " + tenantDomain; + throw new ApplicationRoleManagementClientException(errorMessage, errorMessage, ""); + } + return userName; + } + + public List getNamesByIDs(List idList, String tenantDomain) + throws ApplicationRoleManagementException { + + List usersList = new ArrayList<>(); + for (String id : idList) { + usersList.add(getNameByID(id, tenantDomain)); + } + return usersList; + } + + /** + * Retrieves the username of the given userID. + * + * @param id userID. + * @return username of the user. + * @throws ApplicationRoleManagementException ApplicationRoleManagementException. 
+ */ + public String resolveUserNameFromUserID(String id) throws ApplicationRoleManagementException { + + try { + UserStoreManager userStoreManager = PrivilegedCarbonContext.getThreadLocalCarbonContext().getUserRealm() + .getUserStoreManager(); + try { + if (userStoreManager instanceof AbstractUserStoreManager) { + return ((AbstractUserStoreManager) userStoreManager).getUserNameFromUserID(id); + } + if (log.isDebugEnabled()) { + log.debug("Provided user store manager for the userID: " + id + ", is not an instance " + + "of the AbstractUserStore manager"); + } + throw new ApplicationRoleManagementClientException("Unable to get the username of the userID", + "Unable to get the username of the userID: " + id + ".", ""); + } catch (UserStoreException e) { + throw new ApplicationRoleManagementServerException("Error occurred while resolving username for " + + "the userID Error occurred while resolving username for the userID: " + id, ""); + } + } catch (UserStoreException e) { + throw new ApplicationRoleManagementServerException("Error occurred while retrieving the userstore manager " + + "to resolve username for the userID", "Error occurred while retrieving the userstore manager to " + + "resolve username for the userID: " + id, e); + } + } + +} diff --git a/components/application-role-mgt/pom.xml b/components/application-role-mgt/pom.xml new file mode 100644 index 000000000000..fc33e87650f9 --- /dev/null +++ b/components/application-role-mgt/pom.xml @@ -0,0 +1,38 @@ + + + + + + org.wso2.carbon.identity.framework + identity-framework + 5.25.287-SNAPSHOT + ../../pom.xml + + + 4.0.0 + pom + application-role-mgt + + + org.wso2.carbon.identity.application.role.mgt + + + diff --git a/features/application-role-mgt/org.wso2.carbon.identity.application.role.mgt.feature/pom.xml b/features/application-role-mgt/org.wso2.carbon.identity.application.role.mgt.feature/pom.xml new file mode 100644 index 000000000000..444b97acec84 --- /dev/null 
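Review bot: Both catch blocks in `resolveUserNameFromUserID` call the wrong `ApplicationRoleManagementServerException` constructor: the inner one passes a doubled message plus `""` to the `(message, errorCode)` form and drops the caught `e` entirely, and the outer one passes its description to the `(message, errorCode, cause)` form, where it becomes the error code. Use the four-argument form in both, e.g. `throw new ApplicationRoleManagementServerException("Error occurred while resolving username for the userID", "Error occurred while resolving username for the userID: " + id, "", e);`, and likewise for the outer catch. `tenantDomain` is only ever used in the error text of `getNameByID`, while the lookup itself goes through `PrivilegedCarbonContext.getThreadLocalCarbonContext().getUserRealm()`, so the user is resolved in whatever tenant the calling thread carries; if that can differ from `tenantDomain`, the method should either resolve the realm for the given tenant or compare the two and fail, otherwise the parameter should be documented as informational only. `log` would conventionally be `private static final Log LOG`.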
+++ b/features/application-role-mgt/org.wso2.carbon.identity.application.role.mgt.feature/pom.xml @@ -0,0 +1,70 @@ + + + + + + org.wso2.carbon.identity.framework + application-role-mgt-feature + 5.25.287-SNAPSHOT + ../pom.xml + + + 4.0.0 + org.wso2.carbon.identity.application.role.mgt.feature + pom + Identity Application Role Management Feature + http://wso2.org + + + + org.wso2.carbon.identity.framework + org.wso2.carbon.identity.application.role.mgt.server.feature + zip + + + + + + + org.wso2.maven + carbon-p2-plugin + ${carbon.p2.plugin.version} + + + 4-p2-feature-generation + package + + p2-feature-gen + + + org.wso2.carbon.identity.application.role.mgt + ../../etc/feature.properties + + + org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.role.mgt.server.feature + + + + + + + + + + diff --git a/features/application-role-mgt/org.wso2.carbon.identity.application.role.mgt.server.feature/pom.xml b/features/application-role-mgt/org.wso2.carbon.identity.application.role.mgt.server.feature/pom.xml new file mode 100644 index 000000000000..704bf0b12388 --- /dev/null +++ b/features/application-role-mgt/org.wso2.carbon.identity.application.role.mgt.server.feature/pom.xml 
@@ -0,0 +1,121 @@ + + + + + + org.wso2.carbon.identity.framework + application-role-mgt-feature + 5.25.287-SNAPSHOT + ../pom.xml + + + 4.0.0 + org.wso2.carbon.identity.application.role.mgt.server.feature + pom + Identity Application Role Management Server Feature + http://wso2.org + + + + org.wso2.carbon.identity.framework + org.wso2.carbon.identity.application.role.mgt + + + + + + + org.wso2.maven + carbon-p2-plugin + ${carbon.p2.plugin.version} + + + 4-p2-feature-generation + package + + p2-feature-gen + + + org.wso2.carbon.identity.application.role.mgt.server + ../../etc/feature.properties + + + org.wso2.carbon.p2.category.type:server + + + + + org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.role.mgt + + + + + + + maven-resources-plugin + + + prefilter-resources + generate-resources + + copy-resources + + + src/main/resources + + + resources + + **/*.xml + **/*.json + **/*.sql + p2.inf + build.properties + + + + + + + + + org.apache.maven.plugins + maven-antrun-plugin + 1.1 + + + clean_target + install + + + + + + + + + run + + + + + + + + diff --git a/features/application-role-mgt/pom.xml b/features/application-role-mgt/pom.xml new file mode 100644 index 000000000000..88b8d6814d35 --- /dev/null +++ b/features/application-role-mgt/pom.xml @@ -0,0 +1,40 @@ + + + + + + org.wso2.carbon.identity.framework + identity-framework + 5.25.287-SNAPSHOT + ../../pom.xml + + + 4.0.0 + application-role-mgt-feature + pom + WSO2 Carbon - Application Role Management Feature Aggregator Module + http://wso2.org + + + org.wso2.carbon.identity.application.role.mgt.server.feature + org.wso2.carbon.identity.application.role.mgt.feature + + + + diff --git a/pom.xml b/pom.xml index 1aa6b38b4e94..73114bf1994b 100644 --- a/pom.xml +++ b/pom.xml @@ -101,6 +101,8 @@ features/central-logger features/input-validation-mgt features/consent-server-configs-mgt + components/application-role-mgt + features/application-role-mgt 
@@ -814,6 +816,12 @@ ${project.version} zip + + org.wso2.carbon.identity.framework + org.wso2.carbon.identity.application.role.mgt.server.feature + ${project.version} + zip + org.wso2.carbon.identity.framework org.wso2.carbon.identity.application.mgt.ui.feature @@ -1235,6 +1243,11 @@ org.wso2.carbon.identity.application.mgt ${project.version} + + org.wso2.carbon.identity.framework + org.wso2.carbon.identity.application.role.mgt + ${project.version} + org.wso2.carbon.identity.framework From c208ffc40b43f6d358dbd1323fcd6958c6a9b96b Mon Sep 17 00:00:00 2001 From: Thilina Shashimal Senarath Date: Tue, 22 Aug 2023 18:51:05 +0530 Subject: [PATCH 02/21] add changes --- .../pom.xml | 6 + .../role/mgt/ApplicationRoleManager.java | 7 +- .../role/mgt/ApplicationRoleManagerImpl.java | 39 +++++- .../ApplicationRoleMgtConstants.java | 1 + .../role/mgt/constants/SQLConstants.java | 15 +-- .../role/mgt/dao/ApplicationRoleMgtDAO.java | 9 +- .../dao/impl/ApplicationRoleMgtDAOImpl.java | 114 ++++++++++++------ .../CacheBackedApplicationRoleMgtDAOImpl.java | 17 ++- .../ApplicationRoleMgtServiceComponent.java | 44 +++++++ ...licationRoleMgtServiceComponentHolder.java | 34 ++++++ .../role/mgt/model/ApplicationRole.java | 6 +- .../application/role/mgt/model/Group.java | 47 ++++++++ .../role/mgt/util/GroupIDResolver.java | 49 ++++++++ 13 files changed, 327 insertions(+), 61 deletions(-) create mode 100644 components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/model/Group.java create mode 100644 components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/GroupIDResolver.java diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/pom.xml b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/pom.xml index 745e74022442..428cd3b93d28 100644 
--- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/pom.xml +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/pom.xml @@ -66,6 +66,10 @@ runtime test + + org.wso2.carbon.identity.framework + org.wso2.carbon.idp.mgt + @@ -100,6 +104,8 @@ org.wso2.carbon.user.core.*;version="${carbon.kernel.package.import.version.range}", org.wso2.carbon.database.utils.jdbc.exceptions;version="${org.wso2.carbon.database.utils.version.range}", org.wso2.carbon.utils; version="${carbon.kernel.package.import.version.range}", + org.wso2.carbon.idp.mgt.*; version="${carbon.identity.package.import.version.range}", + org.wso2.carbon.identity.application.common.*; version="${carbon.identity.package.import.version.range}", diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManager.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManager.java index 1c64a99c00f0..c0546e2334ab 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManager.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManager.java 
@@ -98,8 +98,8 @@ void updateApplicationRoleAssignedUsers(String roleId, List addedUsers, * @param removedGroups List of group IDs to be unassigned. * @throws ApplicationRoleManagementException Error occurred while updating the application role. */ - void updateApplicationRoleAssignedGroups(String roleId, List addedGroups, List removedGroups) - throws ApplicationRoleManagementException; + void updateApplicationRoleAssignedGroups(String roleId, String idpId, List addedGroups, + List removedGroups) throws ApplicationRoleManagementException; /** * Get the list of assigned groups of an application role. @@ -107,7 +107,8 @@ void updateApplicationRoleAssignedGroups(String roleId, List addedGroups * @param roleId Application role ID. * @throws ApplicationRoleManagementException Error occurred while updating the application role. */ - ApplicationRole getApplicationRoleAssignedGroups(String roleId) throws ApplicationRoleManagementException; + ApplicationRole getApplicationRoleAssignedGroups(String roleId, String idpId) + throws ApplicationRoleManagementException; } diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImpl.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImpl.java index 3d146733ab1b..0351bb247d48 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImpl.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImpl.java 
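Review bot: The new `idpId` parameter of `getApplicationRoleAssignedGroups` is not described in the Javadoc directly above it (the second hunk shows only `@param roleId`), and that Javadoc still says the error occurs "while updating the application role" for what is a getter; add `* @param idpId Identity provider ID, or the local IdP marker for groups of the resident IdP.` and change the `@throws` text to "while retrieving the assigned groups". Whether the first hunk's Javadoc documents `idpId` for `updateApplicationRoleAssignedGroups` cannot be seen, since its `@param` lines sit above the hunk. Which `idpId` value selects the local IdP is part of this interface's contract and belongs here rather than only in the implementation.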
@@ -19,17 +19,21 @@ package org.wso2.carbon.identity.application.role.mgt; import org.wso2.carbon.context.PrivilegedCarbonContext; +import org.wso2.carbon.identity.application.common.model.IdentityProvider; import org.wso2.carbon.identity.application.role.mgt.dao.ApplicationRoleMgtDAO; import org.wso2.carbon.identity.application.role.mgt.dao.impl.ApplicationRoleMgtDAOImpl; import org.wso2.carbon.identity.application.role.mgt.dao.impl.CacheBackedApplicationRoleMgtDAOImpl; import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementException; +import org.wso2.carbon.identity.application.role.mgt.internal.ApplicationRoleMgtServiceComponentHolder; import org.wso2.carbon.identity.application.role.mgt.model.ApplicationRole; +import org.wso2.carbon.idp.mgt.IdentityProviderManagementException; import java.util.HashSet; import java.util.Iterator; import java.util.List; import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_DUPLICATE_ROLE; +import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.LOCAL_IDP; import static org.wso2.carbon.identity.application.role.mgt.util.ApplicationRoleMgtUtils.handleClientException; /** 
@@ -105,16 +109,45 @@ public ApplicationRole getApplicationRoleAssignedUsers(String roleId) } @Override - public void updateApplicationRoleAssignedGroups(String roleId, List addedGroups, List removedGroups) + public void updateApplicationRoleAssignedGroups(String roleId, String idpId, List addedGroups, + List removedGroups) throws ApplicationRoleManagementException { + try { + IdentityProvider identityProvider; + if (LOCAL_IDP.equals(idpId)) { + + identityProvider = ApplicationRoleMgtServiceComponentHolder.getInstance() + .getIdentityProviderManager().getResidentIdP(getTenantDomain()); + } else { + identityProvider = ApplicationRoleMgtServiceComponentHolder.getInstance() + .getIdentityProviderManager().getIdPByResourceId(idpId, getTenantDomain(), true); + } + removeCommonValues(addedGroups, removedGroups); + applicationRoleMgtDAO.updateApplicationRoleAssignedGroups(roleId, identityProvider.getResourceId(), + addedGroups, removedGroups, getTenantDomain()); + } catch (IdentityProviderManagementException e) { + throw new ApplicationRoleManagementException("Error while retrieving idp", + "Error while retrieving idp for idpId: " + idpId, e); + } } @Override - public ApplicationRole getApplicationRoleAssignedGroups(String roleId) + public ApplicationRole getApplicationRoleAssignedGroups(String roleId, String idpId) throws ApplicationRoleManagementException { - return null; + if (LOCAL_IDP.equals(idpId)) { + return applicationRoleMgtDAO.getApplicationRoleAssignedGroups(roleId, getTenantDomain()); + } + IdentityProvider identityProvider; + try { + identityProvider = ApplicationRoleMgtServiceComponentHolder.getInstance() + .getIdentityProviderManager().getIdPByResourceId(idpId, getTenantDomain(), true); + } catch (IdentityProviderManagementException e) { + throw new ApplicationRoleManagementException("Error while retrieving idp", "Error while retrieving idp " + + "for idpId: " + idpId, e); + } + return applicationRoleMgtDAO.getApplicationRoleAssignedGroups(roleId, 
identityProvider, getTenantDomain()); } private static String getTenantDomain() { diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/ApplicationRoleMgtConstants.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/ApplicationRoleMgtConstants.java index 83f782136970..735bd065df80 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/ApplicationRoleMgtConstants.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/ApplicationRoleMgtConstants.java @@ -24,6 +24,7 @@ public class ApplicationRoleMgtConstants { private static final String APP_ROLE_MGT_ERROR_CODE_PREFIX = "APM-"; + public static final String LOCAL_IDP = "local"; /** * Application role management error message constants. diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/SQLConstants.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/SQLConstants.java index 51c34557f477..07166afca263 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/SQLConstants.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/SQLConstants.java 
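Review bot: In `updateApplicationRoleAssignedGroups`, `identityProvider.getResourceId()` is dereferenced without a null check, and `getApplicationRoleAssignedGroups` passes `identityProvider` to the DAO the same way; nothing in the hunk shows that `getIdPByResourceId(idpId, getTenantDomain(), true)` throws rather than returns null for an unknown or foreign-tenant `idpId`, so if it returns null the caller gets a `NullPointerException` instead of a client error. Add after each lookup `if (identityProvider == null) { throw handleClientException(<ErrorMessages entry for an invalid IdP id — would need adding>, idpId); }`. Both catch blocks wrap `IdentityProviderManagementException` in the base `ApplicationRoleManagementException`, whereas the rest of the class routes errors through the `ErrorMessages` helpers; raising a server exception through `handleServerException` in `ApplicationRoleMgtUtils` would keep error codes consistent. The local-IdP handling also differs between the two methods (the update resolves the resident IdP and stores its resource id; the get calls the DAO overload without an IdP), which deserves a comment explaining why the stored `IDP_ID` of local groups is what the two-argument DAO query finds. `getTenantDomain` and `removeCommonValues` are defined outside this hunk.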
@@ -54,25 +54,25 @@ public class SQLConstants { SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_TENANT_ID + ";);"; public static final String DELETE_ASSIGNED_USER_APPLICATION_ROLE = "DELETE FROM USER_ROLE WHERE ROLE_ID = :" + - SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + " USER_ID = :" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + " AND USER_ID = :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_USER_ID + ";"; public static final String GET_ASSIGNED_USERS_OF_APPLICATION_ROLE = "SELECT USER_ID " + "FROM USER_ROLE WHERE ROLE_ID = :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + ";"; - public static final String ADD_APPLICATION_ROLE_GROUP = "INSERT INTO GROUP_ROLE (ROLE_ID, USER_ID, TENANT_ID) " + - "VALUES (:" + + public static final String ADD_APPLICATION_ROLE_GROUP = "INSERT INTO GROUP_ROLE (ROLE_ID, GROUP_ID, IDP_ID," + + " TENANT_ID) VALUES (:" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + ";, :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_GROUP_ID + ";, :" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_IDP_ID + ";, :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_TENANT_ID + ";);"; public static final String DELETE_ASSIGNED_GROUP_APPLICATION_ROLE = "DELETE FROM GROUP_ROLE WHERE ROLE_ID = :" + - SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + " GROUP_ID = :" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + " AND GROUP_ID = :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_GROUP_ID + ";"; - public static final String GET_ASSIGNED_GROUPS_OF_APPLICATION_ROLE = "SELECT GROUP_ID " + - "FROM GROUP_ROLE WHERE ROLE_ID = :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + " TENANT_ID = : " - + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_TENANT_ID + ";"; + public static final String GET_ASSIGNED_GROUPS_OF_APPLICATION_ROLE = "SELECT GROUP_ID, IDP_ID " + + "FROM GROUP_ROLE WHERE ROLE_ID = :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + ";"; /** * SQL Placeholders. 
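Review bot: `DELETE_ASSIGNED_GROUP_APPLICATION_ROLE` constrains only on `ROLE_ID` and `GROUP_ID`, while the new `ADD_APPLICATION_ROLE_GROUP` now stores an `IDP_ID` next to them, so once the same `GROUP_ID` value is assigned under two identity providers, unassigning it for one IdP silently deletes the other IdP's row as well; append `" AND IDP_ID = :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_IDP_ID` to the delete (the DAO binding for it lives outside this hunk). The rewritten `GET_ASSIGNED_GROUPS_OF_APPLICATION_ROLE` drops the `TENANT_ID` filter the previous version had; if `ROLE_ID` is unique across tenants that is harmless, but then the tenant column written by the insert is never read by these queries, so a comment on the constant stating which invariant is relied on would help the next reader. The `DELETE_ASSIGNED_USER_APPLICATION_ROLE` statement has the same tenant-filter question.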
@@ -85,5 +85,6 @@ public static final class SQLPlaceholders { public static final String DB_SCHEMA_COLUMN_NAME_APP_ID = "APP_ID"; public static final String DB_SCHEMA_COLUMN_NAME_USER_ID = "USER_ID"; public static final String DB_SCHEMA_COLUMN_NAME_GROUP_ID = "GROUP_ID"; + public static final String DB_SCHEMA_COLUMN_NAME_IDP_ID = "IDP_ID"; } } diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/ApplicationRoleMgtDAO.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/ApplicationRoleMgtDAO.java index e6c93550fe7f..dccd63bb5592 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/ApplicationRoleMgtDAO.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/ApplicationRoleMgtDAO.java @@ -18,6 +18,7 @@ package org.wso2.carbon.identity.application.role.mgt.dao; +import org.wso2.carbon.identity.application.common.model.IdentityProvider; import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementException; import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementServerException; import org.wso2.carbon.identity.application.role.mgt.model.ApplicationRole; 
@@ -52,9 +53,13 @@ void updateApplicationRoleAssignedUsers(String roleId, List addedUsers, ApplicationRole getApplicationRoleAssignedUsers(String roleId, String tenantDomain) throws ApplicationRoleManagementException; - void updateApplicationRoleAssignedGroups(String roleId, List addedGroups, List removedGroups, - String tenantDomain) throws ApplicationRoleManagementException; + void updateApplicationRoleAssignedGroups(String roleId, String idpId, List addedGroups, + List removedGroups, String tenantDomain) + throws ApplicationRoleManagementException; ApplicationRole getApplicationRoleAssignedGroups(String roleId, String tenantDomain) throws ApplicationRoleManagementException; + + ApplicationRole getApplicationRoleAssignedGroups(String roleId, IdentityProvider identityProvider, + String tenantDomain) throws ApplicationRoleManagementException; } diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java index 12fe094bc9c0..156c46db08b6 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java 
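Review bot: The new `idpId` parameter on `updateApplicationRoleAssignedGroups` and the new `IdentityProvider` overload of `getApplicationRoleAssignedGroups` carry no Javadoc, and the interface does not say what `idpId` holds for local groups. From `ApplicationRoleMgtConstants` it looks like the `LOCAL_IDP` marker stands for the resident IdP, but that should be stated on the method rather than inferred by the next implementer. I would add a Javadoc saying that `addedGroups` and `removedGroups` are group ids that must belong to the IdP identified by `idpId`, that `idpId` is either an IdP resource id or the `LOCAL_IDP` marker (confirm), and that the `IdentityProvider` overload resolves group names from the provider's own group configuration rather than the user store.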
@@ -23,21 +23,28 @@ import org.wso2.carbon.database.utils.jdbc.NamedJdbcTemplate; import org.wso2.carbon.database.utils.jdbc.exceptions.DataAccessException; import org.wso2.carbon.database.utils.jdbc.exceptions.TransactionException; +import org.wso2.carbon.identity.application.common.model.IdPGroup; +import org.wso2.carbon.identity.application.common.model.IdentityProvider; import org.wso2.carbon.identity.application.role.mgt.constants.SQLConstants; import org.wso2.carbon.identity.application.role.mgt.dao.ApplicationRoleMgtDAO; import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementException; import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementServerException; import org.wso2.carbon.identity.application.role.mgt.model.ApplicationRole; +import org.wso2.carbon.identity.application.role.mgt.model.Group; import org.wso2.carbon.identity.application.role.mgt.model.User; +import org.wso2.carbon.identity.application.role.mgt.util.GroupIDResolver; import org.wso2.carbon.identity.application.role.mgt.util.UserIDResolver; import org.wso2.carbon.identity.core.util.IdentityTenantUtil; import org.wso2.carbon.utils.multitenancy.MultitenantConstants; +import java.util.HashMap; import java.util.List; +import java.util.Map; import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_CHECKING_ROLE_EXISTENCE; import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_DELETE_ROLE; import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_GET_ROLES_BY_APPLICATION; +import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_GET_ROLE_ASSIGNED_GROUPS; import static 
org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_GET_ROLE_ASSIGNED_USERS; import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_GET_ROLE_BY_ID; import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_INSERT_ROLE; @@ -46,6 +53,7 @@ import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_UPDATE_ROLE_ASSIGNED_USERS; import static org.wso2.carbon.identity.application.role.mgt.constants.SQLConstants.SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_APP_ID; import static org.wso2.carbon.identity.application.role.mgt.constants.SQLConstants.SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_GROUP_ID; +import static org.wso2.carbon.identity.application.role.mgt.constants.SQLConstants.SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_IDP_ID; import static org.wso2.carbon.identity.application.role.mgt.constants.SQLConstants.SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID; import static org.wso2.carbon.identity.application.role.mgt.constants.SQLConstants.SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_NAME; import static org.wso2.carbon.identity.application.role.mgt.constants.SQLConstants.SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_TENANT_ID; @@ -60,6 +68,7 @@ public class ApplicationRoleMgtDAOImpl implements ApplicationRoleMgtDAO { private static final Log LOG = LogFactory.getLog(ApplicationRoleMgtDAOImpl.class); private UserIDResolver userIDResolver = new UserIDResolver(); + private GroupIDResolver groupIDResolver = new GroupIDResolver(); @Override public ApplicationRole addApplicationRole(ApplicationRole applicationRole, String tenantDomain) 
@@ -235,19 +244,12 @@ public void updateApplicationRoleAssignedUsers(String roleId, List added public ApplicationRole getApplicationRoleAssignedUsers(String roleId, String tenantDomain) throws ApplicationRoleManagementException { - int tenantID; - if (tenantDomain != null) { - tenantID = IdentityTenantUtil.getTenantId(tenantDomain); - } else { - tenantID = MultitenantConstants.INVALID_TENANT_ID; - } NamedJdbcTemplate namedJdbcTemplate = getNewTemplate(); try { List users; users = namedJdbcTemplate.executeQuery(SQLConstants.GET_ASSIGNED_USERS_OF_APPLICATION_ROLE, (resultSet, rowNumber) -> { - User user = new User(resultSet.getString(DB_SCHEMA_COLUMN_NAME_USER_ID)); - return user; + return new User(resultSet.getString(DB_SCHEMA_COLUMN_NAME_USER_ID)); }, namedPreparedStatement -> { namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, roleId); @@ -264,8 +266,9 @@ public ApplicationRole getApplicationRoleAssignedUsers(String roleId, String ten } @Override - public void updateApplicationRoleAssignedGroups(String roleId, List addedGroups, List removedGroups, - String tenantDomain) throws ApplicationRoleManagementException { + public void updateApplicationRoleAssignedGroups(String roleId, String idpId, List addedGroups, + List removedGroups, String tenantDomain) + throws ApplicationRoleManagementException { int tenantID; if (tenantDomain != null) { @@ -281,7 +284,8 @@ public void updateApplicationRoleAssignedGroups(String roleId, List adde namedJdbcTemplate.executeBatchInsert(sqlStmt, (preparedStatement -> { for (String groupId : addedGroups) { preparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, roleId); - preparedStatement.setString(DB_SCHEMA_COLUMN_NAME_USER_ID, groupId); + preparedStatement.setString(DB_SCHEMA_COLUMN_NAME_GROUP_ID, groupId); + preparedStatement.setString(DB_SCHEMA_COLUMN_NAME_IDP_ID, idpId); preparedStatement.setInt(DB_SCHEMA_COLUMN_NAME_TENANT_ID, tenantID); preparedStatement.addBatch(); } 
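Review bot: The batch insert at the end of this hunk writes `idpId` onto every `GROUP_ROLE` row exactly as received, and nothing in the hunk checks that the ids in `addedGroups` actually belong to that IdP — for the resident IdP that the group exists in the user store, for a federated IdP that it appears in the provider's group configuration. Unless the manager layer validates this before calling (not visible here), a caller can bind arbitrary group ids to a role under any IdP id, and the mismatch only surfaces later when name resolution fails or silently returns a null name. The existence check belongs before `executeBatchInsert`, rejecting the update with a client exception; `updateApplicationRoleAssignedGroups` continues outside the hunk.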
@@ -301,40 +305,70 @@ public void updateApplicationRoleAssignedGroups(String roleId, List adde } @Override - public ApplicationRole getApplicationRoleAssignedGroups(String roleId, String tenantDomain) + public ApplicationRole getApplicationRoleAssignedGroups(String roleId, String tenantDomain) throws + ApplicationRoleManagementException { + + NamedJdbcTemplate namedJdbcTemplate = getNewTemplate(); + try { + List groups; + groups = namedJdbcTemplate.executeQuery(SQLConstants.GET_ASSIGNED_GROUPS_OF_APPLICATION_ROLE, + (resultSet, rowNumber) -> new Group(resultSet.getString(DB_SCHEMA_COLUMN_NAME_GROUP_ID), + resultSet.getString(DB_SCHEMA_COLUMN_NAME_IDP_ID)), + namedPreparedStatement -> { + namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, roleId); + }); + for (Group group : groups) { + group.setGroupName(getGroupNamesByID(group.getGroupId(), tenantDomain)); + } + ApplicationRole applicationRole = new ApplicationRole(roleId); + applicationRole.setAssignedGroups(groups); + return applicationRole; + } catch (DataAccessException e) { + throw handleServerException(ERROR_CODE_GET_ROLE_ASSIGNED_GROUPS, e, roleId); + } + } + + @Override + public ApplicationRole getApplicationRoleAssignedGroups(String roleId, IdentityProvider identityProvider, + String tenantDomain) throws + ApplicationRoleManagementException { + + NamedJdbcTemplate namedJdbcTemplate = getNewTemplate(); + try { + List groups; + groups = namedJdbcTemplate.executeQuery(SQLConstants.GET_ASSIGNED_GROUPS_OF_APPLICATION_ROLE, + (resultSet, rowNumber) -> new Group(resultSet.getString(DB_SCHEMA_COLUMN_NAME_GROUP_ID), + resultSet.getString(DB_SCHEMA_COLUMN_NAME_IDP_ID)), + namedPreparedStatement -> { + namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, roleId); + }); + IdPGroup[] idpGroups = identityProvider.getIdPGroupConfig(); + Map idToNameMap = new HashMap<>(); + for (IdPGroup idpGroup : idpGroups) { + idToNameMap.put(idpGroup.getIdpGroupId(), idpGroup.getIdpGroupName()); + } + for 
(Group group : groups) { + if (idToNameMap.containsKey(group.getGroupId())) { + group.setGroupName(idToNameMap.get(group.getGroupId())); + } + } + ApplicationRole applicationRole = new ApplicationRole(roleId); + applicationRole.setAssignedGroups(groups); + return applicationRole; + } catch (DataAccessException e) { + throw handleServerException(ERROR_CODE_GET_ROLE_ASSIGNED_GROUPS, e, roleId); + } + } + + private String getUserNamesByID(String userID, String tenantDomain) throws ApplicationRoleManagementException { -// int tenantID; -// if (tenantDomain != null) { -// tenantID = IdentityTenantUtil.getTenantId(tenantDomain); -// } else { -// tenantID = MultitenantConstants.INVALID_TENANT_ID; -// } -// NamedJdbcTemplate namedJdbcTemplate = getNewTemplate(); -// try { -// namedJdbcTemplate.executeQuery(SQLConstants.GET_ASSIGNED_GROUPS_OF_APPLICATION_ROLE, -// (resultSet, rowNumber) -> { -// ApplicationRole applicationRole = new ApplicationRole(roleId); -// List groupIds = new ArrayList<>(); -// while (resultSet.next()) { -// groupIds.add(resultSet.getString(DB_SCHEMA_COLUMN_NAME_GROUP_ID)); -// } -// applicationRole.setAssignedGroups(groupIds.toArray(new String[0])); -// return applicationRole; -// }, -// namedPreparedStatement -> { -// namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, roleId); -// namedPreparedStatement.setInt(DB_SCHEMA_COLUMN_NAME_TENANT_ID, tenantID); -// }); -// } catch (DataAccessException e) { -// throw handleServerException(ERROR_CODE_GET_ROLE_ASSIGNED_USERS, e, roleId); -// } - return null; + return userIDResolver.getNameByID(userID, tenantDomain); } - private String getUserNamesByID(String userIDs, String tenantDomain) + private String getGroupNamesByID(String groupID, String tenantDomain) throws ApplicationRoleManagementException { - return userIDResolver.getNameByID(userIDs, tenantDomain); + return groupIDResolver.getNameByID(groupID, tenantDomain); } } 
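Review bot: In the `IdentityProvider` overload, `identityProvider.getIdPGroupConfig()` is iterated without a null check, so if that getter can return null for a provider with no group mappings (confirm against the model class), the `for` loop throws a `NullPointerException` that escapes as an unchecked error instead of the `ApplicationRoleManagementException` callers handle — the `catch` only covers `DataAccessException`. Groups whose id is absent from the configuration are also returned with a null `groupName`, which silently hides a stale assignment. I would guard with `IdPGroup[] idpGroups = identityProvider.getIdPGroupConfig(); if (idpGroups == null) { idpGroups = new IdPGroup[0]; }` and decide explicitly whether unmatched groups are dropped from the result or at least logged at debug level.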
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/CacheBackedApplicationRoleMgtDAOImpl.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/CacheBackedApplicationRoleMgtDAOImpl.java index 9cc07ba01da5..cca39aeb7f7c 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/CacheBackedApplicationRoleMgtDAOImpl.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/CacheBackedApplicationRoleMgtDAOImpl.java @@ -21,6 +21,7 @@ import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.wso2.carbon.identity.application.common.model.IdentityProvider; import org.wso2.carbon.identity.application.role.mgt.cache.ApplicationRoleCache; import org.wso2.carbon.identity.application.role.mgt.cache.ApplicationRoleCacheEntry; import org.wso2.carbon.identity.application.role.mgt.cache.ApplicationRoleCacheKey; 
@@ -115,10 +116,12 @@ public ApplicationRole getApplicationRoleAssignedUsers(String roleId, String ten } @Override - public void updateApplicationRoleAssignedGroups(String roleId, List addedGroups, List removedGroups, - String tenantDomain) throws ApplicationRoleManagementException { + public void updateApplicationRoleAssignedGroups(String roleId, String idpId, List addedGroups, + List removedGroups, String tenantDomain) + throws ApplicationRoleManagementException { - applicationRoleMgtDAO.updateApplicationRoleAssignedUsers(roleId, addedGroups, removedGroups, tenantDomain); + applicationRoleMgtDAO.updateApplicationRoleAssignedGroups(roleId, idpId, addedGroups, removedGroups, + tenantDomain); } @Override @@ -128,6 +131,14 @@ public ApplicationRole getApplicationRoleAssignedGroups(String roleId, String te return applicationRoleMgtDAO.getApplicationRoleAssignedGroups(roleId, tenantDomain); } + @Override + public ApplicationRole getApplicationRoleAssignedGroups(String roleId, IdentityProvider identityProvider, + String tenantDomain) + throws ApplicationRoleManagementException { + + return applicationRoleMgtDAO.getApplicationRoleAssignedGroups(roleId, identityProvider, tenantDomain); + } + private ApplicationRole getApplicationRoleFromCache(String applicationRoleId, String tenantDomain) { ApplicationRole applicationRole = null; diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/internal/ApplicationRoleMgtServiceComponent.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/internal/ApplicationRoleMgtServiceComponent.java index c221b30ee758..4cd54523e31d 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/internal/ApplicationRoleMgtServiceComponent.java 
+++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/internal/ApplicationRoleMgtServiceComponent.java @@ -25,8 +25,13 @@ import org.osgi.service.component.annotations.Activate; import org.osgi.service.component.annotations.Component; import org.osgi.service.component.annotations.Deactivate; +import org.osgi.service.component.annotations.Reference; +import org.osgi.service.component.annotations.ReferenceCardinality; +import org.osgi.service.component.annotations.ReferencePolicy; import org.wso2.carbon.identity.application.role.mgt.ApplicationRoleManager; import org.wso2.carbon.identity.application.role.mgt.ApplicationRoleManagerImpl; +import org.wso2.carbon.idp.mgt.IdpManager; +import org.wso2.carbon.user.core.service.RealmService; /** * OSGi declarative services component which handled activation and deactivation of Application Role Management. 
@@ -63,4 +68,43 @@ protected void deactivate(ComponentContext ctxt) {
 LOG.error("Error while deactivating application role management component.", e);
 }
 }
+
+ @Reference(
+ name = "realm.service",
+ service = RealmService.class,
+ cardinality = ReferenceCardinality.MANDATORY,
+ policy = ReferencePolicy.DYNAMIC,
+ unbind = "unsetRealmService")
+ protected void setRealmService(RealmService realmService) {
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Setting the Realm Service");
+ }
+ ApplicationRoleMgtServiceComponentHolder.getInstance().setRealmService(realmService);
+ }
+
+ protected void unsetRealmService(RealmService realmService) {
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Unset the Realm Service.");
+ }
+ ApplicationRoleMgtServiceComponentHolder.getInstance().setRealmService(null);
+ }
+
+ @Reference(
+ name = "idp.mgt.dscomponent",
+ service = IdpManager.class,
+ cardinality = ReferenceCardinality.MANDATORY,
+ policy = ReferencePolicy.DYNAMIC,
+ unbind = "unsetIdentityProviderManager"
+ )
+ protected void setIdentityProviderManager(IdpManager idpMgtService) {
+
+ ApplicationRoleMgtServiceComponentHolder.getInstance().setIdentityProviderManager(idpMgtService);
+ }
+
+ protected void unsetIdentityProviderManager(IdpManager idpMgtService) {
+
+ ApplicationRoleMgtServiceComponentHolder.getInstance().setIdentityProviderManager(null);
+ }
 }
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/internal/ApplicationRoleMgtServiceComponentHolder.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/internal/ApplicationRoleMgtServiceComponentHolder.java
index a78c7cdc4eae..f92f7f1aec0e 100644
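Review bot: Both references are declared `ReferencePolicy.DYNAMIC`, so the holder's `realmService` and `identityProviderManager` can be reset to `null` by an unbind while a request is in flight, yet the consumers in this series (`GroupIDResolver.getUserStoreManager`, `ApplicationRoleManagerImpl.getApplicationRoleAssignedGroups`) call through the holder without a null check. With `MANDATORY` cardinality and no stated reason for dynamic rebinding, `ReferencePolicy.STATIC` (the default) removes that window entirely; if dynamic is intended, the holder getters should fail with a server exception when the service is unset. The IdP manager setter is also silent while `setRealmService` logs at debug, a small inconsistency worth aligning.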
--- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/internal/ApplicationRoleMgtServiceComponentHolder.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/internal/ApplicationRoleMgtServiceComponentHolder.java @@ -20,6 +20,8 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.wso2.carbon.idp.mgt.IdpManager; +import org.wso2.carbon.user.core.service.RealmService; /** * Service component holder class for role management service. @@ -28,10 +30,42 @@ public class ApplicationRoleMgtServiceComponentHolder { private static final ApplicationRoleMgtServiceComponentHolder instance = new ApplicationRoleMgtServiceComponentHolder(); + private RealmService realmService; + private IdpManager identityProviderManager; private static final Log LOG = LogFactory.getLog(ApplicationRoleMgtServiceComponentHolder.class); public static ApplicationRoleMgtServiceComponentHolder getInstance() { return instance; } + + public RealmService getRealmService() { + + return realmService; + } + + public void setRealmService(RealmService realmService) { + + this.realmService = realmService; + } + + /** + * Get IdentityProviderManager osgi service. + * + * @return IdentityProviderManager + */ + public IdpManager getIdentityProviderManager() { + + return identityProviderManager; + } + + /** + * Set IdentityProviderManager osgi service. + * + * @param idpManager IdentityProviderManager. + */ + public void setIdentityProviderManager(IdpManager idpManager) { + + this.identityProviderManager = idpManager; + } } 
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/model/ApplicationRole.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/model/ApplicationRole.java index 5923432c7a07..650378f522af 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/model/ApplicationRole.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/model/ApplicationRole.java @@ -30,7 +30,7 @@ public class ApplicationRole { private String[] permissions; private String applicationId; private List assignedUsers; - private List assignedGroups; + private List assignedGroups; public ApplicationRole(String roleId, String roleName, String[] permissions, String applicationId) { @@ -115,12 +115,12 @@ public void setAssignedUsers(List assignedUsers) { this.assignedUsers = assignedUsers; } - public List getAssignedGroups() { + public List getAssignedGroups() { return assignedGroups; } - public void setAssignedGroups(List assignedGroups) { + public void setAssignedGroups(List assignedGroups) { this.assignedGroups = assignedGroups; } diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/model/Group.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/model/Group.java new file mode 100644 index 000000000000..1774d85d9dc8 --- /dev/null +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/model/Group.java 
@@ -0,0 +1,47 @@
+package org.wso2.carbon.identity.application.role.mgt.model;
+
+/**
+ * Application role assigned group model.
+ */
+public class Group {
+
+ private String groupId;
+ private String groupName;
+ private String idpId;
+
+ public Group(String groupId, String idpId) {
+
+ this.groupId = groupId;
+ this.idpId = idpId;
+ }
+
+ public String getGroupId() {
+
+ return groupId;
+ }
+
+ public void setGroupId(String groupId) {
+
+ this.groupId = groupId;
+ }
+
+ public String getGroupName() {
+
+ return groupName;
+ }
+
+ public void setGroupName(String groupName) {
+
+ this.groupName = groupName;
+ }
+
+ public String getIdpId() {
+
+ return idpId;
+ }
+
+ public void setIdpId(String idpId) {
+
+ this.idpId = idpId;
+ }
+}
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/GroupIDResolver.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/GroupIDResolver.java
new file mode 100644
index 000000000000..fe5cc862cb7b
--- /dev/null
+++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/GroupIDResolver.java
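Review bot: `Group.java` starts at `package` with no license header, unlike the other files in this module whose `package` lines sit below a header block, and none of its fields is documented. The field that most needs a comment is `idpId`: nothing in the class says whether it holds the IdP resource id or the `LOCAL_IDP` marker for resident-IdP groups, nor that `groupName` stays null until the DAO resolves it after the query. I would add the module's license block and a Javadoc on each field, e.g. `/** Identifier of the IdP the group belongs to; the LOCAL_IDP marker for resident groups (confirm). */` on `idpId` and `/** Display name, filled in after loading; may be null. */` on `groupName`.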
@@ -0,0 +1,49 @@ +package org.wso2.carbon.identity.application.role.mgt.util; + +import org.wso2.carbon.context.PrivilegedCarbonContext; +import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementClientException; +import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementException; +import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementServerException; +import org.wso2.carbon.identity.application.role.mgt.internal.ApplicationRoleMgtServiceComponentHolder; +import org.wso2.carbon.user.api.UserRealm; +import org.wso2.carbon.user.api.UserStoreException; +import org.wso2.carbon.user.core.common.AbstractUserStoreManager; +import org.wso2.carbon.user.core.service.RealmService; + +/** + * GroupId Resolver. + */ +public class GroupIDResolver implements IDResolver { + + @Override + public String getNameByID(String id, String tenantDomain) throws ApplicationRoleManagementException { + + String groupName = resolveGroupNameFromGroupID(id); + if (groupName == null) { + String errorMessage = "A group doesn't exist with id: " + id + " in the tenantDomain: " + tenantDomain; + throw new ApplicationRoleManagementClientException(errorMessage, errorMessage, ""); + } + return groupName; + } + + public String resolveGroupNameFromGroupID(String id) throws ApplicationRoleManagementException { + + AbstractUserStoreManager userStoreManager; + try { + userStoreManager = getUserStoreManager(PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId()); + return userStoreManager.getGroupNameByGroupId(id); + } catch (UserStoreException e) { + throw new ApplicationRoleManagementServerException("Error occurred while retrieving the userstore manager " + + "to resolve group name for the groupID", "Error occurred while retrieving the userstore manager " + + "to resolve group name for the groupID: " + id, e); + } + } + + private AbstractUserStoreManager getUserStoreManager(int tenantId) throws 
UserStoreException { + + RealmService realmService = ApplicationRoleMgtServiceComponentHolder.getInstance().getRealmService(); + UserRealm tenantUserRealm = realmService.getTenantUserRealm(tenantId); + + return (AbstractUserStoreManager) tenantUserRealm.getUserStoreManager(); + } +} From 6c4b1b1e3404847973863b67a6983fc5a8d91b04 Mon Sep 17 00:00:00 2001 From: Thilina Shashimal Senarath Date: Wed, 23 Aug 2023 12:17:25 +0530 Subject: [PATCH 03/21] add changes --- .../role/mgt/ApplicationRoleManagerImpl.java | 17 ++-- .../ApplicationRoleMgtConstants.java | 2 +- .../role/mgt/constants/SQLConstants.java | 7 +- .../role/mgt/dao/ApplicationRoleMgtDAO.java | 3 - .../dao/impl/ApplicationRoleMgtDAOImpl.java | 93 ++++++++----------- .../CacheBackedApplicationRoleMgtDAOImpl.java | 7 -- .../application/role/mgt/model/Group.java | 11 +++ 7 files changed, 66 insertions(+), 74 deletions(-) diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImpl.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImpl.java index 0351bb247d48..d36113fedbe7 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImpl.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImpl.java 
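Review bot: `resolveGroupNameFromGroupID` ignores the `tenantDomain` that `getNameByID` receives and looks the group up in the tenant taken from `PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId()`, so the domain only ever appears in the error message; if the two disagree (a privileged call on behalf of another tenant, or a context not yet set) the name is resolved from the wrong user store. Pass the domain through and derive the id from it: `return resolveGroupNameFromGroupID(id, tenantDomain);` in `getNameByID` and `getUserStoreManager(IdentityTenantUtil.getTenantId(tenantDomain))` in the resolver, which is how `ApplicationRoleMgtDAOImpl` already maps tenant domains (this adds an `IdentityTenantUtil` import). `getUserStoreManager` also dereferences `getRealmService()` with no null check, and the client exception is raised with an empty error code where the rest of the module uses the `APM-` prefixed codes.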
@@ -135,19 +135,20 @@ public void updateApplicationRoleAssignedGroups(String roleId, String idpId, Lis @Override public ApplicationRole getApplicationRoleAssignedGroups(String roleId, String idpId) throws ApplicationRoleManagementException { - - if (LOCAL_IDP.equals(idpId)) { - return applicationRoleMgtDAO.getApplicationRoleAssignedGroups(roleId, getTenantDomain()); - } - IdentityProvider identityProvider; try { - identityProvider = ApplicationRoleMgtServiceComponentHolder.getInstance() - .getIdentityProviderManager().getIdPByResourceId(idpId, getTenantDomain(), true); + IdentityProvider identityProvider; + if (LOCAL_IDP.equalsIgnoreCase(idpId)) { + identityProvider = ApplicationRoleMgtServiceComponentHolder.getInstance() + .getIdentityProviderManager().getResidentIdP(getTenantDomain()); + } else { + identityProvider = ApplicationRoleMgtServiceComponentHolder.getInstance() + .getIdentityProviderManager().getIdPByResourceId(idpId, getTenantDomain(), true); + } + return applicationRoleMgtDAO.getApplicationRoleAssignedGroups(roleId, identityProvider, getTenantDomain()); } catch (IdentityProviderManagementException e) { throw new ApplicationRoleManagementException("Error while retrieving idp", "Error while retrieving idp " + "for idpId: " + idpId, e); } - return applicationRoleMgtDAO.getApplicationRoleAssignedGroups(roleId, identityProvider, getTenantDomain()); } private static String getTenantDomain() { diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/ApplicationRoleMgtConstants.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/ApplicationRoleMgtConstants.java index 735bd065df80..95697f521ecc 100644 
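Review bot: `getIdPByResourceId(idpId, getTenantDomain(), true)` is handed straight to the DAO, and if that call yields `null` for an unknown or foreign-tenant resource id (the IdP manager API is not visible here, so confirm), the DAO's `identityProvider.getIdPGroupConfig()` fails with a `NullPointerException` instead of a client error. Add `if (identityProvider == null) { throw new ApplicationRoleManagementClientException(...); }` before the DAO call so an unknown IdP id is reported as a client-side failure. The catch block also throws the base `ApplicationRoleManagementException` rather than the server exception type the DAO uses via `handleServerException`, which loses the client/server distinction for callers mapping exceptions to responses.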
--- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/ApplicationRoleMgtConstants.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/ApplicationRoleMgtConstants.java @@ -24,7 +24,7 @@ public class ApplicationRoleMgtConstants { private static final String APP_ROLE_MGT_ERROR_CODE_PREFIX = "APM-"; - public static final String LOCAL_IDP = "local"; + public static final String LOCAL_IDP = "LOCAL"; /** * Application role management error message constants. diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/SQLConstants.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/SQLConstants.java index 07166afca263..a4ea631f4313 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/SQLConstants.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/SQLConstants.java @@ -54,7 +54,7 @@ public class SQLConstants { SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_TENANT_ID + ";);"; public static final String DELETE_ASSIGNED_USER_APPLICATION_ROLE = "DELETE FROM USER_ROLE WHERE ROLE_ID = :" + - SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + " AND USER_ID = :" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + "; AND USER_ID = :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_USER_ID + ";"; public static final String GET_ASSIGNED_USERS_OF_APPLICATION_ROLE = "SELECT USER_ID " + 
@@ -68,11 +68,12 @@ public class SQLConstants { SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_TENANT_ID + ";);"; public static final String DELETE_ASSIGNED_GROUP_APPLICATION_ROLE = "DELETE FROM GROUP_ROLE WHERE ROLE_ID = :" + - SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + " AND GROUP_ID = :" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + "; AND GROUP_ID = :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_GROUP_ID + ";"; public static final String GET_ASSIGNED_GROUPS_OF_APPLICATION_ROLE = "SELECT GROUP_ID, IDP_ID " + - "FROM GROUP_ROLE WHERE ROLE_ID = :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + ";"; + "FROM GROUP_ROLE WHERE ROLE_ID = :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + + "; AND IDP_ID = :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_IDP_ID + ";"; /** * SQL Placeholders. diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/ApplicationRoleMgtDAO.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/ApplicationRoleMgtDAO.java index dccd63bb5592..9e6e368bfdef 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/ApplicationRoleMgtDAO.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/ApplicationRoleMgtDAO.java 
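Review bot: `GET_ASSIGNED_GROUPS_OF_APPLICATION_ROLE` is now keyed by `ROLE_ID` and `IDP_ID`, and `ADD_APPLICATION_ROLE_GROUP` stores `IDP_ID`, but `DELETE_ASSIGNED_GROUP_APPLICATION_ROLE` still matches on `ROLE_ID` and `GROUP_ID` only. Group ids from different providers are not guaranteed disjoint (a federated IdP's group id is whatever that provider emits), so removing group X from IdP A would also delete the row for group X of IdP B on the same role. Append `"; AND IDP_ID = :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_IDP_ID + ";"` to the delete and bind `idpId` in the DAO's removal loop. None of the three statements is scoped by `TENANT_ID` either, which relies on role ids being unique across tenants.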
@@ -57,9 +57,6 @@ void updateApplicationRoleAssignedGroups(String roleId, String idpId, List removedGroups, String tenantDomain) throws ApplicationRoleManagementException; - ApplicationRole getApplicationRoleAssignedGroups(String roleId, String tenantDomain) - throws ApplicationRoleManagementException; - ApplicationRole getApplicationRoleAssignedGroups(String roleId, IdentityProvider identityProvider, String tenantDomain) throws ApplicationRoleManagementException; } diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java index 156c46db08b6..4e55878000b2 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java 
@@ -51,6 +51,7 @@ import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_UPDATE_ROLE; import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_UPDATE_ROLE_ASSIGNED_GROUPS; import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_UPDATE_ROLE_ASSIGNED_USERS; +import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.LOCAL_IDP; import static org.wso2.carbon.identity.application.role.mgt.constants.SQLConstants.SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_APP_ID; import static org.wso2.carbon.identity.application.role.mgt.constants.SQLConstants.SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_GROUP_ID; import static org.wso2.carbon.identity.application.role.mgt.constants.SQLConstants.SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_IDP_ID; @@ -227,8 +228,8 @@ public void updateApplicationRoleAssignedUsers(String roleId, List added } }), roleId); for (String userId: removedUsers) { - namedJdbcTemplate.executeQuery(SQLConstants.DELETE_ASSIGNED_USER_APPLICATION_ROLE, - (resultSet, rowNumber) -> null, namedPreparedStatement -> { + namedJdbcTemplate.executeUpdate(SQLConstants.DELETE_ASSIGNED_USER_APPLICATION_ROLE, + namedPreparedStatement -> { namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, roleId); namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_USER_ID, userId); }); 
@@ -248,9 +249,7 @@ public ApplicationRole getApplicationRoleAssignedUsers(String roleId, String ten try { List users; users = namedJdbcTemplate.executeQuery(SQLConstants.GET_ASSIGNED_USERS_OF_APPLICATION_ROLE, - (resultSet, rowNumber) -> { - return new User(resultSet.getString(DB_SCHEMA_COLUMN_NAME_USER_ID)); - }, + (resultSet, rowNumber) -> new User(resultSet.getString(DB_SCHEMA_COLUMN_NAME_USER_ID)), namedPreparedStatement -> { namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, roleId); }); 
@@ -279,23 +278,27 @@ public void updateApplicationRoleAssignedGroups(String roleId, String idpId, Lis NamedJdbcTemplate namedJdbcTemplate = getNewTemplate(); try { - String sqlStmt = SQLConstants.ADD_APPLICATION_ROLE_GROUP; namedJdbcTemplate.withTransaction(template -> { - namedJdbcTemplate.executeBatchInsert(sqlStmt, (preparedStatement -> { - for (String groupId : addedGroups) { - preparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, roleId); - preparedStatement.setString(DB_SCHEMA_COLUMN_NAME_GROUP_ID, groupId); - preparedStatement.setString(DB_SCHEMA_COLUMN_NAME_IDP_ID, idpId); - preparedStatement.setInt(DB_SCHEMA_COLUMN_NAME_TENANT_ID, tenantID); - preparedStatement.addBatch(); + if (addedGroups.size() > 0) { + namedJdbcTemplate.executeBatchInsert(SQLConstants.ADD_APPLICATION_ROLE_GROUP, + (preparedStatement -> { + for (String groupId : addedGroups) { + preparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, roleId); + preparedStatement.setString(DB_SCHEMA_COLUMN_NAME_GROUP_ID, groupId); + preparedStatement.setString(DB_SCHEMA_COLUMN_NAME_IDP_ID, idpId); + preparedStatement.setInt(DB_SCHEMA_COLUMN_NAME_TENANT_ID, tenantID); + preparedStatement.addBatch(); + } + }), roleId); + } + if (removedGroups.size() > 0) { + for (String groupId: removedGroups) { + namedJdbcTemplate.executeUpdate(SQLConstants.DELETE_ASSIGNED_GROUP_APPLICATION_ROLE, + namedPreparedStatement -> { + namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, roleId); + namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_GROUP_ID, groupId); + }); } - }), roleId); - for (String groupId: removedGroups) { - namedJdbcTemplate.executeQuery(SQLConstants.DELETE_ASSIGNED_GROUP_APPLICATION_ROLE, - (resultSet, rowNumber) -> null, namedPreparedStatement -> { - namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, roleId); - namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_GROUP_ID, groupId); - }); } return null; }); 
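Review bot: The `if (removedGroups.size() > 0)` guard around the removal loop is redundant — a for-each over an empty list is already a no-op — whereas the `addedGroups` guard is meaningful because it keeps `executeBatchInsert` from running with an empty batch. Drop the outer `if` on the removal side and write the remaining guard as `if (!addedGroups.isEmpty()) {`. Both guards dereference the lists, so if a caller can pass `null` they will throw before the transaction starts; the manager appears to run `removeCommonValues` on them first, which presumably rules that out, but it is worth confirming. The enclosing method begins before this hunk and its `catch` block follows it.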
@@ -304,30 +307,6 @@ public void updateApplicationRoleAssignedGroups(String roleId, String idpId, Lis } } - @Override - public ApplicationRole getApplicationRoleAssignedGroups(String roleId, String tenantDomain) throws - ApplicationRoleManagementException { - - NamedJdbcTemplate namedJdbcTemplate = getNewTemplate(); - try { - List groups; - groups = namedJdbcTemplate.executeQuery(SQLConstants.GET_ASSIGNED_GROUPS_OF_APPLICATION_ROLE, - (resultSet, rowNumber) -> new Group(resultSet.getString(DB_SCHEMA_COLUMN_NAME_GROUP_ID), - resultSet.getString(DB_SCHEMA_COLUMN_NAME_IDP_ID)), - namedPreparedStatement -> { - namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, roleId); - }); - for (Group group : groups) { - group.setGroupName(getGroupNamesByID(group.getGroupId(), tenantDomain)); - } - ApplicationRole applicationRole = new ApplicationRole(roleId); - applicationRole.setAssignedGroups(groups); - return applicationRole; - } catch (DataAccessException e) { - throw handleServerException(ERROR_CODE_GET_ROLE_ASSIGNED_GROUPS, e, roleId); - } - } - @Override public ApplicationRole getApplicationRoleAssignedGroups(String roleId, IdentityProvider identityProvider, String tenantDomain) throws 
@@ -341,15 +320,25 @@ public ApplicationRole getApplicationRoleAssignedGroups(String roleId, IdentityP resultSet.getString(DB_SCHEMA_COLUMN_NAME_IDP_ID)), namedPreparedStatement -> { namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, roleId); + namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_IDP_ID, + identityProvider.getResourceId()); }); - IdPGroup[] idpGroups = identityProvider.getIdPGroupConfig(); - Map idToNameMap = new HashMap<>(); - for (IdPGroup idpGroup : idpGroups) { - idToNameMap.put(idpGroup.getIdpGroupId(), idpGroup.getIdpGroupName()); - } - for (Group group : groups) { - if (idToNameMap.containsKey(group.getGroupId())) { - group.setGroupName(idToNameMap.get(group.getGroupId())); + if (LOCAL_IDP.equals(identityProvider.getIdentityProviderName())) { + for (Group group : groups) { + group.setGroupName(getGroupNamesByID(group.getGroupId(), tenantDomain)); + group.setIdpName(identityProvider.getIdentityProviderName()); + } + } else { + IdPGroup[] idpGroups = identityProvider.getIdPGroupConfig(); + Map idToNameMap = new HashMap<>(); + for (IdPGroup idpGroup : idpGroups) { + idToNameMap.put(idpGroup.getIdpGroupId(), idpGroup.getIdpGroupName()); + } + for (Group group : groups) { + if (idToNameMap.containsKey(group.getGroupId())) { + group.setGroupName(idToNameMap.get(group.getGroupId())); + group.setIdpName(identityProvider.getIdentityProviderName()); + } } } ApplicationRole applicationRole = new ApplicationRole(roleId); diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/CacheBackedApplicationRoleMgtDAOImpl.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/CacheBackedApplicationRoleMgtDAOImpl.java index cca39aeb7f7c..6b9e8164b6b7 100644 
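Review bot: In the non-local branch `group.setIdpName(...)` is only called inside the `containsKey` check, so a group whose ID is no longer in the IdP's group config is returned with both `groupName` and `idpName` null, and the caller cannot distinguish a stale assignment from an unresolved name. Moving `group.setIdpName(identityProvider.getIdentityProviderName());` out of the `if` (it does not depend on the lookup) makes the IdP attribution unconditional, and a short comment such as `// groupName stays null when the group has been removed from the IdP config` documents the remaining gap. If `getIdPGroupConfig()` can return null, the for-each over `idpGroups` throws NPE — worth a guard or a confirmation. The enclosing method starts and ends outside this hunk.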
--- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/CacheBackedApplicationRoleMgtDAOImpl.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/CacheBackedApplicationRoleMgtDAOImpl.java @@ -124,13 +124,6 @@ public void updateApplicationRoleAssignedGroups(String roleId, String idpId, Lis tenantDomain); } - @Override - public ApplicationRole getApplicationRoleAssignedGroups(String roleId, String tenantDomain) - throws ApplicationRoleManagementException { - - return applicationRoleMgtDAO.getApplicationRoleAssignedGroups(roleId, tenantDomain); - } - @Override public ApplicationRole getApplicationRoleAssignedGroups(String roleId, IdentityProvider identityProvider, String tenantDomain) diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/model/Group.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/model/Group.java index 1774d85d9dc8..d116f282b734 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/model/Group.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/model/Group.java @@ -8,6 +8,7 @@ public class Group { private String groupId; private String groupName; private String idpId; + private String idpName; public Group(String groupId, String idpId) { @@ -44,4 +45,14 @@ public void setIdpId(String idpId) { this.idpId = idpId; } + + public String getIdpName() { + + return idpName; + } + + public void setIdpName(String idpName) { + + this.idpName = idpName; + } } 
From 2f02e6f90fd2e3580eb82b6fc3ffab2ee972d70a Mon Sep 17 00:00:00 2001 From: Thilina Shashimal Senarath Date: Thu, 24 Aug 2023 15:28:38 +0530 Subject: [PATCH 04/21] Add validations --- .../role/mgt/ApplicationRoleManager.java | 16 ++++ .../role/mgt/ApplicationRoleManagerImpl.java | 16 +++- .../ApplicationRoleMgtConstants.java | 20 ++-- .../role/mgt/constants/SQLConstants.java | 8 ++ .../role/mgt/dao/ApplicationRoleMgtDAO.java | 8 +- .../dao/impl/ApplicationRoleMgtDAOImpl.java | 93 ++++++++++++++++++- .../CacheBackedApplicationRoleMgtDAOImpl.java | 30 +++++- .../role/mgt/util/GroupIDResolver.java | 21 ++++- .../application/role/mgt/util/IDResolver.java | 2 + .../role/mgt/util/UserIDResolver.java | 70 +++++++------- 10 files changed, 226 insertions(+), 58 deletions(-) diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManager.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManager.java index c0546e2334ab..89d4438c8614 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManager.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManager.java @@ -110,5 +110,21 @@ void updateApplicationRoleAssignedGroups(String roleId, String idpId, List getApplicationRolesByUserId(String userId) throws ApplicationRoleManagementException; + + /** + * Get the list of application roles of a group. + * + * @param groupId group ID. + * @throws ApplicationRoleManagementException Error occurred while updating the application role. + */ + List getApplicationRolesByGroupId(String groupId) throws ApplicationRoleManagementException; + } 
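Review bot: The Javadoc on `getApplicationRolesByGroupId` has a copy-pasted `@throws` description ("Error occurred while updating the application role") for a method that only reads, and neither new method documents its return value. Proposed replacement for the tag block: `@param groupId group ID.`, `@return the application roles assigned to the group.`, `@throws ApplicationRoleManagementException Error occurred while retrieving the application roles of the group.`; the same `@return` belongs on `getApplicationRolesByUserId`, whose Javadoc begins outside this hunk.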
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImpl.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImpl.java index d36113fedbe7..767cb6ad468c 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImpl.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImpl.java @@ -124,7 +124,7 @@ public void updateApplicationRoleAssignedGroups(String roleId, String idpId, Lis .getIdentityProviderManager().getIdPByResourceId(idpId, getTenantDomain(), true); } removeCommonValues(addedGroups, removedGroups); - applicationRoleMgtDAO.updateApplicationRoleAssignedGroups(roleId, identityProvider.getResourceId(), + applicationRoleMgtDAO.updateApplicationRoleAssignedGroups(roleId, identityProvider, addedGroups, removedGroups, getTenantDomain()); } catch (IdentityProviderManagementException e) { throw new ApplicationRoleManagementException("Error while retrieving idp", @@ -151,6 +151,20 @@ public ApplicationRole getApplicationRoleAssignedGroups(String roleId, String id } } + @Override + public List getApplicationRolesByUserId(String userId) + throws ApplicationRoleManagementException { + + return applicationRoleMgtDAO.getApplicationRolesByUserId(userId); + } + + @Override + public List getApplicationRolesByGroupId(String groupId) + throws ApplicationRoleManagementException { + + return applicationRoleMgtDAO.getApplicationRolesByGroupId(groupId); + } + private static String getTenantDomain() { return PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain(); 
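Review bot: `getApplicationRolesByUserId` and `getApplicationRolesByGroupId` are the only manager methods in this file that do not pass `getTenantDomain()` through, and the queries they end up in (`GET_APPLICATION_ROLES_BY_USER_ID` / `GET_APPLICATION_ROLES_BY_GROUP_ID` in the SQLConstants hunk) bind only `USER_ID` / `GROUP_ID` although `APP_ROLE` carries `TENANT_ID` — it is even selected. Unless user and group IDs are guaranteed unique across tenants, a lookup can return roles belonging to another tenant. Threading the tenant domain through the new DAO signatures (the ApplicationRoleMgtDAO, ApplicationRoleMgtDAOImpl and CacheBackedApplicationRoleMgtDAOImpl hunks) and adding `" AND ar.TENANT_ID = :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_TENANT_ID + ";"` to both queries scopes them like the rest of the DAO.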
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/ApplicationRoleMgtConstants.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/ApplicationRoleMgtConstants.java
index 95697f521ecc..41f414c475e2 100644
--- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/ApplicationRoleMgtConstants.java
+++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/ApplicationRoleMgtConstants.java
@@ -44,14 +44,22 @@ public enum ErrorMessages { "Error occurred while updating the role: %s of application: %s."), ERROR_CODE_DELETE_ROLE("65006", "Error occurred while deleting the role.", "Error occurred while deleting the role: %s."), - ERROR_CODE_UPDATE_ROLE_ASSIGNED_USERS("65007", "Error occurred while assigning users to the role.", - "Error occurred while assigning users to the role: %s."), + ERROR_CODE_UPDATE_ROLE_ASSIGNED_USERS("65007", "Error occurred while assigning users to " + + "the role.", "Error occurred while assigning users to the role: %s."), ERROR_CODE_GET_ROLE_ASSIGNED_USERS("65008", "Error occurred while retrieving users of the role.", "Error occurred while retrieving users of the role: %s."), - ERROR_CODE_UPDATE_ROLE_ASSIGNED_GROUPS("65007", "Error occurred while assigning groups to the role.", - "Error occurred while assigning groups to the role: %s."), - ERROR_CODE_GET_ROLE_ASSIGNED_GROUPS("65008", "Error occurred while retrieving groups of the role.", - "Error occurred while retrieving groups of the role: %s."), + ERROR_CODE_UPDATE_ROLE_ASSIGNED_GROUPS("65007", "Error occurred while assigning groups to " + + "the role.", "Error occurred while assigning groups to the role: %s."), + ERROR_CODE_GET_ROLE_ASSIGNED_GROUPS("65008", "Error occurred while retrieving groups of " + + "the role.", "Error occurred while retrieving groups of the role: %s."), + ERROR_CODE_GET_ROLES_BY_USER_ID("65009", "Error occurred while retrieving the roles of the " + + "application by userID", "Error occurred while retrieving the roles of application by " + + "userID: %s."), + ERROR_CODE_GET_ROLES_BY_GROUP_ID("65010", "Error occurred while retrieving the roles of the " + + "application by groupID", "Error occurred while retrieving the roles of application by " + + "groupID: %s."), + ERROR_CODE_GROUP_ID_NO_FOUND("65011", "Given group not found", "Given group not found " + + "for groupID: %s."), // Client Errors. 
ERROR_CODE_DUPLICATE_ROLE("60001", "Role already exists.", diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/SQLConstants.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/SQLConstants.java index a4ea631f4313..953c7791da80 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/SQLConstants.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/SQLConstants.java @@ -75,6 +75,14 @@ public class SQLConstants { "FROM GROUP_ROLE WHERE ROLE_ID = :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + "; AND IDP_ID = :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_IDP_ID + ";"; + public static final String GET_APPLICATION_ROLES_BY_USER_ID = "SELECT ar.ROLE_ID, ar.ROLE_NAME, ar.TENANT_ID, " + + "ar.APP_ID FROM APP_ROLE as ar INNER JOIN USER_ROLE as ur ON ar.ROLE_ID = ur.ROLE_ID WHERE ur.USER_ID = :" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_USER_ID + ";"; + + public static final String GET_APPLICATION_ROLES_BY_GROUP_ID = "SELECT ar.ROLE_ID, ar.ROLE_NAME, ar.TENANT_ID, " + + "ar.APP_ID FROM APP_ROLE as ar INNER JOIN GROUP_ROLE as gr ON ar.ROLE_ID = gr.ROLE_ID WHERE gr.GROUP_ID = :" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_GROUP_ID + ";"; + /** * SQL Placeholders. */ diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/ApplicationRoleMgtDAO.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/ApplicationRoleMgtDAO.java index 9e6e368bfdef..1b8d2c31f934 100644 
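Review bot: The reflowed entries keep the duplicated codes — `ERROR_CODE_UPDATE_ROLE_ASSIGNED_GROUPS` reuses "65007" and `ERROR_CODE_GET_ROLE_ASSIGNED_GROUPS` reuses "65008", both already taken by the user variants — so the group and user failures are indistinguishable by code, while the new entries continue the sequence from 65009. Assigning the group entries fresh numbers (and bumping the three new ones) keeps codes unique. `ERROR_CODE_GROUP_ID_NO_FOUND` sits in the server-error block even though "given group not found" is caller input and the DAO raises it as a client exception; it belongs under `// Client Errors.` with a 60xxx code, and the name should read `ERROR_CODE_GROUP_ID_NOT_FOUND`. No equivalent constant is added for the user-not-found case the same commit introduces.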
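Review bot: `GET_APPLICATION_ROLES_BY_GROUP_ID` joins `GROUP_ROLE` on `GROUP_ID` alone, but the rows are stored together with an `IDP_ID` (the batch insert binds `DB_SCHEMA_COLUMN_NAME_IDP_ID`) and `GET_ASSIGNED_GROUPS_OF_APPLICATION_ROLE` just above now filters on it. If group IDs from different identity providers can collide, this lookup returns roles granted through another IdP's group of the same ID; adding the IdP to the signature and `" AND gr.IDP_ID = :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_IDP_ID + ";"` to the query would make the two group queries consistent. Neither query restricts by tenant either; that is raised on the manager hunk.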
--- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/ApplicationRoleMgtDAO.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/ApplicationRoleMgtDAO.java @@ -48,15 +48,19 @@ boolean isExistingRole(String applicationId, String roleName, String tenantDomai void updateApplicationRoleAssignedUsers(String roleId, List addedUsers, List removedUsers, String tenantDomain) throws - ApplicationRoleManagementServerException; + ApplicationRoleManagementException; ApplicationRole getApplicationRoleAssignedUsers(String roleId, String tenantDomain) throws ApplicationRoleManagementException; - void updateApplicationRoleAssignedGroups(String roleId, String idpId, List addedGroups, + void updateApplicationRoleAssignedGroups(String roleId, IdentityProvider identityProvider, List addedGroups, List removedGroups, String tenantDomain) throws ApplicationRoleManagementException; ApplicationRole getApplicationRoleAssignedGroups(String roleId, IdentityProvider identityProvider, String tenantDomain) throws ApplicationRoleManagementException; + + List getApplicationRolesByUserId(String userId) throws ApplicationRoleManagementException; + + List getApplicationRolesByGroupId(String groupId) throws ApplicationRoleManagementException; } diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java index 4e55878000b2..eceb02555129 100644 
--- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java
+++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java
@@ -27,6 +27,7 @@
 import org.wso2.carbon.identity.application.common.model.IdentityProvider;
 import org.wso2.carbon.identity.application.role.mgt.constants.SQLConstants;
 import org.wso2.carbon.identity.application.role.mgt.dao.ApplicationRoleMgtDAO;
+import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementClientException;
 import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementException;
 import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementServerException;
 import org.wso2.carbon.identity.application.role.mgt.model.ApplicationRole;
@@ -44,6 +45,8 @@ import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_CHECKING_ROLE_EXISTENCE; import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_DELETE_ROLE; import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_GET_ROLES_BY_APPLICATION; +import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_GET_ROLES_BY_GROUP_ID; +import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_GET_ROLES_BY_USER_ID; import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_GET_ROLE_ASSIGNED_GROUPS; import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_GET_ROLE_ASSIGNED_USERS; import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_GET_ROLE_BY_ID; @@ -206,7 +209,7 @@ public boolean isExistingRole(String applicationId, String roleName, String tena @Override public void updateApplicationRoleAssignedUsers(String roleId, List addedUsers, List removedUsers, String tenantDomain) - throws ApplicationRoleManagementServerException { + throws ApplicationRoleManagementException { int tenantID; if (tenantDomain != null) { @@ -214,6 +217,7 @@ public void updateApplicationRoleAssignedUsers(String roleId, List added } else { tenantID = MultitenantConstants.INVALID_TENANT_ID; } + validateUserIds(addedUsers, tenantDomain); NamedJdbcTemplate namedJdbcTemplate = getNewTemplate(); try { 
@@ -265,8 +269,9 @@ public ApplicationRole getApplicationRoleAssignedUsers(String roleId, String ten } @Override - public void updateApplicationRoleAssignedGroups(String roleId, String idpId, List addedGroups, - List removedGroups, String tenantDomain) + public void updateApplicationRoleAssignedGroups(String roleId, IdentityProvider identityProvider, + List addedGroups, List removedGroups, + String tenantDomain) throws ApplicationRoleManagementException { int tenantID; @@ -275,7 +280,8 @@ public void updateApplicationRoleAssignedGroups(String roleId, String idpId, Lis } else { tenantID = MultitenantConstants.INVALID_TENANT_ID; } - + validateGroupIds(identityProvider, addedGroups, tenantDomain); + validateGroupIds(identityProvider, removedGroups, tenantDomain); NamedJdbcTemplate namedJdbcTemplate = getNewTemplate(); try { namedJdbcTemplate.withTransaction(template -> { @@ -285,7 +291,8 @@ public void updateApplicationRoleAssignedGroups(String roleId, String idpId, Lis for (String groupId : addedGroups) { preparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, roleId); preparedStatement.setString(DB_SCHEMA_COLUMN_NAME_GROUP_ID, groupId); - preparedStatement.setString(DB_SCHEMA_COLUMN_NAME_IDP_ID, idpId); + preparedStatement.setString(DB_SCHEMA_COLUMN_NAME_IDP_ID, + identityProvider.getResourceId()); preparedStatement.setInt(DB_SCHEMA_COLUMN_NAME_TENANT_ID, tenantID); preparedStatement.addBatch(); } 
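Review bot: `validateGroupIds(identityProvider, removedGroups, tenantDomain)` rejects the whole update when a group being *removed* no longer exists in the user store or the IdP's group config, which is exactly the situation in which an administrator needs to unassign it — stale assignments become impossible to clean up through this API. The users path in the hunk `@@ -214` validates only `addedUsers`, so the two are also inconsistent. Validating added groups only (`validateGroupIds(identityProvider, addedGroups, tenantDomain);`) matches the user behaviour; if removal must be validated, it should at most check that the ID is currently assigned to the role, not that it still exists upstream. The enclosing method starts and ends outside these hunks.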
@@ -349,6 +356,81 @@ public ApplicationRole getApplicationRoleAssignedGroups(String roleId, IdentityP } } + @Override + public List getApplicationRolesByUserId(String userId) throws ApplicationRoleManagementException { + + NamedJdbcTemplate namedJdbcTemplate = getNewTemplate(); + try { + return namedJdbcTemplate.executeQuery(SQLConstants.GET_APPLICATION_ROLES_BY_USER_ID, + (resultSet, rowNumber) -> + new ApplicationRole(resultSet.getString(DB_SCHEMA_COLUMN_NAME_ROLE_ID), + resultSet.getString(DB_SCHEMA_COLUMN_NAME_ROLE_NAME), + resultSet.getString(DB_SCHEMA_COLUMN_NAME_APP_ID)), + namedPreparedStatement -> { + namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_USER_ID, userId); + }); + } catch (DataAccessException e) { + throw handleServerException(ERROR_CODE_GET_ROLES_BY_USER_ID, e, userId); + } + } + + @Override + public List getApplicationRolesByGroupId(String groupId) + throws ApplicationRoleManagementException { + + NamedJdbcTemplate namedJdbcTemplate = getNewTemplate(); + try { + return namedJdbcTemplate.executeQuery(SQLConstants.GET_APPLICATION_ROLES_BY_GROUP_ID, + (resultSet, rowNumber) -> + new ApplicationRole(resultSet.getString(DB_SCHEMA_COLUMN_NAME_ROLE_ID), + resultSet.getString(DB_SCHEMA_COLUMN_NAME_ROLE_NAME), + resultSet.getString(DB_SCHEMA_COLUMN_NAME_APP_ID)), + namedPreparedStatement -> { + namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_GROUP_ID, groupId); + }); + } catch (DataAccessException e) { + throw handleServerException(ERROR_CODE_GET_ROLES_BY_GROUP_ID, e, groupId); + } + } + + public void validateGroupIds(IdentityProvider identityProvider, List groups, String tenantDomain) + throws ApplicationRoleManagementException { + + if (LOCAL_IDP.equals(identityProvider.getIdentityProviderName())) { + for (String groupId : groups) { + boolean isExists = groupIDResolver.isExists(groupId, tenantDomain); + if (!isExists) { + throw new ApplicationRoleManagementClientException("Given groupId is not found", + "Given groupId is not found", ""); 
+ } + } + } else { + IdPGroup[] idpGroups = identityProvider.getIdPGroupConfig(); + Map idToNameMap = new HashMap<>(); + for (IdPGroup idpGroup : idpGroups) { + idToNameMap.put(idpGroup.getIdpGroupId(), idpGroup.getIdpGroupName()); + } + for (String groupId : groups) { + if (!idToNameMap.containsKey(groupId)) { + throw new ApplicationRoleManagementClientException("Given groupId is not found", + "Given groupId is not found", ""); + } + } + } + } + + public void validateUserIds(List users, String tenantDomain) + throws ApplicationRoleManagementException { + + for (String userId : users) { + boolean isExists = userIDResolver.isExists(userId, tenantDomain); + if (!isExists) { + throw new ApplicationRoleManagementClientException("Given user Id is not found", + "Given user Id is not found", ""); + } + } + } + private String getUserNamesByID(String userID, String tenantDomain) throws ApplicationRoleManagementException { @@ -360,4 +442,5 @@ private String getGroupNamesByID(String groupID, String tenantDomain) return groupIDResolver.getNameByID(groupID, tenantDomain); } + } diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/CacheBackedApplicationRoleMgtDAOImpl.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/CacheBackedApplicationRoleMgtDAOImpl.java index 6b9e8164b6b7..1e3ea42a9c83 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/CacheBackedApplicationRoleMgtDAOImpl.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/CacheBackedApplicationRoleMgtDAOImpl.java 
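Review bot: Both validators raise `ApplicationRoleManagementClientException` with a hard-coded message repeated as the description and an empty string as the third argument (which looks like the error code), and the message does not say which ID failed, even though the same commit defines `ERROR_CODE_GROUP_ID_NO_FOUND` with a `%s` for it. Build the exception from that constant the way `handleServerException(ERROR_CODE_..., e, roleId)` does for server errors, format the offending `groupId` / `userId` into the description, and add a matching constant for the user case. `validateGroupIds` and `validateUserIds` are `public` but not on `ApplicationRoleMgtDAO`; they are implementation details and should be `private`. In the non-local branch the `idToNameMap` is only ever queried with `containsKey`, so collecting the IDs into a `Set<String>` says what is meant. A Javadoc line per method (`Ensures every given group ID exists for the IdP; throws a client exception on the first miss.`) would also help, since the existence check currently runs one resolver call per ID. `getIdPGroupConfig()` returning null would NPE in the loop — worth confirming.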
@@ -103,7 +103,7 @@ public boolean isExistingRole(String applicationId, String roleName, String tena @Override public void updateApplicationRoleAssignedUsers(String roleId, List addedUsers, List removedUsers, String tenantDomain) - throws ApplicationRoleManagementServerException { + throws ApplicationRoleManagementException { applicationRoleMgtDAO.updateApplicationRoleAssignedUsers(roleId, addedUsers, removedUsers, tenantDomain); } @@ -112,15 +112,23 @@ public void updateApplicationRoleAssignedUsers(String roleId, List added public ApplicationRole getApplicationRoleAssignedUsers(String roleId, String tenantDomain) throws ApplicationRoleManagementException { + ApplicationRole applicationRole = getApplicationRoleFromCache(roleId, tenantDomain); + if (applicationRole == null) { + applicationRole = applicationRoleMgtDAO.getApplicationRoleById(roleId, tenantDomain); + if (applicationRole != null) { + addToCache(applicationRole, tenantDomain); + } + } return applicationRoleMgtDAO.getApplicationRoleAssignedUsers(roleId, tenantDomain); } @Override - public void updateApplicationRoleAssignedGroups(String roleId, String idpId, List addedGroups, - List removedGroups, String tenantDomain) + public void updateApplicationRoleAssignedGroups(String roleId, IdentityProvider identityProvider, + List addedGroups, List removedGroups, + String tenantDomain) throws ApplicationRoleManagementException { - applicationRoleMgtDAO.updateApplicationRoleAssignedGroups(roleId, idpId, addedGroups, removedGroups, + applicationRoleMgtDAO.updateApplicationRoleAssignedGroups(roleId, identityProvider, addedGroups, removedGroups, tenantDomain); } 
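Review bot: In `getApplicationRoleAssignedUsers` the cache lookup and the fallback `getApplicationRoleById` are dead code — `applicationRole` is populated, possibly written to the cache, and then discarded, because the method still returns `applicationRoleMgtDAO.getApplicationRoleAssignedUsers(roleId, tenantDomain)` unconditionally. As written it costs an extra database round trip per call and warms the cache with an object that is never used, so either the seven added lines should go, or the result should actually be used (e.g. return early when the cached role already carries its assigned users, if that is what the cache entry is meant to hold). Please also say in a comment what the cached `ApplicationRole` is expected to contain, since the hunk makes it look like a role-by-id cache is being used as a user-assignment cache.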
@@ -132,6 +140,20 @@ public ApplicationRole getApplicationRoleAssignedGroups(String roleId, IdentityP return applicationRoleMgtDAO.getApplicationRoleAssignedGroups(roleId, identityProvider, tenantDomain); } + @Override + public List getApplicationRolesByUserId(String userId) + throws ApplicationRoleManagementException { + + return applicationRoleMgtDAO.getApplicationRolesByUserId(userId); + } + + @Override + public List getApplicationRolesByGroupId(String groupId) + throws ApplicationRoleManagementException { + + return applicationRoleMgtDAO.getApplicationRolesByGroupId(groupId); + } + private ApplicationRole getApplicationRoleFromCache(String applicationRoleId, String tenantDomain) { ApplicationRole applicationRole = null; diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/GroupIDResolver.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/GroupIDResolver.java index fe5cc862cb7b..36876d9a7fd0 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/GroupIDResolver.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/GroupIDResolver.java 
@@ -26,7 +26,26 @@ public String getNameByID(String id, String tenantDomain) throws ApplicationRole return groupName; } - public String resolveGroupNameFromGroupID(String id) throws ApplicationRoleManagementException { + @Override + public boolean isExists(String id, String tenantDomain) throws ApplicationRoleManagementException { + + return isGroupExists(id); + } + + private boolean isGroupExists(String id) throws ApplicationRoleManagementException { + + AbstractUserStoreManager userStoreManager; + try { + userStoreManager = getUserStoreManager(PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId()); + return userStoreManager.isGroupExist(id); + } catch (UserStoreException e) { + throw new ApplicationRoleManagementServerException("Error occurred while retrieving the userstore manager " + + "to resolve group name for the groupID", "Error occurred while retrieving the userstore manager " + + "to resolve group name for the groupID: " + id, e); + } + } + + private String resolveGroupNameFromGroupID(String id) throws ApplicationRoleManagementException { AbstractUserStoreManager userStoreManager; try { diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/IDResolver.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/IDResolver.java index 893172d74e6f..1f4c6b303373 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/IDResolver.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/IDResolver.java 
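Review bot: isExists(String id, String tenantDomain) ignores its tenantDomain argument and resolves the user store from PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId(), so the existence check runs against whatever tenant is in the thread-local context rather than the one the caller named; if the two ever differ (service-to-service or super-tenant flows) a group id is validated against the wrong tenant. Either derive the tenant from the parameter — `getUserStoreManager(IdentityTenantUtil.getTenantId(tenantDomain))`, if that utility is available in this module — or document on isExists that the parameter is intentionally unused. The catch block in isGroupExists reuses the message "to resolve group name for the groupID" from resolveGroupNameFromGroupID; it should describe the existence check it actually wraps. resolveGroupNameFromGroupID's body continues outside the hunk.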
@@ -9,4 +9,6 @@ public interface IDResolver { String getNameByID(String id, String tenantDomain) throws ApplicationRoleManagementException; + boolean isExists(String id, String tenantDomain) throws ApplicationRoleManagementException; + } diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/UserIDResolver.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/UserIDResolver.java index 6491199a9082..6efb1b77070e 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/UserIDResolver.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/UserIDResolver.java 
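Review bot: The new isExists method is added to IDResolver without Javadoc, and since both implementations on this page resolve the tenant from the thread-local context rather than from tenantDomain, the contract of that parameter is exactly what a reader needs stated. Add a comment along the lines of `/** Returns true if an entity with the given id exists in the given tenant. */` with `@param`/`@throws` tags, and make sure the implementations honour whatever it says.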
@@ -1,25 +1,20 @@ package org.wso2.carbon.identity.application.role.mgt.util; -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; import org.wso2.carbon.context.PrivilegedCarbonContext; import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementClientException; import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementException; import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementServerException; +import org.wso2.carbon.identity.application.role.mgt.internal.ApplicationRoleMgtServiceComponentHolder; +import org.wso2.carbon.user.api.UserRealm; import org.wso2.carbon.user.api.UserStoreException; -import org.wso2.carbon.user.api.UserStoreManager; import org.wso2.carbon.user.core.common.AbstractUserStoreManager; - -import java.util.ArrayList; -import java.util.List; +import org.wso2.carbon.user.core.service.RealmService; /** * UserId Resolver. */ public class UserIDResolver implements IDResolver { - private Log log = LogFactory.getLog(UserIDResolver.class); - @Override public String getNameByID(String id, String tenantDomain) throws ApplicationRoleManagementException { 
@@ -31,47 +26,44 @@ public String getNameByID(String id, String tenantDomain) throws ApplicationRole return userName; } - public List getNamesByIDs(List idList, String tenantDomain) - throws ApplicationRoleManagementException { + @Override + public boolean isExists(String id, String tenantDomain) throws ApplicationRoleManagementException { - List usersList = new ArrayList<>(); - for (String id : idList) { - usersList.add(getNameByID(id, tenantDomain)); + return isGroupExists(id); + } + + private boolean isGroupExists(String id) throws ApplicationRoleManagementException { + + AbstractUserStoreManager userStoreManager; + try { + userStoreManager = getUserStoreManager(PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId()); + return userStoreManager.isExistingUserWithID(id); + } catch (UserStoreException e) { + throw new ApplicationRoleManagementServerException("Error occurred while retrieving the userstore manager " + + "to resolve group name for the groupID", "Error occurred while retrieving the userstore manager " + + "to resolve group name for the groupID: " + id, e); } - return usersList; } - /** - * Retrieves the username of the given userID. - * - * @param id userID. - * @return username of the user. - * @throws ApplicationRoleManagementException ApplicationRoleManagementException. 
- */ public String resolveUserNameFromUserID(String id) throws ApplicationRoleManagementException { + AbstractUserStoreManager userStoreManager; try { - UserStoreManager userStoreManager = PrivilegedCarbonContext.getThreadLocalCarbonContext().getUserRealm() - .getUserStoreManager(); - try { - if (userStoreManager instanceof AbstractUserStoreManager) { - return ((AbstractUserStoreManager) userStoreManager).getUserNameFromUserID(id); - } - if (log.isDebugEnabled()) { - log.debug("Provided user store manager for the userID: " + id + ", is not an instance " + - "of the AbstractUserStore manager"); - } - throw new ApplicationRoleManagementClientException("Unable to get the username of the userID", - "Unable to get the username of the userID: " + id + ".", ""); - } catch (UserStoreException e) { - throw new ApplicationRoleManagementServerException("Error occurred while resolving username for " + - "the userID Error occurred while resolving username for the userID: " + id, ""); - } + userStoreManager = getUserStoreManager(PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId()); + return userStoreManager.getUserNameFromUserID(id); } catch (UserStoreException e) { throw new ApplicationRoleManagementServerException("Error occurred while retrieving the userstore manager " - + "to resolve username for the userID", "Error occurred while retrieving the userstore manager to " - + "resolve username for the userID: " + id, e); + + "to resolve username for the groupID", "Error occurred while retrieving the userstore manager " + + "to resolve username for the groupID: " + id, e); } } + private AbstractUserStoreManager getUserStoreManager(int tenantId) throws UserStoreException { + + RealmService realmService = ApplicationRoleMgtServiceComponentHolder.getInstance().getRealmService(); + UserRealm tenantUserRealm = realmService.getTenantUserRealm(tenantId); + + return (AbstractUserStoreManager) tenantUserRealm.getUserStoreManager(); + } + } 
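Review bot: The private helper added to UserIDResolver is named isGroupExists and its error strings say "to resolve group name for the groupID", but it calls userStoreManager.isExistingUserWithID(id) — this is a user check copied from GroupIDResolver, so rename it `isUserExists` and make both message strings refer to the userID. The same copy-paste reached resolveUserNameFromUserID, whose new messages say "groupID" where the removed lines correctly said "userID". As in GroupIDResolver, isExists drops its tenantDomain argument in favour of the thread-local tenant id. The new getUserStoreManager also casts tenantUserRealm.getUserStoreManager() to AbstractUserStoreManager unconditionally, whereas the removed code guarded with instanceof and threw ApplicationRoleManagementClientException; a non-Abstract store manager now escapes as an uncaught ClassCastException instead of a declared exception.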
From be5dd89b41f28181209400a26a863e4cdf9da8e2 Mon Sep 17 00:00:00 2001 From: Thilina Shashimal Senarath Date: Mon, 28 Aug 2023 08:53:55 +0530 Subject: [PATCH 05/21] fix app role update --- .../role/mgt/ApplicationRoleManager.java | 16 +- .../role/mgt/ApplicationRoleManagerImpl.java | 29 ++- .../ApplicationRoleMgtConstants.java | 47 +++-- .../role/mgt/constants/SQLConstants.java | 31 +++- .../role/mgt/dao/ApplicationRoleMgtDAO.java | 11 +- .../dao/impl/ApplicationRoleMgtDAOImpl.java | 169 ++++++++++-------- .../CacheBackedApplicationRoleMgtDAOImpl.java | 19 +- 7 files changed, 206 insertions(+), 116 deletions(-) diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManager.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManager.java index 89d4438c8614..8fc47b2386bc 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManager.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManager.java 
@@ -39,10 +39,14 @@ public interface ApplicationRoleManager { /** * Update application role. * - * @param applicationRole Application role. + * @param roleId role Id. + * @param newName new role name. + * @param addedScopes List of scopes to be added. + * @param removedScopes List of scopes to be removed. * @throws ApplicationRoleManagementException Error occurred while updating the application role. */ - void updateApplicationRole(ApplicationRole applicationRole) throws ApplicationRoleManagementException; + void updateApplicationRole(String applicationId, String roleId, String newName, List addedScopes, + List removedScopes) throws ApplicationRoleManagementException; /** * Get the application role by role id. @@ -114,17 +118,21 @@ ApplicationRole getApplicationRoleAssignedGroups(String roleId, String idpId) * Get the list of application roles of a user. * * @param userId user ID. + * @param tenantDomain tenant domain. * @throws ApplicationRoleManagementException Error occurred while updating the application role. */ - List getApplicationRolesByUserId(String userId) throws ApplicationRoleManagementException; + List getApplicationRolesByUserId(String userId, String tenantDomain) + throws ApplicationRoleManagementException; /** * Get the list of application roles of a group. * * @param groupId group ID. + * @param tenantDomain tenant domain. * @throws ApplicationRoleManagementException Error occurred while updating the application role. */ - List getApplicationRolesByGroupId(String groupId) throws ApplicationRoleManagementException; + List getApplicationRolesByGroupId(String groupId, String tenantDomain) + throws ApplicationRoleManagementException; } 
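Review bot: The Javadoc for updateApplicationRole documents roleId, newName, addedScopes and removedScopes but omits the new first parameter; add `@param applicationId application Id.` so the tag list matches the signature. In the second hunk, getApplicationRolesByUserId and getApplicationRolesByGroupId now take tenantDomain from the caller while every other method on this interface appears to resolve the tenant internally, and their `@throws` text still says "while updating the application role" — worth stating in the Javadoc who is expected to supply tenantDomain and why these two differ.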
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImpl.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImpl.java index 767cb6ad468c..85af5fb73506 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImpl.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImpl.java @@ -33,6 +33,7 @@ import java.util.List; import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_DUPLICATE_ROLE; +import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_ROLE_NOT_FOUND; import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.LOCAL_IDP; import static org.wso2.carbon.identity.application.role.mgt.util.ApplicationRoleMgtUtils.handleClientException; @@ -70,9 +71,11 @@ public void addApplicationRole(ApplicationRole applicationRole) throws Applicati } @Override - public void updateApplicationRole(ApplicationRole applicationRole) throws ApplicationRoleManagementException { + public void updateApplicationRole(String applicationId, String roleId, String newName, List addedScopes, + List removedScopes) throws ApplicationRoleManagementException { - // TODO : + // TODO: Check authorized scopes for the app and filter out added permissions + applicationRoleMgtDAO.updateApplicationRole(roleId, newName, addedScopes, removedScopes, getTenantDomain()); } @Override 
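Review bot: In the second hunk, updateApplicationRole accepts applicationId but never uses it: the DAO update is scoped only by roleId and the context tenant, so nothing verifies that the role being renamed belongs to the application the caller named, and a caller authorised on one application could rename a role of another application in the same tenant by role id (how much that matters depends on what the REST layer authorises, which is not visible here). The commit also introduces validateAppRoleId for the assignment methods but not for this one, so an unknown roleId silently succeeds. Resolving the role once and checking both conditions closes both gaps; ApplicationRole and getApplicationRoleById are already used elsewhere in this class and the DAO.
```java
    public void updateApplicationRole(String applicationId, String roleId, String newName, List addedScopes,
                                      List removedScopes) throws ApplicationRoleManagementException {

        // Reject unknown roles and roles that belong to a different application than the one named.
        ApplicationRole existing = applicationRoleMgtDAO.getApplicationRoleById(roleId, getTenantDomain());
        if (existing == null || !applicationId.equals(existing.getApplicationId())) {
            throw handleClientException(ERROR_CODE_ROLE_NOT_FOUND, roleId);
        }
        // … unchanged: scope TODO and DAO update call …
```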
@@ -97,6 +100,7 @@ public void deleteApplicationRole(String roleId) throws ApplicationRoleManagemen public void updateApplicationRoleAssignedUsers(String roleId, List addedUsers, List removedUsers) throws ApplicationRoleManagementException { + validateAppRoleId(roleId); removeCommonValues(addedUsers, removedUsers); applicationRoleMgtDAO.updateApplicationRoleAssignedUsers(roleId, addedUsers, removedUsers, getTenantDomain()); } @@ -105,6 +109,7 @@ public void updateApplicationRoleAssignedUsers(String roleId, List added public ApplicationRole getApplicationRoleAssignedUsers(String roleId) throws ApplicationRoleManagementException { + validateAppRoleId(roleId); return applicationRoleMgtDAO.getApplicationRoleAssignedUsers(roleId, getTenantDomain()); } @@ -113,6 +118,7 @@ public void updateApplicationRoleAssignedGroups(String roleId, String idpId, Lis List removedGroups) throws ApplicationRoleManagementException { + validateAppRoleId(roleId); try { IdentityProvider identityProvider; if (LOCAL_IDP.equals(idpId)) { @@ -135,6 +141,8 @@ public void updateApplicationRoleAssignedGroups(String roleId, String idpId, Lis @Override public ApplicationRole getApplicationRoleAssignedGroups(String roleId, String idpId) throws ApplicationRoleManagementException { + + validateAppRoleId(roleId); try { IdentityProvider identityProvider; if (LOCAL_IDP.equalsIgnoreCase(idpId)) { 
@@ -152,17 +160,26 @@ public ApplicationRole getApplicationRoleAssignedGroups(String roleId, String id } @Override - public List getApplicationRolesByUserId(String userId) + public List getApplicationRolesByUserId(String userId, String tenantDomain) throws ApplicationRoleManagementException { - return applicationRoleMgtDAO.getApplicationRolesByUserId(userId); + return applicationRoleMgtDAO.getApplicationRolesByUserId(userId, tenantDomain); } @Override - public List getApplicationRolesByGroupId(String groupId) + public List getApplicationRolesByGroupId(String groupId, String tenantDomain) throws ApplicationRoleManagementException { - return applicationRoleMgtDAO.getApplicationRolesByGroupId(groupId); + return applicationRoleMgtDAO.getApplicationRolesByGroupId(groupId, tenantDomain); + } + + private void validateAppRoleId(String roleId) throws ApplicationRoleManagementException { + + boolean isExists = applicationRoleMgtDAO.checkRoleExists(roleId, getTenantDomain()); + + if (!isExists) { + throw handleClientException(ERROR_CODE_ROLE_NOT_FOUND, roleId); + } } private static String getTenantDomain() { diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/ApplicationRoleMgtConstants.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/ApplicationRoleMgtConstants.java index 41f414c475e2..a473a4ef6730 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/ApplicationRoleMgtConstants.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/ApplicationRoleMgtConstants.java 
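Review bot: getApplicationRolesByUserId and getApplicationRolesByGroupId pass the caller-supplied tenantDomain straight to the DAO, whereas every other method in this class derives the tenant from getTenantDomain(); if these two are reachable through the same service boundary, a caller can enumerate another tenant's role assignments simply by naming that tenant. If they are intended only for internal callers that already hold a trusted tenant (e.g. claim or token handling), say so in a comment — `// tenantDomain is supplied by trusted internal callers, not taken from the request.` — otherwise validate it against the context tenant. validateAppRoleId reads well; note that it and the following DAO call are separate statements, so a concurrent delete between them ends in a silent no-op rather than ERROR_CODE_ROLE_NOT_FOUND, which is acceptable but worth a one-line comment.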
@@ -23,7 +23,7 @@ */ public class ApplicationRoleMgtConstants { - private static final String APP_ROLE_MGT_ERROR_CODE_PREFIX = "APM-"; + private static final String APP_ROLE_MGT_ERROR_CODE_PREFIX = "APP-ROLE-"; public static final String LOCAL_IDP = "LOCAL"; /** 
@@ -41,29 +41,38 @@ public enum ErrorMessages { ERROR_CODE_GET_ROLES_BY_APPLICATION("65004", "Error occurred while retrieving the roles of the application", "Error occurred while retrieving the roles of application: %s."), ERROR_CODE_UPDATE_ROLE("65005", "Error occurred while updating the role.", - "Error occurred while updating the role: %s of application: %s."), + "Error occurred while updating the role with id: %s."), ERROR_CODE_DELETE_ROLE("65006", "Error occurred while deleting the role.", "Error occurred while deleting the role: %s."), - ERROR_CODE_UPDATE_ROLE_ASSIGNED_USERS("65007", "Error occurred while assigning users to " + - "the role.", "Error occurred while assigning users to the role: %s."), - ERROR_CODE_GET_ROLE_ASSIGNED_USERS("65008", "Error occurred while retrieving users of the role.", - "Error occurred while retrieving users of the role: %s."), - ERROR_CODE_UPDATE_ROLE_ASSIGNED_GROUPS("65007", "Error occurred while assigning groups to " + - "the role.", "Error occurred while assigning groups to the role: %s."), - ERROR_CODE_GET_ROLE_ASSIGNED_GROUPS("65008", "Error occurred while retrieving groups of " + - "the role.", "Error occurred while retrieving groups of the role: %s."), - ERROR_CODE_GET_ROLES_BY_USER_ID("65009", "Error occurred while retrieving the roles of the " + - "application by userID", "Error occurred while retrieving the roles of application by " + - "userID: %s."), - ERROR_CODE_GET_ROLES_BY_GROUP_ID("65010", "Error occurred while retrieving the roles of the " + - "application by groupID", "Error occurred while retrieving the roles of application by " + - "groupID: %s."), - ERROR_CODE_GROUP_ID_NO_FOUND("65011", "Given group not found", "Given group not found " + - "for groupID: %s."), + ERROR_CODE_UPDATE_ROLE_ASSIGNED_USERS("65007", "Error occurred while updating assigned users to " + + "the role.", "Error occurred while updating assigned users to the roleId: %s."), + ERROR_CODE_GET_ROLE_ASSIGNED_USERS("65008", "Error occurred while 
retrieving assigned users of " + + "the role.", "Error occurred while retrieving users of the roleId: %s."), + ERROR_CODE_UPDATE_ROLE_ASSIGNED_GROUPS("65007", "Error occurred while updating assigned groups " + + "to the role.", "Error occurred while updating assigned groups to the roleId: %s."), + ERROR_CODE_GET_ROLE_ASSIGNED_GROUPS("65008", "Error occurred while retrieving assigned groups " + + "of the role.", "Error occurred while retrieving assigned groups of the roleId: %s."), + ERROR_CODE_GET_ROLES_BY_USER_ID("65009", "Error occurred while retrieving the app roles by " + + "userID", "Error occurred while retrieving the app roles by userID: %s."), + ERROR_CODE_GET_ROLES_BY_GROUP_ID("65010", "Error occurred while retrieving the app role by " + + "groupID", "Error occurred while retrieving the app role by groupID: %s."), + ERROR_CODE_CHECKING_ROLE_EXISTENCE_BY_ID("65011", "Error occurred while checking the role " + + "existence by id.", "Error occurred while checking whether the role with id : %s."), // Client Errors. ERROR_CODE_DUPLICATE_ROLE("60001", "Role already exists.", - "Role with name: %s already exists in application: %s."); + "Role with name: %s already exists in application: %s."), + ERROR_CODE_ROLE_NOT_FOUND("60002", "Role doesn't exist.", + "Role with id: %s doesn't exist."), + ERROR_CODE_USER_ALREADY_ASSIGNED("60003", "Unable to assign user to app role.", + "User already assign for the roleId: %s."), + ERROR_CODE_GROUP_ALREADY_ASSIGNED("60004", "Unable to assign group to app role.", + "Group already assign for the roleId: %s."), + ERROR_CODE_USER_NOT_FOUND("60005", "Unable to assign user to app role.", + "User not found for the userId: %s."), + ERROR_CODE_GROUP_NOT_FOUND("60006", "Unable to assign group to app role.", + "Group not found for the groupId: %s."), + ; private final String code; private final String message; 
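Review bot: Two pairs of enum constants still share an error code after this rewrite: ERROR_CODE_UPDATE_ROLE_ASSIGNED_USERS and ERROR_CODE_UPDATE_ROLE_ASSIGNED_GROUPS are both "65007", and ERROR_CODE_GET_ROLE_ASSIGNED_USERS and ERROR_CODE_GET_ROLE_ASSIGNED_GROUPS are both "65008", so logs and clients cannot tell a user-assignment failure from a group-assignment one; give the group variants their own codes (next free values, e.g. "65012"/"65013" — constructed, pick whatever the numbering scheme dictates). The description of ERROR_CODE_CHECKING_ROLE_EXISTENCE_BY_ID is truncated — "Error occurred while checking whether the role with id : %s." — and should read something like "Error occurred while checking whether the role with id: %s exists.". The new client messages "User already assign for the roleId" and "Group already assign for the roleId" should be "is already assigned to". The enum body continues outside the hunk.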
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/SQLConstants.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/SQLConstants.java index 953c7791da80..994aaecfaa8b 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/SQLConstants.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/SQLConstants.java @@ -43,9 +43,11 @@ public class SQLConstants { public static final String UPDATE_APPLICATION_ROLE_BY_ID = "UPDATE APP_ROLE SET ROLE_NAME = :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_NAME + "; WHERE ROLE_ID = :" + - SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + ";"; + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + "; AND TENANT_ID = :" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_TENANT_ID + ";"; public static final String DELETE_APPLICATION_ROLE_BY_ID = "DELETE FROM APP_ROLE WHERE ROLE_ID = :" + - SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + ";"; + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + "; AND TENANT_ID = :" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_TENANT_ID + ";"; public static final String ADD_APPLICATION_ROLE_USER = "INSERT INTO USER_ROLE (ROLE_ID, USER_ID, TENANT_ID) " + "VALUES (:" + 
@@ -55,10 +57,12 @@ public class SQLConstants { public static final String DELETE_ASSIGNED_USER_APPLICATION_ROLE = "DELETE FROM USER_ROLE WHERE ROLE_ID = :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + "; AND USER_ID = :" + - SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_USER_ID + ";"; + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_USER_ID + "; AND TENANT_ID = :" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_TENANT_ID + ";"; public static final String GET_ASSIGNED_USERS_OF_APPLICATION_ROLE = "SELECT USER_ID " + - "FROM USER_ROLE WHERE ROLE_ID = :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + ";"; + "FROM USER_ROLE WHERE ROLE_ID = :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + + "; AND TENANT_ID = :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_TENANT_ID + ";"; public static final String ADD_APPLICATION_ROLE_GROUP = "INSERT INTO GROUP_ROLE (ROLE_ID, GROUP_ID, IDP_ID," + " TENANT_ID) VALUES (:" + 
@@ -69,19 +73,27 @@ public class SQLConstants { public static final String DELETE_ASSIGNED_GROUP_APPLICATION_ROLE = "DELETE FROM GROUP_ROLE WHERE ROLE_ID = :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + "; AND GROUP_ID = :" + - SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_GROUP_ID + ";"; + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_GROUP_ID + "; AND TENANT_ID = :" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_TENANT_ID + ";"; public static final String GET_ASSIGNED_GROUPS_OF_APPLICATION_ROLE = "SELECT GROUP_ID, IDP_ID " + "FROM GROUP_ROLE WHERE ROLE_ID = :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + - "; AND IDP_ID = :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_IDP_ID + ";"; + "; AND IDP_ID = :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_IDP_ID + + "; AND TENANT_ID = :" + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_TENANT_ID + ";"; public static final String GET_APPLICATION_ROLES_BY_USER_ID = "SELECT ar.ROLE_ID, ar.ROLE_NAME, ar.TENANT_ID, " + "ar.APP_ID FROM APP_ROLE as ar INNER JOIN USER_ROLE as ur ON ar.ROLE_ID = ur.ROLE_ID WHERE ur.USER_ID = :" - + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_USER_ID + ";"; + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_USER_ID + "; AND ar.TENANT_ID = :" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_TENANT_ID + ";"; public static final String GET_APPLICATION_ROLES_BY_GROUP_ID = "SELECT ar.ROLE_ID, ar.ROLE_NAME, ar.TENANT_ID, " + "ar.APP_ID FROM APP_ROLE as ar INNER JOIN GROUP_ROLE as gr ON ar.ROLE_ID = gr.ROLE_ID WHERE gr.GROUP_ID = :" - + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_GROUP_ID + ";"; + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_GROUP_ID + "; AND ar.TENANT_ID = :" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_TENANT_ID + ";"; + + public static final String IS_APPLICATION_ROLE_EXISTS_BY_ID = "SELECT COUNT(1) FROM APP_ROLE WHERE ROLE_ID = :" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_ID + "; AND TENANT_ID = :" + + SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_TENANT_ID + "; "; /** * SQL Placeholders. 
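Review bot: GET_APPLICATION_ROLES_BY_USER_ID and GET_APPLICATION_ROLES_BY_GROUP_ID filter on ar.TENANT_ID only, while the USER_ROLE and GROUP_ROLE rows being joined carry their own TENANT_ID column (see the INSERT statements above); that is sufficient only if ROLE_ID is unique across tenants, which this file does not establish, so either also constrain `ur.TENANT_ID`/`gr.TENANT_ID` or add a comment stating the uniqueness assumption. IS_APPLICATION_ROLE_EXISTS_BY_ID ends in `"; "` with a stray trailing space where every other statement ends in `";"` — harmless, but inconsistent.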
@@ -96,4 +108,7 @@ public static final class SQLPlaceholders { public static final String DB_SCHEMA_COLUMN_NAME_GROUP_ID = "GROUP_ID"; public static final String DB_SCHEMA_COLUMN_NAME_IDP_ID = "IDP_ID"; } + + public static final String USER_ROLE_UNIQUE_CONSTRAINT = "user_role_unique"; + public static final String GROUP_ROLE_UNIQUE_CONSTRAINT = "group_role_unique"; } diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/ApplicationRoleMgtDAO.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/ApplicationRoleMgtDAO.java index 1b8d2c31f934..580da77dc8c9 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/ApplicationRoleMgtDAO.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/ApplicationRoleMgtDAO.java @@ -38,7 +38,8 @@ ApplicationRole getApplicationRoleById(String roleId, String tenantDomain) List getApplicationRoles(String applicationId) throws ApplicationRoleManagementServerException; - void updateApplicationRole(String applicationId, String roleId, String tenantDomain) + void updateApplicationRole(String roleId, String newName, List addedScopes, List removedScopes, + String tenantDomain) throws ApplicationRoleManagementServerException; void deleteApplicationRole(String roleId, String tenantDomain) throws ApplicationRoleManagementServerException; 
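Review bot: USER_ROLE_UNIQUE_CONSTRAINT and GROUP_ROLE_UNIQUE_CONSTRAINT in the first hunk look like constraint names to be matched against a driver's exception text when a duplicate assignment is inserted (their use is not in this hunk, so this is inferred). Constraint names are reported differently across databases — lower-cased, upper-cased, quoted, or replaced by an index name — so any such match should be case-insensitive and, where possible, should key off SQLState/SQLIntegrityConstraintViolationException rather than message text. A comment tying the literals to the schema script that declares them, `// Must match the constraint names declared in the DB scripts for USER_ROLE/GROUP_ROLE.`, would make the coupling visible; stylistically the two constants also belong with the other constants above rather than after the nested SQLPlaceholders class.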
@@ -46,6 +47,8 @@ void updateApplicationRole(String applicationId, String roleId, String tenantDom boolean isExistingRole(String applicationId, String roleName, String tenantDomain) throws ApplicationRoleManagementServerException; + boolean checkRoleExists(String roleId, String tenantDomain) throws ApplicationRoleManagementServerException; + void updateApplicationRoleAssignedUsers(String roleId, List addedUsers, List removedUsers, String tenantDomain) throws ApplicationRoleManagementException; @@ -60,7 +63,9 @@ void updateApplicationRoleAssignedGroups(String roleId, IdentityProvider identit ApplicationRole getApplicationRoleAssignedGroups(String roleId, IdentityProvider identityProvider, String tenantDomain) throws ApplicationRoleManagementException; - List getApplicationRolesByUserId(String userId) throws ApplicationRoleManagementException; + List getApplicationRolesByUserId(String userId, String tenantDomain) + throws ApplicationRoleManagementException; - List getApplicationRolesByGroupId(String groupId) throws ApplicationRoleManagementException; + List getApplicationRolesByGroupId(String groupId, String tenantDomain) + throws ApplicationRoleManagementException; } diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java index eceb02555129..0281eb8518e8 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java 
@@ -18,6 +18,7 @@ package org.wso2.carbon.identity.application.role.mgt.dao.impl; +import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.wso2.carbon.database.utils.jdbc.NamedJdbcTemplate; @@ -27,12 +28,12 @@ import org.wso2.carbon.identity.application.common.model.IdentityProvider; import org.wso2.carbon.identity.application.role.mgt.constants.SQLConstants; import org.wso2.carbon.identity.application.role.mgt.dao.ApplicationRoleMgtDAO; -import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementClientException; import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementException; import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementServerException; import org.wso2.carbon.identity.application.role.mgt.model.ApplicationRole; import org.wso2.carbon.identity.application.role.mgt.model.Group; import org.wso2.carbon.identity.application.role.mgt.model.User; +import org.wso2.carbon.identity.application.role.mgt.util.ApplicationRoleMgtUtils; import org.wso2.carbon.identity.application.role.mgt.util.GroupIDResolver; import org.wso2.carbon.identity.application.role.mgt.util.UserIDResolver; import org.wso2.carbon.identity.core.util.IdentityTenantUtil; 
@@ -43,6 +44,7 @@ import java.util.Map; import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_CHECKING_ROLE_EXISTENCE; +import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_CHECKING_ROLE_EXISTENCE_BY_ID; import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_DELETE_ROLE; import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_GET_ROLES_BY_APPLICATION; import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_GET_ROLES_BY_GROUP_ID; 
@@ -50,10 +52,14 @@ import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_GET_ROLE_ASSIGNED_GROUPS; import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_GET_ROLE_ASSIGNED_USERS; import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_GET_ROLE_BY_ID; +import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_GROUP_ALREADY_ASSIGNED; +import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_GROUP_NOT_FOUND; import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_INSERT_ROLE; import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_UPDATE_ROLE; import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_UPDATE_ROLE_ASSIGNED_GROUPS; import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_UPDATE_ROLE_ASSIGNED_USERS; +import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_USER_ALREADY_ASSIGNED; +import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_USER_NOT_FOUND; import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.LOCAL_IDP; import static org.wso2.carbon.identity.application.role.mgt.constants.SQLConstants.SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_APP_ID; import static org.wso2.carbon.identity.application.role.mgt.constants.SQLConstants.SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_GROUP_ID; 
@@ -71,20 +77,13 @@ public class ApplicationRoleMgtDAOImpl implements ApplicationRoleMgtDAO { private static final Log LOG = LogFactory.getLog(ApplicationRoleMgtDAOImpl.class); - private UserIDResolver userIDResolver = new UserIDResolver(); - private GroupIDResolver groupIDResolver = new GroupIDResolver(); + private final UserIDResolver userIDResolver = new UserIDResolver(); + private final GroupIDResolver groupIDResolver = new GroupIDResolver(); @Override public ApplicationRole addApplicationRole(ApplicationRole applicationRole, String tenantDomain) throws ApplicationRoleManagementServerException { - int tenantID; - if (tenantDomain != null) { - tenantID = IdentityTenantUtil.getTenantId(tenantDomain); - } else { - tenantID = MultitenantConstants.INVALID_TENANT_ID; - } - NamedJdbcTemplate namedJdbcTemplate = getNewTemplate(); try { namedJdbcTemplate.withTransaction(template -> { @@ -92,7 +91,7 @@ public ApplicationRole addApplicationRole(ApplicationRole applicationRole, Strin namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, applicationRole.getRoleId()); namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_APP_ID, applicationRole.getApplicationId()); namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_NAME, applicationRole.getRoleName()); - namedPreparedStatement.setInt(DB_SCHEMA_COLUMN_NAME_TENANT_ID, tenantID); + namedPreparedStatement.setInt(DB_SCHEMA_COLUMN_NAME_TENANT_ID, getTenantId(tenantDomain)); }, null, false); return null; }); 
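Review bot: The removed inline code in addApplicationRole and getApplicationRoleById mapped a null tenantDomain to MultitenantConstants.INVALID_TENANT_ID before calling IdentityTenantUtil.getTenantId; the replacement getTenantId(tenantDomain) helper is defined outside this hunk, so please confirm it preserves that null handling rather than passing null into IdentityTenantUtil.getTenantId. If it does, a one-line Javadoc on the helper — `/** Resolves the tenant id, mapping a null domain to INVALID_TENANT_ID. */` — documents the contract the callers now rely on. Making the two resolver fields final is a welcome change.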
@@ -107,13 +106,6 @@ public ApplicationRole addApplicationRole(ApplicationRole applicationRole, Strin
 public ApplicationRole getApplicationRoleById(String roleId, String tenantDomain)
 throws ApplicationRoleManagementServerException {
- int tenantID;
- if (tenantDomain != null) {
- tenantID = IdentityTenantUtil.getTenantId(tenantDomain);
- } else {
- tenantID = MultitenantConstants.INVALID_TENANT_ID;
- }
-
 NamedJdbcTemplate namedJdbcTemplate = getNewTemplate();
 try {
 return namedJdbcTemplate.fetchSingleRecord(SQLConstants.GET_APPLICATION_ROLE_BY_ID,
@@ -123,7 +115,7 @@ public ApplicationRole getApplicationRoleById(String roleId, String tenantDomain
 resultSet.getString(DB_SCHEMA_COLUMN_NAME_APP_ID)),
 namedPreparedStatement -> {
 namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, roleId);
- namedPreparedStatement.setInt(DB_SCHEMA_COLUMN_NAME_TENANT_ID, tenantID);
+ namedPreparedStatement.setInt(DB_SCHEMA_COLUMN_NAME_TENANT_ID, getTenantId(tenantDomain));
 });
 } catch (DataAccessException e) {
 throw handleServerException(ERROR_CODE_GET_ROLE_BY_ID, e, roleId);
@@ -150,19 +142,26 @@ public List getApplicationRoles(String applicationId)
 }
 @Override
- public void updateApplicationRole(String applicationId, String roleId, String tenantDomain)
+ public void updateApplicationRole(String roleId, String newName, List addedScopes,
+ List removedScopes, String tenantDomain)
 throws ApplicationRoleManagementServerException {
 NamedJdbcTemplate namedJdbcTemplate = getNewTemplate();
 try {
 namedJdbcTemplate.withTransaction(template -> {
- template.executeUpdate(SQLConstants.UPDATE_APPLICATION_ROLE_BY_ID, namedPreparedStatement -> {
- namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, roleId);
- });
+ if (StringUtils.isNotBlank(newName)) {
+ template.executeUpdate(SQLConstants.UPDATE_APPLICATION_ROLE_BY_ID, namedPreparedStatement -> {
+ namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_NAME, newName);
+ namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, roleId);
+ namedPreparedStatement.setInt(DB_SCHEMA_COLUMN_NAME_TENANT_ID, getTenantId(tenantDomain));
+ });
+ }
+ // TODO: Add scopes
+ // TODO: Remove scopes
 return null;
 });
 } catch (TransactionException e) {
- throw handleServerException(ERROR_CODE_UPDATE_ROLE, e, roleId, applicationId);
+ throw handleServerException(ERROR_CODE_UPDATE_ROLE, e, roleId);
 }
 }
@@ -172,9 +171,10 @@ public void deleteApplicationRole(String roleId, String tenantDomain)
 NamedJdbcTemplate namedJdbcTemplate = getNewTemplate();
 try {
- namedJdbcTemplate.executeQuery(SQLConstants.DELETE_APPLICATION_ROLE_BY_ID, (resultSet, rowNumber) -> null,
+ namedJdbcTemplate.executeUpdate(SQLConstants.DELETE_APPLICATION_ROLE_BY_ID,
 namedPreparedStatement -> {
 namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, roleId);
+ namedPreparedStatement.setInt(DB_SCHEMA_COLUMN_NAME_TENANT_ID, getTenantId(tenantDomain));
 });
 } catch (DataAccessException e) {
 throw handleServerException(ERROR_CODE_DELETE_ROLE, e, roleId);
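Review bot: `updateApplicationRole` now takes `addedScopes` and `removedScopes` but never reads them (the two `// TODO` lines), so a caller asking for a scope change gets a normal return, and through the cache-backed wrapper an invalidated cache entry, while the stored role is unchanged. Until the scope path exists, make the gap fail loudly: `if ((addedScopes != null && !addedScopes.isEmpty()) || (removedScopes != null && !removedScopes.isEmpty())) { throw new UnsupportedOperationException("Scope updates are not implemented yet"); }` at the top of the method. The catch block also drops `applicationId` from the `ERROR_CODE_UPDATE_ROLE` arguments; if that message template in ApplicationRoleMgtConstants still carries two `%s` placeholders, the second is now left unfilled — confirm. In the second hunk the switch to `executeUpdate` is right, but the affected-row count is discarded, so a roleId that does not exist in this tenant deletes nothing and still returns normally; `getApplicationRoles` at the top of the first hunk starts outside it.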
@@ -185,12 +185,6 @@ public void deleteApplicationRole(String roleId, String tenantDomain)
 public boolean isExistingRole(String applicationId, String roleName, String tenantDomain)
 throws ApplicationRoleManagementServerException {
- int tenantID;
- if (tenantDomain != null) {
- tenantID = IdentityTenantUtil.getTenantId(tenantDomain);
- } else {
- tenantID = MultitenantConstants.INVALID_TENANT_ID;
- }
 NamedJdbcTemplate namedJdbcTemplate = getNewTemplate();
 try {
@@ -199,35 +193,45 @@ public boolean isExistingRole(String applicationId, String roleName, String tena
 namedPreparedStatement -> {
 namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_NAME, roleName);
 namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_APP_ID, applicationId);
- namedPreparedStatement.setInt(DB_SCHEMA_COLUMN_NAME_TENANT_ID, tenantID);
+ namedPreparedStatement.setInt(DB_SCHEMA_COLUMN_NAME_TENANT_ID, getTenantId(tenantDomain));
 });
 } catch (DataAccessException e) {
 throw handleServerException(ERROR_CODE_CHECKING_ROLE_EXISTENCE, e, roleName, applicationId);
 }
 }
+ @Override
+ public boolean checkRoleExists(String roleId, String tenantDomain) throws ApplicationRoleManagementServerException {
+
+ NamedJdbcTemplate namedJdbcTemplate = getNewTemplate();
+ try {
+ return namedJdbcTemplate.fetchSingleRecord(SQLConstants.IS_APPLICATION_ROLE_EXISTS_BY_ID,
+ (resultSet, rowNumber) -> resultSet.getInt(1) > 0,
+ namedPreparedStatement -> {
+ namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, roleId);
+ namedPreparedStatement.setInt(DB_SCHEMA_COLUMN_NAME_TENANT_ID, getTenantId(tenantDomain));
+ });
+ } catch (DataAccessException e) {
+ throw handleServerException(ERROR_CODE_CHECKING_ROLE_EXISTENCE_BY_ID, e, roleId);
+ }
+ }
+
 @Override
 public void updateApplicationRoleAssignedUsers(String roleId, List addedUsers,
 List removedUsers, String tenantDomain)
 throws ApplicationRoleManagementException {
- int tenantID;
- if (tenantDomain != null) {
- tenantID = IdentityTenantUtil.getTenantId(tenantDomain);
- } else {
- tenantID = MultitenantConstants.INVALID_TENANT_ID;
- }
+ // Validate given userIds are exists.
 validateUserIds(addedUsers, tenantDomain);
-
+ validateUserIds(removedUsers, tenantDomain);
 NamedJdbcTemplate namedJdbcTemplate = getNewTemplate();
 try {
- String sqlStmt = SQLConstants.ADD_APPLICATION_ROLE_USER;
 namedJdbcTemplate.withTransaction(template -> {
- namedJdbcTemplate.executeBatchInsert(sqlStmt, (preparedStatement -> {
+ namedJdbcTemplate.executeBatchInsert(SQLConstants.ADD_APPLICATION_ROLE_USER, (preparedStatement -> {
 for (String userId : addedUsers) {
 preparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, roleId);
 preparedStatement.setString(DB_SCHEMA_COLUMN_NAME_USER_ID, userId);
- preparedStatement.setInt(DB_SCHEMA_COLUMN_NAME_TENANT_ID, tenantID);
+ preparedStatement.setInt(DB_SCHEMA_COLUMN_NAME_TENANT_ID, getTenantId(tenantDomain));
 preparedStatement.addBatch();
 }
 }), roleId);
@@ -236,11 +240,16 @@ public void updateApplicationRoleAssignedUsers(String roleId, List added
 namedPreparedStatement -> {
 namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, roleId);
 namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_USER_ID, userId);
+ namedPreparedStatement.setInt(DB_SCHEMA_COLUMN_NAME_TENANT_ID,
+ getTenantId(tenantDomain));
 });
 }
 return null;
 });
 } catch (TransactionException e) {
+ if (checkUniqueKeyConstrainViolated(e)) {
+ throw ApplicationRoleMgtUtils.handleClientException(ERROR_CODE_USER_ALREADY_ASSIGNED, roleId);
+ }
 throw handleServerException(ERROR_CODE_UPDATE_ROLE_ASSIGNED_USERS, e, roleId);
 }
 }
@@ -256,6 +265,7 @@ public ApplicationRole getApplicationRoleAssignedUsers(String roleId, String ten
 (resultSet, rowNumber) -> new User(resultSet.getString(DB_SCHEMA_COLUMN_NAME_USER_ID)),
 namedPreparedStatement -> {
 namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, roleId);
+ namedPreparedStatement.setInt(DB_SCHEMA_COLUMN_NAME_TENANT_ID, getTenantId(tenantDomain));
 });
 for (User user : users) {
 user.setUserName(getUserNamesByID(user.getId(), tenantDomain));
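Review bot: Running `validateUserIds` over `removedUsers` (the new `+ validateUserIds(removedUsers, tenantDomain);` line) means a user that has since been deleted from the user store can never be unassigned through this method: the resolver reports it as not found, the call fails with ERROR_CODE_USER_NOT_FOUND before the DELETE runs, and the stale USER_ROLE row lingers until the role itself is deleted (the schema's ON DELETE CASCADE), unless some user-deletion listener elsewhere cleans it up. Skip existence validation for removals, or filter unknown ids out of `removedUsers` rather than rejecting the whole call. Separately, `getTenantId(tenantDomain)` is re-evaluated on every iteration of the `for (String userId : addedUsers)` batch loop, and again in the group batch loop of the `-293` hunk; resolve it once before the transaction, `int tenantId = getTenantId(tenantDomain);`, and bind that, which also avoids a tenant-manager lookup per assignment if `IdentityTenantUtil.getTenantId` goes through one. `updateApplicationRoleAssignedUsers` continues in the `-236` hunk.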
@@ -274,12 +284,6 @@ public void updateApplicationRoleAssignedGroups(String roleId, IdentityProvider
 String tenantDomain)
 throws ApplicationRoleManagementException {
- int tenantID;
- if (tenantDomain != null) {
- tenantID = IdentityTenantUtil.getTenantId(tenantDomain);
- } else {
- tenantID = MultitenantConstants.INVALID_TENANT_ID;
- }
 validateGroupIds(identityProvider, addedGroups, tenantDomain);
 validateGroupIds(identityProvider, removedGroups, tenantDomain);
 NamedJdbcTemplate namedJdbcTemplate = getNewTemplate();
@@ -293,7 +297,8 @@ public void updateApplicationRoleAssignedGroups(String roleId, IdentityProvider
 preparedStatement.setString(DB_SCHEMA_COLUMN_NAME_GROUP_ID, groupId);
 preparedStatement.setString(DB_SCHEMA_COLUMN_NAME_IDP_ID,
 identityProvider.getResourceId());
- preparedStatement.setInt(DB_SCHEMA_COLUMN_NAME_TENANT_ID, tenantID);
+ preparedStatement.setInt(DB_SCHEMA_COLUMN_NAME_TENANT_ID,
+ getTenantId(tenantDomain));
 preparedStatement.addBatch();
 }
 }), roleId);
@@ -304,12 +309,17 @@ public void updateApplicationRoleAssignedGroups(String roleId, IdentityProvider
 namedPreparedStatement -> {
 namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, roleId);
 namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_GROUP_ID, groupId);
+ namedPreparedStatement.setInt(DB_SCHEMA_COLUMN_NAME_TENANT_ID,
+ getTenantId(tenantDomain));
 });
 }
 }
 return null;
 });
 } catch (TransactionException e) {
+ if (checkUniqueKeyConstrainViolated(e)) {
+ throw ApplicationRoleMgtUtils.handleClientException(ERROR_CODE_GROUP_ALREADY_ASSIGNED, roleId);
+ }
 throw handleServerException(ERROR_CODE_UPDATE_ROLE_ASSIGNED_GROUPS, e, roleId);
 }
 }
@@ -329,6 +339,7 @@ public ApplicationRole getApplicationRoleAssignedGroups(String roleId, IdentityP
 namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, roleId);
 namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_IDP_ID,
 identityProvider.getResourceId());
+ namedPreparedStatement.setInt(DB_SCHEMA_COLUMN_NAME_TENANT_ID, getTenantId(tenantDomain));
 });
 if (LOCAL_IDP.equals(identityProvider.getIdentityProviderName())) {
 for (Group group : groups) {
@@ -357,7 +368,8 @@ public ApplicationRole getApplicationRoleAssignedGroups(String roleId, IdentityP
 }
 @Override
- public List getApplicationRolesByUserId(String userId) throws ApplicationRoleManagementException {
+ public List getApplicationRolesByUserId(String userId, String tenantDomain)
+ throws ApplicationRoleManagementException {
 NamedJdbcTemplate namedJdbcTemplate = getNewTemplate();
 try {
@@ -368,6 +380,7 @@ public List getApplicationRolesByUserId(String userId) throws A
 resultSet.getString(DB_SCHEMA_COLUMN_NAME_APP_ID)),
 namedPreparedStatement -> {
 namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_USER_ID, userId);
+ namedPreparedStatement.setInt(DB_SCHEMA_COLUMN_NAME_TENANT_ID, getTenantId(tenantDomain));
 });
 } catch (DataAccessException e) {
 throw handleServerException(ERROR_CODE_GET_ROLES_BY_USER_ID, e, userId);
@@ -375,22 +388,23 @@ public List getApplicationRolesByUserId(String userId) throws A
 }
 @Override
- public List getApplicationRolesByGroupId(String groupId)
+ public List getApplicationRolesByGroupId(String groupId, String tenantDomain)
 throws ApplicationRoleManagementException {
- NamedJdbcTemplate namedJdbcTemplate = getNewTemplate();
- try {
- return namedJdbcTemplate.executeQuery(SQLConstants.GET_APPLICATION_ROLES_BY_GROUP_ID,
- (resultSet, rowNumber) ->
- new ApplicationRole(resultSet.getString(DB_SCHEMA_COLUMN_NAME_ROLE_ID),
- resultSet.getString(DB_SCHEMA_COLUMN_NAME_ROLE_NAME),
- resultSet.getString(DB_SCHEMA_COLUMN_NAME_APP_ID)),
- namedPreparedStatement -> {
- namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_GROUP_ID, groupId);
- });
- } catch (DataAccessException e) {
- throw handleServerException(ERROR_CODE_GET_ROLES_BY_GROUP_ID, e, groupId);
- }
+ NamedJdbcTemplate namedJdbcTemplate = getNewTemplate();
+ try {
+ return namedJdbcTemplate.executeQuery(SQLConstants.GET_APPLICATION_ROLES_BY_GROUP_ID,
+ (resultSet, rowNumber) ->
+ new ApplicationRole(resultSet.getString(DB_SCHEMA_COLUMN_NAME_ROLE_ID),
+ resultSet.getString(DB_SCHEMA_COLUMN_NAME_ROLE_NAME),
+ resultSet.getString(DB_SCHEMA_COLUMN_NAME_APP_ID)),
+ namedPreparedStatement -> {
+ namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_GROUP_ID, groupId);
+ namedPreparedStatement.setInt(DB_SCHEMA_COLUMN_NAME_TENANT_ID, getTenantId(tenantDomain));
+ });
+ } catch (DataAccessException e) {
+ throw handleServerException(ERROR_CODE_GET_ROLES_BY_GROUP_ID, e, groupId);
+ }
 }
 public void validateGroupIds(IdentityProvider identityProvider, List groups, String tenantDomain)
@@ -400,8 +414,7 @@ public void validateGroupIds(IdentityProvider identityProvider, List gro
 for (String groupId : groups) {
 boolean isExists = groupIDResolver.isExists(groupId, tenantDomain);
 if (!isExists) {
- throw new ApplicationRoleManagementClientException("Given groupId is not found",
- "Given groupId is not found", "");
+ throw ApplicationRoleMgtUtils.handleClientException(ERROR_CODE_GROUP_NOT_FOUND, groupId);
 }
 }
 } else {
@@ -412,8 +425,7 @@ public void validateGroupIds(IdentityProvider identityProvider, List gro
 }
 for (String groupId : groups) {
 if (!idToNameMap.containsKey(groupId)) {
- throw new ApplicationRoleManagementClientException("Given groupId is not found",
- "Given groupId is not found", "");
+ throw ApplicationRoleMgtUtils.handleClientException(ERROR_CODE_GROUP_NOT_FOUND, groupId);
 }
 }
 }
@@ -425,8 +437,7 @@ public void validateUserIds(List users, String tenantDomain)
 for (String userId : users) {
 boolean isExists = userIDResolver.isExists(userId, tenantDomain);
 if (!isExists) {
- throw new ApplicationRoleManagementClientException("Given user Id is not found",
- "Given user Id is not found", "");
+ throw ApplicationRoleMgtUtils.handleClientException(ERROR_CODE_USER_NOT_FOUND, userId);
 }
 }
 }
@@ -443,4 +454,22 @@ private String getGroupNamesByID(String groupID, String tenantDomain)
 return groupIDResolver.getNameByID(groupID, tenantDomain);
 }
+ private boolean checkUniqueKeyConstrainViolated(TransactionException e) {
+
+ return e.getCause().getCause().getMessage().toLowerCase().
+ contains(SQLConstants.GROUP_ROLE_UNIQUE_CONSTRAINT.toLowerCase());
+ }
+
+ private int getTenantId(String tenantDomain) {
+
+ int tenantID;
+ if (tenantDomain != null) {
+ tenantID = IdentityTenantUtil.getTenantId(tenantDomain);
+ } else {
+ tenantID = MultitenantConstants.INVALID_TENANT_ID;
+ }
+ return tenantID;
+ }
+
+
 }
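Review bot: `checkUniqueKeyConstrainViolated` dereferences `e.getCause().getCause()` with no guard and then decides on a substring of the driver's message, so a `TransactionException` whose cause chain is shorter than two links turns the catch block into a `NullPointerException`, and on a driver that does not echo the constraint name a duplicate assignment surfaces as a generic server error instead of ERROR_CODE_USER_ALREADY_ASSIGNED / ERROR_CODE_GROUP_ALREADY_ASSIGNED; the patch-07 rewrite of this helper (`-454` hunk of the same file) keeps the same shape. Walk the cause chain null-safely as below, and consider checking `SQLException.getSQLState()` for the `23` integrity-violation class as an additional signal before the message match. `getTenantId` maps a null `tenantDomain` to `MultitenantConstants.INVALID_TENANT_ID`, and since every call site in this file now binds its result, a null domain stores a role under tenant -1 in `addApplicationRole` and silently matches nothing in the reads; `if (tenantDomain == null) { throw new IllegalArgumentException("tenantDomain must not be null"); }` at the top of the helper would fail fast instead.

```java
private boolean checkUniqueKeyConstrainViolated(TransactionException e) {

    // Walk the whole cause chain null-safely instead of assuming exactly two links.
    for (Throwable cause = e.getCause(); cause != null; cause = cause.getCause()) {
        String message = cause.getMessage();
        if (message != null && message.toLowerCase()
                .contains(SQLConstants.GROUP_ROLE_UNIQUE_CONSTRAINT.toLowerCase())) {
            return true;
        }
    }
    return false;
}
// … unchanged: getTenantId …
```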
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/CacheBackedApplicationRoleMgtDAOImpl.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/CacheBackedApplicationRoleMgtDAOImpl.java
index 1e3ea42a9c83..276a260389e2 100644
--- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/CacheBackedApplicationRoleMgtDAOImpl.java
+++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/CacheBackedApplicationRoleMgtDAOImpl.java
@@ -77,11 +77,12 @@ public List getApplicationRoles(String applicationId)
 }
 @Override
- public void updateApplicationRole(String applicationId, String roleId, String tenantDomain)
+ public void updateApplicationRole(String roleId, String newName, List addedScopes,
+ List removedScopes, String tenantDomain)
 throws ApplicationRoleManagementServerException {
 clearFromCache(roleId, tenantDomain);
- applicationRoleMgtDAO.updateApplicationRole(applicationId, roleId, tenantDomain);
+ applicationRoleMgtDAO.updateApplicationRole(roleId, newName, addedScopes, removedScopes, tenantDomain);
 }
 @Override
@@ -100,6 +101,12 @@ public boolean isExistingRole(String applicationId, String roleName, String tena
 return applicationRoleMgtDAO.isExistingRole(applicationId, roleName, tenantDomain);
 }
+ @Override
+ public boolean checkRoleExists(String roleId, String tenantDomain) throws ApplicationRoleManagementServerException {
+
+ return applicationRoleMgtDAO.checkRoleExists(roleId, tenantDomain);
+ }
+
 @Override
 public void updateApplicationRoleAssignedUsers(String roleId, List addedUsers,
 List removedUsers, String tenantDomain)
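Review bot: In `updateApplicationRole`, `clearFromCache(roleId, tenantDomain)` runs before `applicationRoleMgtDAO.updateApplicationRole(...)`, so a read that lands between the two — presumably `getApplicationRoleById`, which the cache-backed pattern suggests re-populates the cache from the DAO — stores the pre-rename role and that entry outlives the write. Invalidate after the delegate returns, i.e. move the clear below the DAO call or clear both before and after, so a successful rename is never shadowed by a stale cached name. The new `checkRoleExists` pass-through always goes to the database even when the role is cached; if that is intended, a one-line comment such as `// Existence is always checked against the store; the cache is not consulted.` would save the next reader a question.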
@@ -141,17 +148,17 @@ public ApplicationRole getApplicationRoleAssignedGroups(String roleId, IdentityP
 }
 @Override
- public List getApplicationRolesByUserId(String userId)
+ public List getApplicationRolesByUserId(String userId, String tenantDomain)
 throws ApplicationRoleManagementException {
- return applicationRoleMgtDAO.getApplicationRolesByUserId(userId);
+ return applicationRoleMgtDAO.getApplicationRolesByUserId(userId, tenantDomain);
 }
 @Override
- public List getApplicationRolesByGroupId(String groupId)
+ public List getApplicationRolesByGroupId(String groupId, String tenantDomain)
 throws ApplicationRoleManagementException {
- return applicationRoleMgtDAO.getApplicationRolesByGroupId(groupId);
+ return applicationRoleMgtDAO.getApplicationRolesByGroupId(groupId, tenantDomain);
 }
 private ApplicationRole getApplicationRoleFromCache(String applicationRoleId, String tenantDomain) {
From 64093777907089baf9e71c5643e45e6424e4c8d4 Mon Sep 17 00:00:00 2001
From: Thilina Shashimal Senarath
Date: Mon, 28 Aug 2023 09:01:03 +0530
Subject: [PATCH 06/21] add licenses
---
 .../application/role/mgt/model/Group.java | 18 ++++++++++++++++++
 .../application/role/mgt/model/User.java | 18 ++++++++++++++++++
 .../role/mgt/util/GroupIDResolver.java | 18 ++++++++++++++++++
 .../application/role/mgt/util/IDResolver.java | 18 ++++++++++++++++++
 .../role/mgt/util/UserIDResolver.java | 18 ++++++++++++++++++
 5 files changed, 90 insertions(+)
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/model/Group.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/model/Group.java
index d116f282b734..13c3e5895266 100644
--- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/model/Group.java
+++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/model/Group.java
@@ -1,3 +1,21 @@
+/*
+ * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
 package org.wso2.carbon.identity.application.role.mgt.model;
 /**
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/model/User.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/model/User.java
index 8a43f73773cc..63d86bb6ef78 100644
--- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/model/User.java
+++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/model/User.java
@@ -1,3 +1,21 @@
+/*
+ * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
 package org.wso2.carbon.identity.application.role.mgt.model;
 /**
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/GroupIDResolver.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/GroupIDResolver.java
index 36876d9a7fd0..a6418b532849 100644
--- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/GroupIDResolver.java
+++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/GroupIDResolver.java
@@ -1,3 +1,21 @@
+/*
+ * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
 package org.wso2.carbon.identity.application.role.mgt.util;
 import org.wso2.carbon.context.PrivilegedCarbonContext;
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/IDResolver.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/IDResolver.java
index 1f4c6b303373..4fa78bd66d33 100644
--- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/IDResolver.java
+++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/IDResolver.java
@@ -1,3 +1,21 @@
+/*
+ * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
 package org.wso2.carbon.identity.application.role.mgt.util;
 import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementException;
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/UserIDResolver.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/UserIDResolver.java
index 6efb1b77070e..f33e645c290a 100644
--- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/UserIDResolver.java
+++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/UserIDResolver.java
@@ -1,3 +1,21 @@
+/*
+ * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
 package org.wso2.carbon.identity.application.role.mgt.util;
 import org.wso2.carbon.context.PrivilegedCarbonContext;
From f8cccb8ea06c1ffddbc1d9307eb2c2f460070c34 Mon Sep 17 00:00:00 2001
From: Thilina Shashimal Senarath
Date: Mon, 28 Aug 2023 13:29:00 +0530
Subject: [PATCH 07/21] fix idp null
---
 .../pom.xml | 7 ++++
 .../role/mgt/ApplicationRoleManagerImpl.java | 7 ++++
 .../ApplicationRoleMgtConstants.java | 2 +
 .../dao/impl/ApplicationRoleMgtDAOImpl.java | 12 +++---
 .../resources/dbscripts/h2.sql | 37 +++++++++++++++++++
 5 files changed, 60 insertions(+), 5 deletions(-)
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/pom.xml b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/pom.xml
index 428cd3b93d28..6dd09e1c5741 100644
--- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/pom.xml
+++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/pom.xml
@@ -110,6 +110,13 @@
+
+ org.codehaus.mojo
+ findbugs-maven-plugin
+
+ High
+
+
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImpl.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImpl.java index 85af5fb73506..4972f1ede653 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImpl.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImpl.java @@ -33,6 +33,7 @@ import java.util.List; import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_DUPLICATE_ROLE; +import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_IDP_NOT_FOUND; import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_ROLE_NOT_FOUND; import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.LOCAL_IDP; import static org.wso2.carbon.identity.application.role.mgt.util.ApplicationRoleMgtUtils.handleClientException; @@ -129,6 +130,9 @@ public void updateApplicationRoleAssignedGroups(String roleId, String idpId, Lis identityProvider = ApplicationRoleMgtServiceComponentHolder.getInstance() .getIdentityProviderManager().getIdPByResourceId(idpId, getTenantDomain(), true); } + if (identityProvider == null) { + throw handleClientException(ERROR_CODE_IDP_NOT_FOUND, idpId); + } removeCommonValues(addedGroups, removedGroups); applicationRoleMgtDAO.updateApplicationRoleAssignedGroups(roleId, identityProvider, addedGroups, removedGroups, getTenantDomain()); 
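Review bot: The `if (identityProvider == null)` guard added after `getIdPByResourceId` is duplicated verbatim in `getApplicationRoleAssignedGroups` (the `-152` hunk), and in both places it follows an `if` whose condition is outside the hunk, so whether the other branch can also leave `identityProvider` null is not visible here. A private `resolveIdentityProvider(String idpId)` helper that performs the lookup, throws `handleClientException(ERROR_CODE_IDP_NOT_FOUND, idpId)` on null and returns the provider would keep the two call sites from drifting and make the null contract explicit in one place. The caller-supplied `idpId` is echoed back in the client error, which is fine for a not-found response provided the same value is not also logged at error level. `updateApplicationRoleAssignedGroups` starts outside the hunk.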
@@ -152,6 +156,9 @@ public ApplicationRole getApplicationRoleAssignedGroups(String roleId, String id
 identityProvider = ApplicationRoleMgtServiceComponentHolder.getInstance()
 .getIdentityProviderManager().getIdPByResourceId(idpId, getTenantDomain(), true);
 }
+ if (identityProvider == null) {
+ throw handleClientException(ERROR_CODE_IDP_NOT_FOUND, idpId);
+ }
 return applicationRoleMgtDAO.getApplicationRoleAssignedGroups(roleId, identityProvider, getTenantDomain());
 } catch (IdentityProviderManagementException e) {
 throw new ApplicationRoleManagementException("Error while retrieving idp", "Error while retrieving idp " +
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/ApplicationRoleMgtConstants.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/ApplicationRoleMgtConstants.java
index a473a4ef6730..b326ca5369bb 100644
--- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/ApplicationRoleMgtConstants.java
+++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/ApplicationRoleMgtConstants.java
@@ -72,6 +72,8 @@ public enum ErrorMessages {
 "User not found for the userId: %s."),
 ERROR_CODE_GROUP_NOT_FOUND("60006", "Unable to assign group to app role.",
 "Group not found for the groupId: %s."),
+ ERROR_CODE_IDP_NOT_FOUND("60002", "IDP doesn't exist.",
+ "IDP with id: %s doesn't exist."),
 ;
 private final String code;
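Review bot: `ERROR_CODE_IDP_NOT_FOUND` is given the code `"60002"` while the visible neighbour `ERROR_CODE_GROUP_NOT_FOUND` is `"60006"`, so the new entry is out of sequence and `60002` may already belong to an earlier constant in this enum (the role-not-found or duplicate-role entries imported by ApplicationRoleManagerImpl are candidates); if it does, API clients cannot tell the two failures apart by code. Confirm the value is unused in `ErrorMessages` or take the next free one, and a one-line comment above the enum stating the convention (`// 600xx: client errors, 650xx: server errors` or whatever the project uses) would prevent the next collision. The enum declaration starts outside the hunk.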
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java
index 0281eb8518e8..c795acc346a5 100644
--- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java
+++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java
@@ -61,6 +61,7 @@
 import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_USER_ALREADY_ASSIGNED;
 import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.ErrorMessages.ERROR_CODE_USER_NOT_FOUND;
 import static org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants.LOCAL_IDP;
+import static org.wso2.carbon.identity.application.role.mgt.constants.SQLConstants.GROUP_ROLE_UNIQUE_CONSTRAINT;
 import static org.wso2.carbon.identity.application.role.mgt.constants.SQLConstants.SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_APP_ID;
 import static org.wso2.carbon.identity.application.role.mgt.constants.SQLConstants.SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_GROUP_ID;
 import static org.wso2.carbon.identity.application.role.mgt.constants.SQLConstants.SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_IDP_ID;
@@ -68,6 +69,7 @@
 import static org.wso2.carbon.identity.application.role.mgt.constants.SQLConstants.SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_ROLE_NAME;
 import static org.wso2.carbon.identity.application.role.mgt.constants.SQLConstants.SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_TENANT_ID;
 import static org.wso2.carbon.identity.application.role.mgt.constants.SQLConstants.SQLPlaceholders.DB_SCHEMA_COLUMN_NAME_USER_ID;
+import static org.wso2.carbon.identity.application.role.mgt.constants.SQLConstants.USER_ROLE_UNIQUE_CONSTRAINT;
 import static org.wso2.carbon.identity.application.role.mgt.util.ApplicationRoleMgtUtils.getNewTemplate;
 import static org.wso2.carbon.identity.application.role.mgt.util.ApplicationRoleMgtUtils.handleServerException;
@@ -247,7 +249,7 @@ public void updateApplicationRoleAssignedUsers(String roleId, List added
 return null;
 });
 } catch (TransactionException e) {
- if (checkUniqueKeyConstrainViolated(e)) {
+ if (checkUniqueKeyConstrainViolated(e, USER_ROLE_UNIQUE_CONSTRAINT)) {
 throw ApplicationRoleMgtUtils.handleClientException(ERROR_CODE_USER_ALREADY_ASSIGNED, roleId);
 }
 throw handleServerException(ERROR_CODE_UPDATE_ROLE_ASSIGNED_USERS, e, roleId);
@@ -317,7 +319,7 @@ public void updateApplicationRoleAssignedGroups(String roleId, IdentityProvider
 return null;
 });
 } catch (TransactionException e) {
- if (checkUniqueKeyConstrainViolated(e)) {
+ if (checkUniqueKeyConstrainViolated(e, GROUP_ROLE_UNIQUE_CONSTRAINT)) {
 throw ApplicationRoleMgtUtils.handleClientException(ERROR_CODE_GROUP_ALREADY_ASSIGNED, roleId);
 }
 throw handleServerException(ERROR_CODE_UPDATE_ROLE_ASSIGNED_GROUPS, e, roleId);
@@ -454,10 +456,10 @@ private String getGroupNamesByID(String groupID, String tenantDomain) return groupIDResolver.getNameByID(groupID, tenantDomain); } - private boolean checkUniqueKeyConstrainViolated(TransactionException e) { + private boolean checkUniqueKeyConstrainViolated(TransactionException e, String constraint) { - return e.getCause().getCause().getMessage().toLowerCase(). - contains(SQLConstants.GROUP_ROLE_UNIQUE_CONSTRAINT.toLowerCase()); + String errorMessage = e.getCause().getCause().getMessage(); + return errorMessage.toLowerCase().contains(constraint.toLowerCase()); } private int getTenantId(String tenantDomain) { diff --git a/features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/h2.sql b/features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/h2.sql index cf7c5532f0b7..6c876edf3df1 100644 --- a/features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/h2.sql +++ b/features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/h2.sql 
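Review bot: The rewritten checkUniqueKeyConstrainViolated still dereferences `e.getCause().getCause().getMessage()` with no null check, so a TransactionException whose cause chain is shorter than two levels, or whose root cause carries no message, turns the intended client error into a NullPointerException thrown from inside the DAO's catch block. Matching the constraint name in the vendor's error text is also fragile: the wording and whether the constraint name appears at all differ between H2 and the other supported databases, and the surrounding catch blocks then fall through to a server error for what is really a duplicate assignment. Prefer walking the cause chain for an `SQLException` and testing for `SQLIntegrityConstraintViolationException` or an SQLState starting with `23`, keeping the name match only as a guarded secondary check: `String msg = root != null ? root.getMessage() : null; return msg != null && msg.toLowerCase(Locale.ROOT).contains(constraint.toLowerCase(Locale.ROOT));`.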
@@ -1261,6 +1261,43 @@ CREATE TABLE IF NOT EXISTS IDN_OAUTH_PAR ( PARAMETERS MEDIUMTEXT ); +CREATE TABLE IF NOT EXISTS APP_ROLE ( + ROLE_ID varchar(255) NOT NULL PRIMARY KEY, + ROLE_NAME varchar(255) NOT NULL, + TENANT_ID INTEGER NOT NULL, + APP_ID varchar(36) NOT NULL, + CURSOR_KEY SERIAL, + UNIQUE (ROLE_NAME, TENANT_ID, APP_ID), + FOREIGN KEY (APP_ID) REFERENCES SP_APP(UUID) ON DELETE CASCADE +); +CREATE TABLE IF NOT EXISTS SHARED_ROLE ( + SHARED_ROLE_ID varchar(255) NOT NULL, + MAIN_ROLE_ID varchar(255) NOT NULL, + UNIQUE (SHARED_ROLE_ID, MAIN_ROLE_ID), + PRIMARY KEY (SHARED_ROLE_ID, MAIN_ROLE_ID), + FOREIGN KEY (SHARED_ROLE_ID) REFERENCES APP_ROLE(ROLE_ID) ON DELETE CASCADE, + FOREIGN KEY (MAIN_ROLE_ID) REFERENCES APP_ROLE(ROLE_ID) ON DELETE CASCADE +); +CREATE TABLE IF NOT EXISTS GROUP_ROLE ( + ROLE_ID varchar(255) NOT NULL, + IDP_ID varchar(255) NOT NULL, + TENANT_ID varchar(255) NOT NULL, + GROUP_ID varchar(255) NOT NULL, + CURSOR_KEY SERIAL, + FOREIGN KEY (ROLE_ID) REFERENCES APP_ROLE(ROLE_ID) ON DELETE CASCADE, + FOREIGN KEY (IDP_ID) REFERENCES IDP(UUID) ON DELETE CASCADE, + CONSTRAINT GROUP_ROLE_UNIQUE UNIQUE (ROLE_ID, IDP_ID, GROUP_ID) +); + +CREATE TABLE IF NOT EXISTS USER_ROLE ( + ROLE_ID varchar(255) NOT NULL, + TENANT_ID varchar(255) NOT NULL, + USER_ID varchar(255) NOT NULL, + CURSOR_KEY SERIAL, + FOREIGN KEY (ROLE_ID) REFERENCES APP_ROLE(ROLE_ID) ON DELETE CASCADE, + CONSTRAINT USER_ROLE_UNIQUE UNIQUE (ROLE_ID, TENANT_ID, USER_ID) +); + -- --------------------------- INDEX CREATION ----------------------------- -- IDN_OAUTH2_ACCESS_TOKEN -- CREATE INDEX IDX_TC ON IDN_OAUTH2_ACCESS_TOKEN(TIME_CREATED); From 24cef0ddab4f3a939bba19c631a624946129f2f3 Mon Sep 17 00:00:00 2001 From: Thilina Shashimal Senarath Date: Mon, 28 Aug 2023 14:27:22 +0530 Subject: [PATCH 08/21] imporve error msg --- .../role/mgt/constants/ApplicationRoleMgtConstants.java | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
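Review bot: TENANT_ID is declared `varchar(255)` in the new GROUP_ROLE and USER_ROLE tables but `INTEGER` in APP_ROLE, so the same tenant identifier is stored with two different types across this schema and the USER_ROLE_UNIQUE constraint keys on a string tenant; tenant-scoped joins or comparisons between these tables will then compare unlike types and, depending on the DAO's parameter binding, may rely on implicit conversion. Declare `TENANT_ID INTEGER NOT NULL` in both assignment tables so it matches APP_ROLE. SHARED_ROLE declares both `UNIQUE (SHARED_ROLE_ID, MAIN_ROLE_ID)` and a PRIMARY KEY over the same pair, which is redundant. Only the H2 script is touched by this hunk; the other vendor scripts presumably need the same tables and constraint names, since the DAO matches on `GROUP_ROLE_UNIQUE` / `USER_ROLE_UNIQUE` by name.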
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/ApplicationRoleMgtConstants.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/ApplicationRoleMgtConstants.java index b326ca5369bb..0428f4a7253e 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/ApplicationRoleMgtConstants.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/constants/ApplicationRoleMgtConstants.java @@ -69,10 +69,10 @@ public enum ErrorMessages { ERROR_CODE_GROUP_ALREADY_ASSIGNED("60004", "Unable to assign group to app role.", "Group already assign for the roleId: %s."), ERROR_CODE_USER_NOT_FOUND("60005", "Unable to assign user to app role.", - "User not found for the userId: %s."), + "Group with id: %s doesn't exist"), ERROR_CODE_GROUP_NOT_FOUND("60006", "Unable to assign group to app role.", - "Group not found for the groupId: %s."), - ERROR_CODE_IDP_NOT_FOUND("60002", "IDP doesn't exist.", + "Group with id: %s doesn't exist"), + ERROR_CODE_IDP_NOT_FOUND("60007", "IDP doesn't exist.", "IDP with id: %s doesn't exist."), ; From 5fc3a85d3ab062770b0eabeaa911da5b1d8dc9e5 Mon Sep 17 00:00:00 2001 
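Review bot: The new description for ERROR_CODE_USER_NOT_FOUND reads `"Group with id: %s doesn't exist"`, yet this code is raised from validateUserIds with a user id, so a client assigning an unknown user is told that a group is missing. It should say `"User with id: %s doesn't exist."`. The change of ERROR_CODE_IDP_NOT_FOUND from `60002` to `60007` removes a code shared with another entry in this enum and should stay.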
From: Thilina Shashimal Senarath Date: Tue, 29 Aug 2023 13:52:19 +0530 Subject: [PATCH 09/21] add return for patch app role --- .../role/mgt/ApplicationRoleManager.java | 5 +++-- .../role/mgt/ApplicationRoleManagerImpl.java | 10 ++++++---- .../role/mgt/dao/ApplicationRoleMgtDAO.java | 9 +++++---- .../dao/impl/ApplicationRoleMgtDAOImpl.java | 18 +++++++++--------- .../CacheBackedApplicationRoleMgtDAOImpl.java | 12 ++++++------ .../role/mgt/model/ApplicationRole.java | 4 ++++ 6 files changed, 33 insertions(+), 25 deletions(-) diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManager.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManager.java index 8fc47b2386bc..1fd7f1605eaf 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManager.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManager.java @@ -83,7 +83,8 @@ void updateApplicationRole(String applicationId, String roleId, String newName, * @param removedUsers List of user IDs to be unassigned. * @throws ApplicationRoleManagementException Error occurred while updating the application role. */ - void updateApplicationRoleAssignedUsers(String roleId, List addedUsers, List removedUsers) + ApplicationRole updateApplicationRoleAssignedUsers(String roleId, List addedUsers, + List removedUsers) throws ApplicationRoleManagementException; /** 
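Review bot: updateApplicationRoleAssignedUsers now returns an ApplicationRole, but the Javadoc tail visible in this hunk (`@param removedUsers`, `@throws`) gains no `@return` tag, so API consumers cannot tell from the interface what the returned object holds; from the DAO change later in this series it appears to carry only the assigned users and no role id — confirm. Add `@return The application role carrying the users assigned to it after the update.` before the `@throws` line. The Javadoc block and method signature begin before this hunk.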
@@ -102,7 +103,7 @@ void updateApplicationRoleAssignedUsers(String roleId, List addedUsers, * @param removedGroups List of group IDs to be unassigned. * @throws ApplicationRoleManagementException Error occurred while updating the application role. */ - void updateApplicationRoleAssignedGroups(String roleId, String idpId, List addedGroups, + ApplicationRole updateApplicationRoleAssignedGroups(String roleId, String idpId, List addedGroups, List removedGroups) throws ApplicationRoleManagementException; /** diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImpl.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImpl.java index 4972f1ede653..e2def326878e 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImpl.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImpl.java @@ -98,12 +98,14 @@ public void deleteApplicationRole(String roleId) throws ApplicationRoleManagemen } @Override - public void updateApplicationRoleAssignedUsers(String roleId, List addedUsers, List removedUsers) + public ApplicationRole updateApplicationRoleAssignedUsers(String roleId, List addedUsers, + List removedUsers) throws ApplicationRoleManagementException { validateAppRoleId(roleId); removeCommonValues(addedUsers, removedUsers); - applicationRoleMgtDAO.updateApplicationRoleAssignedUsers(roleId, addedUsers, removedUsers, getTenantDomain()); + return applicationRoleMgtDAO.updateApplicationRoleAssignedUsers(roleId, addedUsers, removedUsers, + getTenantDomain()); } @Override 
@@ -115,7 +117,7 @@ public ApplicationRole getApplicationRoleAssignedUsers(String roleId) } @Override - public void updateApplicationRoleAssignedGroups(String roleId, String idpId, List addedGroups, + public ApplicationRole updateApplicationRoleAssignedGroups(String roleId, String idpId, List addedGroups, List removedGroups) throws ApplicationRoleManagementException { @@ -134,7 +136,7 @@ public void updateApplicationRoleAssignedGroups(String roleId, String idpId, Lis throw handleClientException(ERROR_CODE_IDP_NOT_FOUND, idpId); } removeCommonValues(addedGroups, removedGroups); - applicationRoleMgtDAO.updateApplicationRoleAssignedGroups(roleId, identityProvider, + return applicationRoleMgtDAO.updateApplicationRoleAssignedGroups(roleId, identityProvider, addedGroups, removedGroups, getTenantDomain()); } catch (IdentityProviderManagementException e) { throw new ApplicationRoleManagementException("Error while retrieving idp", diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/ApplicationRoleMgtDAO.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/ApplicationRoleMgtDAO.java index 580da77dc8c9..f5d58bf46997 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/ApplicationRoleMgtDAO.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/ApplicationRoleMgtDAO.java 
@@ -49,15 +49,16 @@ boolean isExistingRole(String applicationId, String roleName, String tenantDomai boolean checkRoleExists(String roleId, String tenantDomain) throws ApplicationRoleManagementServerException; - void updateApplicationRoleAssignedUsers(String roleId, List addedUsers, List removedUsers, - String tenantDomain) throws + ApplicationRole updateApplicationRoleAssignedUsers(String roleId, List addedUsers, + List removedUsers, String tenantDomain) throws ApplicationRoleManagementException; ApplicationRole getApplicationRoleAssignedUsers(String roleId, String tenantDomain) throws ApplicationRoleManagementException; - void updateApplicationRoleAssignedGroups(String roleId, IdentityProvider identityProvider, List addedGroups, - List removedGroups, String tenantDomain) + ApplicationRole updateApplicationRoleAssignedGroups(String roleId, IdentityProvider identityProvider, + List addedGroups, List removedGroups, + String tenantDomain) throws ApplicationRoleManagementException; ApplicationRole getApplicationRoleAssignedGroups(String roleId, IdentityProvider identityProvider, diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java index c795acc346a5..9314caba7eb0 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java 
@@ -219,8 +219,8 @@ public boolean checkRoleExists(String roleId, String tenantDomain) throws Applic } @Override - public void updateApplicationRoleAssignedUsers(String roleId, List addedUsers, List removedUsers, - String tenantDomain) + public ApplicationRole updateApplicationRoleAssignedUsers(String roleId, List addedUsers, + List removedUsers, String tenantDomain) throws ApplicationRoleManagementException { // Validate given userIds are exists. @@ -228,7 +228,7 @@ public void updateApplicationRoleAssignedUsers(String roleId, List added validateUserIds(removedUsers, tenantDomain); NamedJdbcTemplate namedJdbcTemplate = getNewTemplate(); try { - namedJdbcTemplate.withTransaction(template -> { + return namedJdbcTemplate.withTransaction(template -> { namedJdbcTemplate.executeBatchInsert(SQLConstants.ADD_APPLICATION_ROLE_USER, (preparedStatement -> { for (String userId : addedUsers) { preparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, roleId); @@ -246,7 +246,7 @@ public void updateApplicationRoleAssignedUsers(String roleId, List added getTenantId(tenantDomain)); }); } - return null; + return getApplicationRoleAssignedUsers(roleId, tenantDomain); }); } catch (TransactionException e) { if (checkUniqueKeyConstrainViolated(e, USER_ROLE_UNIQUE_CONSTRAINT)) { @@ -272,7 +272,7 @@ public ApplicationRole getApplicationRoleAssignedUsers(String roleId, String ten for (User user : users) { user.setUserName(getUserNamesByID(user.getId(), tenantDomain)); } - ApplicationRole applicationRole = new ApplicationRole(roleId); + ApplicationRole applicationRole = new ApplicationRole(); applicationRole.setAssignedUsers(users); return applicationRole; } catch (DataAccessException e) { 
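Review bot: Inside the `withTransaction` callback the batch insert is still issued on the outer `namedJdbcTemplate` rather than on the `template` parameter the callback receives, and the new `return getApplicationRoleAssignedUsers(roleId, tenantDomain)` reads back through a fresh template as well. If the transactional connection is not bound to the calling thread by NamedJdbcTemplate, the inserts and deletes run outside the transaction and the read-back may not observe them — whereas addApplicationRole in this same class issues its insert on `template`. Use `template.executeBatchInsert(...)` here, and prefer performing the read-back after `withTransaction` returns so a failed read cannot roll back a successful assignment.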
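Review bot: Replacing `new ApplicationRole(roleId)` with `new ApplicationRole()` drops the role id from the object returned by getApplicationRoleAssignedUsers, which as of this patch is also the return value of the update call; callers receive a list of users with no indication of which role it belongs to, and the `roleId` parameter no longer contributes to the result. Unless stripping the id is intentional for the API layer, keep `ApplicationRole applicationRole = new ApplicationRole(roleId);`. The group counterpart at `@@ -361` makes the same change.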
@@ -281,7 +281,7 @@ public ApplicationRole getApplicationRoleAssignedUsers(String roleId, String ten } @Override - public void updateApplicationRoleAssignedGroups(String roleId, IdentityProvider identityProvider, + public ApplicationRole updateApplicationRoleAssignedGroups(String roleId, IdentityProvider identityProvider, List addedGroups, List removedGroups, String tenantDomain) throws ApplicationRoleManagementException { @@ -290,7 +290,7 @@ public void updateApplicationRoleAssignedGroups(String roleId, IdentityProvider validateGroupIds(identityProvider, removedGroups, tenantDomain); NamedJdbcTemplate namedJdbcTemplate = getNewTemplate(); try { - namedJdbcTemplate.withTransaction(template -> { + return namedJdbcTemplate.withTransaction(template -> { if (addedGroups.size() > 0) { namedJdbcTemplate.executeBatchInsert(SQLConstants.ADD_APPLICATION_ROLE_GROUP, (preparedStatement -> { @@ -316,7 +316,7 @@ public void updateApplicationRoleAssignedGroups(String roleId, IdentityProvider }); } } - return null; + return getApplicationRoleAssignedGroups(roleId, identityProvider, tenantDomain); }); } catch (TransactionException e) { if (checkUniqueKeyConstrainViolated(e, GROUP_ROLE_UNIQUE_CONSTRAINT)) { @@ -361,7 +361,7 @@ public ApplicationRole getApplicationRoleAssignedGroups(String roleId, IdentityP } } } - ApplicationRole applicationRole = new ApplicationRole(roleId); + ApplicationRole applicationRole = new ApplicationRole(); applicationRole.setAssignedGroups(groups); return applicationRole; } catch (DataAccessException e) { diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/CacheBackedApplicationRoleMgtDAOImpl.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/CacheBackedApplicationRoleMgtDAOImpl.java index 276a260389e2..fc1f63914a5a 100644 
--- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/CacheBackedApplicationRoleMgtDAOImpl.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/CacheBackedApplicationRoleMgtDAOImpl.java @@ -108,11 +108,11 @@ public boolean checkRoleExists(String roleId, String tenantDomain) throws Applic } @Override - public void updateApplicationRoleAssignedUsers(String roleId, List addedUsers, List removedUsers, - String tenantDomain) + public ApplicationRole updateApplicationRoleAssignedUsers(String roleId, List addedUsers, + List removedUsers, String tenantDomain) throws ApplicationRoleManagementException { - applicationRoleMgtDAO.updateApplicationRoleAssignedUsers(roleId, addedUsers, removedUsers, tenantDomain); + return applicationRoleMgtDAO.updateApplicationRoleAssignedUsers(roleId, addedUsers, removedUsers, tenantDomain); } @Override @@ -130,13 +130,13 @@ public ApplicationRole getApplicationRoleAssignedUsers(String roleId, String ten } @Override - public void updateApplicationRoleAssignedGroups(String roleId, IdentityProvider identityProvider, + public ApplicationRole updateApplicationRoleAssignedGroups(String roleId, IdentityProvider identityProvider, List addedGroups, List removedGroups, String tenantDomain) throws ApplicationRoleManagementException { - applicationRoleMgtDAO.updateApplicationRoleAssignedGroups(roleId, identityProvider, addedGroups, removedGroups, - tenantDomain); + return applicationRoleMgtDAO.updateApplicationRoleAssignedGroups(roleId, identityProvider, addedGroups, + removedGroups, tenantDomain); } @Override 
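Review bot: Both updated delegations in the cache-backed DAO return the underlying DAO's result straight through without touching ApplicationRoleCache; if the cache-backed getApplicationRoleAssignedUsers/Groups (only their tail is visible here) serve from a per-role cache entry, a user or group removed from a role will keep appearing as assigned until the entry expires, which is authorization-relevant staleness. Clear the entry for `roleId` before delegating, for example `applicationRoleCache.clearCacheEntry(new ApplicationRoleCacheKey(roleId), tenantDomain);` using the cache classes this module adds — confirm the exact key and clear API against ApplicationRoleCache.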
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/model/ApplicationRole.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/model/ApplicationRole.java index 650378f522af..424a566cbd59 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/model/ApplicationRole.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/model/ApplicationRole.java @@ -60,6 +60,10 @@ public ApplicationRole(String roleName, String applicationId) { this.applicationId = applicationId; } + public ApplicationRole() { + + } + public ApplicationRole(String roleId) { this.roleId = roleId; From 7cedd732f2851ac8f024887f3e3fa55a47e6a39a Mon Sep 17 00:00:00 2001 
From: Thilina Shashimal Senarath Date: Thu, 31 Aug 2023 12:53:06 +0530 Subject: [PATCH 10/21] initial unit tests --- .../pom.xml | 35 +- .../dao/impl/ApplicationRoleMgtDAOImpl.java | 35 +- .../mgt/util/ApplicationRoleMgtUtils.java | 78 + .../role/mgt/util/GroupIDResolver.java | 86 - .../application/role/mgt/util/IDResolver.java | 32 - .../role/mgt/util/UserIDResolver.java | 87 - .../role/mgt/ApplicationRoleManagerTest.java | 7 + .../impl/ApplicationRoleMgtDAOImplTest.java | 217 +++ .../src/test/resources/dbscripts/h2.sql | 1402 +++++++++++++++++ .../test/resources/repository.conf/carbon.xml | 686 ++++++++ .../repository.conf/identity/identity.xml | 996 ++++++++++++ .../src/test/resources/testng.xml | 28 + 12 files changed, 3459 insertions(+), 230 deletions(-) delete mode 100644 components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/GroupIDResolver.java delete mode 100644 components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/IDResolver.java delete mode 100644 components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/UserIDResolver.java create mode 100644 components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerTest.java create mode 100644 components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImplTest.java create mode 100644 components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/resources/dbscripts/h2.sql create mode 100644 components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/resources/repository.conf/carbon.xml create mode 100644 
components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/resources/repository.conf/identity/identity.xml create mode 100644 components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/resources/testng.xml diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/pom.xml b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/pom.xml index 6dd09e1c5741..80bd924b84df 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/pom.xml +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/pom.xml @@ -54,21 +54,46 @@ org.wso2.carbon.identity.framework org.wso2.carbon.identity.core - - org.testng - testng - test + org.wso2.carbon.identity.framework + org.wso2.carbon.idp.mgt + org.jacoco org.jacoco.agent runtime test + + org.testng + testng + test + + + com.h2database + h2 + test + + + org.powermock + powermock-api-mockito2 + test + + + org.powermock + powermock-module-testng + test + + + org.powermock + powermock-module-testng-common + test + org.wso2.carbon.identity.framework - org.wso2.carbon.idp.mgt + org.wso2.carbon.identity.testutil + test diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java index 9314caba7eb0..9ae78b615100 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java 
+++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java @@ -34,8 +34,6 @@ import org.wso2.carbon.identity.application.role.mgt.model.Group; import org.wso2.carbon.identity.application.role.mgt.model.User; import org.wso2.carbon.identity.application.role.mgt.util.ApplicationRoleMgtUtils; -import org.wso2.carbon.identity.application.role.mgt.util.GroupIDResolver; -import org.wso2.carbon.identity.application.role.mgt.util.UserIDResolver; import org.wso2.carbon.identity.core.util.IdentityTenantUtil; import org.wso2.carbon.utils.multitenancy.MultitenantConstants; @@ -79,8 +77,6 @@ public class ApplicationRoleMgtDAOImpl implements ApplicationRoleMgtDAO { private static final Log LOG = LogFactory.getLog(ApplicationRoleMgtDAOImpl.class); - private final UserIDResolver userIDResolver = new UserIDResolver(); - private final GroupIDResolver groupIDResolver = new GroupIDResolver(); @Override public ApplicationRole addApplicationRole(ApplicationRole applicationRole, String tenantDomain) 
@@ -88,20 +84,18 @@ public ApplicationRole addApplicationRole(ApplicationRole applicationRole, Strin NamedJdbcTemplate namedJdbcTemplate = getNewTemplate(); try { - namedJdbcTemplate.withTransaction(template -> { - template.executeInsert(SQLConstants.ADD_APPLICATION_ROLE, namedPreparedStatement -> { - namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, applicationRole.getRoleId()); - namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_APP_ID, applicationRole.getApplicationId()); - namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_NAME, applicationRole.getRoleName()); - namedPreparedStatement.setInt(DB_SCHEMA_COLUMN_NAME_TENANT_ID, getTenantId(tenantDomain)); - }, null, false); - return null; - }); + namedJdbcTemplate.withTransaction(template -> template.executeInsert(SQLConstants.ADD_APPLICATION_ROLE, + namedPreparedStatement -> { + namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, applicationRole.getRoleId()); + namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_APP_ID, applicationRole.getApplicationId()); + namedPreparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_NAME, applicationRole.getRoleName()); + namedPreparedStatement.setInt(DB_SCHEMA_COLUMN_NAME_TENANT_ID, getTenantId(tenantDomain)); + }, null, false)); + return getApplicationRoleById(applicationRole.getRoleId(), tenantDomain); } catch (TransactionException e) { throw handleServerException(ERROR_CODE_INSERT_ROLE, e, applicationRole.getRoleName(), applicationRole.getApplicationId()); } - return applicationRole; } @Override @@ -228,7 +222,7 @@ public ApplicationRole updateApplicationRoleAssignedUsers(String roleId, List { + namedJdbcTemplate.withTransaction(template -> { namedJdbcTemplate.executeBatchInsert(SQLConstants.ADD_APPLICATION_ROLE_USER, (preparedStatement -> { for (String userId : addedUsers) { preparedStatement.setString(DB_SCHEMA_COLUMN_NAME_ROLE_ID, roleId); 
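Review bot: A violation of the `UNIQUE (ROLE_NAME, TENANT_ID, APP_ID)` constraint in addApplicationRole still surfaces as the ERROR_CODE_INSERT_ROLE server error, while the user and group assignment paths of this same class map constraint violations to a client error through checkUniqueKeyConstrainViolated; two concurrent creates of the same role name therefore produce a server-side failure for what is a client-side duplicate. If the manager's isExistingRole pre-check is the only guard, apply the same mapping here. The new read-back `return getApplicationRoleById(applicationRole.getRoleId(), tenantDomain);` also means the method now throws when the read fails even though the insert has already committed; a comment stating that the returned object is re-read from the database would help callers.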
@@ -246,8 +240,9 @@ public ApplicationRole updateApplicationRoleAssignedUsers(String roleId, List gro if (LOCAL_IDP.equals(identityProvider.getIdentityProviderName())) { for (String groupId : groups) { - boolean isExists = groupIDResolver.isExists(groupId, tenantDomain); + boolean isExists = ApplicationRoleMgtUtils.isGroupExists(groupId); if (!isExists) { throw ApplicationRoleMgtUtils.handleClientException(ERROR_CODE_GROUP_NOT_FOUND, groupId); } @@ -437,7 +432,7 @@ public void validateUserIds(List users, String tenantDomain) throws ApplicationRoleManagementException { for (String userId : users) { - boolean isExists = userIDResolver.isExists(userId, tenantDomain); + boolean isExists = ApplicationRoleMgtUtils.isUserExists(userId); if (!isExists) { throw ApplicationRoleMgtUtils.handleClientException(ERROR_CODE_USER_NOT_FOUND, userId); } @@ -447,13 +442,13 @@ public void validateUserIds(List users, String tenantDomain) private String getUserNamesByID(String userID, String tenantDomain) throws ApplicationRoleManagementException { - return userIDResolver.getNameByID(userID, tenantDomain); + return ApplicationRoleMgtUtils.getUserNameByID(userID, tenantDomain); } private String getGroupNamesByID(String groupID, String tenantDomain) throws ApplicationRoleManagementException { - return groupIDResolver.getNameByID(groupID, tenantDomain); + return ApplicationRoleMgtUtils.getGroupNameByID(groupID, tenantDomain); } private boolean checkUniqueKeyConstrainViolated(TransactionException e, String constraint) { diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/ApplicationRoleMgtUtils.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/ApplicationRoleMgtUtils.java index 98bfd2203113..f231e32b887c 100644 
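Review bot: `ApplicationRoleMgtUtils.isUserExists(userId)` in the `@@ -437` hunk no longer receives `tenantDomain`; the utility introduced by this same patch resolves the user store from `PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId()`, so validateUserIds now checks existence in whichever tenant is on the calling thread and silently ignores the tenant the DAO was asked to operate on. When the thread-local tenant differs from `tenantDomain`, an assignment can be validated against the wrong user store. Pass the tenant through, `ApplicationRoleMgtUtils.isUserExists(userId, tenantDomain)`, and have the utility resolve the realm from it; the group check replaced in the `@@ -246` hunk above (which appears truncated in this rendering) has the same issue.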
--- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/ApplicationRoleMgtUtils.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/ApplicationRoleMgtUtils.java @@ -19,11 +19,18 @@ package org.wso2.carbon.identity.application.role.mgt.util; import org.apache.commons.lang.ArrayUtils; +import org.wso2.carbon.context.PrivilegedCarbonContext; import org.wso2.carbon.database.utils.jdbc.NamedJdbcTemplate; import org.wso2.carbon.identity.application.role.mgt.constants.ApplicationRoleMgtConstants; import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementClientException; +import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementException; import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementServerException; +import org.wso2.carbon.identity.application.role.mgt.internal.ApplicationRoleMgtServiceComponentHolder; import org.wso2.carbon.identity.core.util.IdentityDatabaseUtil; +import org.wso2.carbon.user.api.UserRealm; +import org.wso2.carbon.user.api.UserStoreException; +import org.wso2.carbon.user.core.common.AbstractUserStoreManager; +import org.wso2.carbon.user.core.service.RealmService; /** * Application role management util. 
@@ -74,4 +81,75 @@ public static ApplicationRoleManagementClientException handleClientException( } return new ApplicationRoleManagementClientException(error.getMessage(), description, error.getCode()); } + + public static boolean isGroupExists(String id) throws ApplicationRoleManagementException { + + AbstractUserStoreManager userStoreManager; + try { + userStoreManager = getUserStoreManager(PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId()); + return userStoreManager.isGroupExist(id); + } catch (UserStoreException e) { + throw new ApplicationRoleManagementServerException("Error occurred while retrieving the userstore manager " + + "to resolve group name for the groupID", "Error occurred while retrieving the userstore manager " + + "to resolve group name for the groupID: " + id, e); + } + } + public static String getGroupNameByID(String id, String tenantDomain) throws ApplicationRoleManagementException { + + String groupName; + AbstractUserStoreManager userStoreManager; + try { + userStoreManager = getUserStoreManager(PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId()); + groupName = userStoreManager.getGroupNameByGroupId(id); + } catch (UserStoreException e) { + throw new ApplicationRoleManagementServerException("Error occurred while retrieving the userstore manager " + + "to resolve group name for the groupID", "Error occurred while retrieving the userstore manager " + + "to resolve group name for the groupID: " + id, e); + } + if (groupName == null) { + String errorMessage = "A group doesn't exist with id: " + id + " in the tenantDomain: " + tenantDomain; + throw new ApplicationRoleManagementClientException(errorMessage, errorMessage, ""); + } + return groupName; + } + + public static boolean isUserExists(String id) throws ApplicationRoleManagementException { + + AbstractUserStoreManager userStoreManager; + try { + userStoreManager = getUserStoreManager(PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId()); + 
return userStoreManager.isExistingUserWithID(id); + } catch (UserStoreException e) { + throw new ApplicationRoleManagementServerException("Error occurred while retrieving the userstore manager " + + "to resolve group name for the groupID", "Error occurred while retrieving the userstore manager " + + "to resolve group name for the groupID: " + id, e); + } + } + + public static String getUserNameByID(String id, String tenantDomain) throws ApplicationRoleManagementException { + + String userName; + AbstractUserStoreManager userStoreManager; + try { + userStoreManager = getUserStoreManager(PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId()); + userName = userStoreManager.getUserNameFromUserID(id); + } catch (UserStoreException e) { + throw new ApplicationRoleManagementServerException("Error occurred while retrieving the userstore manager " + + "to resolve username for the groupID", "Error occurred while retrieving the userstore manager " + + "to resolve username for the groupID: " + id, e); + } + if (userName == null) { + String errorMessage = "A user doesn't exist with id: " + id + " in the tenantDomain: " + tenantDomain; + throw new ApplicationRoleManagementClientException(errorMessage, errorMessage, ""); + } + return userName; + } + + private static AbstractUserStoreManager getUserStoreManager(int tenantId) throws UserStoreException { + + RealmService realmService = ApplicationRoleMgtServiceComponentHolder.getInstance().getRealmService(); + UserRealm tenantUserRealm = realmService.getTenantUserRealm(tenantId); + + return (AbstractUserStoreManager) tenantUserRealm.getUserStoreManager(); + } } 
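Review bot: Every lookup in the new helpers resolves the user store from the thread-local tenant (`PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId()`) while the `tenantDomain` argument of getGroupNameByID/getUserNameByID is used only in error text and isGroupExists/isUserExists take no tenant at all, so an id is checked or resolved in whichever tenant happens to be on the calling thread rather than the one the DAO was given. Resolve the realm from the supplied tenant domain instead — RealmService already exposes a TenantManager, so no new import is needed — and thread `tenantDomain` through both existence checks. The error messages in isUserExists and getUserNameByID are copied from the group helpers and still say `to resolve group name for the groupID`. The not-found client exceptions are built with an empty error code (`""`) although the module's ErrorMessages enum already defines ERROR_CODE_USER_NOT_FOUND and ERROR_CODE_GROUP_NOT_FOUND with a proper code.
```java
public static boolean isUserExists(String id, String tenantDomain) throws ApplicationRoleManagementException {

    try {
        return getUserStoreManager(tenantDomain).isExistingUserWithID(id);
    } catch (UserStoreException e) {
        throw new ApplicationRoleManagementServerException("Error occurred while retrieving the userstore manager "
                + "to resolve the user for the userID", "Error occurred while retrieving the userstore manager "
                + "to resolve the user for the userID: " + id, e);
    }
}

// … unchanged: isGroupExists / getGroupNameByID / getUserNameByID, each calling getUserStoreManager(tenantDomain) …

private static AbstractUserStoreManager getUserStoreManager(String tenantDomain) throws UserStoreException {

    RealmService realmService = ApplicationRoleMgtServiceComponentHolder.getInstance().getRealmService();
    // Resolve the tenant from the domain the caller passed, not from the thread-local context.
    int tenantId = realmService.getTenantManager().getTenantId(tenantDomain);
    UserRealm tenantUserRealm = realmService.getTenantUserRealm(tenantId);
    return (AbstractUserStoreManager) tenantUserRealm.getUserStoreManager();
}
```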
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/GroupIDResolver.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/GroupIDResolver.java
deleted file mode 100644
index a6418b532849..000000000000
--- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/GroupIDResolver.java
+++ /dev/null
@@ -1,86 +0,0 @@
-/*
- * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com).
- *
- * WSO2 LLC. licenses this file to you under the Apache License,
- * Version 2.0 (the "License"); you may not use this file except
- * in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.wso2.carbon.identity.application.role.mgt.util;
-
-import org.wso2.carbon.context.PrivilegedCarbonContext;
-import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementClientException;
-import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementException;
-import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementServerException;
-import org.wso2.carbon.identity.application.role.mgt.internal.ApplicationRoleMgtServiceComponentHolder;
-import org.wso2.carbon.user.api.UserRealm;
-import org.wso2.carbon.user.api.UserStoreException;
-import org.wso2.carbon.user.core.common.AbstractUserStoreManager;
-import org.wso2.carbon.user.core.service.RealmService;
-
-/**
- * GroupId Resolver.
- */
-public class GroupIDResolver implements IDResolver {
-
- @Override
- public String getNameByID(String id, String tenantDomain) throws ApplicationRoleManagementException {
-
- String groupName = resolveGroupNameFromGroupID(id);
- if (groupName == null) {
- String errorMessage = "A group doesn't exist with id: " + id + " in the tenantDomain: " + tenantDomain;
- throw new ApplicationRoleManagementClientException(errorMessage, errorMessage, "");
- }
- return groupName;
- }
-
- @Override
- public boolean isExists(String id, String tenantDomain) throws ApplicationRoleManagementException {
-
- return isGroupExists(id);
- }
-
- private boolean isGroupExists(String id) throws ApplicationRoleManagementException {
-
- AbstractUserStoreManager userStoreManager;
- try {
- userStoreManager = getUserStoreManager(PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId());
- return userStoreManager.isGroupExist(id);
- } catch (UserStoreException e) {
- throw new ApplicationRoleManagementServerException("Error occurred while retrieving the userstore manager "
- + "to resolve group name for the groupID", "Error occurred while retrieving the userstore manager "
- + "to resolve group name for the groupID: " + id, e);
- }
- }
-
- private String resolveGroupNameFromGroupID(String id) throws ApplicationRoleManagementException {
-
- AbstractUserStoreManager userStoreManager;
- try {
- userStoreManager = getUserStoreManager(PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId());
- return userStoreManager.getGroupNameByGroupId(id);
- } catch (UserStoreException e) {
- throw new ApplicationRoleManagementServerException("Error occurred while retrieving the userstore manager "
- + "to resolve group name for the groupID", "Error occurred while retrieving the userstore manager "
- + "to resolve group name for the groupID: " + id, e);
- }
- }
-
- private AbstractUserStoreManager getUserStoreManager(int tenantId) throws UserStoreException {
-
- RealmService realmService = ApplicationRoleMgtServiceComponentHolder.getInstance().getRealmService();
- UserRealm tenantUserRealm = realmService.getTenantUserRealm(tenantId);
-
- return (AbstractUserStoreManager) tenantUserRealm.getUserStoreManager();
- }
-}
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/IDResolver.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/IDResolver.java
deleted file mode 100644
index 4fa78bd66d33..000000000000
--- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/IDResolver.java
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com).
- *
- * WSO2 LLC. licenses this file to you under the Apache License,
- * Version 2.0 (the "License"); you may not use this file except
- * in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.wso2.carbon.identity.application.role.mgt.util;
-
-import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementException;
-
-/**
- * Id Resolver.
- */
-public interface IDResolver {
-
- String getNameByID(String id, String tenantDomain) throws ApplicationRoleManagementException;
-
- boolean isExists(String id, String tenantDomain) throws ApplicationRoleManagementException;
-
-}
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/UserIDResolver.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/UserIDResolver.java
deleted file mode 100644
index f33e645c290a..000000000000
--- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/UserIDResolver.java
+++ /dev/null
@@ -1,87 +0,0 @@
-/*
- * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.com).
- *
- * WSO2 LLC. licenses this file to you under the Apache License,
- * Version 2.0 (the "License"); you may not use this file except
- * in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.wso2.carbon.identity.application.role.mgt.util;
-
-import org.wso2.carbon.context.PrivilegedCarbonContext;
-import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementClientException;
-import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementException;
-import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementServerException;
-import org.wso2.carbon.identity.application.role.mgt.internal.ApplicationRoleMgtServiceComponentHolder;
-import org.wso2.carbon.user.api.UserRealm;
-import org.wso2.carbon.user.api.UserStoreException;
-import org.wso2.carbon.user.core.common.AbstractUserStoreManager;
-import org.wso2.carbon.user.core.service.RealmService;
-
-/**
- * UserId Resolver.
- */
-public class UserIDResolver implements IDResolver {
-
- @Override
- public String getNameByID(String id, String tenantDomain) throws ApplicationRoleManagementException {
-
- String userName = resolveUserNameFromUserID(id);
- if (userName == null) {
- String errorMessage = "A user doesn't exist with id: " + id + " in the tenantDomain: " + tenantDomain;
- throw new ApplicationRoleManagementClientException(errorMessage, errorMessage, "");
- }
- return userName;
- }
-
- @Override
- public boolean isExists(String id, String tenantDomain) throws ApplicationRoleManagementException {
-
- return isGroupExists(id);
- }
-
- private boolean isGroupExists(String id) throws ApplicationRoleManagementException {
-
- AbstractUserStoreManager userStoreManager;
- try {
- userStoreManager = getUserStoreManager(PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId());
- return userStoreManager.isExistingUserWithID(id);
- } catch (UserStoreException e) {
- throw new ApplicationRoleManagementServerException("Error occurred while retrieving the userstore manager "
- + "to resolve group name for the groupID", "Error occurred while retrieving the userstore manager "
- + "to resolve group name for the groupID: " + id, e);
- }
- }
-
- public String resolveUserNameFromUserID(String id) throws ApplicationRoleManagementException {
-
- AbstractUserStoreManager userStoreManager;
- try {
- userStoreManager = getUserStoreManager(PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId());
- return userStoreManager.getUserNameFromUserID(id);
- } catch (UserStoreException e) {
- throw new ApplicationRoleManagementServerException("Error occurred while retrieving the userstore manager "
- + "to resolve username for the groupID", "Error occurred while retrieving the userstore manager "
- + "to resolve username for the groupID: " + id, e);
- }
- }
-
- private AbstractUserStoreManager getUserStoreManager(int tenantId) throws UserStoreException {
-
- RealmService realmService = ApplicationRoleMgtServiceComponentHolder.getInstance().getRealmService();
- UserRealm tenantUserRealm = realmService.getTenantUserRealm(tenantId);
-
- return (AbstractUserStoreManager) tenantUserRealm.getUserStoreManager();
- }
-
-}
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerTest.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerTest.java
new file mode 100644
index 000000000000..084365c5813a
--- /dev/null
+++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerTest.java
@@ -0,0 +1,7 @@
+package org.wso2.carbon.identity.application.role.mgt;
+
+import org.powermock.modules.testng.PowerMockTestCase;
+
+public class ApplicationRoleManagerTest extends PowerMockTestCase {
+
+}
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImplTest.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImplTest.java
new file mode 100644
index 000000000000..e6ed6fba43e2
--- /dev/null
+++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImplTest.java
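Review bot: `ApplicationRoleManagerTest` is added as an empty `PowerMockTestCase` subclass with no test methods and, unlike the Java sources this commit removes, no license header. An empty test class reports a green suite for `ApplicationRoleManagerImpl` without exercising it, so either the manager-level tests should come with the file or the file should wait until they exist. If it is meant as a placeholder, a `// TODO(<owner>): cover ApplicationRoleManagerImpl; no assertions yet` on the class body would make that visible to the next reader.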
@@ -0,0 +1,217 @@
+package org.wso2.carbon.identity.application.role.mgt.dao.impl;
+
+import org.apache.commons.dbcp.BasicDataSource;
+import org.apache.commons.lang.StringUtils;
+import org.mockito.Mockito;
+import org.powermock.core.classloader.annotations.PrepareForTest;
+import org.powermock.modules.testng.PowerMockTestCase;
+import org.testng.Assert;
+import org.testng.annotations.AfterClass;
+import org.testng.annotations.BeforeClass;
+import org.testng.annotations.DataProvider;
+import org.testng.annotations.Test;
+import org.wso2.carbon.database.utils.jdbc.NamedJdbcTemplate;
+import org.wso2.carbon.identity.application.common.model.IdPGroup;
+import org.wso2.carbon.identity.application.common.model.IdentityProvider;
+import org.wso2.carbon.identity.application.role.mgt.model.ApplicationRole;
+import org.wso2.carbon.identity.application.role.mgt.util.ApplicationRoleMgtUtils;
+import org.wso2.carbon.identity.core.persistence.JDBCPersistenceManager;
+import org.wso2.carbon.identity.core.util.IdentityDatabaseUtil;
+import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
+
+import java.nio.file.Paths;
+import java.sql.Connection;
+import java.sql.SQLException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import javax.sql.DataSource;
+
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.powermock.api.mockito.PowerMockito.mockStatic;
+import static org.powermock.api.mockito.PowerMockito.when;
+
+@PrepareForTest({DataSource.class, JDBCPersistenceManager.class, IdentityTenantUtil.class,
+ ApplicationRoleMgtUtils.class, IdentityDatabaseUtil.class})
+public class ApplicationRoleMgtDAOImplTest extends PowerMockTestCase {
+
+ private static final String DB_NAME = "application_role_mgt_dao_db";
+ private static final String TENANT_DOMAIN = "TEST_TENANT_DOMAIN";
+ private static final int TENANT_ID = 2;
+ private static final int APP_ID = 1;
+ private static final String APP_NAME = "TEST_APP_NAME";
+ private static final String USER_STORE = "TEST_USER_STORE";
+ private static final String USERNAME = "TEST_USERNAME";
+ private static final String AUTH_TYPE = "TEST_AUTH_TYPE";
+ private static final String ROLE_ID = "TEST_ROLE_ID";
+ private static final String ROLE_NAME = "TEST_ROLE_NAME";
+ private static final int IDP_ID = 1;
+ private static final String IDP_NAME = "TEST_IDP_NAME";
+
+ private static Map dataSourceMap = new HashMap<>();
+ private ApplicationRoleMgtDAOImpl daoImpl;
+ Connection connection = null;
+
+ @BeforeClass
+ public void setUp() throws Exception {
+
+ daoImpl = new ApplicationRoleMgtDAOImpl();
+ initiateH2Database(getFilePath());
+ populateApplication();
+ populateIdp();
+ }
+
+ @AfterClass
+ public void tearDown() throws Exception {
+
+ closeH2Database();
+ }
+
+ @Test
+ public void testAddApplicationRole() throws Exception {
+
+ mockStatic(IdentityTenantUtil.class);
+ when(IdentityTenantUtil.getTenantId(TENANT_DOMAIN)).thenReturn(TENANT_ID);
+ mockStatic(IdentityDatabaseUtil.class);
+ Mockito.when(IdentityDatabaseUtil.getDataSource()).thenReturn(dataSourceMap.get(DB_NAME));
+ ApplicationRole applicationRole = new ApplicationRole();
+ applicationRole.setApplicationId(String.valueOf(APP_ID));
+ applicationRole.setRoleId(ROLE_ID);
+ applicationRole.setRoleName(ROLE_NAME);
+ ApplicationRole addedApplicationRole = daoImpl.addApplicationRole(applicationRole, TENANT_DOMAIN);
+ Assert.assertNotNull(addedApplicationRole);
+ }
+
+ @DataProvider
+ public Object[][] updateApplicationRoleAssignedUsersData() {
+ return new Object[][]{
+ {new ArrayList<>(Arrays.asList("USER_1", "USER_2", "USER_3")),
+ new ArrayList<>(Collections.emptyList()),
+ },
+
+ };
+ }
+
+ @Test(dataProvider = "updateApplicationRoleAssignedUsersData", priority = 2)
+ public void testUpdateApplicationRoleAssignedUsers(List addedUsers, List removedUsers)
+ throws Exception {
+
+ mockStatic(ApplicationRoleMgtUtils.class);
+ mockStatic(IdentityTenantUtil.class);
+ when(IdentityTenantUtil.getTenantId(TENANT_DOMAIN)).thenReturn(TENANT_ID);
+ when(ApplicationRoleMgtUtils.getNewTemplate()).thenReturn(new NamedJdbcTemplate(dataSourceMap.get(DB_NAME)));
+ when(ApplicationRoleMgtUtils.isUserExists(anyString())).thenReturn(true);
+ ApplicationRole role =
+ daoImpl.updateApplicationRoleAssignedUsers(ROLE_ID, addedUsers, removedUsers, TENANT_DOMAIN);
+ Assert.assertEquals(role.getAssignedUsers().size(), addedUsers.size());
+ }
+
+ @DataProvider
+ public Object[][] updateApplicationRoleAssignedGroupsData() {
+ return new Object[][]{
+ {new ArrayList<>(Arrays.asList("GROUP_1", "GROUP_2", "GROUP_3")),
+ new ArrayList<>(Collections.emptyList()),
+ },
+
+ };
+ }
+
+ @Test(dataProvider = "updateApplicationRoleAssignedGroupsData", priority = 2)
+ public void testUpdateApplicationRoleAssignedGroups(List addedGroups, List removedGroups)
+ throws Exception {
+
+ mockStatic(ApplicationRoleMgtUtils.class);
+ mockStatic(IdentityTenantUtil.class);
+ when(IdentityTenantUtil.getTenantId(TENANT_DOMAIN)).thenReturn(TENANT_ID);
+ when(ApplicationRoleMgtUtils.getNewTemplate()).thenReturn(new NamedJdbcTemplate(dataSourceMap.get(DB_NAME)));
+ when(ApplicationRoleMgtUtils.isGroupExists(anyString())).thenReturn(true);
+ IdentityProvider identityProvider = new IdentityProvider();
+ identityProvider.setResourceId(String.valueOf(IDP_ID));
+ List idPGroups = new ArrayList<>();
+ for (String group: addedGroups) {
+ IdPGroup idPGroup = new IdPGroup();
+ idPGroup.setIdpGroupId(group);
+ idPGroup.setIdpGroupName(group);
+ idPGroups.add(idPGroup);
+ }
+ identityProvider.setIdPGroupConfig(idPGroups.toArray(new IdPGroup[0]));
+ ApplicationRole role =
+ daoImpl.updateApplicationRoleAssignedGroups(ROLE_ID, identityProvider, addedGroups, removedGroups,
+ TENANT_DOMAIN);
+ Assert.assertEquals(role.getAssignedGroups().size(), addedGroups.size());
+ }
+
+ private void populateApplication() throws Exception {
+
+ String domainDataSQL = "INSERT INTO SP_APP (ID, TENANT_ID, APP_NAME, USER_STORE, USERNAME, AUTH_TYPE, UUID) "
+ + "VALUES " + "(" + APP_ID + "," + TENANT_ID + ",'" + APP_NAME + "','" + USER_STORE + "','" + USERNAME
+ + "','" + AUTH_TYPE + "','" + APP_ID + "')";
+
+ try {
+ connection.createStatement().executeUpdate(domainDataSQL);
+ } catch (SQLException e) {
+ String errorMessage = "Error while Adding test data for SP_APP table";
+ throw new Exception(errorMessage, e);
+ }
+ }
+
+ private void populateIdp() throws Exception {
+
+ String domainDataSQL = "INSERT INTO IDP (ID, TENANT_ID, NAME, UUID) "
+ + "VALUES " + "(" + IDP_ID + "," + TENANT_ID + ",'" + IDP_NAME + "','" + IDP_ID + "')";
+
+ try {
+ connection.createStatement().executeUpdate(domainDataSQL);
+ } catch (SQLException e) {
+ String errorMessage = "Error while Adding test data for IDP table";
+ throw new Exception(errorMessage, e);
+ }
+ }
+
+ /**
+ * Initiate H2 database.
+ *
+ * @param scriptPath Path to the database script.
+ * @throws Exception Error when initiating H2 database.
+ */
+ private void initiateH2Database(String scriptPath) throws Exception {
+
+ BasicDataSource dataSource = new BasicDataSource();
+ dataSource.setDriverClassName("org.h2.Driver");
+ dataSource.setUsername("username");
+ dataSource.setPassword("password");
+ dataSource.setUrl("jdbc:h2:mem:test" + DB_NAME);
+ dataSource.setTestOnBorrow(true);
+ dataSource.setValidationQuery("select 1");
+ connection = dataSource.getConnection();
+ connection.createStatement().executeUpdate("RUNSCRIPT FROM '" + scriptPath + "'");
+ dataSourceMap.put(DB_NAME, dataSource);
+ }
+
+
+ /**
+ * Close H2 database.
+ *
+ * @throws Exception Error when closing H2 database.
+ */
+ public static void closeH2Database() throws Exception {
+
+ BasicDataSource dataSource = dataSourceMap.get(DB_NAME);
+ if (dataSource != null) {
+ dataSource.close();
+ }
+ }
+
+ private static String getFilePath() {
+
+ if (StringUtils.isNotBlank("h2.sql")) {
+ return Paths.get(System.getProperty("user.dir"), "src", "test", "resources", "dbscripts", "h2.sql")
+ .toString();
+ }
+ throw new IllegalArgumentException("DB Script file name cannot be empty.");
+ }
+}
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/resources/dbscripts/h2.sql b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/resources/dbscripts/h2.sql
new file mode 100644
index 000000000000..e8e1f919401b
--- /dev/null
+++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/resources/dbscripts/h2.sql
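Review bot: The `Statement` created by `connection.createStatement()` in `populateApplication`, `populateIdp` and `initiateH2Database` is never closed, and `tearDown` closes only the pooled `BasicDataSource` while the `connection` field handed out by it stays open; wrap each in try-with-resources, `try (Statement statement = connection.createStatement()) { statement.executeUpdate(domainDataSQL); }`, and close `connection` in `tearDown` before calling `closeH2Database()`. The same two insert helpers hand-quote compile-time constants into SQL, which is harmless here but a `PreparedStatement` with `?` placeholders would match the DAO under test and remove the quoting. `getFilePath()` evaluates `StringUtils.isNotBlank("h2.sql")` on a string literal, so the `IllegalArgumentException` branch is unreachable; take the script name as a parameter or drop the guard. The two `priority = 2` tests reuse `ROLE_ID` and therefore rely on `testAddApplicationRole` (default priority 0) having inserted the row first, which TestNG honours but `dependsOnMethods = "testAddApplicationRole"` would state explicitly and skip them cleanly if the insert fails.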
@@ -0,0 +1,1402 @@ +CREATE TABLE IF NOT EXISTS IDN_BASE_TABLE ( + PRODUCT_NAME VARCHAR (20), + PRIMARY KEY (PRODUCT_NAME) +); + +INSERT INTO IDN_BASE_TABLE values ('WSO2 Identity Server'); + +CREATE TABLE IF NOT EXISTS IDN_OAUTH_CONSUMER_APPS ( + ID INTEGER NOT NULL AUTO_INCREMENT, + CONSUMER_KEY VARCHAR (255), + CONSUMER_SECRET VARCHAR (2048), + USERNAME VARCHAR (255), + TENANT_ID INTEGER DEFAULT 0, + USER_DOMAIN VARCHAR(50), + APP_NAME VARCHAR (255), + OAUTH_VERSION VARCHAR (128), + CALLBACK_URL VARCHAR (2048), + GRANT_TYPES VARCHAR (1024), + PKCE_MANDATORY CHAR(1) DEFAULT '0', + PKCE_SUPPORT_PLAIN CHAR(1) DEFAULT '0', + APP_STATE VARCHAR (25) DEFAULT 'ACTIVE', + USER_ACCESS_TOKEN_EXPIRE_TIME BIGINT DEFAULT 3600, + APP_ACCESS_TOKEN_EXPIRE_TIME BIGINT DEFAULT 3600, + REFRESH_TOKEN_EXPIRE_TIME BIGINT DEFAULT 84600, + ID_TOKEN_EXPIRE_TIME BIGINT DEFAULT 3600, + CONSTRAINT CONSUMER_KEY_CONSTRAINT UNIQUE (CONSUMER_KEY), + PRIMARY KEY (ID) +); + +CREATE TABLE IF NOT EXISTS IDN_OAUTH2_SCOPE_VALIDATORS ( + APP_ID INTEGER NOT NULL, + SCOPE_VALIDATOR VARCHAR (128) NOT NULL, + PRIMARY KEY (APP_ID,SCOPE_VALIDATOR), + FOREIGN KEY (APP_ID) REFERENCES IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE +); + +CREATE TABLE IF NOT EXISTS IDN_OAUTH1A_REQUEST_TOKEN ( + REQUEST_TOKEN VARCHAR (512), + REQUEST_TOKEN_SECRET VARCHAR (512), + CONSUMER_KEY_ID INTEGER, + CALLBACK_URL VARCHAR (2048), + SCOPE VARCHAR(2048), + AUTHORIZED VARCHAR (128), + OAUTH_VERIFIER VARCHAR (512), + AUTHZ_USER VARCHAR (512), + TENANT_ID INTEGER DEFAULT -1, + PRIMARY KEY (REQUEST_TOKEN), + FOREIGN KEY (CONSUMER_KEY_ID) REFERENCES IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE +); + +CREATE TABLE IF NOT EXISTS IDN_OAUTH1A_ACCESS_TOKEN ( + ACCESS_TOKEN VARCHAR (512), + ACCESS_TOKEN_SECRET VARCHAR (512), + CONSUMER_KEY_ID INTEGER, + SCOPE VARCHAR(2048), + AUTHZ_USER VARCHAR (512), + TENANT_ID INTEGER DEFAULT -1, + PRIMARY KEY (ACCESS_TOKEN), + FOREIGN KEY (CONSUMER_KEY_ID) REFERENCES IDN_OAUTH_CONSUMER_APPS(ID) ON 
DELETE CASCADE +); + +CREATE TABLE IF NOT EXISTS IDN_OAUTH2_ACCESS_TOKEN ( + TOKEN_ID VARCHAR (255), + ACCESS_TOKEN VARCHAR (2048), + REFRESH_TOKEN VARCHAR (2048), + CONSUMER_KEY_ID INTEGER, + AUTHZ_USER VARCHAR (100), + TENANT_ID INTEGER, + USER_DOMAIN VARCHAR(50), + USER_TYPE VARCHAR (25), + GRANT_TYPE VARCHAR (50), + TIME_CREATED TIMESTAMP DEFAULT 0, + REFRESH_TOKEN_TIME_CREATED TIMESTAMP DEFAULT 0, + VALIDITY_PERIOD BIGINT, + REFRESH_TOKEN_VALIDITY_PERIOD BIGINT, + TOKEN_SCOPE_HASH VARCHAR (32), + TOKEN_STATE VARCHAR (25) DEFAULT 'ACTIVE', + TOKEN_STATE_ID VARCHAR (128) DEFAULT 'NONE', + SUBJECT_IDENTIFIER VARCHAR(255), + ACCESS_TOKEN_HASH VARCHAR (512), + REFRESH_TOKEN_HASH VARCHAR (512), + IDP_ID INTEGER DEFAULT -1 NOT NULL, + TOKEN_BINDING_REF VARCHAR (32) DEFAULT 'NONE', + CONSENTED_TOKEN VARCHAR(6), + PRIMARY KEY (TOKEN_ID), + FOREIGN KEY (CONSUMER_KEY_ID) REFERENCES IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE, + CONSTRAINT CON_APP_KEY UNIQUE (CONSUMER_KEY_ID,AUTHZ_USER,TENANT_ID,USER_DOMAIN,USER_TYPE,TOKEN_SCOPE_HASH, + TOKEN_STATE,TOKEN_STATE_ID,IDP_ID,TOKEN_BINDING_REF) +); + +CREATE TABLE IF NOT EXISTS IDN_OAUTH2_TOKEN_BINDING ( + TOKEN_ID VARCHAR (255), + TOKEN_BINDING_TYPE VARCHAR (32), + TOKEN_BINDING_REF VARCHAR (32), + TOKEN_BINDING_VALUE VARCHAR (1024), + TENANT_ID INTEGER DEFAULT -1, + UNIQUE (TOKEN_ID,TOKEN_BINDING_TYPE,TOKEN_BINDING_VALUE), + FOREIGN KEY (TOKEN_ID) REFERENCES IDN_OAUTH2_ACCESS_TOKEN(TOKEN_ID) ON DELETE CASCADE +); + +CREATE TABLE IF NOT EXISTS IDN_OAUTH2_ACCESS_TOKEN_AUDIT ( + ID INTEGER NOT NULL AUTO_INCREMENT, + TOKEN_ID VARCHAR (255), + ACCESS_TOKEN VARCHAR(2048), + REFRESH_TOKEN VARCHAR(2048), + CONSUMER_KEY_ID INTEGER, + AUTHZ_USER VARCHAR (100), + TENANT_ID INTEGER, + USER_DOMAIN VARCHAR(50), + USER_TYPE VARCHAR (25), + GRANT_TYPE VARCHAR (50), + TIME_CREATED TIMESTAMP NULL, + REFRESH_TOKEN_TIME_CREATED TIMESTAMP NULL, + VALIDITY_PERIOD BIGINT, + REFRESH_TOKEN_VALIDITY_PERIOD BIGINT, + TOKEN_SCOPE_HASH VARCHAR(32), + 
TOKEN_STATE VARCHAR(25), + TOKEN_STATE_ID VARCHAR (128) , + SUBJECT_IDENTIFIER VARCHAR(255), + ACCESS_TOKEN_HASH VARCHAR(512), + REFRESH_TOKEN_HASH VARCHAR(512), + INVALIDATED_TIME TIMESTAMP NULL, + IDP_ID INTEGER DEFAULT -1 NOT NULL, + PRIMARY KEY(ID) +); + + +CREATE TABLE IF NOT EXISTS IDN_OAUTH2_AUTHORIZATION_CODE ( + CODE_ID VARCHAR (255), + AUTHORIZATION_CODE VARCHAR (2048), + CONSUMER_KEY_ID INTEGER, + CALLBACK_URL VARCHAR (2048), + SCOPE VARCHAR(2048), + AUTHZ_USER VARCHAR (100), + TENANT_ID INTEGER, + USER_DOMAIN VARCHAR(50), + TIME_CREATED TIMESTAMP, + VALIDITY_PERIOD BIGINT, + STATE VARCHAR (25) DEFAULT 'ACTIVE', + TOKEN_ID VARCHAR(255), + SUBJECT_IDENTIFIER VARCHAR(255), + PKCE_CODE_CHALLENGE VARCHAR (255), + PKCE_CODE_CHALLENGE_METHOD VARCHAR(128), + AUTHORIZATION_CODE_HASH VARCHAR (512), + IDP_ID INTEGER DEFAULT -1 NOT NULL, + PRIMARY KEY (CODE_ID), + FOREIGN KEY (CONSUMER_KEY_ID) REFERENCES IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE +); + +CREATE TABLE IF NOT EXISTS IDN_OAUTH2_AUTHZ_CODE_SCOPE( + CODE_ID VARCHAR(255), + SCOPE VARCHAR(255), + TENANT_ID INTEGER DEFAULT -1, + PRIMARY KEY (CODE_ID, SCOPE), + FOREIGN KEY (CODE_ID) REFERENCES IDN_OAUTH2_AUTHORIZATION_CODE (CODE_ID) ON DELETE CASCADE +); + +CREATE TABLE IF NOT EXISTS IDN_OAUTH2_DEVICE_FLOW ( + CODE_ID VARCHAR(255), + DEVICE_CODE VARCHAR(255), + USER_CODE VARCHAR(25), + QUANTIFIER INTEGER NOT NULL DEFAULT 0, + CONSUMER_KEY_ID INTEGER, + LAST_POLL_TIME TIMESTAMP NOT NULL, + EXPIRY_TIME TIMESTAMP NOT NULL, + TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, + POLL_TIME BIGINT, + STATUS VARCHAR (25) DEFAULT 'PENDING', + AUTHZ_USER VARCHAR (100), + TENANT_ID INTEGER, + USER_DOMAIN VARCHAR(50), + IDP_ID INTEGER, + PRIMARY KEY (DEVICE_CODE), + UNIQUE (CODE_ID), + CONSTRAINT USRCDE_QNTFR_CONSTRAINT UNIQUE (USER_CODE, QUANTIFIER), + FOREIGN KEY (CONSUMER_KEY_ID) REFERENCES IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE +); + +CREATE TABLE IF NOT EXISTS IDN_OAUTH2_DEVICE_FLOW_SCOPES ( + ID 
INTEGER NOT NULL AUTO_INCREMENT, + SCOPE_ID VARCHAR(255), + SCOPE VARCHAR(255), + PRIMARY KEY (ID), + FOREIGN KEY (SCOPE_ID) REFERENCES IDN_OAUTH2_DEVICE_FLOW(CODE_ID) ON DELETE CASCADE +); + +CREATE TABLE IF NOT EXISTS IDN_OAUTH2_ACCESS_TOKEN_SCOPE ( + TOKEN_ID VARCHAR (255), + TOKEN_SCOPE VARCHAR (255), + TENANT_ID INTEGER DEFAULT -1, + PRIMARY KEY (TOKEN_ID, TOKEN_SCOPE), + FOREIGN KEY (TOKEN_ID) REFERENCES IDN_OAUTH2_ACCESS_TOKEN(TOKEN_ID) ON DELETE CASCADE +); + +CREATE TABLE IF NOT EXISTS IDN_OAUTH2_SCOPE ( + SCOPE_ID INTEGER NOT NULL AUTO_INCREMENT, + NAME VARCHAR(255) NOT NULL, + DISPLAY_NAME VARCHAR(255) NOT NULL, + DESCRIPTION VARCHAR(512), + TENANT_ID INTEGER NOT NULL DEFAULT -1, + SCOPE_TYPE VARCHAR(255) NOT NULL, + PRIMARY KEY (SCOPE_ID), + UNIQUE (NAME, TENANT_ID) +); + +CREATE TABLE IF NOT EXISTS IDN_OAUTH2_SCOPE_BINDING ( + ID INTEGER NOT NULL AUTO_INCREMENT, + SCOPE_ID INTEGER NOT NULL, + SCOPE_BINDING VARCHAR(255) NOT NULL, + BINDING_TYPE VARCHAR(255) NOT NULL, + FOREIGN KEY (SCOPE_ID) REFERENCES IDN_OAUTH2_SCOPE(SCOPE_ID) ON DELETE CASCADE, + UNIQUE (SCOPE_ID, SCOPE_BINDING, BINDING_TYPE), + PRIMARY KEY (ID) +); + +CREATE TABLE IF NOT EXISTS IDN_OAUTH2_RESOURCE_SCOPE ( + RESOURCE_PATH VARCHAR(255) NOT NULL, + SCOPE_ID INTEGER NOT NULL, + TENANT_ID INTEGER DEFAULT -1, + PRIMARY KEY (RESOURCE_PATH), + FOREIGN KEY (SCOPE_ID) REFERENCES IDN_OAUTH2_SCOPE (SCOPE_ID) ON DELETE CASCADE +); + +CREATE TABLE IF NOT EXISTS IDN_SCIM_GROUP ( + ID INTEGER NOT NULL AUTO_INCREMENT, + TENANT_ID INTEGER NOT NULL, + ROLE_NAME VARCHAR(255) NOT NULL, + ATTR_NAME VARCHAR(1024) NOT NULL, + ATTR_VALUE VARCHAR(1024), + UNIQUE(TENANT_ID, ROLE_NAME, ATTR_NAME), + PRIMARY KEY (ID) +); + + + +CREATE TABLE IF NOT EXISTS IDN_OPENID_REMEMBER_ME ( + USER_NAME VARCHAR(255) NOT NULL, + TENANT_ID INTEGER DEFAULT 0, + COOKIE_VALUE VARCHAR(1024), + CREATED_TIME TIMESTAMP, + PRIMARY KEY (USER_NAME, TENANT_ID) +); + +CREATE TABLE IF NOT EXISTS IDN_OPENID_USER_RPS ( + USER_NAME 
VARCHAR(255) NOT NULL, + TENANT_ID INTEGER DEFAULT 0, + RP_URL VARCHAR(255) NOT NULL, + TRUSTED_ALWAYS VARCHAR(128) DEFAULT 'FALSE', + LAST_VISIT DATE NOT NULL, + VISIT_COUNT INTEGER DEFAULT 0, + DEFAULT_PROFILE_NAME VARCHAR(255) DEFAULT 'DEFAULT', + PRIMARY KEY (USER_NAME, TENANT_ID, RP_URL) +); + +CREATE TABLE IF NOT EXISTS IDN_OPENID_ASSOCIATIONS ( + HANDLE VARCHAR(255) NOT NULL, + ASSOC_TYPE VARCHAR(255) NOT NULL, + EXPIRE_IN TIMESTAMP NOT NULL, + MAC_KEY VARCHAR(255) NOT NULL, + ASSOC_STORE VARCHAR(128) DEFAULT 'SHARED', + TENANT_ID INTEGER DEFAULT -1, + PRIMARY KEY (HANDLE) +); + +CREATE TABLE IDN_STS_STORE ( + ID INTEGER AUTO_INCREMENT, + TOKEN_ID VARCHAR(255) NOT NULL, + TOKEN_CONTENT BLOB(1024) NOT NULL, + CREATE_DATE TIMESTAMP NOT NULL, + EXPIRE_DATE TIMESTAMP NOT NULL, + STATE INTEGER DEFAULT 0, + PRIMARY KEY (ID) +); + +CREATE TABLE IDN_IDENTITY_USER_DATA ( + TENANT_ID INTEGER DEFAULT -1234, + USER_NAME VARCHAR(255) NOT NULL, + DATA_KEY VARCHAR(255) NOT NULL, + DATA_VALUE VARCHAR(2048), + PRIMARY KEY (TENANT_ID, USER_NAME, DATA_KEY) +); + +CREATE TABLE IDN_IDENTITY_META_DATA ( + USER_NAME VARCHAR(255) NOT NULL, + TENANT_ID INTEGER DEFAULT -1234, + METADATA_TYPE VARCHAR(255) NOT NULL, + METADATA VARCHAR(255) NOT NULL, + VALID VARCHAR(255) NOT NULL, + PRIMARY KEY (TENANT_ID, USER_NAME, METADATA_TYPE,METADATA) +); + +CREATE TABLE IF NOT EXISTS IDN_THRIFT_SESSION ( + SESSION_ID VARCHAR(255) NOT NULL, + USER_NAME VARCHAR(255) NOT NULL, + CREATED_TIME VARCHAR(255) NOT NULL, + LAST_MODIFIED_TIME VARCHAR(255) NOT NULL, + TENANT_ID INTEGER DEFAULT -1, + PRIMARY KEY (SESSION_ID) +); + +CREATE TABLE IDN_AUTH_SESSION_STORE ( + SESSION_ID VARCHAR (100) NOT NULL, + SESSION_TYPE VARCHAR(100) NOT NULL, + OPERATION VARCHAR(10) NOT NULL, + SESSION_OBJECT BLOB, + TIME_CREATED BIGINT, + TENANT_ID INTEGER DEFAULT -1, + EXPIRY_TIME BIGINT, + PRIMARY KEY (SESSION_ID, SESSION_TYPE, TIME_CREATED, OPERATION) +); + + +CREATE TABLE IDN_AUTH_TEMP_SESSION_STORE ( + SESSION_ID 
VARCHAR (100) NOT NULL,
+ SESSION_TYPE VARCHAR(100) NOT NULL,
+ OPERATION VARCHAR(10) NOT NULL,
+ SESSION_OBJECT BLOB,
+ TIME_CREATED BIGINT,
+ TENANT_ID INTEGER DEFAULT -1,
+ EXPIRY_TIME BIGINT,
+ PRIMARY KEY (SESSION_ID, SESSION_TYPE, TIME_CREATED, OPERATION)
+);
+
+CREATE TABLE IF NOT EXISTS IDN_AUTH_USER (
+ USER_ID VARCHAR(255) NOT NULL,
+ USER_NAME VARCHAR(255) NOT NULL,
+ TENANT_ID INTEGER NOT NULL,
+ DOMAIN_NAME VARCHAR(255) NOT NULL,
+ IDP_ID INTEGER NOT NULL,
+ PRIMARY KEY (USER_ID),
+ CONSTRAINT USER_STORE_CONSTRAINT UNIQUE (USER_NAME, TENANT_ID, DOMAIN_NAME, IDP_ID));
+
+CREATE TABLE IF NOT EXISTS IDN_AUTH_USER_SESSION_MAPPING (
+ ID INTEGER NOT NULL AUTO_INCREMENT,
+ USER_ID VARCHAR(255) NOT NULL,
+ SESSION_ID VARCHAR(255) NOT NULL,
+ CONSTRAINT USER_SESSION_STORE_CONSTRAINT UNIQUE (USER_ID, SESSION_ID),
+ PRIMARY KEY (ID));
+
+CREATE TABLE IF NOT EXISTS IDN_AUTH_SESSION_APP_INFO (
+ SESSION_ID VARCHAR (100) NOT NULL,
+ SUBJECT VARCHAR (100) NOT NULL,
+ APP_ID INTEGER NOT NULL,
+ INBOUND_AUTH_TYPE VARCHAR (255) NOT NULL,
+ PRIMARY KEY (SESSION_ID, SUBJECT, APP_ID, INBOUND_AUTH_TYPE));
+
+CREATE TABLE IF NOT EXISTS IDN_AUTH_SESSION_META_DATA (
+ SESSION_ID VARCHAR (100) NOT NULL,
+ PROPERTY_TYPE VARCHAR (100) NOT NULL,
+ `VALUE` VARCHAR (255) NOT NULL,
+ PRIMARY KEY (SESSION_ID, PROPERTY_TYPE, `VALUE`)
+ );
+
+CREATE TABLE IF NOT EXISTS SP_APP (
+ ID INTEGER NOT NULL AUTO_INCREMENT,
+ TENANT_ID INTEGER NOT NULL,
+ APP_NAME VARCHAR (255) NOT NULL ,
+ USER_STORE VARCHAR (255) NOT NULL,
+ USERNAME VARCHAR (255) NOT NULL ,
+ DESCRIPTION VARCHAR (1024),
+ ROLE_CLAIM VARCHAR (512),
+ AUTH_TYPE VARCHAR (255) NOT NULL,
+ PROVISIONING_USERSTORE_DOMAIN VARCHAR (512),
+ IS_LOCAL_CLAIM_DIALECT CHAR(1) DEFAULT '1',
+ IS_SEND_LOCAL_SUBJECT_ID CHAR(1) DEFAULT '0',
+ IS_SEND_AUTH_LIST_OF_IDPS CHAR(1) DEFAULT '0',
+ IS_USE_TENANT_DOMAIN_SUBJECT CHAR(1) DEFAULT '1',
+ IS_USE_USER_DOMAIN_SUBJECT CHAR(1) DEFAULT '1',
+ ENABLE_AUTHORIZATION CHAR(1) DEFAULT '0',
+ SUBJECT_CLAIM_URI VARCHAR (512),
+ IS_SAAS_APP CHAR(1) DEFAULT '0',
+ IS_DUMB_MODE CHAR(1) DEFAULT '0',
+ UUID CHAR(36),
+ IMAGE_URL VARCHAR(1024),
+ ACCESS_URL VARCHAR(1024),
+ IS_DISCOVERABLE CHAR(1) DEFAULT '0',
+
+ PRIMARY KEY (ID));
+
+ALTER TABLE SP_APP ADD CONSTRAINT APPLICATION_NAME_CONSTRAINT UNIQUE(APP_NAME, TENANT_ID);
+ALTER TABLE SP_APP ADD CONSTRAINT APPLICATION_UUID_CONSTRAINT UNIQUE(UUID);
+
+CREATE TABLE IF NOT EXISTS SP_METADATA (
+ ID INTEGER AUTO_INCREMENT,
+ SP_ID INTEGER,
+ NAME VARCHAR(255) NOT NULL,
+ `VALUE` VARCHAR(255) NOT NULL,
+ DISPLAY_NAME VARCHAR(255),
+ TENANT_ID INTEGER DEFAULT -1,
+ PRIMARY KEY (ID),
+ CONSTRAINT SP_METADATA_CONSTRAINT UNIQUE (SP_ID, NAME),
+ FOREIGN KEY (SP_ID) REFERENCES SP_APP(ID) ON DELETE CASCADE);
+
+CREATE TABLE IF NOT EXISTS SP_INBOUND_AUTH (
+ ID INTEGER NOT NULL AUTO_INCREMENT,
+ TENANT_ID INTEGER NOT NULL,
+ INBOUND_AUTH_KEY VARCHAR (255),
+ INBOUND_AUTH_TYPE VARCHAR (255) NOT NULL,
+ INBOUND_CONFIG_TYPE VARCHAR (255) NOT NULL,
+ PROP_NAME VARCHAR (255),
+ PROP_VALUE VARCHAR (1024) ,
+ APP_ID INTEGER NOT NULL,
+ PRIMARY KEY (ID));
+
+ALTER TABLE SP_INBOUND_AUTH ADD CONSTRAINT APPLICATION_ID_CONSTRAINT FOREIGN KEY (APP_ID) REFERENCES SP_APP (ID) ON DELETE CASCADE;
+
+CREATE TABLE IF NOT EXISTS SP_AUTH_STEP (
+ ID INTEGER NOT NULL AUTO_INCREMENT,
+ TENANT_ID INTEGER NOT NULL,
+ STEP_ORDER INTEGER DEFAULT 1,
+ APP_ID INTEGER NOT NULL ,
+ IS_SUBJECT_STEP CHAR(1) DEFAULT '0',
+ IS_ATTRIBUTE_STEP CHAR(1) DEFAULT '0',
+ PRIMARY KEY (ID));
+
+ALTER TABLE SP_AUTH_STEP ADD CONSTRAINT APPLICATION_ID_CONSTRAINT_STEP FOREIGN KEY (APP_ID) REFERENCES SP_APP (ID) ON DELETE CASCADE;
+
+CREATE TABLE IF NOT EXISTS SP_FEDERATED_IDP (
+ ID INTEGER NOT NULL,
+ TENANT_ID INTEGER NOT NULL,
+ AUTHENTICATOR_ID INTEGER NOT NULL,
+ PRIMARY KEY (ID, AUTHENTICATOR_ID));
+
+ALTER TABLE SP_FEDERATED_IDP ADD CONSTRAINT STEP_ID_CONSTRAINT FOREIGN KEY (ID) REFERENCES SP_AUTH_STEP (ID) ON DELETE CASCADE;
+
+CREATE TABLE IF NOT EXISTS SP_CLAIM_DIALECT (
+ ID INTEGER NOT NULL AUTO_INCREMENT,
+ TENANT_ID INTEGER NOT NULL,
+ SP_DIALECT VARCHAR (512) NOT NULL,
+ APP_ID INTEGER NOT NULL,
+ PRIMARY KEY (ID));
+
+ALTER TABLE SP_CLAIM_DIALECT ADD CONSTRAINT DIALECTID_APPID_CONSTRAINT FOREIGN KEY (APP_ID) REFERENCES SP_APP (ID) ON DELETE CASCADE;
+
+CREATE TABLE IF NOT EXISTS SP_CLAIM_MAPPING (
+ ID INTEGER NOT NULL AUTO_INCREMENT,
+ TENANT_ID INTEGER NOT NULL,
+ IDP_CLAIM VARCHAR (512) NOT NULL ,
+ SP_CLAIM VARCHAR (512) NOT NULL ,
+ APP_ID INTEGER NOT NULL,
+ IS_REQUESTED VARCHAR(128) DEFAULT '0',
+ IS_MANDATORY VARCHAR(128) DEFAULT '0',
+ DEFAULT_VALUE VARCHAR(255),
+ PRIMARY KEY (ID));
+
+ALTER TABLE SP_CLAIM_MAPPING ADD CONSTRAINT CLAIMID_APPID_CONSTRAINT FOREIGN KEY (APP_ID) REFERENCES SP_APP (ID) ON DELETE CASCADE;
+
+CREATE TABLE IF NOT EXISTS SP_ROLE_MAPPING (
+ ID INTEGER NOT NULL AUTO_INCREMENT,
+ TENANT_ID INTEGER NOT NULL,
+ IDP_ROLE VARCHAR (255) NOT NULL ,
+ SP_ROLE VARCHAR (255) NOT NULL ,
+ APP_ID INTEGER NOT NULL,
+ PRIMARY KEY (ID));
+
+ALTER TABLE SP_ROLE_MAPPING ADD CONSTRAINT ROLEID_APPID_CONSTRAINT FOREIGN KEY (APP_ID) REFERENCES SP_APP (ID) ON DELETE CASCADE;
+
+CREATE TABLE IF NOT EXISTS SP_REQ_PATH_AUTHENTICATOR (
+ ID INTEGER NOT NULL AUTO_INCREMENT,
+ TENANT_ID INTEGER NOT NULL,
+ AUTHENTICATOR_NAME VARCHAR (255) NOT NULL ,
+ APP_ID INTEGER NOT NULL,
+ PRIMARY KEY (ID));
+
+ALTER TABLE SP_REQ_PATH_AUTHENTICATOR ADD CONSTRAINT REQ_AUTH_APPID_CONSTRAINT FOREIGN KEY (APP_ID) REFERENCES SP_APP (ID) ON DELETE CASCADE;
+
+CREATE TABLE IF NOT EXISTS SP_PROVISIONING_CONNECTOR (
+ ID INTEGER NOT NULL AUTO_INCREMENT,
+ TENANT_ID INTEGER NOT NULL,
+ IDP_NAME VARCHAR (255) NOT NULL ,
+ CONNECTOR_NAME VARCHAR (255) NOT NULL ,
+ APP_ID INTEGER NOT NULL,
+ IS_JIT_ENABLED CHAR(1) NOT NULL DEFAULT '0',
+ BLOCKING CHAR(1) NOT NULL DEFAULT '0',
+ RULE_ENABLED CHAR(1) NOT NULL DEFAULT '0',
+ PRIMARY KEY (ID));
+
+ALTER TABLE SP_PROVISIONING_CONNECTOR ADD CONSTRAINT PRO_CONNECTOR_APPID_CONSTRAINT FOREIGN KEY (APP_ID) REFERENCES SP_APP (ID) ON DELETE CASCADE;
+
+CREATE TABLE IF NOT EXISTS SP_AUTH_SCRIPT (
+ ID INTEGER AUTO_INCREMENT NOT NULL,
+ TENANT_ID INTEGER NOT NULL,
+ APP_ID INTEGER NOT NULL,
+ TYPE VARCHAR(255) NOT NULL,
+ CONTENT BLOB DEFAULT NULL,
+ IS_ENABLED CHAR(1) NOT NULL DEFAULT '0',
+ PRIMARY KEY (ID));
+
+CREATE TABLE SP_TEMPLATE (
+ ID INTEGER AUTO_INCREMENT NOT NULL,
+ TENANT_ID INTEGER NOT NULL,
+ NAME VARCHAR(255) NOT NULL,
+ DESCRIPTION VARCHAR(1023),
+ CONTENT BLOB DEFAULT NULL,
+ PRIMARY KEY (ID),
+ CONSTRAINT SP_TEMPLATE_CONSTRAINT UNIQUE (TENANT_ID, NAME));
+
+CREATE TABLE IF NOT EXISTS IDN_AUTH_WAIT_STATUS (
+ ID INTEGER AUTO_INCREMENT NOT NULL,
+ TENANT_ID INTEGER NOT NULL,
+ LONG_WAIT_KEY VARCHAR(255) NOT NULL,
+ WAIT_STATUS CHAR(1) NOT NULL DEFAULT '1',
+ TIME_CREATED TIMESTAMP DEFAULT 0,
+ EXPIRE_TIME TIMESTAMP DEFAULT 0,
+ PRIMARY KEY (ID),
+ CONSTRAINT IDN_AUTH_WAIT_STATUS_KEY UNIQUE (LONG_WAIT_KEY));
+
+CREATE TABLE IF NOT EXISTS IDP (
+ ID INTEGER AUTO_INCREMENT,
+ TENANT_ID INTEGER,
+ NAME VARCHAR(254) NOT NULL,
+ IS_ENABLED CHAR(1) NOT NULL DEFAULT '1',
+ IS_PRIMARY CHAR(1) NOT NULL DEFAULT '0',
+ HOME_REALM_ID VARCHAR(254),
+ IMAGE MEDIUMBLOB,
+ CERTIFICATE BLOB,
+ ALIAS VARCHAR(254),
+ INBOUND_PROV_ENABLED CHAR(1) NOT NULL DEFAULT '0',
+ INBOUND_PROV_USER_STORE_ID VARCHAR(254),
+ USER_CLAIM_URI VARCHAR(254),
+ ROLE_CLAIM_URI VARCHAR(254),
+ DESCRIPTION VARCHAR(1024),
+ DEFAULT_AUTHENTICATOR_NAME VARCHAR(254),
+ DEFAULT_PRO_CONNECTOR_NAME VARCHAR(254),
+ PROVISIONING_ROLE VARCHAR(128),
+ IS_FEDERATION_HUB CHAR(1) NOT NULL DEFAULT '0',
+ IS_LOCAL_CLAIM_DIALECT CHAR(1) NOT NULL DEFAULT '0',
+ DISPLAY_NAME VARCHAR(255),
+ IMAGE_URL VARCHAR(1024),
+ UUID CHAR(36) NOT NULL,
+ PRIMARY KEY (ID),
+ UNIQUE (TENANT_ID, NAME),
+ UNIQUE (UUID)
+);
+
+CREATE TABLE IF NOT EXISTS IDP_ROLE (
+ ID INTEGER AUTO_INCREMENT,
+ IDP_ID INTEGER,
+ TENANT_ID INTEGER,
+ ROLE VARCHAR(254),
+ PRIMARY KEY (ID),
+ UNIQUE (IDP_ID, ROLE),
+ FOREIGN KEY (IDP_ID) REFERENCES IDP(ID) ON DELETE CASCADE);
+
+CREATE TABLE IF NOT EXISTS IDP_GROUP (
+ ID INTEGER AUTO_INCREMENT NOT NULL,
+ IDP_ID INTEGER NOT NULL,
+ TENANT_ID INTEGER NOT NULL,
+ GROUP_NAME VARCHAR(255) NOT NULL,
+ UUID CHAR(36) NOT NULL,
+ PRIMARY KEY (ID),
+ UNIQUE (IDP_ID, GROUP_NAME),
+ UNIQUE (UUID),
+ FOREIGN KEY (IDP_ID) REFERENCES IDP(ID) ON DELETE CASCADE);
+
+CREATE TABLE IF NOT EXISTS IDP_ROLE_MAPPING (
+ ID INTEGER AUTO_INCREMENT,
+ IDP_ROLE_ID INTEGER,
+ TENANT_ID INTEGER,
+ USER_STORE_ID VARCHAR (253),
+ LOCAL_ROLE VARCHAR(253),
+ PRIMARY KEY (ID),
+ UNIQUE (IDP_ROLE_ID, TENANT_ID, USER_STORE_ID, LOCAL_ROLE),
+ FOREIGN KEY (IDP_ROLE_ID) REFERENCES IDP_ROLE(ID) ON DELETE CASCADE);
+
+CREATE TABLE IF NOT EXISTS IDP_CLAIM (
+ ID INTEGER AUTO_INCREMENT,
+ IDP_ID INTEGER,
+ TENANT_ID INTEGER,
+ CLAIM VARCHAR(254),
+ PRIMARY KEY (ID),
+ UNIQUE (IDP_ID, CLAIM),
+ FOREIGN KEY (IDP_ID) REFERENCES IDP(ID) ON DELETE CASCADE);
+
+CREATE TABLE IF NOT EXISTS IDP_CLAIM_MAPPING (
+ ID INTEGER AUTO_INCREMENT,
+ IDP_CLAIM_ID INTEGER,
+ TENANT_ID INTEGER,
+ LOCAL_CLAIM VARCHAR(253),
+ DEFAULT_VALUE VARCHAR(255),
+ IS_REQUESTED VARCHAR(128) DEFAULT '0',
+ PRIMARY KEY (ID),
+ UNIQUE (IDP_CLAIM_ID, TENANT_ID, LOCAL_CLAIM),
+ FOREIGN KEY (IDP_CLAIM_ID) REFERENCES IDP_CLAIM(ID) ON DELETE CASCADE);
+
+CREATE TABLE IF NOT EXISTS IDP_AUTHENTICATOR (
+ ID INTEGER AUTO_INCREMENT,
+ TENANT_ID INTEGER,
+ IDP_ID INTEGER,
+ NAME VARCHAR(255) NOT NULL,
+ IS_ENABLED CHAR (1) DEFAULT '1',
+ DISPLAY_NAME VARCHAR(255),
+ PRIMARY KEY (ID),
+ UNIQUE (TENANT_ID, IDP_ID, NAME),
+ FOREIGN KEY (IDP_ID) REFERENCES IDP(ID) ON DELETE CASCADE);
+
+CREATE TABLE IF NOT EXISTS IDP_METADATA (
+ ID INTEGER AUTO_INCREMENT,
+ IDP_ID INTEGER,
+ NAME VARCHAR(255) NOT NULL,
+ `VALUE` VARCHAR(255) NOT NULL,
+ DISPLAY_NAME VARCHAR(255),
+ TENANT_ID INTEGER DEFAULT -1,
+ PRIMARY KEY (ID),
+ CONSTRAINT IDP_METADATA_CONSTRAINT UNIQUE (IDP_ID, NAME),
+ FOREIGN KEY (IDP_ID) REFERENCES IDP(ID) ON DELETE CASCADE);
+
+CREATE TABLE IF NOT EXISTS IDP_AUTHENTICATOR_PROPERTY (
+ ID INTEGER AUTO_INCREMENT,
+ TENANT_ID INTEGER,
+ AUTHENTICATOR_ID INTEGER,
+ PROPERTY_KEY VARCHAR(255) NOT NULL,
+ PROPERTY_VALUE VARCHAR(2047),
+ IS_SECRET CHAR (1) DEFAULT '0',
+ PRIMARY KEY (ID),
+ UNIQUE (TENANT_ID, AUTHENTICATOR_ID, PROPERTY_KEY),
+ FOREIGN KEY (AUTHENTICATOR_ID) REFERENCES IDP_AUTHENTICATOR(ID) ON DELETE CASCADE);
+
+CREATE TABLE IF NOT EXISTS IDP_PROVISIONING_CONFIG (
+ ID INTEGER AUTO_INCREMENT,
+ TENANT_ID INTEGER,
+ IDP_ID INTEGER,
+ PROVISIONING_CONNECTOR_TYPE VARCHAR(255) NOT NULL,
+ IS_ENABLED CHAR (1) DEFAULT '0',
+ IS_BLOCKING CHAR (1) DEFAULT '0',
+ IS_RULES_ENABLED CHAR (1) DEFAULT '0',
+ PRIMARY KEY (ID),
+ UNIQUE (TENANT_ID, IDP_ID, PROVISIONING_CONNECTOR_TYPE),
+ FOREIGN KEY (IDP_ID) REFERENCES IDP(ID) ON DELETE CASCADE);
+
+CREATE TABLE IF NOT EXISTS IDP_PROV_CONFIG_PROPERTY (
+ ID INTEGER AUTO_INCREMENT,
+ TENANT_ID INTEGER,
+ PROVISIONING_CONFIG_ID INTEGER,
+ PROPERTY_KEY VARCHAR(255) NOT NULL,
+ PROPERTY_VALUE VARCHAR(2048),
+ PROPERTY_BLOB_VALUE BLOB,
+ PROPERTY_TYPE VARCHAR(32) NOT NULL,
+ IS_SECRET CHAR (1) DEFAULT '0',
+ PRIMARY KEY (ID),
+ UNIQUE (TENANT_ID, PROVISIONING_CONFIG_ID, PROPERTY_KEY),
+ FOREIGN KEY (PROVISIONING_CONFIG_ID) REFERENCES IDP_PROVISIONING_CONFIG(ID) ON DELETE CASCADE);
+
+CREATE TABLE IF NOT EXISTS IDP_PROVISIONING_ENTITY (
+ ID INTEGER AUTO_INCREMENT,
+ PROVISIONING_CONFIG_ID INTEGER,
+ ENTITY_TYPE VARCHAR(255) NOT NULL,
+ ENTITY_LOCAL_USERSTORE VARCHAR(255) NOT NULL,
+ ENTITY_NAME VARCHAR(255) NOT NULL,
+ ENTITY_VALUE VARCHAR(255),
+ TENANT_ID INTEGER,
+ ENTITY_LOCAL_ID VARCHAR(255),
+ PRIMARY KEY (ID),
+ UNIQUE (ENTITY_TYPE, TENANT_ID, ENTITY_LOCAL_USERSTORE, ENTITY_NAME, PROVISIONING_CONFIG_ID),
+ UNIQUE (PROVISIONING_CONFIG_ID, ENTITY_TYPE, ENTITY_VALUE),
+ FOREIGN KEY (PROVISIONING_CONFIG_ID) REFERENCES IDP_PROVISIONING_CONFIG(ID) ON DELETE CASCADE);
+
+CREATE TABLE IF NOT EXISTS IDP_LOCAL_CLAIM (
+ ID INTEGER AUTO_INCREMENT,
+ TENANT_ID INTEGER,
+ IDP_ID INTEGER,
+ CLAIM_URI VARCHAR(255) NOT NULL,
+ DEFAULT_VALUE VARCHAR(255),
+ IS_REQUESTED VARCHAR(128) DEFAULT '0',
+ PRIMARY KEY (ID),
+ UNIQUE (TENANT_ID, IDP_ID, CLAIM_URI),
+ FOREIGN KEY (IDP_ID) REFERENCES IDP(ID) ON DELETE CASCADE);
+
+CREATE TABLE IF NOT EXISTS IDN_ASSOCIATED_ID (
+ ID INTEGER AUTO_INCREMENT,
+ IDP_USER_ID VARCHAR(255) NOT NULL,
+ TENANT_ID INTEGER DEFAULT -1234,
+ IDP_ID INTEGER NOT NULL,
+ DOMAIN_NAME VARCHAR(255) NOT NULL,
+ USER_NAME VARCHAR(255) NOT NULL,
+ ASSOCIATION_ID CHAR(36) NOT NULL,
+ PRIMARY KEY (ID),
+ UNIQUE(IDP_USER_ID, TENANT_ID, IDP_ID),
+ FOREIGN KEY (IDP_ID) REFERENCES IDP(ID) ON DELETE CASCADE
+);
+
+CREATE TABLE IF NOT EXISTS IDN_USER_ACCOUNT_ASSOCIATION (
+ ASSOCIATION_KEY VARCHAR(255) NOT NULL,
+ TENANT_ID INTEGER,
+ DOMAIN_NAME VARCHAR(255) NOT NULL,
+ USER_NAME VARCHAR(255) NOT NULL,
+ PRIMARY KEY (TENANT_ID, DOMAIN_NAME, USER_NAME));
+
+CREATE TABLE IF NOT EXISTS FIDO_DEVICE_STORE (
+ TENANT_ID INTEGER,
+ DOMAIN_NAME VARCHAR(255) NOT NULL,
+ USER_NAME VARCHAR(45) NOT NULL,
+ TIME_REGISTERED TIMESTAMP,
+ KEY_HANDLE VARCHAR(200) NOT NULL,
+ DEVICE_DATA VARCHAR(2048) NOT NULL,
+ PRIMARY KEY (TENANT_ID, DOMAIN_NAME, USER_NAME, KEY_HANDLE));
+
+CREATE TABLE IF NOT EXISTS FIDO2_DEVICE_STORE (
+ TENANT_ID INTEGER,
+ DOMAIN_NAME VARCHAR(255) NOT NULL,
+ USER_NAME VARCHAR(45) NOT NULL,
+ TIME_REGISTERED TIMESTAMP,
+ USER_HANDLE VARCHAR(200) NOT NULL,
+ CREDENTIAL_ID VARCHAR(200) NOT NULL,
+ PUBLIC_KEY_COSE VARCHAR(2048) NOT NULL,
+ SIGNATURE_COUNT BIGINT,
+ USER_IDENTITY VARCHAR(200) NOT NULL,
+ DISPLAY_NAME VARCHAR(255),
+ IS_USERNAMELESS_SUPPORTED CHAR(1) DEFAULT '0',
+ PRIMARY KEY (TENANT_ID, DOMAIN_NAME, USER_NAME, USER_HANDLE));
+
+CREATE TABLE IF NOT EXISTS WF_REQUEST (
+ UUID VARCHAR (45),
+ CREATED_BY VARCHAR (255),
+ TENANT_ID INTEGER DEFAULT -1,
+ OPERATION_TYPE VARCHAR (50),
+ CREATED_AT TIMESTAMP,
+ UPDATED_AT TIMESTAMP,
+ STATUS VARCHAR (30),
+ REQUEST BLOB,
+ PRIMARY KEY (UUID)
+);
+
+CREATE TABLE IF NOT EXISTS WF_BPS_PROFILE (
+ PROFILE_NAME VARCHAR(45),
+ HOST_URL_MANAGER VARCHAR(255),
+ HOST_URL_WORKER VARCHAR(255),
+ USERNAME VARCHAR(100),
+ PASSWORD VARCHAR(1023),
+ CALLBACK_HOST VARCHAR (45),
+ CALLBACK_USERNAME VARCHAR(100),
+ CALLBACK_PASSWORD VARCHAR(255),
+ TENANT_ID INTEGER DEFAULT -1,
+ PRIMARY KEY (PROFILE_NAME, TENANT_ID)
+);
+
+CREATE TABLE IF NOT EXISTS WF_WORKFLOW(
+ ID VARCHAR (45),
+ WF_NAME VARCHAR (45),
+ DESCRIPTION VARCHAR (255),
+ TEMPLATE_ID VARCHAR (45),
+ IMPL_ID VARCHAR (45),
+ TENANT_ID INTEGER DEFAULT -1,
+ PRIMARY KEY (ID)
+);
+
+CREATE TABLE IF NOT EXISTS WF_WORKFLOW_ASSOCIATION(
+ ID INTEGER NOT NULL AUTO_INCREMENT,
+ ASSOC_NAME VARCHAR (45),
+ EVENT_ID VARCHAR(45),
+ ASSOC_CONDITION VARCHAR (2000),
+ WORKFLOW_ID VARCHAR (45),
+ IS_ENABLED CHAR (1) DEFAULT '1',
+ TENANT_ID INTEGER DEFAULT -1,
+ PRIMARY KEY(ID),
+ FOREIGN KEY (WORKFLOW_ID) REFERENCES WF_WORKFLOW(ID)ON DELETE CASCADE
+);
+
+CREATE TABLE IF NOT EXISTS WF_WORKFLOW_CONFIG_PARAM(
+ WORKFLOW_ID VARCHAR (45),
+ PARAM_NAME VARCHAR (45),
+ PARAM_VALUE VARCHAR (1000),
+ PARAM_QNAME VARCHAR (45),
+ PARAM_HOLDER VARCHAR (45),
+ TENANT_ID INTEGER DEFAULT -1,
+ PRIMARY KEY (WORKFLOW_ID, PARAM_NAME, PARAM_QNAME, PARAM_HOLDER),
+ FOREIGN KEY (WORKFLOW_ID) REFERENCES WF_WORKFLOW(ID)ON DELETE CASCADE
+);
+
+CREATE TABLE IF NOT EXISTS WF_REQUEST_ENTITY_RELATIONSHIP(
+ REQUEST_ID VARCHAR (45),
+ ENTITY_NAME VARCHAR (255),
+ ENTITY_TYPE VARCHAR (50),
+ TENANT_ID INTEGER DEFAULT -1,
+ PRIMARY KEY(REQUEST_ID, ENTITY_NAME, ENTITY_TYPE, TENANT_ID),
+ FOREIGN KEY (REQUEST_ID) REFERENCES WF_REQUEST(UUID)ON DELETE CASCADE
+);
+
+CREATE TABLE IF NOT EXISTS WF_WORKFLOW_REQUEST_RELATION(
+ RELATIONSHIP_ID VARCHAR (45),
+ WORKFLOW_ID VARCHAR (45),
+ REQUEST_ID VARCHAR (45),
+ UPDATED_AT TIMESTAMP,
+ STATUS VARCHAR (30),
+ TENANT_ID INTEGER DEFAULT -1,
+ PRIMARY KEY (RELATIONSHIP_ID),
+ FOREIGN KEY (WORKFLOW_ID) REFERENCES WF_WORKFLOW(ID)ON DELETE CASCADE,
+ FOREIGN KEY (REQUEST_ID) REFERENCES WF_REQUEST(UUID)ON DELETE CASCADE
+);
+
+CREATE TABLE IF NOT EXISTS IDN_RECOVERY_DATA (
+ USER_NAME VARCHAR(255) NOT NULL,
+ USER_DOMAIN VARCHAR(127) NOT NULL,
+ TENANT_ID INTEGER DEFAULT -1,
+ CODE VARCHAR(255) NOT NULL,
+ SCENARIO VARCHAR(255) NOT NULL,
+ STEP VARCHAR(127) NOT NULL,
+ TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ REMAINING_SETS VARCHAR(2500) DEFAULT NULL,
+ PRIMARY KEY(USER_NAME, USER_DOMAIN, TENANT_ID, SCENARIO,STEP),
+ UNIQUE(CODE)
+);
+
+CREATE TABLE IF NOT EXISTS IDN_PASSWORD_HISTORY_DATA (
+ ID INTEGER NOT NULL AUTO_INCREMENT,
+ USER_NAME VARCHAR(255) NOT NULL,
+ USER_DOMAIN VARCHAR(127) NOT NULL,
+ TENANT_ID INTEGER DEFAULT -1,
+ SALT_VALUE VARCHAR(255),
+ HASH VARCHAR(255) NOT NULL,
+ TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ PRIMARY KEY (ID),
+ UNIQUE (USER_NAME,USER_DOMAIN,TENANT_ID,SALT_VALUE,HASH)
+);
+
+CREATE TABLE IF NOT EXISTS IDN_CLAIM_DIALECT (
+ ID INTEGER NOT NULL AUTO_INCREMENT,
+ DIALECT_URI VARCHAR (255) NOT NULL,
+ TENANT_ID INTEGER NOT NULL,
+ PRIMARY KEY (ID),
+ CONSTRAINT DIALECT_URI_CONSTRAINT UNIQUE (DIALECT_URI, TENANT_ID)
+);
+
+CREATE TABLE IF NOT EXISTS IDN_CLAIM (
+ ID INTEGER NOT NULL AUTO_INCREMENT,
+ DIALECT_ID INTEGER NOT NULL,
+ CLAIM_URI VARCHAR (255) NOT NULL,
+ TENANT_ID INTEGER NOT NULL,
+ PRIMARY KEY (ID),
+ FOREIGN KEY (DIALECT_ID) REFERENCES IDN_CLAIM_DIALECT(ID) ON DELETE CASCADE,
+ CONSTRAINT CLAIM_URI_CONSTRAINT UNIQUE (DIALECT_ID, CLAIM_URI, TENANT_ID)
+);
+
+CREATE TABLE IF NOT EXISTS IDN_CLAIM_MAPPED_ATTRIBUTE (
+ ID INTEGER NOT NULL AUTO_INCREMENT,
+ LOCAL_CLAIM_ID INTEGER,
+ USER_STORE_DOMAIN_NAME VARCHAR (255) NOT NULL,
+ ATTRIBUTE_NAME VARCHAR (255) NOT NULL,
+ TENANT_ID INTEGER NOT NULL,
+ PRIMARY KEY (ID),
+ FOREIGN KEY (LOCAL_CLAIM_ID) REFERENCES IDN_CLAIM(ID) ON DELETE CASCADE,
+ CONSTRAINT USER_STORE_DOMAIN_CONSTRAINT UNIQUE (LOCAL_CLAIM_ID, USER_STORE_DOMAIN_NAME, TENANT_ID)
+);
+
+CREATE TABLE IF NOT EXISTS IDN_CLAIM_PROPERTY (
+ ID INTEGER NOT NULL AUTO_INCREMENT,
+ LOCAL_CLAIM_ID INTEGER,
+ PROPERTY_NAME VARCHAR (255) NOT NULL,
+ PROPERTY_VALUE VARCHAR (255) NOT NULL,
+ TENANT_ID INTEGER NOT NULL,
+ PRIMARY KEY (ID),
+ FOREIGN KEY (LOCAL_CLAIM_ID) REFERENCES IDN_CLAIM(ID) ON DELETE CASCADE,
+ CONSTRAINT PROPERTY_NAME_CONSTRAINT UNIQUE (LOCAL_CLAIM_ID, PROPERTY_NAME, TENANT_ID)
+);
+
+CREATE TABLE IF NOT EXISTS IDN_CLAIM_MAPPING (
+ ID INTEGER NOT NULL AUTO_INCREMENT,
+ EXT_CLAIM_ID INTEGER NOT NULL,
+ MAPPED_LOCAL_CLAIM_ID INTEGER NOT NULL,
+ TENANT_ID INTEGER NOT NULL,
+ PRIMARY KEY (ID),
+ FOREIGN KEY (EXT_CLAIM_ID) REFERENCES IDN_CLAIM(ID) ON DELETE CASCADE,
+ FOREIGN KEY (MAPPED_LOCAL_CLAIM_ID) REFERENCES IDN_CLAIM(ID) ON DELETE CASCADE,
+ CONSTRAINT EXT_TO_LOC_MAPPING_CONSTRN UNIQUE (EXT_CLAIM_ID, TENANT_ID)
+);
+
+CREATE TABLE IF NOT EXISTS IDN_SAML2_ASSERTION_STORE (
+ ID INTEGER NOT NULL AUTO_INCREMENT,
+ SAML2_ID VARCHAR(255) ,
+ SAML2_ISSUER VARCHAR(255) ,
+ SAML2_SUBJECT VARCHAR(255) ,
+ SAML2_SESSION_INDEX VARCHAR(255) ,
+ SAML2_AUTHN_CONTEXT_CLASS_REF VARCHAR(255) ,
+ SAML2_ASSERTION VARCHAR(4096) ,
+ ASSERTION BLOB ,
+ PRIMARY KEY (ID)
+);
+
+CREATE TABLE IDN_SAML2_ARTIFACT_STORE (
+ ID INT NOT NULL AUTO_INCREMENT,
+ SOURCE_ID VARCHAR(255) NOT NULL,
+ MESSAGE_HANDLER VARCHAR(255) NOT NULL,
+ AUTHN_REQ_DTO BLOB NOT NULL,
+ SESSION_ID VARCHAR(255) NOT NULL,
+ INIT_TIMESTAMP TIMESTAMP NOT NULL,
+ EXP_TIMESTAMP TIMESTAMP NOT NULL,
+ ASSERTION_ID VARCHAR(255),
+ PRIMARY KEY (`ID`)
+);
+
+CREATE TABLE IF NOT EXISTS IDN_OIDC_JTI (
+ JWT_ID VARCHAR(255),
+ TENANT_ID INTEGER NOT NULL,
+ EXP_TIME TIMESTAMP NOT NULL ,
+ TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP ,
+ PRIMARY KEY (JWT_ID, TENANT_ID)
+);
+
+
+CREATE TABLE IF NOT EXISTS IDN_OIDC_PROPERTY (
+ ID INTEGER NOT NULL AUTO_INCREMENT,
+ TENANT_ID INTEGER,
+ CONSUMER_KEY VARCHAR(255) ,
+ PROPERTY_KEY VARCHAR(255) NOT NULL,
+ PROPERTY_VALUE VARCHAR(2047) ,
+ PRIMARY KEY (ID),
+ FOREIGN KEY (CONSUMER_KEY) REFERENCES IDN_OAUTH_CONSUMER_APPS(CONSUMER_KEY) ON DELETE CASCADE
+);
+CREATE TABLE IF NOT EXISTS IDN_OIDC_REQ_OBJECT_REFERENCE (
+ ID INTEGER NOT NULL AUTO_INCREMENT,
+ CONSUMER_KEY_ID INTEGER ,
+ CODE_ID VARCHAR(255) ,
+ TOKEN_ID VARCHAR(255) ,
+ SESSION_DATA_KEY VARCHAR(255),
+ PRIMARY KEY (ID),
+ FOREIGN KEY (CONSUMER_KEY_ID) REFERENCES IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE,
+ FOREIGN KEY (TOKEN_ID) REFERENCES IDN_OAUTH2_ACCESS_TOKEN(TOKEN_ID) ON DELETE CASCADE,
+ FOREIGN KEY (CODE_ID) REFERENCES IDN_OAUTH2_AUTHORIZATION_CODE(CODE_ID) ON DELETE CASCADE
+);
+
+CREATE TABLE IF NOT EXISTS IDN_OIDC_REQ_OBJECT_CLAIMS (
+ ID INTEGER NOT NULL AUTO_INCREMENT,
+ REQ_OBJECT_ID INTEGER,
+ CLAIM_ATTRIBUTE VARCHAR(255) ,
+ ESSENTIAL CHAR(1) NOT NULL DEFAULT '0',
+ `VALUE` VARCHAR(255) ,
+ IS_USERINFO CHAR(1) NOT NULL DEFAULT '0',
+ PRIMARY KEY (ID),
+ FOREIGN KEY (REQ_OBJECT_ID) REFERENCES IDN_OIDC_REQ_OBJECT_REFERENCE (ID) ON DELETE CASCADE
+);
+
+CREATE TABLE IF NOT EXISTS IDN_OIDC_REQ_OBJ_CLAIM_VALUES (
+ ID INTEGER NOT NULL AUTO_INCREMENT,
+ REQ_OBJECT_CLAIMS_ID INTEGER ,
+ CLAIM_VALUES VARCHAR(255) ,
+ PRIMARY KEY (ID),
+ FOREIGN KEY (REQ_OBJECT_CLAIMS_ID) REFERENCES IDN_OIDC_REQ_OBJECT_CLAIMS(ID) ON DELETE CASCADE
+);
+
+CREATE TABLE IF NOT EXISTS IDN_CERTIFICATE (
+ ID INTEGER NOT NULL AUTO_INCREMENT,
+ NAME VARCHAR(100),
+ CERTIFICATE_IN_PEM BLOB,
+ TENANT_ID INTEGER DEFAULT 0,
+ PRIMARY KEY(ID),
+ CONSTRAINT CERTIFICATE_UNIQUE_KEY UNIQUE (NAME, TENANT_ID)
+);
+
+CREATE TABLE IF NOT EXISTS IDN_OIDC_SCOPE_CLAIM_MAPPING (
+ ID INTEGER NOT NULL AUTO_INCREMENT,
+ SCOPE_ID INTEGER NOT NULL,
+ EXTERNAL_CLAIM_ID INTEGER NOT NULL,
+ PRIMARY KEY (ID),
+ FOREIGN KEY (SCOPE_ID) REFERENCES IDN_OAUTH2_SCOPE(SCOPE_ID) ON DELETE CASCADE,
+ FOREIGN KEY (EXTERNAL_CLAIM_ID) REFERENCES IDN_CLAIM(ID) ON DELETE CASCADE,
+ UNIQUE (SCOPE_ID, EXTERNAL_CLAIM_ID)
+);
+
+CREATE TABLE IF NOT EXISTS IDN_FUNCTION_LIBRARY (
+ NAME VARCHAR(255) NOT NULL,
+ DESCRIPTION VARCHAR(1023),
+ TYPE VARCHAR(255) NOT NULL,
+ TENANT_ID INTEGER NOT NULL,
+ DATA BLOB NOT NULL,
+ PRIMARY KEY (TENANT_ID,NAME)
+);
+
+CREATE TABLE IF NOT EXISTS IDN_OAUTH2_CIBA_AUTH_CODE (
+ AUTH_CODE_KEY CHAR (36),
+ AUTH_REQ_ID CHAR (36),
+ ISSUED_TIME TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ CONSUMER_KEY VARCHAR(255),
+ LAST_POLLED_TIME TIMESTAMP NOT NULL,
+ POLLING_INTERVAL INTEGER,
+ EXPIRES_IN INTEGER,
+ AUTHENTICATED_USER_NAME VARCHAR(255),
+ USER_STORE_DOMAIN VARCHAR(100),
+ TENANT_ID INTEGER,
+ AUTH_REQ_STATUS VARCHAR (100) DEFAULT 'REQUESTED',
+ IDP_ID INTEGER,
+ UNIQUE(AUTH_REQ_ID),
+ PRIMARY KEY (AUTH_CODE_KEY),
+ FOREIGN KEY (CONSUMER_KEY) REFERENCES IDN_OAUTH_CONSUMER_APPS(CONSUMER_KEY) ON DELETE CASCADE
+);
+
+CREATE TABLE IF NOT EXISTS IDN_OAUTH2_CIBA_REQUEST_SCOPES (
+ ID INTEGER NOT NULL AUTO_INCREMENT,
+ AUTH_CODE_KEY CHAR (36),
+ SCOPE VARCHAR (255),
+ FOREIGN KEY (AUTH_CODE_KEY) REFERENCES IDN_OAUTH2_CIBA_AUTH_CODE(AUTH_CODE_KEY) ON DELETE CASCADE,
+ PRIMARY KEY (ID)
+);
+
+CREATE TABLE IF NOT EXISTS IDN_FED_AUTH_SESSION_MAPPING (
+ ID INTEGER NOT NULL AUTO_INCREMENT,
+ IDP_SESSION_ID VARCHAR(255) NOT NULL,
+ SESSION_ID VARCHAR(255) NOT NULL,
+ IDP_NAME VARCHAR(255) NOT NULL,
+ AUTHENTICATOR_ID VARCHAR(255),
+ PROTOCOL_TYPE VARCHAR(255),
+ TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ TENANT_ID INTEGER NOT NULL DEFAULT 0,
+ IDP_ID INTEGER NOT NULL DEFAULT 0,
+ FOREIGN KEY (IDP_ID) REFERENCES IDP(ID) ON DELETE CASCADE,
+ PRIMARY KEY (ID),
+ UNIQUE (IDP_SESSION_ID, TENANT_ID, IDP_ID)
+);
+
+CREATE TABLE IF NOT EXISTS IDN_CONFIG_TYPE (
+ ID VARCHAR(255) NOT NULL,
+ NAME VARCHAR(255) NOT NULL,
+ DESCRIPTION VARCHAR(1023) NULL,
+ PRIMARY KEY (ID),
+ CONSTRAINT TYPE_NAME_CONSTRAINT UNIQUE (NAME)
+);
+
+INSERT INTO IDN_CONFIG_TYPE (ID, NAME, DESCRIPTION) VALUES
+('9ab0ef95-13e9-4ed5-afaf-d29bed62f7bd', 'IDP_TEMPLATE', 'Template type to uniquely identify IDP templates'),
+('3c4ac3d0-5903-4e3d-aaca-38df65b33bfd', 'APPLICATION_TEMPLATE', 'Template type to uniquely identify Application templates'),
+('8ec6dbf1-218a-49bf-bc34-0d2db52d151c', 'CORS_CONFIGURATION', 'A resource type to keep the tenant CORS configurations'),
+('669b99ca-cdb0-44a6-8cae-babed3b585df', 'Publisher', 'A resource type to keep the event publisher configurations'),
+('73f6d9ca-62f4-4566-bab9-2a930ae51ba8', 'BRANDING_PREFERENCES', 'A resource type to keep the tenant branding preferences'),
+('899c69b2-8bf7-46b5-9666-f7f99f90d6cc', 'fido-config', 'A resource type to store FIDO authenticator related preferences'),
+('7f24050f-3e3d-4a00-b10f-fd5450d6523e', 'input-validation-configurations', 'A resource type to store input validation related configurations'),
+('f4e83b8a-d1c4-a0d6-03a7-d48e268c60c5', 'PK_JWT_CONFIGURATION', 'A resource type to keep the tenant private key jwt configuration.'),
+('9ec61e9d-f0e6-4952-9a09-ab842aeb2db2', 'ATTRIBUTE_CONFIGURATION', 'A resource type to store attribute related configurations.');
+
+CREATE TABLE IF NOT EXISTS IDN_CONFIG_RESOURCE (
+ ID VARCHAR(255) NOT NULL,
+ TENANT_ID INT NOT NULL,
+ NAME VARCHAR(255) NOT NULL,
+ CREATED_TIME TIMESTAMP NOT NULL,
+ LAST_MODIFIED TIMESTAMP NOT NULL,
+ HAS_FILE BOOLEAN NOT NULL,
+ HAS_ATTRIBUTE BOOLEAN NOT NULL,
+ TYPE_ID VARCHAR(255) NOT NULL,
+ UNIQUE (NAME, TENANT_ID, TYPE_ID),
+ PRIMARY KEY (ID)
+);
+ALTER TABLE IDN_CONFIG_RESOURCE
+ADD CONSTRAINT TYPE_ID_FOREIGN_CONSTRAINT FOREIGN KEY (TYPE_ID) REFERENCES IDN_CONFIG_TYPE (ID)
+ON DELETE CASCADE ON UPDATE CASCADE;
+
+CREATE TABLE IF NOT EXISTS IDN_CONFIG_ATTRIBUTE (
+ ID VARCHAR(255) NOT NULL,
+ RESOURCE_ID VARCHAR(255) NOT NULL,
+ ATTR_KEY VARCHAR(255) NOT NULL,
+ ATTR_VALUE VARCHAR(1023) NULL,
+ PRIMARY KEY (ID),
+ UNIQUE (RESOURCE_ID, ATTR_KEY)
+);
+ALTER TABLE IDN_CONFIG_ATTRIBUTE
+ADD CONSTRAINT RESOURCE_ID_ATTRIBUTE_FOREIGN_CONSTRAINT FOREIGN KEY (RESOURCE_ID) REFERENCES
+IDN_CONFIG_RESOURCE (ID) ON DELETE CASCADE ON UPDATE CASCADE;
+
+CREATE TABLE IF NOT EXISTS IDN_CONFIG_FILE (
+ ID VARCHAR(255) NOT NULL,
+ `VALUE` BLOB NULL,
+ RESOURCE_ID VARCHAR(255) NOT NULL,
+ NAME VARCHAR(255) NULL,
+ PRIMARY KEY (ID)
+);
+ALTER TABLE IDN_CONFIG_FILE
+ADD CONSTRAINT RESOURCE_ID_FILE_FOREIGN_CONSTRAINT FOREIGN KEY (RESOURCE_ID) REFERENCES
+IDN_CONFIG_RESOURCE (ID) ON DELETE CASCADE ON UPDATE CASCADE;
+
+CREATE TABLE IF NOT EXISTS IDN_REMOTE_FETCH_CONFIG (
+ ID VARCHAR(255) NOT NULL,
+ TENANT_ID INTEGER NOT NULL,
+ IS_ENABLED CHAR(1) NOT NULL,
+ REPO_MANAGER_TYPE VARCHAR(255) NOT NULL,
+ ACTION_LISTENER_TYPE VARCHAR(255) NOT NULL,
+ CONFIG_DEPLOYER_TYPE VARCHAR(255) NOT NULL,
+ REMOTE_FETCH_NAME VARCHAR(255),
+ REMOTE_RESOURCE_URI VARCHAR(255) NOT NULL,
+ ATTRIBUTES_JSON MEDIUMTEXT NOT NULL,
+ PRIMARY KEY (ID),
+ CONSTRAINT UC_REMOTE_RESOURCE_TYPE UNIQUE (TENANT_ID, CONFIG_DEPLOYER_TYPE)
+);
+
+CREATE TABLE IF NOT EXISTS IDN_REMOTE_FETCH_REVISIONS (
+ ID VARCHAR(255) NOT NULL,
+ CONFIG_ID VARCHAR(255) NOT NULL,
+ FILE_PATH VARCHAR(255) NOT NULL,
+ FILE_HASH VARCHAR(255),
+ DEPLOYED_DATE TIMESTAMP,
+ LAST_SYNC_TIME TIMESTAMP,
+ DEPLOYMENT_STATUS VARCHAR(255),
+ ITEM_NAME VARCHAR(255),
+ DEPLOY_ERR_LOG MEDIUMTEXT,
+ PRIMARY KEY (ID),
+ FOREIGN KEY (CONFIG_ID) REFERENCES IDN_REMOTE_FETCH_CONFIG(ID) ON DELETE CASCADE,
+ CONSTRAINT UC_REVISIONS UNIQUE (CONFIG_ID, ITEM_NAME)
+);
+
+
+CREATE TABLE IF NOT EXISTS IDN_USER_FUNCTIONALITY_MAPPING (
+ ID VARCHAR(255) NOT NULL,
+ USER_ID VARCHAR(255) NOT NULL,
+ TENANT_ID INTEGER NOT NULL,
+ FUNCTIONALITY_ID VARCHAR(255) NOT NULL,
+ IS_FUNCTIONALITY_LOCKED BOOLEAN NOT NULL,
+ FUNCTIONALITY_UNLOCK_TIME BIGINT NOT NULL,
+ FUNCTIONALITY_LOCK_REASON VARCHAR(1023),
+ FUNCTIONALITY_LOCK_REASON_CODE VARCHAR(255),
+ PRIMARY KEY (ID),
+ CONSTRAINT IDN_USER_FUNCTIONALITY_MAPPING_CONSTRAINT UNIQUE (USER_ID, TENANT_ID, FUNCTIONALITY_ID)
+);
+
+CREATE TABLE IF NOT EXISTS IDN_USER_FUNCTIONALITY_PROPERTY (
+ ID VARCHAR(255) NOT NULL,
+ USER_ID VARCHAR(255) NOT NULL,
+ TENANT_ID INTEGER NOT NULL,
+ FUNCTIONALITY_ID VARCHAR(255) NOT NULL,
+ PROPERTY_NAME VARCHAR(255),
+ PROPERTY_VALUE VARCHAR(255),
+ PRIMARY KEY (ID),
+ CONSTRAINT IDN_USER_FUNCTIONALITY_PROPERTY_CONSTRAINT UNIQUE (USER_ID, TENANT_ID, FUNCTIONALITY_ID, PROPERTY_NAME)
+);
+
+CREATE TABLE IF NOT EXISTS IDN_CORS_ORIGIN (
+ ID INT NOT NULL AUTO_INCREMENT,
+ TENANT_ID INT NOT NULL,
+ ORIGIN VARCHAR(2048) NOT NULL,
+ UUID CHAR(36) NOT NULL,
+
+ PRIMARY KEY (ID),
+ UNIQUE (TENANT_ID, ORIGIN),
+ UNIQUE (UUID)
+);
+
+CREATE TABLE IF NOT EXISTS IDN_CORS_ASSOCIATION (
+ IDN_CORS_ORIGIN_ID INT NOT NULL,
+ SP_APP_ID INT NOT NULL,
+
+ PRIMARY KEY (IDN_CORS_ORIGIN_ID, SP_APP_ID),
+ FOREIGN KEY (IDN_CORS_ORIGIN_ID) REFERENCES IDN_CORS_ORIGIN (ID) ON DELETE CASCADE,
+ FOREIGN KEY (SP_APP_ID) REFERENCES SP_APP (ID) ON DELETE CASCADE
+);
+
+CREATE TABLE IF NOT EXISTS IDN_OAUTH2_USER_CONSENT (
+ ID INTEGER NOT NULL AUTO_INCREMENT,
+ USER_ID VARCHAR(255) NOT NULL,
+ APP_ID CHAR(36) NOT NULL,
+ TENANT_ID INTEGER NOT NULL DEFAULT -1,
+ CONSENT_ID VARCHAR(255) NOT NULL,
+ PRIMARY KEY (ID),
+ FOREIGN KEY (APP_ID) REFERENCES SP_APP(UUID) ON DELETE CASCADE,
+ UNIQUE (USER_ID, APP_ID, TENANT_ID),
+ UNIQUE (CONSENT_ID)
+);
+
+CREATE TABLE IF NOT EXISTS IDN_OAUTH2_USER_CONSENTED_SCOPES (
+ ID INTEGER NOT NULL AUTO_INCREMENT,
+ CONSENT_ID VARCHAR(255) NOT NULL,
+ TENANT_ID INTEGER NOT NULL DEFAULT -1,
+ SCOPE VARCHAR(255) NOT NULL,
+ CONSENT BOOLEAN NOT NULL,
+ PRIMARY KEY (ID),
+ FOREIGN KEY (CONSENT_ID) REFERENCES IDN_OAUTH2_USER_CONSENT(CONSENT_ID) ON DELETE CASCADE,
+ UNIQUE (CONSENT_ID, SCOPE)
+);
+
+CREATE TABLE IF NOT EXISTS IDN_SECRET_TYPE (
+ ID VARCHAR(255) NOT NULL,
+ NAME VARCHAR(255) NOT NULL,
+ DESCRIPTION VARCHAR(1023) NULL,
+ PRIMARY KEY (ID),
+ CONSTRAINT SECRET_TYPE_NAME_CONSTRAINT UNIQUE (NAME)
+);
+
+INSERT INTO IDN_SECRET_TYPE (ID, NAME, DESCRIPTION) VALUES
+('1358bdbf-e0cc-4268-a42c-c3e0960e13f0', 'ADAPTIVE_AUTH_CALL_CHOREO', 'Secret type to uniquely identify secrets relevant to callChoreo adaptive auth function'),
+('c508ca28-60c0-4493-a758-77e4173ffdb9', 'IDP_SECRET_PROPERTIES', 'Secret type to uniquely identify secrets relevant to identity providers'),
+('433df096-62b7-4a36-b3eb-1bed9150ed35', 'IDVP_SECRET_PROPERTIES', 'Secret type to uniquely identify secrets relevant to identity verification providers');
+
+CREATE TABLE IF NOT EXISTS IDN_SECRET (
+ ID VARCHAR(255) NOT NULL,
+ TENANT_ID INT NOT NULL,
+ SECRET_NAME VARCHAR(1023) NOT NULL,
+ SECRET_VALUE VARCHAR(8000) NOT NULL,
+ CREATED_TIME TIMESTAMP NOT NULL,
+ LAST_MODIFIED TIMESTAMP NOT NULL,
+ TYPE_ID VARCHAR(255) NOT NULL,
+ DESCRIPTION VARCHAR(1023) NULL,
+ KEY_ID VARCHAR(255) NULL,
+ PRIMARY KEY (ID),
+ FOREIGN KEY (TYPE_ID) REFERENCES IDN_SECRET_TYPE(ID) ON DELETE CASCADE,
+ UNIQUE (SECRET_NAME, TENANT_ID, TYPE_ID)
+);
+
+CREATE TABLE IF NOT EXISTS SP_SHARED_APP (
+ ID INTEGER NOT NULL AUTO_INCREMENT,
+ MAIN_APP_ID CHAR(36) NOT NULL,
+ OWNER_ORG_ID CHAR(36) NOT NULL,
+ SHARED_APP_ID CHAR(36) NOT NULL,
+ SHARED_ORG_ID CHAR(36) NOT NULL,
+ SHARE_WITH_ALL_CHILDREN BOOLEAN DEFAULT FALSE,
+ PRIMARY KEY (ID),
+ FOREIGN KEY (MAIN_APP_ID) REFERENCES SP_APP(UUID) ON DELETE CASCADE,
+ FOREIGN KEY (SHARED_APP_ID) REFERENCES SP_APP(UUID) ON DELETE CASCADE,
+ UNIQUE (MAIN_APP_ID, OWNER_ORG_ID, SHARED_ORG_ID),
+ UNIQUE (SHARED_APP_ID)
+);
+
+CREATE TABLE IF NOT EXISTS IDVP (
+ ID INTEGER NOT NULL AUTO_INCREMENT,
+ UUID CHAR(36) NOT NULL,
+ TENANT_ID INTEGER NOT NULL,
+ IDVP_TYPE VARCHAR(254),
+ NAME VARCHAR(254),
+ DESCRIPTION VARCHAR(1024),
+ IS_ENABLED CHAR(1) NOT NULL DEFAULT '0',
+ PRIMARY KEY (ID),
+ UNIQUE (TENANT_ID, NAME),
+ UNIQUE (UUID)
+);
+
+CREATE TABLE IF NOT EXISTS IDVP_CLAIM_MAPPING (
+ ID INTEGER NOT NULL AUTO_INCREMENT,
+ IDVP_ID INTEGER NOT NULL,
+ TENANT_ID INTEGER NOT NULL,
+ CLAIM VARCHAR(254),
+ LOCAL_CLAIM VARCHAR(254),
+ PRIMARY KEY (ID),
+ UNIQUE (IDVP_ID, CLAIM, TENANT_ID),
+ FOREIGN KEY (IDVP_ID) REFERENCES IDVP(ID) ON DELETE CASCADE
+);
+
+CREATE TABLE IF NOT EXISTS IDVP_CONFIG (
+ ID INTEGER NOT NULL AUTO_INCREMENT,
+ IDVP_ID INTEGER NOT NULL,
+ TENANT_ID INTEGER NOT NULL,
+ PROPERTY_KEY VARCHAR(254) NOT NULL,
+ PROPERTY_VALUE VARCHAR(1024),
+ IS_SECRET CHAR (1) DEFAULT '0',
+ PRIMARY KEY (ID),
+ UNIQUE (IDVP_ID, PROPERTY_KEY, TENANT_ID),
+ FOREIGN KEY (IDVP_ID) REFERENCES IDVP(ID) ON DELETE CASCADE
+);
+
+CREATE TABLE IF NOT EXISTS IDV_CLAIM (
+ ID INTEGER NOT NULL AUTO_INCREMENT,
+ UUID CHAR(36) NOT NULL,
+ USER_ID VARCHAR(254) NOT NULL,
+ CLAIM_URI VARCHAR(254),
+ IDVP_ID CHAR(36) NOT NULL,
+ TENANT_ID INTEGER NOT NULL,
+ IS_VERIFIED CHAR(1) NOT NULL DEFAULT '0',
+ METADATA BLOB,
+ PRIMARY KEY (ID),
+ UNIQUE (CLAIM_URI, TENANT_ID, USER_ID, IDVP_ID),
+ UNIQUE (UUID),
+ FOREIGN KEY (IDVP_ID) REFERENCES IDVP(UUID) ON DELETE CASCADE
+);
+
+CREATE TABLE IF NOT EXISTS IDN_OAUTH_PAR (
+ REQ_URI_REF VARCHAR(255) PRIMARY KEY,
+ CLIENT_ID VARCHAR(255),
+ SCHEDULED_EXPIRY BIGINT,
+ PARAMETERS MEDIUMTEXT
+);
+
+CREATE TABLE IF NOT EXISTS APP_ROLE (
+ ROLE_ID varchar(255) NOT NULL PRIMARY KEY,
+ ROLE_NAME varchar(255) NOT NULL,
+ TENANT_ID INTEGER NOT NULL,
+ APP_ID varchar(36) NOT NULL,
+ CURSOR_KEY SERIAL,
+ UNIQUE (ROLE_NAME, TENANT_ID, APP_ID),
+ FOREIGN KEY (APP_ID) REFERENCES SP_APP(UUID) ON DELETE CASCADE
+);
+CREATE TABLE IF NOT EXISTS SHARED_ROLE (
+ SHARED_ROLE_ID varchar(255) NOT NULL,
+ MAIN_ROLE_ID varchar(255) NOT NULL,
+ UNIQUE (SHARED_ROLE_ID, MAIN_ROLE_ID),
+ PRIMARY KEY (SHARED_ROLE_ID, MAIN_ROLE_ID),
+ FOREIGN KEY (SHARED_ROLE_ID) REFERENCES APP_ROLE(ROLE_ID) ON DELETE CASCADE,
+ FOREIGN KEY (MAIN_ROLE_ID) REFERENCES APP_ROLE(ROLE_ID) ON DELETE CASCADE
+);
+CREATE TABLE IF NOT EXISTS GROUP_ROLE (
+ ROLE_ID varchar(255) NOT NULL,
+ IDP_ID varchar(255) NOT NULL,
+ TENANT_ID varchar(255) NOT NULL,
+ GROUP_ID varchar(255) NOT NULL,
+ CURSOR_KEY SERIAL,
+ FOREIGN KEY (ROLE_ID) REFERENCES APP_ROLE(ROLE_ID) ON DELETE CASCADE,
+ FOREIGN KEY (IDP_ID) REFERENCES IDP(UUID) ON DELETE CASCADE,
+ CONSTRAINT GROUP_ROLE_UNIQUE UNIQUE (ROLE_ID, IDP_ID, GROUP_ID)
+);
+
+CREATE TABLE IF NOT EXISTS USER_ROLE (
+ ROLE_ID varchar(255) NOT NULL,
+ TENANT_ID varchar(255) NOT NULL,
+ USER_ID varchar(255) NOT NULL,
+ CURSOR_KEY SERIAL,
+ FOREIGN KEY (ROLE_ID) REFERENCES APP_ROLE(ROLE_ID) ON DELETE CASCADE,
+ CONSTRAINT USER_ROLE_UNIQUE UNIQUE (ROLE_ID, TENANT_ID, USER_ID)
+);
+
+-- --------------------------- INDEX CREATION -----------------------------
+-- IDN_OAUTH2_ACCESS_TOKEN --
+CREATE INDEX IDX_TC ON IDN_OAUTH2_ACCESS_TOKEN(TIME_CREATED);
+CREATE INDEX IDX_ATH ON IDN_OAUTH2_ACCESS_TOKEN(ACCESS_TOKEN_HASH);
+CREATE INDEX IDX_AT_TI_UD ON IDN_OAUTH2_ACCESS_TOKEN(AUTHZ_USER, TENANT_ID, TOKEN_STATE, USER_DOMAIN);
+CREATE INDEX IDX_AT_AT ON IDN_OAUTH2_ACCESS_TOKEN(ACCESS_TOKEN);
+CREATE INDEX IDX_AT_RTH ON IDN_OAUTH2_ACCESS_TOKEN(REFRESH_TOKEN_HASH);
+CREATE INDEX IDX_AT_RT ON IDN_OAUTH2_ACCESS_TOKEN(REFRESH_TOKEN);
+CREATE INDEX IDX_TBR_TS ON IDN_OAUTH2_ACCESS_TOKEN(TOKEN_BINDING_REF, TOKEN_STATE);
+
+-- IDN_OAUTH2_AUTHORIZATION_CODE --
+CREATE INDEX IDX_AUTHORIZATION_CODE_HASH ON IDN_OAUTH2_AUTHORIZATION_CODE (AUTHORIZATION_CODE_HASH, CONSUMER_KEY_ID);
+CREATE INDEX IDX_AUTHORIZATION_CODE_AU_TI ON IDN_OAUTH2_AUTHORIZATION_CODE (AUTHZ_USER, TENANT_ID, USER_DOMAIN, STATE);
+CREATE INDEX IDX_AC_CKID ON IDN_OAUTH2_AUTHORIZATION_CODE(CONSUMER_KEY_ID);
+CREATE INDEX IDX_AC_TID ON IDN_OAUTH2_AUTHORIZATION_CODE(TOKEN_ID);
+CREATE INDEX IDX_AC_AC_CKID ON IDN_OAUTH2_AUTHORIZATION_CODE(AUTHORIZATION_CODE, CONSUMER_KEY_ID);
+CREATE INDEX IDX_AT_CKID_AU_TID_UD_TSH_TS ON IDN_OAUTH2_ACCESS_TOKEN(CONSUMER_KEY_ID, AUTHZ_USER, TENANT_ID, USER_DOMAIN, TOKEN_SCOPE_HASH, TOKEN_STATE);
+
+-- IDN_SCIM_GROUP --
+CREATE INDEX IDX_IDN_SCIM_GROUP_TI_RN ON IDN_SCIM_GROUP (TENANT_ID, ROLE_NAME);
+CREATE INDEX IDX_IDN_SCIM_GROUP_TI_RN_AN ON IDN_SCIM_GROUP (TENANT_ID, ROLE_NAME, ATTR_NAME);
+
+-- IDN_AUTH_SESSION_STORE --
+CREATE INDEX IDX_IDN_AUTH_SESSION_TIME ON IDN_AUTH_SESSION_STORE (TIME_CREATED);
+CREATE INDEX IDX_IDN_AUTH_SSTR_ST_OP_ID_TM ON IDN_AUTH_SESSION_STORE (OPERATION, SESSION_TYPE, SESSION_ID, TIME_CREATED);
+CREATE INDEX IDX_IDN_AUTH_SSTR_ET_ID ON IDN_AUTH_SESSION_STORE (EXPIRY_TIME, SESSION_ID);
+
+-- IDN_AUTH_TEMP_SESSION_STORE --
+CREATE INDEX IDX_IDN_AUTH_TMP_SESSION_TIME ON IDN_AUTH_TEMP_SESSION_STORE (TIME_CREATED);
+
+-- IDN_OIDC_SCOPE_CLAIM_MAPPING --
+CREATE INDEX IDX_AT_SI_ECI ON IDN_OIDC_SCOPE_CLAIM_MAPPING(SCOPE_ID, EXTERNAL_CLAIM_ID);
+
+-- IDN_OAUTH2_SCOPE --
+CREATE INDEX IDX_SC_TID ON IDN_OAUTH2_SCOPE(TENANT_ID);
+
+-- IDN_OAUTH2_SCOPE_BINDING --
+CREATE INDEX IDX_SB_SCPID ON IDN_OAUTH2_SCOPE_BINDING(SCOPE_ID);
+
+-- IDN_OIDC_REQ_OBJECT_REFERENCE --
+CREATE INDEX IDX_OROR_TID ON IDN_OIDC_REQ_OBJECT_REFERENCE(TOKEN_ID);
+
+-- IDN_OAUTH2_ACCESS_TOKEN_SCOPE --
+CREATE INDEX IDX_ATS_TID ON IDN_OAUTH2_ACCESS_TOKEN_SCOPE(TOKEN_ID);
+
+-- SP_TEMPLATE --
+CREATE INDEX IDX_SP_TEMPLATE ON SP_TEMPLATE (TENANT_ID, NAME);
+
+-- IDN_AUTH_USER --
+CREATE INDEX IDX_AUTH_USER_UN_TID_DN ON IDN_AUTH_USER (USER_NAME, TENANT_ID, DOMAIN_NAME);
+CREATE INDEX IDX_AUTH_USER_DN_TOD ON IDN_AUTH_USER (DOMAIN_NAME, TENANT_ID);
+
+-- IDN_AUTH_USER_SESSION_MAPPING --
+CREATE INDEX IDX_USER_ID ON IDN_AUTH_USER_SESSION_MAPPING (USER_ID);
+CREATE INDEX IDX_SESSION_ID ON IDN_AUTH_USER_SESSION_MAPPING (SESSION_ID);
+
+-- IDN_AUTH_SESSION_APP_INFO --
+CREATE INDEX IDX_AUTH_SAI_UN_AID_SID ON IDN_AUTH_SESSION_APP_INFO (APP_ID, SUBJECT, SESSION_ID);
+
+-- IDN_OAUTH_CONSUMER_APPS --
+CREATE INDEX IDX_OCA_UM_TID_UD_APN ON IDN_OAUTH_CONSUMER_APPS(USERNAME,TENANT_ID,USER_DOMAIN, APP_NAME);
+
+-- IDX_SPI_APP --
+CREATE INDEX IDX_SPI_APP ON SP_INBOUND_AUTH(APP_ID);
+
+-- IDN_OIDC_PROPERTY --
+CREATE INDEX IDX_IOP_CK ON IDN_OIDC_PROPERTY(CONSUMER_KEY);
+
+-- IDN_FIDO2_PROPERTY --
+CREATE INDEX IDX_FIDO2_STR ON FIDO2_DEVICE_STORE(USER_NAME, TENANT_ID, DOMAIN_NAME, CREDENTIAL_ID, USER_HANDLE);
+
+-- IDN_ASSOCIATED_ID --
+CREATE INDEX IDX_AI_DN_UN_AI ON IDN_ASSOCIATED_ID(DOMAIN_NAME, USER_NAME, ASSOCIATION_ID);
+
+-- IDN_OAUTH2_TOKEN_BINDING --
+CREATE INDEX IDX_IDN_AUTH_BIND ON IDN_OAUTH2_TOKEN_BINDING (TOKEN_BINDING_REF);
+CREATE INDEX IDX_TK_VALUE_TYPE ON IDN_OAUTH2_TOKEN_BINDING (TOKEN_BINDING_VALUE, TOKEN_BINDING_TYPE);
+
+-- IDN_FED_AUTH_SESSION_MAPPING --
+CREATE INDEX IDX_FEDERATED_AUTH_SESSION_ID ON IDN_FED_AUTH_SESSION_MAPPING (SESSION_ID);
+
+-- IDN_REMOTE_FETCH_REVISIONS --
+CREATE INDEX IDX_REMOTE_FETCH_REVISION_CONFIG_ID ON IDN_REMOTE_FETCH_REVISIONS (CONFIG_ID);
+
+-- IDN_CORS_ASSOCIATION --
+CREATE INDEX IDX_CORS_SP_APP_ID ON IDN_CORS_ASSOCIATION (SP_APP_ID);
+
+-- IDN_CORS_ASSOCIATION --
+CREATE INDEX IDX_CORS_ORIGIN_ID ON IDN_CORS_ASSOCIATION (IDN_CORS_ORIGIN_ID);
+
+-- IDN_SECRET --
+CREATE INDEX IDN_SECRET_TYPE_ID ON IDN_SECRET (TYPE_ID);
+
+-- IDN_CLAIM --
+CREATE INDEX IDX_CLAIM_TI_CU ON IDN_CLAIM (TENANT_ID, CLAIM_URI);
+
+-- IDP_AUTHENTICATOR_PROPERTY --
+CREATE INDEX IDX_AUTH_PROP_AUTH_ID ON IDP_AUTHENTICATOR_PROPERTY (AUTHENTICATOR_ID);
+
+-- IDN_CONFIG_FILE --
+CREATE INDEX IDX_CON_FILE_RES_ID ON IDN_CONFIG_FILE (RESOURCE_ID);
+
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/resources/repository.conf/carbon.xml b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/resources/repository.conf/carbon.xml
new file mode 100644
index 000000000000..b46fba1be7df
--- /dev/null
+++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/resources/repository.conf/carbon.xml
@@ -0,0 +1,686 @@ + + + + + + + + WSO2 Identity Server + + + IS + + + 5.3.0 + + + localhost + + + localhost + + + local:/${carbon.context}/services/ + + + + + + + IdentityServer + + + + + + + org.wso2.carbon + + + / + + + + + + + + + 15 + + + + + + + + + 0 + + + + + 9999 + + 11111 + + + + + + 10389 + + 8000 + + + + + + 10500 + + + + + + + + + org.wso2.carbon.tomcat.jndi.CarbonJavaURLContextFactory + + + + + + + + + java + + + + + + + + + + false + + + false + + + 600 + + + + false + + + + + + + + 30 + + + + + + + + + 15 + + + + + + ${carbon.home}/repository/deployment/server/ + + + 15 + + + ${carbon.home}/repository/conf/axis2/axis2.xml + + + 30000 + + + ${carbon.home}/repository/deployment/client/ + + ${carbon.home}/repository/conf/axis2/axis2_client.xml + + true + + + + + + + + + + admin + Default Administrator Role + + + user + Default User Role + + + + + + + + + + + + ${carbon.home}/repository/resources/security/wso2carbon.jks + + JKS + + wso2carbon + + wso2carbon + + wso2carbon + + + + + + ${carbon.home}/repository/resources/security/client-truststore.jks + + JKS + + wso2carbon + + + + + + + + + + + + + + + + + + + UserManager + + + false + + org.wso2.carbon.identity.provider.AttributeCallbackHandler + + + org.wso2.carbon.identity.sts.store.DBTokenStore + + + true + allow + + + + + + + claim_mgt_menu + identity_mgt_emailtemplate_menu + identity_security_questions_menu + + + + ${carbon.home}/tmp/work + + + + + + true + + + 10 + + + 30 + + + + + + 100 + + + + keystore + certificate + * + + org.wso2.carbon.ui.transports.fileupload.AnyFileUploadExecutor + + + + + jarZip + + org.wso2.carbon.ui.transports.fileupload.JarZipUploadExecutor + + + + dbs + + org.wso2.carbon.ui.transports.fileupload.DBSFileUploadExecutor + + + + tools + + org.wso2.carbon.ui.transports.fileupload.ToolsFileUploadExecutor + + + + toolsAny + + org.wso2.carbon.ui.transports.fileupload.ToolsAnyFileUploadExecutor + + + + + + + + + + info + org.wso2.carbon.core.transports.util.InfoProcessor + + + 
wsdl + org.wso2.carbon.core.transports.util.Wsdl11Processor + + + wsdl2 + org.wso2.carbon.core.transports.util.Wsdl20Processor + + + xsd + org.wso2.carbon.core.transports.util.XsdProcessor + + + + + + false + false + true + svn + http://svnrepo.example.com/repos/ + username + password + true + + + + + + + + + + + + + + + ${require.carbon.servlet} + + + + + true + + + + + + + default repository + http://product-dist.wso2.com/p2/carbon/releases/wilkes/ + + + + + + + + true + + + + + + true + + diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/resources/repository.conf/identity/identity.xml b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/resources/repository.conf/identity/identity.xml new file mode 100644 index 000000000000..58c05f68e7ee --- /dev/null +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/resources/repository.conf/identity/identity.xml 
@@ -0,0 +1,996 @@ + + + + + + + + + jdbc/WSO2IdentityDB + + + + + true + true + 0 + + true + 20160 + 1140 + + + 50000 + + + true + + + + true + + 20 + + 40 + + + + + + + 15 + 20160 + + + + + + ${carbon.home}/conf/keystores + SunX509 + SunX509 + + + + localhost + + + SelfAndManaged + CertValidate + + + + + + + + + + + ${carbon.protocol}://${carbon.host}:${carbon.management.port}/openidserver + ${carbon.protocol}://${carbon.host}:${carbon.management.port}/openid + ${carbon.protocol}://${carbon.host}:${carbon.management.port}/authenticationendpoint/openid_login.do + + false + + 7200 + + false + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth/request-token + ${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth/authorize-url + ${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth/access-token + ${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth2/authorize + ${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth2/token + ${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth2/revoke + ${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth2/introspect + ${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth2/userinfo + ${carbon.protocol}://${carbon.host}:${carbon.management.port}/oidc/checksession + ${carbon.protocol}://${carbon.host}:${carbon.management.port}/oidc/logout + ${carbon.protocol}://${carbon.host}:${carbon.management.port}/authenticationendpoint/oauth2_authz.do + ${carbon.protocol}://${carbon.host}:${carbon.management.port}/authenticationendpoint/oauth2_error.do + ${carbon.protocol}://${carbon.host}:${carbon.management.port}/authenticationendpoint/oauth2_consent.do + ${carbon.protocol}://${carbon.host}:${carbon.management.port}/authenticationendpoint/oauth2_logout_consent.do + ${carbon.protocol}://${carbon.host}:${carbon.management.port}/authenticationendpoint/oauth2_logout.do + 
+ ${carbon.protocol}://${carbon.host}:${carbon.management.port}/.well-known/webfinger + + + ${carbon.protocol}://${carbon.host}:${carbon.management.port}/api/identity/oauth2/dcr/v1.1/register + ${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth2/jwks + ${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth2/oidcdiscovery + + + 300 + + 3600 + + 3600 + + 84600 + + 0 + + true + + org.wso2.carbon.identity.oauth.tokenprocessor.PlainTextPersistenceProcessor + + false + + false + + + + token + org.wso2.carbon.identity.oauth2.authz.handlers.AccessTokenResponseTypeHandler + + + code + org.wso2.carbon.identity.oauth2.authz.handlers.CodeResponseTypeHandler + + + id_token + org.wso2.carbon.identity.oauth2.authz.handlers.IDTokenResponseTypeHandler + + + id_token token + org.wso2.carbon.identity.oauth2.authz.handlers.IDTokenTokenResponseTypeHandler + + + + + + authorization_code + org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationCodeGrantHandler + + + password + org.wso2.carbon.identity.oauth2.token.handlers.grant.PasswordGrantHandler + + + refresh_token + org.wso2.carbon.identity.oauth2.token.handlers.grant.RefreshGrantHandler + + + client_credentials + org.wso2.carbon.identity.oauth2.token.handlers.grant.ClientCredentialsGrantHandler + false + false + + + urn:ietf:params:oauth:grant-type:saml2-bearer + org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantHandler + + + iwa:ntlm + org.wso2.carbon.identity.oauth2.token.handlers.grant.iwa.ntlm.NTLMAuthenticationGrantHandler + + + urn:ietf:params:oauth:grant-type:jwt-bearer + org.wso2.carbon.identity.oauth2.grant.jwt.JWTBearerGrantHandler + org.wso2.carbon.identity.oauth2.grant.jwt.JWTGrantValidator + + + + + + + authorization_code + + + implicit + + + + + + + + + + + + + + + + + + + + + + + + + false + + + + + + + + false + + + + false + org.wso2.carbon.identity.oauth2.authcontext.JWTTokenGenerator + 
org.wso2.carbon.identity.oauth2.authcontext.DefaultClaimsRetriever + http://wso2.org/claims + SHA256withRSA + 15 + + + + + + + FEDERATED + + + + + org.wso2.carbon.identity.openidconnect.DefaultIDTokenBuilder + SHA256withRSA + + + RSA-OAEP + + A128GCM + + + + RSA1_5 + RSA-OAEP + + + A128GCM + A192GCM + A256GCM + A128CBC-HS256 + A128CBC+HS256 + + + true + + + + + ${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth2/token + org.wso2.carbon.identity.openidconnect.SAMLAssertionClaimsCallback + 3600 + SHA256withRSA + org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoUserStoreClaimRetriever + org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInforRequestDefaultValidator + org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoISAccessTokenValidator + org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoJSONResponseBuilder + false + + false + + 120 + + + + + request_param_value_builder + org.wso2.carbon.identity.openidconnect.RequestParamRequestObjectBuilder + + + + + org.wso2.carbon.identity.openidconnect.RequestObjectValidatorImpl + + + + + true + 0 + 5 + + + + + + + + gtalk + talk.google.com + 5222 + gmail.com + multifactor1@gmail.com + wso2carbon + + + + + + ${carbon.host} + + ${carbon.protocol}://${carbon.host}:${carbon.management.port}/samlsso + ${carbon.protocol}://${carbon.host}:${carbon.management.port}/authenticationendpoint/samlsso_logout.do + ${carbon.protocol}://${carbon.host}:${carbon.management.port}/authenticationendpoint/samlsso_notification.do + 5 + 60000 + + false + http://wso2.org/claims + + org.wso2.carbon.identity.sso.saml.builders.assertion.DefaultSAMLAssertionBuilder + org.wso2.carbon.identity.sso.saml.builders.encryption.DefaultSSOEncrypter + org.wso2.carbon.identity.sso.saml.builders.signature.DefaultSSOSigner + org.wso2.carbon.identity.sso.saml.validators.SAML2HTTPRedirectDeflateSignatureValidator + + + + 5 + false + http://www.w3.org/2000/09/xmldsig#rsa-sha1 + http://www.w3.org/2000/09/xmldsig#sha1 + 
http://www.w3.org/2001/04/xmlenc#aes256-cbc + http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p + true + + + + + true + + + + + ${carbon.protocol}://${carbon.host}:${carbon.management.port}/services/wso2carbon-sts + + + + + ${carbon.protocol}://${carbon.host}:${carbon.management.port}/passivests + ${carbon.protocol}://${carbon.host}:${carbon.management.port}/authenticationendpoint/retry.do + org.wso2.carbon.identity.sts.passive.utils.NoPersistenceTokenStore + true + + + + + false + ${Ports.ThriftEntitlementReceivePort} + 10000 + + ${carbon.home}/repository/resources/security/wso2carbon.jks + wso2carbon + + + ${carbon.host} + + + + + + ${carbon.protocol}://${carbon.host}:${carbon.management.port}/wso2/scim/Users + ${carbon.protocol}://${carbon.host}:${carbon.management.port}/wso2/scim/Groups + + + 5 + + + 10 + local://services + + + + + + + + + + + + + + + + + false + + true + true + + + true + + + + + + + + + + + org.wso2.carbon.identity.governance.store.JDBCIdentityDataStore + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + /permission/admin/manage/identity/identitymgt + + + + + + /permission/admin/manage/identity/usermgt/view + + + /permission/admin/manage/identity/usermgt/view + + + + /permission/admin/manage/identity/configmgt/list + + + + /permission/admin/manage/identity/configmgt/add + + + /permission/admin/manage/identity/configmgt/update + + + + /permission/admin/manage/identity/configmgt/delete + + + + /permission/admin/manage/identity/configmgt/add + + + /permission/admin/manage/identity/configmgt/update + + + + /permission/admin/manage/identity/configmgt/delete + + + + /permission/admin/manage/identity/configmgt/add + + + /permission/admin/manage/identity/configmgt/update + + + + /permission/admin/manage/identity/configmgt/delete + + + + + + + /permission/admin/manage/identity/consentmgt/add + + + + /permission/admin/manage/identity/consentmgt/delete + + + + 
/permission/admin/manage/identity/consentmgt/add + + + + /permission/admin/manage/identity/consentmgt/delete + + + + /permission/admin/manage/identity/consentmgt/add + + + + /permission/admin/manage/identity/consentmgt/delete + + + + /permission/admin/manage/identity/identitymgt + + + + /permission/admin/manage/identity/applicationmgt/create + + + /permission/admin/manage/identity/applicationmgt/delete + + + /permission/admin/manage/identity/applicationmgt/update + + + /permission/admin/manage/identity/applicationmgt/view + + + /permission/admin/manage/identity/applicationmgt/delete + + + /permission/admin/manage/identity/applicationmgt/create + + + /permission/admin/manage/identity/applicationmgt/view + + + /permission/admin/manage/identity/pep + + + /permission/admin/manage/identity/usermgt/create + + + /permission/admin/manage/identity/usermgt/list + + + /permission/admin/manage/identity/rolemgt/create + + + /permission/admin/manage/identity/rolemgt/view + + + /permission/admin/manage/identity/usermgt/view + + + /permission/admin/manage/identity/usermgt/update + + + /permission/admin/manage/identity/usermgt/update + + + /permission/admin/manage/identity/usermgt/delete + + + /permission/admin/manage/identity/rolemgt/view + + + /permission/admin/manage/identity/rolemgt/update + + + /permission/admin/manage/identity/rolemgt/update + + + /permission/admin/manage/identity/rolemgt/delete + + + /permission/admin/login + + + /permission/admin/manage/identity/usermgt/delete + + + /permission/admin/login + + + /permission/admin/login + + + /permission/admin/manage/identity/usermgt/create + + + + + + + + + /permission/admin/manage/identity/usermgt + + + /permission/admin/manage/identity/applicationmgt + + + + + + + /permission/admin/manage/identity/usermgt/update + + + + + + /permission/admin/manage/humantask/viewtasks + + + /permission/admin/login + + + /permission/admin/manage/identity/usermgt + + + /permission/admin/manage/identity/ + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + /api/identity/user/v1.0/ + /api/identity/consent-mgt/v1.0/ + /api/identity/recovery/v0.9/ + /oauth2/ + /scim2/ + /api/identity/entitlement/ + /api/identity/oauth2/dcr/v1.1/ + + + /identity/(.*) + + + + + 300 + + + + true + + 1000 + 1000 + 51200 + + + + + + http://localhost:8280/ + + 5 + + + + + + + + + + diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/resources/testng.xml b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/resources/testng.xml new file mode 100644 index 000000000000..c8ba227b3449 --- /dev/null +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/resources/testng.xml @@ -0,0 +1,28 @@ + + + + + + + + + + + + \ No newline at end of file From 70d31f91cd23ab7c63303f39b405a433bd86efc6 Mon Sep 17 00:00:00 2001 From: Thilina Shashimal Senarath Date: Thu, 31 Aug 2023 16:24:22 +0530 Subject: [PATCH 11/21] change update return --- .../role/mgt/ApplicationRoleManager.java | 2 +- .../role/mgt/ApplicationRoleManagerImpl.java | 16 +-- .../role/mgt/dao/ApplicationRoleMgtDAO.java | 4 +- .../dao/impl/ApplicationRoleMgtDAOImpl.java | 5 +- .../CacheBackedApplicationRoleMgtDAOImpl.java | 4 +- .../impl/ApplicationRoleMgtDAOImplTest.java | 99 ++++++++++++++++--- 6 files changed, 104 insertions(+), 26 deletions(-) diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManager.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManager.java index 1fd7f1605eaf..406e54d444f0 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManager.java 
+++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManager.java
@@ -45,7 +45,7 @@ public interface ApplicationRoleManager {
 * @param removedScopes List of scopes to be removed.
 * @throws ApplicationRoleManagementException Error occurred while updating the application role.
 */
- void updateApplicationRole(String applicationId, String roleId, String newName, List addedScopes,
+ ApplicationRole updateApplicationRole(String applicationId, String roleId, String newName, List addedScopes,
 List removedScopes) throws ApplicationRoleManagementException;
 /**
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImpl.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImpl.java
index e2def326878e..564a0d91a43e 100644
--- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImpl.java
+++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImpl.java
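Review bot: The Javadoc directly above the changed signature still ends with `@throws` and carries no `@return`, although `updateApplicationRole` now hands back an `ApplicationRole`; add `* @return The updated application role.` before the `@throws` line so callers know they receive the post-update state and not an echo of their input. The parameter lists render here as raw `List` (the generic argument was most likely lost in rendering), so I have not treated that as a defect. The method's Javadoc begins outside this hunk.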
@@ -72,11 +72,13 @@ public void addApplicationRole(ApplicationRole applicationRole) throws Applicati
 }
 @Override
- public void updateApplicationRole(String applicationId, String roleId, String newName, List addedScopes,
- List removedScopes) throws ApplicationRoleManagementException {
+ public ApplicationRole updateApplicationRole(String applicationId, String roleId, String newName,
+ List addedScopes, List removedScopes)
+ throws ApplicationRoleManagementException {
 // TODO: Check authorized scopes for the app and filter out added permissions
- applicationRoleMgtDAO.updateApplicationRole(roleId, newName, addedScopes, removedScopes, getTenantDomain());
+ return applicationRoleMgtDAO.updateApplicationRole(roleId, newName, addedScopes, removedScopes,
+ getTenantDomain());
 }
 @Override
@@ -138,10 +140,10 @@ public ApplicationRole updateApplicationRoleAssignedGroups(String roleId, String
 removeCommonValues(addedGroups, removedGroups);
 return applicationRoleMgtDAO.updateApplicationRoleAssignedGroups(roleId, identityProvider, addedGroups, removedGroups, getTenantDomain());
- } catch (IdentityProviderManagementException e) {
- throw new ApplicationRoleManagementException("Error while retrieving idp",
- "Error while retrieving idp for idpId: " + idpId, e);
- }
+ } catch (IdentityProviderManagementException e) {
+ throw new ApplicationRoleManagementException("Error while retrieving idp",
+ "Error while retrieving idp for idpId: " + idpId, e);
+ }
 }
 @Override
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/ApplicationRoleMgtDAO.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/ApplicationRoleMgtDAO.java
index f5d58bf46997..aa78112630f9 100644
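Review bot: `applicationId` is accepted by the new `updateApplicationRole` signature but never used — the DAO call passes only `roleId`, `newName`, the two scope lists and the tenant domain — so nothing binds the role being renamed or re-scoped to the application the caller named, and the still-open `// TODO: Check authorized scopes for the app and filter out added permissions` means `addedScopes` is persisted exactly as supplied. Together that lets any caller that reaches this service attach scopes to a role belonging to a different application simply by knowing its role id. Before delegating, load the role with `applicationRoleMgtDAO.getApplicationRoleById(roleId, getTenantDomain())` and reject the request with an `ApplicationRoleManagementClientException` when it is absent or its application id (via the getter matching the `setApplicationId` used in the tests, which I am inferring) differs from `applicationId`; until the scope filter exists, fail closed on a non-empty `addedScopes` rather than writing them unchecked. The second hunk only re-indents the `catch` block and needs no change.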
--- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/ApplicationRoleMgtDAO.java
+++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/ApplicationRoleMgtDAO.java
@@ -38,8 +38,8 @@ ApplicationRole getApplicationRoleById(String roleId, String tenantDomain)
 List getApplicationRoles(String applicationId) throws ApplicationRoleManagementServerException;
- void updateApplicationRole(String roleId, String newName, List addedScopes, List removedScopes,
- String tenantDomain)
+ ApplicationRole updateApplicationRole(String roleId, String newName, List addedScopes,
+ List removedScopes, String tenantDomain)
 throws ApplicationRoleManagementServerException;
 void deleteApplicationRole(String roleId, String tenantDomain) throws ApplicationRoleManagementServerException;
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java
index 9ae78b615100..c011efbb76de 100644
--- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java
+++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java
@@ -138,7 +138,7 @@ public List getApplicationRoles(String applicationId)
 }
 @Override
- public void updateApplicationRole(String roleId, String newName, List addedScopes,
+ public ApplicationRole updateApplicationRole(String roleId, String newName, List addedScopes,
 List removedScopes, String tenantDomain)
 throws ApplicationRoleManagementServerException {
@@ -156,6 +156,7 @@ public void updateApplicationRole(String roleId, String newName, List ad
 // TODO: Remove scopes
 return null;
 });
+ return getApplicationRoleById(roleId, tenantDomain);
 } catch (TransactionException e) {
 throw handleServerException(ERROR_CODE_UPDATE_ROLE, e, roleId);
 }
@@ -219,7 +220,6 @@ public ApplicationRole updateApplicationRoleAssignedUsers(String roleId, List {
@@ -282,7 +282,6 @@ public ApplicationRole updateApplicationRoleAssignedGroups(String roleId, Identi
 throws ApplicationRoleManagementException {
 validateGroupIds(identityProvider, addedGroups, tenantDomain);
- validateGroupIds(identityProvider, removedGroups, tenantDomain);
 NamedJdbcTemplate namedJdbcTemplate = getNewTemplate();
 try {
 return namedJdbcTemplate.withTransaction(template -> {
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/CacheBackedApplicationRoleMgtDAOImpl.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/CacheBackedApplicationRoleMgtDAOImpl.java
index fc1f63914a5a..4812851ecb70 100644
--- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/CacheBackedApplicationRoleMgtDAOImpl.java
+++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/CacheBackedApplicationRoleMgtDAOImpl.java
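Review bot: The added `return getApplicationRoleById(roleId, tenantDomain);` turns `updateApplicationRole` into a success report for an update that is only half implemented: the transaction immediately above still reads `// TODO: Remove scopes` and returns `null`, so a caller that asks to revoke scopes gets back a role that still carries them and no error at all. A silently ignored revocation is the wrong failure mode for authorization data; until removal is implemented, reject a non-empty `removedScopes` before opening the transaction (for example by throwing through `handleServerException(ERROR_CODE_UPDATE_ROLE, …, roleId)` or a client exception), so the caller learns the scopes were not removed. Also worth a one-line comment at the new `return`: the re-read happens after the transaction has closed, so under concurrent updates the returned snapshot is the current row, not necessarily exactly what this call wrote. The body of `updateApplicationRole` starts outside this hunk.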
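Review bot: Dropping `validateGroupIds(identityProvider, removedGroups, tenantDomain);` leaves the removal side of `updateApplicationRoleAssignedGroups` unchecked while the addition side still validates against the identity provider, and the commit message does not say why. If the intent is that removing an unknown or foreign group id is a harmless no-op at the SQL level, record that at the spot with `// removedGroups are not validated: deleting a mapping that does not exist is a no-op` so the asymmetry is not read as an oversight; if the check was removed because it rejected legitimately stale ids, that reason belongs in the comment instead. The method body continues outside this hunk.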
@@ -77,12 +77,12 @@ public List getApplicationRoles(String applicationId)
 }
 @Override
- public void updateApplicationRole(String roleId, String newName, List addedScopes,
+ public ApplicationRole updateApplicationRole(String roleId, String newName, List addedScopes,
 List removedScopes, String tenantDomain)
 throws ApplicationRoleManagementServerException {
 clearFromCache(roleId, tenantDomain);
- applicationRoleMgtDAO.updateApplicationRole(roleId, newName, addedScopes, removedScopes, tenantDomain);
+ return applicationRoleMgtDAO.updateApplicationRole(roleId, newName, addedScopes, removedScopes, tenantDomain);
 }
 @Override
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImplTest.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImplTest.java
index e6ed6fba43e2..41226bc1aed1 100644
--- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImplTest.java
+++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImplTest.java
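Review bot: `clearFromCache(roleId, tenantDomain)` runs before the delegate writes, so a concurrent read of the same role that lands between the eviction and the commit can repopulate the cache with the pre-update role — including the scope set this call is changing — and the fresh copy the method now returns is never placed in the cache; whether the read path caches on miss is not visible in this hunk, but the class name suggests it does. Evict again after the write (or store the returned role) so the window closes: `ApplicationRole updated = applicationRoleMgtDAO.updateApplicationRole(roleId, newName, addedScopes, removedScopes, tenantDomain);` then `clearFromCache(roleId, tenantDomain);` and `return updated;`. A stale entry in a role cache is stale authorization data, which justifies the second eviction.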
@@ -71,8 +71,19 @@ public void tearDown() throws Exception {
 closeH2Database();
 }
- @Test
- public void testAddApplicationRole() throws Exception {
+ @DataProvider
+ public Object[][] addApplicationRoleData() {
+ return new Object[][]{
+ {ROLE_ID, ROLE_NAME},
+ {"TEST_ROLE_ID-1", "TEST_ROLE_NAME-1"},
+ {"TEST_ROLE_ID-2", "TEST_ROLE_NAME-2"},
+ {"TEST_ROLE_ID-3", "TEST_ROLE_NAME-3"},
+
+ };
+ }
+
+ @Test(dataProvider = "addApplicationRoleData", priority = 2)
+ public void testAddApplicationRole(String roleId, String roleName) throws Exception {
 mockStatic(IdentityTenantUtil.class);
 when(IdentityTenantUtil.getTenantId(TENANT_DOMAIN)).thenReturn(TENANT_ID);
@@ -80,24 +91,84 @@ public void testAddApplicationRole() throws Exception {
 Mockito.when(IdentityDatabaseUtil.getDataSource()).thenReturn(dataSourceMap.get(DB_NAME));
 ApplicationRole applicationRole = new ApplicationRole();
 applicationRole.setApplicationId(String.valueOf(APP_ID));
- applicationRole.setRoleId(ROLE_ID);
- applicationRole.setRoleName(ROLE_NAME);
+ applicationRole.setRoleId(roleId);
+ applicationRole.setRoleName(roleName);
 ApplicationRole addedApplicationRole = daoImpl.addApplicationRole(applicationRole, TENANT_DOMAIN);
 Assert.assertNotNull(addedApplicationRole);
 }
+ @Test(priority = 2)
+ public void testGetApplicationRoles() throws Exception {
+
+ mockStatic(IdentityTenantUtil.class);
+ when(IdentityTenantUtil.getTenantId(TENANT_DOMAIN)).thenReturn(TENANT_ID);
+ mockStatic(IdentityDatabaseUtil.class);
+ Mockito.when(IdentityDatabaseUtil.getDataSource()).thenReturn(dataSourceMap.get(DB_NAME));
+ List applicationRoles = daoImpl.getApplicationRoles(String.valueOf(APP_ID));
+ Assert.assertNotNull(applicationRoles);
+ }
+
+ @DataProvider
+ public Object[][] getApplicationRoleByIdData() {
+ return new Object[][]{
+ {ROLE_ID},
+ {"TEST_ROLE_ID-1"},
+ {"TEST_ROLE_ID-2"},
+ {"TEST_ROLE_ID-3"},
+
+ };
+ }
+ @Test(dataProvider = "getApplicationRoleByIdData", priority = 2)
+ public void testGetApplicationRoleById(String roleId) throws Exception {
+
+ mockStatic(IdentityTenantUtil.class);
+ when(IdentityTenantUtil.getTenantId(TENANT_DOMAIN)).thenReturn(TENANT_ID);
+ mockStatic(IdentityDatabaseUtil.class);
+ Mockito.when(IdentityDatabaseUtil.getDataSource()).thenReturn(dataSourceMap.get(DB_NAME));
+ ApplicationRole applicationRole = daoImpl.getApplicationRoleById(roleId, TENANT_DOMAIN);
+ Assert.assertNotNull(applicationRole);
+ }
+
+ @DataProvider
+ public Object[][] updateApplicationRoleData() {
+ return new Object[][]{
+ {"TEST_ROLE_ID-1", "TEST_ROLE_NEW_NAME-1"},
+ {"TEST_ROLE_ID-2", "TEST_ROLE_NEW_NAME-2"},
+ {"TEST_ROLE_ID-3", "TEST_ROLE_NEW_NAME-3"},
+
+ };
+ }
+ @Test(dataProvider = "updateApplicationRoleData", priority = 2)
+ public void testUpdateApplicationRole(String roleId, String newName) throws Exception {
+
+ mockStatic(IdentityTenantUtil.class);
+ when(IdentityTenantUtil.getTenantId(TENANT_DOMAIN)).thenReturn(TENANT_ID);
+ mockStatic(IdentityDatabaseUtil.class);
+ Mockito.when(IdentityDatabaseUtil.getDataSource()).thenReturn(dataSourceMap.get(DB_NAME));
+ ApplicationRole applicationRole = daoImpl.updateApplicationRole(roleId, newName, new ArrayList<>(),
+ new ArrayList<>(), TENANT_DOMAIN);
+ Assert.assertEquals(applicationRole.getRoleName(), newName);
+ }
+
 @DataProvider
 public Object[][] updateApplicationRoleAssignedUsersData() {
 return new Object[][]{
 {new ArrayList<>(Arrays.asList("USER_1", "USER_2", "USER_3")),
- new ArrayList<>(Collections.emptyList()),
+ new ArrayList<>(Collections.emptyList()), 3
+ },
+ {new ArrayList<>(Arrays.asList("USER_4", "USER_5", "USER_6")),
+ new ArrayList<>(Arrays.asList("USER_1", "USER_2", "USER_3")), 3
+ },
+ {new ArrayList<>(Collections.emptyList()),
+ new ArrayList<>(Arrays.asList("USER_4", "USER_5", "USER_6")), 0
 },
 };
 }
 @Test(dataProvider = "updateApplicationRoleAssignedUsersData", priority = 2)
- public void testUpdateApplicationRoleAssignedUsers(List addedUsers, List removedUsers)
+ public void testUpdateApplicationRoleAssignedUsers(List addedUsers, List removedUsers,
+ int resultCount)
 throws Exception {
 mockStatic(ApplicationRoleMgtUtils.class);
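Review bot: `testUpdateApplicationRole` passes `new ArrayList<>()` for both `addedScopes` and `removedScopes`, so only the rename is covered and the scope add/remove paths of the DAO are never exercised; add at least one data-provider row with a non-empty added list and assert on the scopes of the returned role. `testGetApplicationRoles` only asserts the list is non-null although the `addApplicationRoleData` rows create four roles under `APP_ID`; `Assert.assertEquals(applicationRoles.size(), 4)` would actually catch a broken query. These new tests and `testGetApplicationRoleById` share `priority = 2` with `testAddApplicationRole`, so their run order — and therefore whether the roles exist yet — rests on TestNG's default method ordering; `dependsOnMethods = "testAddApplicationRole"` makes that dependency explicit. This hunk starts on the previous line.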
@@ -107,21 +178,27 @@ public void testUpdateApplicationRoleAssignedUsers(List addedUsers, List
 when(ApplicationRoleMgtUtils.isUserExists(anyString())).thenReturn(true);
 ApplicationRole role = daoImpl.updateApplicationRoleAssignedUsers(ROLE_ID, addedUsers, removedUsers, TENANT_DOMAIN);
- Assert.assertEquals(role.getAssignedUsers().size(), addedUsers.size());
+ Assert.assertEquals(role.getAssignedUsers().size(), resultCount);
 }
 @DataProvider
 public Object[][] updateApplicationRoleAssignedGroupsData() {
 return new Object[][]{
 {new ArrayList<>(Arrays.asList("GROUP_1", "GROUP_2", "GROUP_3")),
- new ArrayList<>(Collections.emptyList()),
+ new ArrayList<>(Collections.emptyList()), 3
+ },
+ {new ArrayList<>(Arrays.asList("GROUP_4", "GROUP_5", "GROUP_6")),
+ new ArrayList<>(Arrays.asList("GROUP_1", "GROUP_2", "GROUP_3")), 3
+ },
+ {new ArrayList<>(Collections.emptyList()),
+ new ArrayList<>(Arrays.asList("GROUP_4", "GROUP_5", "GROUP_6")), 0
 },
- }; }
 @Test(dataProvider = "updateApplicationRoleAssignedGroupsData", priority = 2)
- public void testUpdateApplicationRoleAssignedGroups(List addedGroups, List removedGroups)
+ public void testUpdateApplicationRoleAssignedGroups(List addedGroups, List removedGroups,
+ int resultCount)
 throws Exception {
 mockStatic(ApplicationRoleMgtUtils.class);
@@ -142,7 +219,7 @@ public void testUpdateApplicationRoleAssignedGroups(List addedGroups, Li
 ApplicationRole role = daoImpl.updateApplicationRoleAssignedGroups(ROLE_ID, identityProvider, addedGroups, removedGroups, TENANT_DOMAIN);
- Assert.assertEquals(role.getAssignedGroups().size(), addedGroups.size());
+ Assert.assertEquals(role.getAssignedGroups().size(), resultCount);
 }
 private void populateApplication() throws Exception {
From d640fff7cff8f85c0f7ff0d66d352de1ca98c5bb Mon Sep 17 00:00:00 2001
From: Thilina Shashimal Senarath
Date: Thu, 31 Aug 2023 16:55:47 +0530
Subject: [PATCH 12/21] add unit tests
---
 .../impl/ApplicationRoleMgtDAOImplTest.java | 45 +++++++++++++++++++
 1 file changed, 45 insertions(+)
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImplTest.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImplTest.java
index 41226bc1aed1..7f764223f206 100644
--- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImplTest.java
+++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImplTest.java
@@ -13,6 +13,7 @@
 import org.wso2.carbon.database.utils.jdbc.NamedJdbcTemplate;
 import org.wso2.carbon.identity.application.common.model.IdPGroup;
 import org.wso2.carbon.identity.application.common.model.IdentityProvider;
+import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementServerException;
 import org.wso2.carbon.identity.application.role.mgt.model.ApplicationRole;
 import org.wso2.carbon.identity.application.role.mgt.util.ApplicationRoleMgtUtils;
 import org.wso2.carbon.identity.core.persistence.JDBCPersistenceManager;
@@ -150,6 +151,50 @@ public void testUpdateApplicationRole(String roleId, String newName) throws Exce Assert.assertEquals(applicationRole.getRoleName(), newName); } + @DataProvider + public Object[][] checkRoleExistsData() { + return new Object[][]{ + {"TEST_ROLE_ID-1", true}, + {"TEST_ROLE_ID-2", true}, + {"TEST_ROLE_ID-3", true}, + {"FAKE_ROLE_ID-3", false}, + + }; + } + @Test(dataProvider = "checkRoleExistsData", priority = 2) + public void testCheckRoleExists(String roleId, boolean isExists) throws Exception { + + mockStatic(IdentityTenantUtil.class); + when(IdentityTenantUtil.getTenantId(TENANT_DOMAIN)).thenReturn(TENANT_ID); + mockStatic(IdentityDatabaseUtil.class); + Mockito.when(IdentityDatabaseUtil.getDataSource()).thenReturn(dataSourceMap.get(DB_NAME)); + boolean isRoleExists = daoImpl.checkRoleExists(roleId, TENANT_DOMAIN); + Assert.assertEquals(isRoleExists, isExists); + } + + @DataProvider + public Object[][] deleteApplicationRoleData() { + return new Object[][]{ + {"TEST_ROLE_ID-1"}, + {"TEST_ROLE_ID-2"}, + {"TEST_ROLE_ID-3"}, + + }; + } + @Test(dataProvider = "deleteApplicationRoleData", priority = 3) + public void testDeleteApplicationRole(String roleId) { + + mockStatic(IdentityTenantUtil.class); + when(IdentityTenantUtil.getTenantId(TENANT_DOMAIN)).thenReturn(TENANT_ID); + mockStatic(IdentityDatabaseUtil.class); + Mockito.when(IdentityDatabaseUtil.getDataSource()).thenReturn(dataSourceMap.get(DB_NAME)); + try { + daoImpl.deleteApplicationRole(roleId, TENANT_DOMAIN); + } catch (ApplicationRoleManagementServerException e) { + Assert.fail(); + } + } + @DataProvider public Object[][] updateApplicationRoleAssignedUsersData() { return new Object[][]{ From c0ad0dfc7d15e484a241a8055f81d2114934aaf9 Mon Sep 17 00:00:00 2001 
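Review bot: `testDeleteApplicationRole` only asserts that `daoImpl.deleteApplicationRole(roleId, TENANT_DOMAIN)` does not throw, so it passes even if the DELETE matches zero rows and never verifies that the role is gone. Add a post-condition after the call, `Assert.assertFalse(daoImpl.checkRoleExists(roleId, TENANT_DOMAIN));`, and keep the cause when failing, `Assert.fail("Unexpected error deleting role " + roleId, e);`, so a server exception is not reduced to a bare failure. The `checkRoleExists` test added in the same hunk already uses the same IDs at priority 2, so the priority-3 delete can reuse it as the negative lookup.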
From: Thilina Shashimal Senarath Date: Thu, 31 Aug 2023 17:24:04 +0530 Subject: [PATCH 13/21] add method comments --- .../role/mgt/dao/ApplicationRoleMgtDAO.java | 100 ++++++++++++++++++ .../dao/impl/ApplicationRoleMgtDAOImpl.java | 4 +- .../mgt/util/ApplicationRoleMgtUtils.java | 27 +++++ .../role/mgt/ApplicationRoleManagerTest.java | 7 -- .../src/test/resources/testng.xml | 1 - 5 files changed, 129 insertions(+), 10 deletions(-) delete mode 100644 components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerTest.java diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/ApplicationRoleMgtDAO.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/ApplicationRoleMgtDAO.java index aa78112630f9..71eaa00bdeac 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/ApplicationRoleMgtDAO.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/ApplicationRoleMgtDAO.java 
@@ -30,43 +30,143 @@ */ public interface ApplicationRoleMgtDAO { + /** + * Add application role. + * + * @param applicationRole Application role. + * @param tenantDomain Tenant domain. + * @throws ApplicationRoleManagementServerException Error occurred while adding application role. + */ ApplicationRole addApplicationRole(ApplicationRole applicationRole, String tenantDomain) throws ApplicationRoleManagementServerException; + /** + * Get application role by id. + * + * @param roleId Application roleId. + * @param tenantDomain Tenant domain. + * @throws ApplicationRoleManagementServerException Error occurred while retrieving application role. + */ ApplicationRole getApplicationRoleById(String roleId, String tenantDomain) throws ApplicationRoleManagementServerException; + /** + * Get all application role by application id. + * + * @param applicationId Application roleId. + * @throws ApplicationRoleManagementServerException Error occurred while retrieving all application role by app id. + */ List getApplicationRoles(String applicationId) throws ApplicationRoleManagementServerException; + /** + * Update application role. + * + * @param roleId Application roleId. + * @param newName New Application role name. + * @param addedScopes Scope to be added. + * @param removedScopes Scope to be removed. + * @param tenantDomain Tenant domain. + * @throws ApplicationRoleManagementServerException Error occurred while updating application role. + */ ApplicationRole updateApplicationRole(String roleId, String newName, List addedScopes, List removedScopes, String tenantDomain) throws ApplicationRoleManagementServerException; + /** + * Delete application role. + * + * @param roleId Application roleId. + * @param tenantDomain Tenant domain. + * @throws ApplicationRoleManagementServerException Error occurred while deleting application role. 
+ */ void deleteApplicationRole(String roleId, String tenantDomain) throws ApplicationRoleManagementServerException; + /** + * Check application role exists by name. + * + * @param applicationId Application id. + * @param roleName Role name. + * @param tenantDomain Tenant domain. + * @throws ApplicationRoleManagementServerException Error occurred while checking application role exists by name. + */ boolean isExistingRole(String applicationId, String roleName, String tenantDomain) throws ApplicationRoleManagementServerException; + /** + * Check application role exists by id. + * + * @param roleId Application role id. + * @param tenantDomain Tenant domain. + * @throws ApplicationRoleManagementServerException Error occurred while checking application role exists by id. + */ boolean checkRoleExists(String roleId, String tenantDomain) throws ApplicationRoleManagementServerException; + /** + * Update application role assigned users. + * + * @param roleId Application roleId. + * @param addedUsers Assigned users to be added. + * @param removedUsers Assigned users to be removed. + * @param tenantDomain Tenant domain. + * @throws ApplicationRoleManagementException Error occurred while updating application role assigned users. + */ ApplicationRole updateApplicationRoleAssignedUsers(String roleId, List addedUsers, List removedUsers, String tenantDomain) throws ApplicationRoleManagementException; + /** + * Get application role assigned users. + * + * @param roleId Application roleId. + * @param tenantDomain Tenant domain. + * @throws ApplicationRoleManagementException Error occurred while getting application role assigned users. + */ ApplicationRole getApplicationRoleAssignedUsers(String roleId, String tenantDomain) throws ApplicationRoleManagementException; + /** + * Update application role assigned groups. + * + * @param roleId Application roleId. + * @param identityProvider Identity provider. + * @param addedGroups Assigned groups to be added. 
+ * @param removedGroups Assigned groups to be removed. + * @param tenantDomain Tenant domain. + * @throws ApplicationRoleManagementException Error occurred while updating application role assigned groups. + */ ApplicationRole updateApplicationRoleAssignedGroups(String roleId, IdentityProvider identityProvider, List addedGroups, List removedGroups, String tenantDomain) throws ApplicationRoleManagementException; + /** + * Get application role assigned groups. + * + * @param roleId Application roleId. + * @param identityProvider Identity provider. + * @param tenantDomain Tenant domain. + * @throws ApplicationRoleManagementException Error occurred while getting application role assigned groups. + */ ApplicationRole getApplicationRoleAssignedGroups(String roleId, IdentityProvider identityProvider, String tenantDomain) throws ApplicationRoleManagementException; + /** + * Get application roles by userId. + * + * @param userId User Id. + * @param tenantDomain Tenant domain. + * @throws ApplicationRoleManagementException Error occurred while getting application roles by userId. + */ List getApplicationRolesByUserId(String userId, String tenantDomain) throws ApplicationRoleManagementException; + /** + * Get application roles by groupId. + * + * @param groupId Group Id. + * @param tenantDomain Tenant domain. + * @throws ApplicationRoleManagementException Error occurred while getting application roles by groupId. + */ List getApplicationRolesByGroupId(String groupId, String tenantDomain) throws ApplicationRoleManagementException; } diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java index c011efbb76de..47bf2cdce24e 100644 
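Review bot: The Javadoc added for `getApplicationRoles(String applicationId)` documents its parameter as `@param applicationId Application roleId.`, which is a copy-paste slip; it should read `@param applicationId Application id.`. None of the new Javadoc blocks carry `@return` even though every non-void method here returns an `ApplicationRole`, a `List`, or a `boolean`; for example `isExistingRole` and `checkRoleExists` should state `@return {@code true} if the role exists, {@code false} otherwise.` and the getters `@return The matching application role.`. Note also that `getApplicationRoles(applicationId)` is the only query in this interface without a `tenantDomain` parameter; unless application IDs are guaranteed unique across tenants, which I cannot tell from these lines, the comment should say so or the method should take the tenant like its siblings.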
--- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java @@ -269,7 +269,7 @@ public ApplicationRole getApplicationRoleAssignedUsers(String roleId, String ten } ApplicationRole applicationRole = new ApplicationRole(); applicationRole.setAssignedUsers(users); - return applicationRole; + return applicationRole; } catch (DataAccessException e) { throw handleServerException(ERROR_CODE_GET_ROLE_ASSIGNED_USERS, e, roleId); } @@ -357,7 +357,7 @@ public ApplicationRole getApplicationRoleAssignedGroups(String roleId, IdentityP } ApplicationRole applicationRole = new ApplicationRole(); applicationRole.setAssignedGroups(groups); - return applicationRole; + return applicationRole; } catch (DataAccessException e) { throw handleServerException(ERROR_CODE_GET_ROLE_ASSIGNED_GROUPS, e, roleId); } diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/ApplicationRoleMgtUtils.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/ApplicationRoleMgtUtils.java index f231e32b887c..005863c019dc 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/ApplicationRoleMgtUtils.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/ApplicationRoleMgtUtils.java 
@@ -82,6 +82,12 @@ public static ApplicationRoleManagementClientException handleClientException( return new ApplicationRoleManagementClientException(error.getMessage(), description, error.getCode()); } + /** + * Check group exists by id. + * + * @param id Group ID. + * @throws ApplicationRoleManagementException Error occurred while checking group exists. + */ public static boolean isGroupExists(String id) throws ApplicationRoleManagementException { AbstractUserStoreManager userStoreManager; @@ -94,6 +100,14 @@ public static boolean isGroupExists(String id) throws ApplicationRoleManagementE + "to resolve group name for the groupID: " + id, e); } } + + /** + * Get group name by id. + * + * @param id Group ID. + * @param tenantDomain Tenant domain. + * @throws ApplicationRoleManagementException Error occurred while getting group name by id. + */ public static String getGroupNameByID(String id, String tenantDomain) throws ApplicationRoleManagementException { String groupName; @@ -113,6 +127,12 @@ public static String getGroupNameByID(String id, String tenantDomain) throws App return groupName; } + /** + * Check user exists by id. + * + * @param id User ID. + * @throws ApplicationRoleManagementException Error occurred while checking user exists. + */ public static boolean isUserExists(String id) throws ApplicationRoleManagementException { AbstractUserStoreManager userStoreManager; @@ -126,6 +146,13 @@ public static boolean isUserExists(String id) throws ApplicationRoleManagementEx } } + /** + * Get username by id. + * + * @param id User ID. + * @param tenantDomain Tenant domain. + * @throws ApplicationRoleManagementException Error occurred while getting username by id. + */ public static String getUserNameByID(String id, String tenantDomain) throws ApplicationRoleManagementException { String userName; 
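Review bot: The new Javadoc on `isGroupExists(String id)` and `isUserExists(String id)` omits `@return` and does not say which tenant the lookup runs against, while the neighbouring `getGroupNameByID` and `getUserNameByID` take an explicit `tenantDomain`. Add `@return {@code true} if a group with the given ID exists in the tenant resolved by this method, {@code false} otherwise.` (and the user equivalent) and state in the summary where that tenant comes from, because callers that pass an explicit tenant to the sibling methods may assume the same scoping here. The method bodies are not in the hunk, so I cannot confirm how the user store manager is chosen.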
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerTest.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerTest.java deleted file mode 100644 index 084365c5813a..000000000000 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerTest.java +++ /dev/null @@ -1,7 +0,0 @@ -package org.wso2.carbon.identity.application.role.mgt; - -import org.powermock.modules.testng.PowerMockTestCase; - -public class ApplicationRoleManagerTest extends PowerMockTestCase { - -} diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/resources/testng.xml b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/resources/testng.xml index c8ba227b3449..c8b8370bffbd 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/resources/testng.xml +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/resources/testng.xml @@ -22,7 +22,6 @@ - \ No newline at end of file From 63fae606f655ac2ca2690e716a6c2e09ccd87fa4 Mon Sep 17 00:00:00 2001 
From: Thilina Shashimal Senarath Date: Mon, 4 Sep 2023 12:13:12 +0530 Subject: [PATCH 14/21] add manager tests --- .../pom.xml | 77 +++++-- .../role/mgt/ApplicationRoleManager.java | 2 +- .../role/mgt/ApplicationRoleManagerImpl.java | 24 ++- .../dao/impl/ApplicationRoleMgtDAOImpl.java | 46 ++++- .../CacheBackedApplicationRoleMgtDAOImpl.java | 12 ++ .../mgt/util/ApplicationRoleMgtUtils.java | 6 + .../mgt/ApplicationRoleManagerImplTest.java | 192 ++++++++++++++++++ .../impl/ApplicationRoleMgtDAOImplTest.java | 34 ---- .../src/test/resources/dbscripts/h2.sql | 6 + .../conf}/carbon.xml | 30 ++- .../conf}/identity/identity.xml | 4 +- .../src/test/resources/testng.xml | 1 + .../resources/identity.xml.j2 | 16 ++ 13 files changed, 379 insertions(+), 71 deletions(-) create mode 100644 components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImplTest.java rename components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/resources/{repository.conf => repository/conf}/carbon.xml (97%) rename components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/resources/{repository.conf => repository/conf}/identity/identity.xml (99%) diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/pom.xml b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/pom.xml index 80bd924b84df..52784ca145ab 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/pom.xml +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/pom.xml @@ -38,18 +38,6 @@ org.apache.felix.scr.ds-annotations provided - - org.wso2.eclipse.osgi - org.eclipse.osgi.services - - - org.eclipse.osgi - org.eclipse.osgi - - - commons-logging - commons-logging - org.wso2.carbon.identity.framework org.wso2.carbon.identity.core 
@@ -135,6 +123,71 @@ + + org.apache.maven.plugins + maven-surefire-plugin + ${maven.surefire.plugin.version} + + + --add-opens java.xml/jdk.xml.internal=ALL-UNNAMED + --add-exports java.base/jdk.internal.loader=ALL-UNNAMED + + + src/test/resources/testng.xml + + + + + org.jacoco + jacoco-maven-plugin + ${jacoco.version} + + + default-prepare-agent + + prepare-agent + + + + default-prepare-agent-integration + + prepare-agent-integration + + + + default-report + + report + + + + default-report-integration + + report-integration + + + + default-check + + check + + + + + BUNDLE + + + COMPLEXITY + COVEREDRATIO + 0.90 + + + + + + + + org.codehaus.mojo findbugs-maven-plugin diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManager.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManager.java index 406e54d444f0..22f436a3f163 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManager.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManager.java @@ -34,7 +34,7 @@ public interface ApplicationRoleManager { * @param applicationRole Application role. * @throws ApplicationRoleManagementException Error occurred while adding application role. */ - void addApplicationRole(ApplicationRole applicationRole) throws ApplicationRoleManagementException; + ApplicationRole addApplicationRole(ApplicationRole applicationRole) throws ApplicationRoleManagementException; /** * Update application role. 
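Review bot: `addApplicationRole` in `ApplicationRoleManager` now returns the created `ApplicationRole`, but the Javadoc immediately above the changed line is untouched and has no `@return`; add `@return The added application role.`. Changing the return type from `void` also breaks any existing implementation of this interface, which is acceptable for a new component but worth a sentence in the commit message rather than the current "add manager tests".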
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImpl.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImpl.java index 564a0d91a43e..d9d591cd63e9 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImpl.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImpl.java @@ -58,7 +58,8 @@ public static ApplicationRoleManager getInstance() { new CacheBackedApplicationRoleMgtDAOImpl(new ApplicationRoleMgtDAOImpl()); @Override - public void addApplicationRole(ApplicationRole applicationRole) throws ApplicationRoleManagementException { + public ApplicationRole addApplicationRole(ApplicationRole applicationRole) + throws ApplicationRoleManagementException { String tenantDomain = getTenantDomain(); boolean existingRole = @@ -68,7 +69,7 @@ public void addApplicationRole(ApplicationRole applicationRole) throws Applicati throw handleClientException(ERROR_CODE_DUPLICATE_ROLE, applicationRole.getRoleName(), applicationRole.getApplicationId()); } - applicationRoleMgtDAO.addApplicationRole(applicationRole, tenantDomain); + return applicationRoleMgtDAO.addApplicationRole(applicationRole, tenantDomain); } @Override @@ -76,6 +77,7 @@ public ApplicationRole updateApplicationRole(String applicationId, String roleId List addedScopes, List removedScopes) throws ApplicationRoleManagementException { + validateAppRoleId(roleId); // TODO: Check authorized scopes for the app and filter out added permissions return applicationRoleMgtDAO.updateApplicationRole(roleId, newName, addedScopes, removedScopes, getTenantDomain()); 
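Review bot: The added `validateAppRoleId(roleId);` in `updateApplicationRole` only checks that the role ID exists in the tenant; the `applicationId` parameter is not used in the visible lines and is not passed to `applicationRoleMgtDAO.updateApplicationRole(roleId, newName, addedScopes, removedScopes, getTenantDomain())`, so a caller authorised for one application could rename or re-scope a role that belongs to another application in the same tenant by supplying its ID. If authorisation is enforced per application above this layer, the manager should also verify the role belongs to `applicationId`, for example by loading it and comparing `role.getApplicationId()` with the argument before updating, or by adding `applicationId` to the DAO predicate. The start of `updateApplicationRole` lies outside this hunk, so an earlier check there cannot be ruled out from here.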
@@ -84,6 +86,7 @@ public ApplicationRole updateApplicationRole(String applicationId, String roleId @Override public ApplicationRole getApplicationRoleById(String roleId) throws ApplicationRoleManagementException { + validateAppRoleId(roleId); return applicationRoleMgtDAO.getApplicationRoleById(roleId, getTenantDomain()); } @@ -96,6 +99,7 @@ public List getApplicationRoles(String applicationId) throws Ap @Override public void deleteApplicationRole(String roleId) throws ApplicationRoleManagementException { + validateAppRoleId(roleId); applicationRoleMgtDAO.deleteApplicationRole(roleId, getTenantDomain()); } @@ -184,6 +188,12 @@ public List getApplicationRolesByGroupId(String groupId, String return applicationRoleMgtDAO.getApplicationRolesByGroupId(groupId, tenantDomain); } + /** + * Validate application role id. + * + * @param roleId Role ID. + * @throws ApplicationRoleManagementException Error occurred while validating roleId. + */ private void validateAppRoleId(String roleId) throws ApplicationRoleManagementException { boolean isExists = applicationRoleMgtDAO.checkRoleExists(roleId, getTenantDomain()); @@ -193,11 +203,21 @@ private void validateAppRoleId(String roleId) throws ApplicationRoleManagementEx } } + /** + * Get tenant domain. + * + */ private static String getTenantDomain() { return PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain(); } + /** + * Remove common values in given two lists. + * + * @param list1 List 1. + * @param list2 List 2. + */ private void removeCommonValues(List list1, List list2) { HashSet set = new HashSet<>(list1); 
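Review bot: The new Javadoc on `getTenantDomain()` is an empty summary `Get tenant domain.` with a stray blank line and no `@return`; since every manager method scopes its DAO call by this value, say where it comes from: `Resolve the tenant domain from the thread-local PrivilegedCarbonContext; all DAO calls in this class are scoped by it.` and `@return Tenant domain of the current carbon context.`. Likewise `validateAppRoleId` should state that it throws a client exception when the role does not exist in that tenant, which is what the `checkRoleExists` call implies. The body of `validateAppRoleId` continues outside the hunk.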
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java index 47bf2cdce24e..edd741469c59 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImpl.java @@ -219,7 +219,7 @@ public ApplicationRole updateApplicationRoleAssignedUsers(String roleId, List { @@ -281,7 +281,7 @@ public ApplicationRole updateApplicationRoleAssignedGroups(String roleId, Identi String tenantDomain) throws ApplicationRoleManagementException { - validateGroupIds(identityProvider, addedGroups, tenantDomain); + validateGroupIds(identityProvider, addedGroups); NamedJdbcTemplate namedJdbcTemplate = getNewTemplate(); try { return namedJdbcTemplate.withTransaction(template -> { @@ -403,7 +403,14 @@ public List getApplicationRolesByGroupId(String groupId, String } } - public void validateGroupIds(IdentityProvider identityProvider, List groups, String tenantDomain) + /** + * Validate groups. + * + * @param identityProvider Identity Provider. + * @param groups Group IDs. + * @throws ApplicationRoleManagementException Error occurred while validating groups. + */ + private void validateGroupIds(IdentityProvider identityProvider, List groups) throws ApplicationRoleManagementException { if (LOCAL_IDP.equals(identityProvider.getIdentityProviderName())) { 
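Review bot: Dropping `tenantDomain` from `validateGroupIds(identityProvider, addedGroups)` (and, per the diffstat, from `validateUserIds`) means the existence check for added IDs no longer receives the tenant the DAO was invoked with, while the insert that follows in the same transaction still uses the passed `tenantDomain`. If `ApplicationRoleMgtUtils.isUserExists`/`isGroupExists` resolve the tenant from the thread-local context, a caller that passes a different `tenantDomain` would validate IDs against one tenant and persist assignments in another, so the validation would not actually protect the write. Either keep the parameter and resolve the user store manager from it, or document on the DAO method that `tenantDomain` must equal the current carbon-context tenant. The bodies of both validators continue outside this hunk.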
@@ -427,7 +434,13 @@ public void validateGroupIds(IdentityProvider identityProvider, List gro } } - public void validateUserIds(List users, String tenantDomain) + /** + * Validate users. + * + * @param users User IDs. + * @throws ApplicationRoleManagementException Error occurred while validating users. + */ + private void validateUserIds(List users) throws ApplicationRoleManagementException { for (String userId : users) { @@ -438,24 +451,49 @@ public void validateUserIds(List users, String tenantDomain) } } + /** + * Get username by user id. + * + * @param userID User IDs. + * @param tenantDomain Tenant Domain. + * @throws ApplicationRoleManagementException Error occurred while getting username by id. + */ private String getUserNamesByID(String userID, String tenantDomain) throws ApplicationRoleManagementException { return ApplicationRoleMgtUtils.getUserNameByID(userID, tenantDomain); } + /** + * Get group name by user id. + * + * @param groupID Group IDs. + * @param tenantDomain Tenant Domain. + * @throws ApplicationRoleManagementException Error occurred while getting group name by id. + */ private String getGroupNamesByID(String groupID, String tenantDomain) throws ApplicationRoleManagementException { return ApplicationRoleMgtUtils.getGroupNameByID(groupID, tenantDomain); } + /** + * Check SQL Unique Key Constrain Violated. + * + * @param e Transaction Exception. + * @param constraint SQL constraint. + */ private boolean checkUniqueKeyConstrainViolated(TransactionException e, String constraint) { String errorMessage = e.getCause().getCause().getMessage(); return errorMessage.toLowerCase().contains(constraint.toLowerCase()); } + /** + * Get tenant id by name. + * + * @param tenantDomain Tenant Domain. + */ private int getTenantId(String tenantDomain) { int tenantID; 
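Review bot: `checkUniqueKeyConstrainViolated` dereferences `e.getCause().getCause().getMessage()` and then calls `toLowerCase()` on the result; if the cause chain is shorter than two levels or the driver message is null, this throws a `NullPointerException` from inside the error-handling path and hides the original `TransactionException`. Walk the cause chain defensively and null-check each message, and say in the Javadoc that the check is a substring match on driver-specific error text and therefore may not be portable across databases. The new Javadoc on this method and on `getTenantId` also lacks `@return`.
```java
private boolean checkUniqueKeyConstrainViolated(TransactionException e, String constraint) {

    String needle = constraint.toLowerCase();
    for (Throwable cause = e; cause != null; cause = cause.getCause()) {
        String message = cause.getMessage();
        if (message != null && message.toLowerCase().contains(needle)) {
            return true;
        }
    }
    return false;
}
```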
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/CacheBackedApplicationRoleMgtDAOImpl.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/CacheBackedApplicationRoleMgtDAOImpl.java index 4812851ecb70..3a1582f40968 100644 --- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/CacheBackedApplicationRoleMgtDAOImpl.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/CacheBackedApplicationRoleMgtDAOImpl.java @@ -174,6 +174,12 @@ private ApplicationRole getApplicationRoleFromCache(String applicationRoleId, St return applicationRole; } + /** + * Add to cache. + * + * @param applicationRole Application role. + * @param tenantDomain Tenant domain. + */ private void addToCache(ApplicationRole applicationRole, String tenantDomain) { if (LOG.isDebugEnabled()) { @@ -186,6 +192,12 @@ private void addToCache(ApplicationRole applicationRole, String tenantDomain) { applicationRoleCache.addToCache(cacheKey, cacheEntry, tenantDomain); } + /** + * Clear from cache. + * + * @param applicationRoleId Application role id. + * @param tenantDomain Tenant domain. + */ private void clearFromCache(String applicationRoleId, String tenantDomain) { if (LOG.isDebugEnabled()) { diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/ApplicationRoleMgtUtils.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/ApplicationRoleMgtUtils.java index 005863c019dc..c023f2932312 100644 
--- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/ApplicationRoleMgtUtils.java +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/main/java/org/wso2/carbon/identity/application/role/mgt/util/ApplicationRoleMgtUtils.java @@ -172,6 +172,12 @@ public static String getUserNameByID(String id, String tenantDomain) throws Appl return userName; } + /** + * Get username by id. + * + * @param tenantId Tenant ID. + * @throws UserStoreException Error occurred while getting user store manager. + */ private static AbstractUserStoreManager getUserStoreManager(int tenantId) throws UserStoreException { RealmService realmService = ApplicationRoleMgtServiceComponentHolder.getInstance().getRealmService(); diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImplTest.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImplTest.java new file mode 100644 index 000000000000..988801ee91b8 --- /dev/null +++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/java/org/wso2/carbon/identity/application/role/mgt/ApplicationRoleManagerImplTest.java 
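Review bot: The Javadoc added above `getUserStoreManager(int tenantId)` reads `Get username by id.`, copied from the method above it, and describes the wrong method. Replace it with `Get the user store manager for the given tenant.` and add `@return The tenant's user store manager.`, keeping the existing `@throws UserStoreException` line, so readers are not misled about which helper resolves users.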
@@ -0,0 +1,192 @@
+package org.wso2.carbon.identity.application.role.mgt;
+
+import org.powermock.modules.testng.PowerMockTestCase;
+import org.testng.Assert;
+import org.testng.annotations.AfterClass;
+import org.testng.annotations.BeforeClass;
+import org.testng.annotations.DataProvider;
+import org.testng.annotations.Test;
+import org.wso2.carbon.identity.application.role.mgt.exceptions.ApplicationRoleManagementException;
+import org.wso2.carbon.identity.application.role.mgt.model.ApplicationRole;
+import org.wso2.carbon.identity.common.testng.WithAxisConfiguration;
+import org.wso2.carbon.identity.common.testng.WithCarbonHome;
+import org.wso2.carbon.identity.common.testng.WithH2Database;
+import org.wso2.carbon.identity.common.testng.WithRealmService;
+import org.wso2.carbon.identity.common.testng.WithRegistry;
+
+import java.util.ArrayList;
+
+@WithAxisConfiguration
+@WithCarbonHome
+@WithRegistry
+@WithRealmService
+@WithH2Database(jndiName = "jdbc/WSO2IdentityDB", files = {"dbScripts/h2.sql"})
+public class ApplicationRoleManagerImplTest extends PowerMockTestCase {
+
+ private ApplicationRoleManager applicationRoleManager;
+
+ @BeforeClass
+ public void setUp() {
+
+ applicationRoleManager = ApplicationRoleManagerImpl.getInstance();
+ }
+
+ @AfterClass
+ public void tearDown() {
+
+ }
+
+ @DataProvider(name = "addApplicationRoleDataProvider")
+ public Object[][] addApplicationRoleData() {
+
+ ApplicationRole applicationRole1 = createApplicationRole("1");
+ ApplicationRole applicationRole2 = createApplicationRole("2");
+ return new Object[][]{
+ {applicationRole1},
+ {applicationRole2}
+ };
+ }
+
+ @Test(dataProvider = "addApplicationRoleDataProvider", priority = 1)
+ public void testAddApplicationRole(ApplicationRole applicationRole) throws ApplicationRoleManagementException {
+
+ ApplicationRole role = applicationRoleManager.addApplicationRole(applicationRole);
+ Assert.assertNotNull(role);
+ }
+
+ @Test(priority = 1)
+ public void 
testAddApplicationRoleException() throws Exception {
+
+ ApplicationRole applicationRole = createApplicationRole("1");
+ applicationRoleManager.addApplicationRole(applicationRole);
+ ApplicationRoleManagementException exception = null;
+ try {
+ applicationRoleManager.addApplicationRole(applicationRole);
+ } catch (ApplicationRoleManagementException e) {
+ exception = e;
+ }
+ Assert.assertNotNull(exception);
+ }
+
+ @DataProvider(name = "getApplicationRoleByIdData")
+ public Object[][] getApplicationRoleByIdData() throws ApplicationRoleManagementException {
+
+ ApplicationRole applicationRole1 = createApplicationRole("1");
+ ApplicationRole applicationRole2 = createApplicationRole("2");
+ applicationRoleManager.addApplicationRole(applicationRole1);
+ applicationRoleManager.addApplicationRole(applicationRole2);
+ return new Object[][]{
+ {applicationRole1},
+ {applicationRole2}
+ };
+ }
+
+ @Test(dataProvider = "getApplicationRoleByIdData", priority = 2)
+ public void testGetApplicationRoleById(ApplicationRole applicationRole) throws Exception {
+
+ ApplicationRole role = applicationRoleManager.getApplicationRoleById(applicationRole.getRoleId());
+ Assert.assertNotNull(role);
+ }
+
+ @Test(priority = 2)
+ public void testGetApplicationRoleByIdException() {
+
+
+ Exception exception = null;
+ try {
+ applicationRoleManager.getApplicationRoleById("fake-id");
+ } catch (Exception e) {
+ exception = e;
+ }
+ Assert.assertNotNull(exception);
+ }
+
+ @DataProvider(name = "updateApplicationRoleData")
+ public Object[][] updateApplicationRoleData() throws ApplicationRoleManagementException {
+
+ ApplicationRole applicationRole1 = createApplicationRole("1");
+ ApplicationRole applicationRole2 = createApplicationRole("2");
+ applicationRoleManager.addApplicationRole(applicationRole1);
+ applicationRoleManager.addApplicationRole(applicationRole2);
+ return new Object[][]{
+ {applicationRole1, "NEW_NAME-1"},
+ {applicationRole2, "NEW_NAME-2"}
+ };
+ }
+
+ @Test(dataProvider = 
"updateApplicationRoleData", priority = 2)
+ public void testUpdateApplicationRole(ApplicationRole applicationRole, String newName) throws Exception {
+
+ ApplicationRole role = applicationRoleManager.updateApplicationRole(applicationRole.getApplicationId(),
+ applicationRole.getRoleId(), newName, new ArrayList<>(), new ArrayList<>());
+ Assert.assertNotNull(role);
+ }
+
+ @Test(priority = 2)
+ public void testUpdateApplicationRoleException() {
+
+
+ Exception exception = null;
+ try {
+ applicationRoleManager.updateApplicationRole("fake-app-id",
+ "fake-roke-id", "newName", new ArrayList<>(), new ArrayList<>());
+ } catch (Exception e) {
+ exception = e;
+ }
+ Assert.assertNotNull(exception);
+ }
+
+ @DataProvider(name = "deleteApplicationRoleData")
+ public Object[][] deleteApplicationRoleData() throws ApplicationRoleManagementException {
+
+ ApplicationRole applicationRole1 = createApplicationRole("1");
+ ApplicationRole applicationRole2 = createApplicationRole("2");
+ applicationRoleManager.addApplicationRole(applicationRole1);
+ applicationRoleManager.addApplicationRole(applicationRole2);
+ return new Object[][]{
+ {applicationRole1},
+ {applicationRole2}
+ };
+ }
+
+ @Test(dataProvider = "deleteApplicationRoleData", priority = 2)
+ public void testDeleteApplicationRole(ApplicationRole applicationRole) throws Exception {
+
+ Exception exception = null;
+ try {
+ applicationRoleManager.deleteApplicationRole(applicationRole.getRoleId());
+ } catch (Exception e) {
+ exception = e;
+ }
+ Assert.assertNull(exception);
+ }
+
+ @Test(priority = 2)
+ public void testDeleteApplicationRoleException() {
+
+
+ Exception exception = null;
+ try {
+ applicationRoleManager.deleteApplicationRole("fake-id");
+ } catch (Exception e) {
+ exception = e;
+ }
+ Assert.assertNotNull(exception);
+ }
+
+ /**
+ * Create application role with the given postfix.
+ *
+ * @param postFix Postfix to be appended to each API resource and scope information.
+ * @return Application Role. 
+ */
+ private static ApplicationRole createApplicationRole(String postFix) {
+
+ ApplicationRole applicationRole = new ApplicationRole();
+ applicationRole.setRoleId("testAppRoleId-" + postFix);
+ applicationRole.setRoleName("testAppRoleName-" + postFix);
+ applicationRole.setApplicationId("1");
+ applicationRole.setPermissions(new String[0]);
+ return applicationRole;
+ }
+}
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImplTest.java b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImplTest.java
index 7f764223f206..f7b0ff93aa7c 100644
--- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImplTest.java
+++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/java/org/wso2/carbon/identity/application/role/mgt/dao/impl/ApplicationRoleMgtDAOImplTest.java
@@ -22,7 +22,6 @@ import java.nio.file.Paths;
 import java.sql.Connection;
-import java.sql.SQLException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
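Review bot: The class annotation `@WithH2Database(jndiName = "jdbc/WSO2IdentityDB", files = {"dbScripts/h2.sql"})` spells the directory with a capital S, while the script this same patch seeds lives at `src/test/resources/dbscripts/h2.sql`; on a case-sensitive filesystem that lookup fails unless the annotation normalises the path, so it should read `files = {"dbscripts/h2.sql"}`. The priority-2 data providers (`getApplicationRoleByIdData`, `updateApplicationRoleData`, `deleteApplicationRoleData`) re-add `createApplicationRole("1")` and `("2")` after the priority-1 tests have already persisted the same role ids, and `testAddApplicationRoleException` itself asserts that a second add of the same role throws, so these providers look likely to fail before their tests run; giving each provider its own postfix, or persisting the fixtures once in `setUp`, avoids that. `testGetApplicationRoleByIdException`, `testUpdateApplicationRoleException` and `testDeleteApplicationRoleException` catch bare `Exception`, which would also pass on an NPE from a misconfigured data source; `@Test(priority = 2, expectedExceptions = ApplicationRoleManagementException.class)` on a method that declares that exception pins the contract, and `testDeleteApplicationRole` can simply let the call throw since it already declares `throws Exception`. The literal `"fake-roke-id"` in `testUpdateApplicationRoleException` reads like a typo for `"fake-role-id"`. The Javadoc on `createApplicationRole` mentions "API resource and scope information" but the method only sets the role id and name; `@param postFix Postfix appended to the generated role id and role name.` matches what it does.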
@@ -44,14 +43,9 @@ public class ApplicationRoleMgtDAOImplTest extends PowerMockTestCase {
 private static final String TENANT_DOMAIN = "TEST_TENANT_DOMAIN";
 private static final int TENANT_ID = 2;
 private static final int APP_ID = 1;
- private static final String APP_NAME = "TEST_APP_NAME";
- private static final String USER_STORE = "TEST_USER_STORE";
- private static final String USERNAME = "TEST_USERNAME";
- private static final String AUTH_TYPE = "TEST_AUTH_TYPE";
 private static final String ROLE_ID = "TEST_ROLE_ID";
 private static final String ROLE_NAME = "TEST_ROLE_NAME";
 private static final int IDP_ID = 1;
- private static final String IDP_NAME = "TEST_IDP_NAME";
 private static Map dataSourceMap = new HashMap<>();
 private ApplicationRoleMgtDAOImpl daoImpl;
@@ -62,8 +56,6 @@ public void setUp() throws Exception {
 daoImpl = new ApplicationRoleMgtDAOImpl();
 initiateH2Database(getFilePath());
- populateApplication();
- populateIdp();
 }
 @AfterClass
@@ -267,32 +259,6 @@ public void testUpdateApplicationRoleAssignedGroups(List addedGroups, Li
 Assert.assertEquals(role.getAssignedGroups().size(), resultCount);
 }
- private void populateApplication() throws Exception {
-
- String domainDataSQL = "INSERT INTO SP_APP (ID, TENANT_ID, APP_NAME, USER_STORE, USERNAME, AUTH_TYPE, UUID) " +
- "VALUES " + "(" + APP_ID + "," + TENANT_ID + ",'" + APP_NAME + "','" + USER_STORE + "','" + USERNAME
- + "','" + AUTH_TYPE + "','" + APP_ID + "')";
-
- try {
- connection.createStatement().executeUpdate(domainDataSQL);
- } catch (SQLException e) {
- String errorMessage = "Error while Adding test data for SP_APP table";
- throw new Exception(errorMessage, e);
- }
- }
-
- private void populateIdp() throws Exception {
-
- String domainDataSQL = "INSERT INTO IDP (ID, TENANT_ID, NAME, UUID) " +
- "VALUES " + "(" + IDP_ID + "," + TENANT_ID + ",'" + IDP_NAME + "','" + IDP_ID + "')";
-
- try {
- connection.createStatement().executeUpdate(domainDataSQL);
- } catch (SQLException e) {
- String errorMessage = "Error while Adding test data for IDP table";
- throw new Exception(errorMessage, e);
- }
- }
 /**
 * Initiate H2 database.
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/resources/dbscripts/h2.sql b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/resources/dbscripts/h2.sql
index e8e1f919401b..54d8c6e9ac04 100644
--- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/resources/dbscripts/h2.sql
+++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/resources/dbscripts/h2.sql
@@ -1400,3 +1400,9 @@ CREATE INDEX IDX_AUTH_PROP_AUTH_ID ON IDP_AUTHENTICATOR_PROPERTY (AUTHENTICATOR_
 -- IDN_CONFIG_FILE --
 CREATE INDEX IDX_CON_FILE_RES_ID ON IDN_CONFIG_FILE (RESOURCE_ID);
+-- POPULATE SP_APP FOR UNIT TESTS --
+INSERT INTO SP_APP (ID, TENANT_ID, APP_NAME, USER_STORE, USERNAME, AUTH_TYPE, UUID) VALUES (1, 2, 'TEST_APP_NAME',
+ 'TEST_USER_STORE', 'TEST_USERNAME', 'TEST_AUTH_TYPE', '1');
+
+-- POPULATE IDP FOR UNIT TESTS --
+ INSERT INTO IDP (ID, TENANT_ID, NAME, UUID) VALUES (1, 2, 'TEST_IDP_NAME', '1');
\ No newline at end of file
diff --git a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/resources/repository.conf/carbon.xml b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/resources/repository/conf/carbon.xml
similarity index 97%
rename from components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/resources/repository.conf/carbon.xml
rename to components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/resources/repository/conf/carbon.xml
index b46fba1be7df..7374caf39e37 100644
--- a/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/resources/repository.conf/carbon.xml
+++ b/components/application-role-mgt/org.wso2.carbon.identity.application.role.mgt/src/test/resources/repository/conf/carbon.xml
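Review bot: The seeded SP_APP and IDP rows hard-code ID 1, TENANT_ID 2 and UUID '1', which are the values `APP_ID`, `TENANT_ID` and `IDP_ID` carry in ApplicationRoleMgtDAOImplTest, but nothing in either file records that coupling now that the inserts no longer sit next to those constants; a comment such as `-- Keep IDs in sync with APP_ID / TENANT_ID / IDP_ID in ApplicationRoleMgtDAOImplTest --` above the block would. Because the rows live in the shared schema script, every test class that loads it now starts with this application and IdP present, so any test that assumes an empty SP_APP or IDP table will see them. The IDP insert has a stray leading space and the file now ends without a trailing newline; both are cosmetic, but the latter makes the next append show up as a modified line.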
@@ -1,21 +1,19 @@ + Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +-->