I'm using WSO2 API-M v3.0.0, and I have created a new role with Login & Subscribe permissions (the same permissions that are granted to the "Internal/subscriber" role). But users within this new role are unable to log in to the subscriber portal, as access is being denied to them. The only workaround I see is to add those users to both the new role AND the Internal/subscriber role.
Are there any other changes that need to be done when any new role is created? I am not using a multi-tenant environment.
From APIM 3.0 onwards, the permission-based access control model is replaced with a role-based + permission-based model. So, by default, your users need to have the Internal/subscriber role to access the developer portal.
This is how it works. To access the developer portal, users should be able to get access tokens which have the apim:api_subscribe scope. For that, users need to have the Internal/subscriber role. This mapping is configured in the /_system/config/apimgt/applicationdata/tenant-conf.json file in the registry. So, in your case, you have to add your new role to this file.
From APIM 3.1 onwards, there will be a UI to configure this, which will make it easier than what we have now.
From docs[1].
In WSO2 API Manager 3.0.0, Developer Portal and Publisher Web Application UIs are populated by API-M REST APIs and all the authentication and authorization to access the different components in the UI solely depend on the scope role mapping defined in /_system/config/apimgt/applicationdata/tenant-conf.json that can be accessed through the Management Console from Resources > Browse.
By default, the scope-role mapping contains Internal/creator, Internal/publisher, Internal/subscriber as the default roles. If there are custom roles defined with API creator, API publisher, admin and API subscriber permissions, those roles have to be configured in tenant-conf.json under relevant scopes.
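The change described in the answer, as an added example that is not part of the answer or the WSO2 docs: it adds a custom role to exactly those scopes that already list Internal/subscriber, so the new role gains nothing beyond what the reference role has. It assumes the scope-role mapping is stored under RESTAPIScopes > Scope as entries with a Name and a comma-separated Roles string; the role name portal_user and the scope example:placeholder_scope are hypothetical.

```python
import json

# Constructed sample in the layout assumed for tenant-conf.json
# (RESTAPIScopes -> Scope -> Name / comma-separated Roles); not from a real server.
SAMPLE_TENANT_CONF = """
{
  "RESTAPIScopes": {
    "Scope": [
      {"Name": "apim:api_subscribe", "Roles": "admin,Internal/subscriber"},
      {"Name": "example:placeholder_scope", "Roles": "admin, Internal/subscriber"},
      {"Name": "apim:api_publish", "Roles": "admin,Internal/publisher"},
      {"Name": "apim:api_create", "Roles": "admin,Internal/creator"}
    ]
  }
}
"""

def split_roles(value):
    """Split the comma-separated Roles string, tolerating stray whitespace."""
    return [r.strip() for r in value.split(",") if r.strip()]

def mirror_role(conf, reference_role, new_role):
    """Add new_role to every scope that already lists reference_role.

    Returns the names of the scopes that were changed. Scopes that do not
    list reference_role are left untouched, and a second run changes nothing.
    """
    changed = []
    for scope in conf["RESTAPIScopes"]["Scope"]:
        roles = split_roles(scope.get("Roles", ""))
        if reference_role in roles and new_role not in roles:
            roles.append(new_role)
            scope["Roles"] = ",".join(roles)
            changed.append(scope["Name"])
    return changed

def scopes_for(conf, role):
    """List the scopes a role is mapped to, for reviewing the result."""
    return [s["Name"] for s in conf["RESTAPIScopes"]["Scope"]
            if role in split_roles(s.get("Roles", ""))]

if __name__ == "__main__":
    conf = json.loads(SAMPLE_TENANT_CONF)
    print("updated scopes:", mirror_role(conf, "Internal/subscriber", "portal_user"))
    print(json.dumps(conf, indent=2))
```

Run it against a copy of the file's content, compare scopes_for() for the new role and the reference role, and then paste the result back through Resources > Browse.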