wso2 · Lashen1227 · May 18, 2026 · May 22, 2026 · May 22, 2026 · May 22, 2026
diff --git a/...ain/java/org/wso2/carbon/identity/action/execution/internal/util/OperationComparator.java b/...ain/java/org/wso2/carbon/identity/action/execution/internal/util/OperationComparator.java
@@ -54,11 +54,34 @@ public static boolean compare(AllowedOperation allowedOp, PerformableOperation p
 
         for (String allowedPath : allowedOp.getPaths()) {
             if (performableOp.getPath().equals(allowedPath) ||
-                    performableOperationBasePath.equals(allowedPath)) {
+                    performableOperationBasePath.equals(allowedPath) ||
+                    performableOp.getPath().startsWith(allowedPath) ||
+                    matchesPathTemplate(allowedPath, performableOp.getPath())) {
                 return true;
             }
         }
 
         return false;
     }
+
+    // Allowed operation paths can contain placeholders (e.g /user/claims[uri={claim_uri}]).
+    private static boolean matchesPathTemplate(String allowedPathTemplate, String performablePath) {
+
+        if (allowedPathTemplate == null || performablePath == null || !allowedPathTemplate.contains("{")) {
+            return false;
+        }
+
+        int templateVariableStart = allowedPathTemplate.indexOf('{');
+        int templateVariableEnd = allowedPathTemplate.indexOf('}', templateVariableStart);
+        if (templateVariableStart == -1 || templateVariableEnd == -1 || templateVariableEnd < templateVariableStart) {
+            return false;
+        }
+
+        String prefix = allowedPathTemplate.substring(0, templateVariableStart);
+        String suffix = allowedPathTemplate.substring(templateVariableEnd + 1);
+
+        return performablePath.startsWith(prefix) &&
+                performablePath.endsWith(suffix) &&
+                performablePath.length() > (prefix.length() + suffix.length());
+    }
 }
diff --git a/...src/test/java/org/wso2/carbon/identity/action/execution/util/OperationComparatorTest.java b/...src/test/java/org/wso2/carbon/identity/action/execution/util/OperationComparatorTest.java
@@ -102,4 +102,19 @@ public void testCompareNonMatchingPath() {
 
         assertFalse(OperationComparator.compare(allowedOp, performableOp));
     }
+
+    @Test
+    public void testCompareMatchingPathForTemplateBasedClaimFilterPath() {
+
+        AllowedOperation allowedOp = new AllowedOperation();
+        allowedOp.setOp(Operation.ADD);
+        allowedOp.setPaths(Arrays.asList("/user/claims[uri={claim_uri}]"));
+
+        PerformableOperation performableOp = new PerformableOperation();
+        performableOp.setOp(Operation.ADD);
+        performableOp.setPath("/user/claims[uri=http://wso2.org/claims/country]");
+        performableOp.setValue("Sri Lanka");
+
+        assertTrue(OperationComparator.compare(allowedOp, performableOp));
+    }
 }
diff --git a/components/user-mgt/org.wso2.carbon.identity.user.pre.update.profile.action/pom.xml b/components/user-mgt/org.wso2.carbon.identity.user.pre.update.profile.action/pom.xml
@@ -143,6 +143,7 @@
                             org.wso2.carbon.identity.rule.evaluation.api.model; version="${carbon.identity.package.import.version.range}",
                             org.wso2.carbon.identity.rule.evaluation.api.exception; version="${carbon.identity.package.import.version.range}",
                             org.wso2.carbon.identity.rule.evaluation.api.provider; version="${carbon.identity.package.import.version.range}",
+                            org.wso2.carbon.identity.central.log.mgt.utils; version="${carbon.identity.package.import.version.range}",
                             org.wso2.carbon.identity.application.authentication.framework.util; version="${carbon.identity.package.import.version.range}"
                         </Import-Package>
                     </instructions>

diff --git a/...ity/user/pre/update/profile/action/internal/execution/PreUpdateProfileRequestBuilder.java b/...ity/user/pre/update/profile/action/internal/execution/PreUpdateProfileRequestBuilder.java
@@ -23,8 +23,10 @@
 import org.wso2.carbon.identity.action.execution.api.model.ActionExecutionRequest;
 import org.wso2.carbon.identity.action.execution.api.model.ActionExecutionRequestContext;
 import org.wso2.carbon.identity.action.execution.api.model.ActionType;
+import org.wso2.carbon.identity.action.execution.api.model.AllowedOperation;
 import org.wso2.carbon.identity.action.execution.api.model.Event;
 import org.wso2.carbon.identity.action.execution.api.model.FlowContext;
+import org.wso2.carbon.identity.action.execution.api.model.Operation;
 import org.wso2.carbon.identity.action.execution.api.model.Organization;
 import org.wso2.carbon.identity.action.execution.api.model.Tenant;
 import org.wso2.carbon.identity.action.execution.api.model.User;
@@ -54,7 +56,9 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
+import java.util.function.Function;
 import java.util.regex.Pattern;
+import java.util.stream.Collectors;
 
 /**
  * Pre Update Profile Action Request Builder.
@@ -63,6 +67,7 @@
 
     private static final String ROLE_CLAIM_URI = "http://wso2.org/claims/roles";
     private static final String GROUP_CLAIM_URI = "http://wso2.org/claims/groups";
+    public static final String USER_CLAIMS_FILTERED_PATH_TEMPLATE = "/user/claims[uri={claim_uri}]";
 
     @Override
     public ActionType getSupportedActionType() {
@@ -78,13 +83,37 @@
         UserActionContext userActionContext =
                 flowContext.getValue(UserActionContext.USER_ACTION_CONTEXT_REFERENCE_KEY, UserActionContext.class);
         PreUpdateProfileAction preUpdateProfileAction = (PreUpdateProfileAction) actionExecutionContext.getAction();
+        Event event  = getEvent(userActionContext, preUpdateProfileAction);
 
         return new ActionExecutionRequest.Builder()
                 .actionType(getSupportedActionType())
-                .event(getEvent(userActionContext, preUpdateProfileAction))
+                .event(event)
+                .allowedOperations(getAllowedOperations(event))
                 .build();
     }
 
+    private List<AllowedOperation> getAllowedOperations(Event event) throws ActionExecutionRequestBuilderException {
+
+        List<String> allowedPaths = new ArrayList<>();
+        allowedPaths.add(USER_CLAIMS_FILTERED_PATH_TEMPLATE);
+
+        List<AllowedOperation> allowedOperations = new ArrayList<>();
+
+        allowedOperations.add(createAllowedOperation(Operation.ADD, allowedPaths));
+        allowedOperations.add(createAllowedOperation(Operation.REMOVE, allowedPaths));
+        allowedOperations.add(createAllowedOperation(Operation.REPLACE, allowedPaths));
+
+        return allowedOperations;
+    }
+
+    private AllowedOperation createAllowedOperation(Operation op, List<String> paths) {
+
+        AllowedOperation operation = new AllowedOperation();
+        operation.setOp(op);
+        operation.setPaths(new ArrayList<>(paths));
+        return operation;
+    }
+
     private Event getEvent(UserActionContext userActionContext, PreUpdateProfileAction preUpdateProfileAction)
             throws ActionExecutionRequestBuilderException {
 
@@ -93,10 +122,9 @@
         eventBuilder.action(PreUpdateProfileEvent.Action.UPDATE);
         eventBuilder.request(getPreUpdateProfileRequest(userActionContext));
         eventBuilder.tenant(getTenant());
-        eventBuilder.user(getUser(userActionContext, preUpdateProfileAction));
 
-        String tenantDomain = IdentityContext.getThreadLocalIdentityContext().getTenantDomain();
-        UniqueIDUserStoreManager userStoreManager = RequestBuilderUtil.getUserStoreManager(tenantDomain);
+        UniqueIDUserStoreManager userStoreManager = getUserStoreManager();
+        eventBuilder.user(getUser(userActionContext, preUpdateProfileAction, userStoreManager));
         eventBuilder.userStore(getUserStore(userActionContext.getUserActionRequestDTO(), userStoreManager));
         eventBuilder.organization(getOrganization());
 
@@ -180,8 +208,8 @@
                 .build();
     }
 
-    private User getUser(UserActionContext userActionContext, PreUpdateProfileAction preUpdateProfileAction)
-            throws ActionExecutionRequestBuilderException {
+    private User getUser(UserActionContext userActionContext, PreUpdateProfileAction preUpdateProfileAction,
+                         UniqueIDUserStoreManager userStoreManager) throws ActionExecutionRequestBuilderException {
 
         UserActionRequestDTO userActionRequestDTO = userActionContext.getUserActionRequestDTO();
         List<String> userClaimsToSetInEvent = preUpdateProfileAction.getAttributes();
@@ -193,9 +221,8 @@
             return userBuilder.build();
         }
 
-        String tenantDomain = IdentityContext.getThreadLocalIdentityContext().getTenantDomain();
-        Map<String, String> claimValues = RequestBuilderUtil.getClaimValues(resolveOrgBoundUserId(userActionRequestDTO),
-                userClaimsToSetInEvent, tenantDomain);
+        Map<String, String> claimValues = getClaimValues(resolveOrgBoundUserId(userActionRequestDTO),
+                userClaimsToSetInEvent, userStoreManager);
         String multiAttributeSeparator = FrameworkUtils.getMultiAttributeSeparator();
 
         setClaimsInUserBuilder(userBuilder, claimValues, userActionRequestDTO.getClaims(), multiAttributeSeparator);
@@ -204,7 +231,24 @@
         return userBuilder.build();
     }
 
+    private Map<String, String> getClaimValues(String userId, List<String> requestedClaims,
+                                               UniqueIDUserStoreManager userStoreManager)
+            throws ActionExecutionRequestBuilderException {
+
+        try {
+            Map<String, String> claimValues = userStoreManager.getUserClaimValuesWithID(userId,
+                    requestedClaims.toArray(new String[0]), UserCoreConstants.DEFAULT_PROFILE);
+
+            // Filter out the extra claims that are not requested.
+            return requestedClaims.stream()
+                    .filter(claimValues::containsKey)
+                    .collect(Collectors.toMap(Function.identity(), claimValues::get));
+        } catch (org.wso2.carbon.user.core.UserStoreException e) {
+            throw new ActionExecutionRequestBuilderException("Failed to retrieve user claims from user store.", e);
+        }
+    }
+
     private void setClaimsInUserBuilder(User.Builder userBuilder, Map<String, String> claimValues,
                                         Map<String, Object> updatingUserClaimsInRequest,
                                         String multiAttributeSeparator) throws ActionExecutionRequestBuilderException {

@@ -217,13 +261,37 @@
                 continue;
             }
 
+            UpdatingUserClaim claim;
             if (isMultiValuedClaim(claimKey)) {
-                userClaimValuesToSetInEvent.add(
-                        constructMultiValuedClaim(updatingUserClaimsInRequest, claimKey, claimValue,
-                                multiAttributeSeparator));
+                claim = constructMultiValuedClaim(updatingUserClaimsInRequest, claimKey, claimValue,
+                        multiAttributeSeparator);
             } else {
-                userClaimValuesToSetInEvent.add(constructSingleValuedClaim(updatingUserClaimsInRequest, claimKey,
-                        claimValue));
+                claim = constructSingleValuedClaim(updatingUserClaimsInRequest, claimKey, claimValue);
+            }
+            userClaimValuesToSetInEvent.add(claim);
+        }
+
+        if (updatingUserClaimsInRequest != null) {
+            for (Map.Entry<String, Object> entry : updatingUserClaimsInRequest.entrySet()) {
+                String claimKey = entry.getKey();
+                if (isRoleOrGroupClaim(claimKey) || claimValues.containsKey(claimKey) &&
+                        StringUtils.isNotBlank(claimValues.get(claimKey))) {
+                    continue;
+                }
+
+                Object updatingClaimValue = entry.getValue();
+                UpdatingUserClaim claim;
+                if (isMultiValuedClaim(claimKey)) {
+                    if (!(updatingClaimValue instanceof String[])) {
+                        throw new ActionExecutionRequestBuilderException(
+                                "Invalid claim value format for multi-valued claim: " + claimKey +
+                                        " Only String[] types are expected.");
+                    }
+                    claim = new UpdatingUserClaim(claimKey, new String[0], (String[]) updatingClaimValue);
+                } else {
+                    claim = new UpdatingUserClaim(claimKey, null, String.valueOf(updatingClaimValue));
+                }
+                userClaimValuesToSetInEvent.add(claim);
             }
         }
 
@@ -293,6 +361,12 @@
         return new UserStore(userStoreDomain);
     }
 
+    private UniqueIDUserStoreManager getUserStoreManager() throws ActionExecutionRequestBuilderException {
+
+        String tenantDomain = IdentityContext.getThreadLocalIdentityContext().getTenantDomain();
+        return RequestBuilderUtil.getUserStoreManager(tenantDomain);
+    }
+
     private boolean isMultiValuedClaim(String claimUri) throws ActionExecutionRequestBuilderException {
 
         ClaimMetadataManagementService claimMetadataManagementService =