wso2 · mpmadhavig · Jun 23, 2026
diff --git a/components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/pom.xml b/components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/pom.xml
@@ -109,6 +109,7 @@
                             org.wso2.carbon.identity.base; version="${carbon.identity.package.import.version.range}",
                             org.wso2.carbon.identity.core; version="${carbon.identity.package.import.version.range}",
                             org.wso2.carbon.identity.core.model; version="${carbon.identity.package.import.version.range}",
+                            org.wso2.carbon.identity.core.util; version="${carbon.identity.package.import.version.range}",
                             org.wso2.carbon.utils; version="${carbon.kernel.package.import.version.range}",
                             org.wso2.carbon.identity.api.resource.mgt;
                             version="${carbon.identity.package.import.version.range}",

diff --git a/...rg/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionManagerImpl.java b/...rg/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionManagerImpl.java
@@ -42,6 +42,7 @@
 import java.util.stream.Collectors;
 
 import static org.wso2.carbon.identity.api.resource.collection.mgt.util.APIResourceCollectionManagementUtil.handleServerException;
+import static org.wso2.carbon.identity.api.resource.collection.mgt.util.APIResourceCollectionManagementUtil.isGranularConsolePermissionsEnabled;
 
 /**
  * API Resource Collection Manager Implementation.
@@ -127,22 +128,51 @@ private APIResourceCollection populateAPIResourcesForCollection(APIResourceColle
         }
         try {
             APIResourceCollection clonedCollection = cloneAPIResourceCollection(collection);
+            boolean granularEnabled = isGranularConsolePermissionsEnabled();
+
+            Set<String> writeScopes = new HashSet<>();
+            Optional.ofNullable(clonedCollection.getReadScopes()).ifPresent(writeScopes::addAll);
+            Optional.ofNullable(clonedCollection.getWriteScopes()).ifPresent(writeScopes::addAll);
 
-            // Combine read and write scopes for a single fetch.
             Set<String> combinedScopes = new HashSet<>();
             Optional.ofNullable(clonedCollection.getReadScopes()).ifPresent(combinedScopes::addAll);
             Optional.ofNullable(clonedCollection.getWriteScopes()).ifPresent(combinedScopes::addAll);
+            if (granularEnabled) {
+                Optional.ofNullable(clonedCollection.getCreateScopes()).ifPresent(combinedScopes::addAll);
+                Optional.ofNullable(clonedCollection.getUpdateScopes()).ifPresent(combinedScopes::addAll);
+                Optional.ofNullable(clonedCollection.getDeleteScopes()).ifPresent(combinedScopes::addAll);
+            }
             List<APIResource> allAPIResources = APIResourceCollectionMgtServiceDataHolder.getInstance()
                     .getAPIResourceManagementService().getScopeMetadata(new ArrayList<>(combinedScopes), tenantDomain);
 
             List<APIResource> readAPIResources =
                     filterAPIResources(allAPIResources, clonedCollection.getReadScopes());
             List<APIResource> writeAPIResources =
-                    filterAPIResources(allAPIResources, new ArrayList<>(combinedScopes));
+                    filterAPIResources(allAPIResources, new ArrayList<>(writeScopes));
 
             Map<String, List<APIResource>> apiResourcesMap = new HashMap<>();
             apiResourcesMap.put(APIResourceCollectionManagementConstants.READ, readAPIResources);
             apiResourcesMap.put(APIResourceCollectionManagementConstants.WRITE, writeAPIResources);
+            if (granularEnabled) {
+                Set<String> createScopes = new HashSet<>();
+                Optional.ofNullable(clonedCollection.getReadScopes()).ifPresent(createScopes::addAll);
+                Optional.ofNullable(clonedCollection.getCreateScopes()).ifPresent(createScopes::addAll);
+
+                Set<String> updateScopes = new HashSet<>();
+                Optional.ofNullable(clonedCollection.getReadScopes()).ifPresent(updateScopes::addAll);
+                Optional.ofNullable(clonedCollection.getUpdateScopes()).ifPresent(updateScopes::addAll);
+
+                Set<String> deleteScopes = new HashSet<>();
+                Optional.ofNullable(clonedCollection.getReadScopes()).ifPresent(deleteScopes::addAll);
+                Optional.ofNullable(clonedCollection.getDeleteScopes()).ifPresent(deleteScopes::addAll);
+
+                apiResourcesMap.put(APIResourceCollectionManagementConstants.CREATE,
+                        filterAPIResources(allAPIResources, new ArrayList<>(createScopes)));
+                apiResourcesMap.put(APIResourceCollectionManagementConstants.UPDATE,
+                        filterAPIResources(allAPIResources, new ArrayList<>(updateScopes)));
+                apiResourcesMap.put(APIResourceCollectionManagementConstants.DELETE,
+                        filterAPIResources(allAPIResources, new ArrayList<>(deleteScopes)));
+            }
             clonedCollection.setApiResources(apiResourcesMap);
             return clonedCollection;
         } catch (APIResourceMgtException e) {
@@ -199,10 +229,16 @@ private APIResourceCollection cloneAPIResourceCollection(APIResourceCollection a
                 .type(apiResourceCollection.getType())
                 .readScopes(apiResourceCollection.getReadScopes())
                 .writeScopes(apiResourceCollection.getWriteScopes())
+                .createScopes(apiResourceCollection.getCreateScopes())
+                .updateScopes(apiResourceCollection.getUpdateScopes())
+                .deleteScopes(apiResourceCollection.getDeleteScopes())
                 .legacyReadScopes(apiResourceCollection.getLegacyReadScopes())
                 .legacyWriteScopes(apiResourceCollection.getLegacyWriteScopes())
                 .viewFeatureScope(apiResourceCollection.getViewFeatureScope())
                 .editFeatureScope(apiResourceCollection.getEditFeatureScope())
+                .createFeatureScope(apiResourceCollection.getCreateFeatureScope())
+                .updateFeatureScope(apiResourceCollection.getUpdateFeatureScope())
+                .deleteFeatureScope(apiResourceCollection.getDeleteFeatureScope())
                 .apiResources(apiResourceCollection.getApiResources())
                 .build();
     }

diff --git a/...entity/api/resource/collection/mgt/constant/APIResourceCollectionManagementConstants.java b/...entity/api/resource/collection/mgt/constant/APIResourceCollectionManagementConstants.java
@@ -38,7 +38,12 @@ public class APIResourceCollectionManagementConstants {
     public static final String WRITE_SCOPES = "writeScopes";
     public static final String READ = "read";
     public static final String WRITE = "write";
+    public static final String CREATE = "create";
+    public static final String UPDATE = "update";
+    public static final String DELETE = "delete";
     public static final String API_RESOURCES = "apiResources";
+    public static final String USE_GRANULAR_CONSOLE_PERMISSIONS_CONFIG =
+            "ConsoleSettings.UseGranularConsolePermissions";
 
     /**
      * API resource collection configuration builder constants.
@@ -53,10 +58,16 @@ public static class APIResourceCollectionConfigBuilderConstants {
         public static final String DISPLAY_NAME = "displayName";
         public static final String TYPE = "type";
         public static final String READ = "Read";
+        public static final String CREATE = "Create";
+        public static final String UPDATE = "Update";
+        public static final String DELETE = "Delete";
         public static final String FEATURE = "Feature";
         public static final String VERSION = "version";
         public static final String VIEW_FEATURE_SCOPE_SUFFIX = "_view";
         public static final String EDIT_FEATURE_SCOPE_SUFFIX = "_edit";
+        public static final String CREATE_FEATURE_SCOPE_SUFFIX = "_create";
+        public static final String UPDATE_FEATURE_SCOPE_SUFFIX = "_update";
+        public static final String DELETE_FEATURE_SCOPE_SUFFIX = "_delete";
         public static final String CONSOLE_SCOPE_PREFIX = "console:";
         public static final String COLLECTION_VERSION_V0 = "v0";
     }

diff --git a/...ava/org/wso2/carbon/identity/api/resource/collection/mgt/model/APIResourceCollection.java b/...ava/org/wso2/carbon/identity/api/resource/collection/mgt/model/APIResourceCollection.java
@@ -34,10 +34,16 @@ public class APIResourceCollection {
     private String type;
     private List<String> readScopes;
     private List<String> writeScopes;
+    private List<String> createScopes;
+    private List<String> updateScopes;
+    private List<String> deleteScopes;
     private List<String> legacyReadScopes;
     private List<String> legacyWriteScopes;
     private String viewFeatureScope;
     private String editFeatureScope;
+    private String createFeatureScope;
+    private String updateFeatureScope;
+    private String deleteFeatureScope;
     private Map<String, List<APIResource>> apiResources;
 
     public APIResourceCollection() {
@@ -52,10 +58,16 @@ public APIResourceCollection(APIResourceCollectionBuilder apiResourceCollectionB
             this.apiResources = apiResourceCollectionBuilder.apiResources;
             this.readScopes = apiResourceCollectionBuilder.readScopes;
             this.writeScopes = apiResourceCollectionBuilder.writeScopes;
+            this.createScopes = apiResourceCollectionBuilder.createScopes;
+            this.updateScopes = apiResourceCollectionBuilder.updateScopes;
+            this.deleteScopes = apiResourceCollectionBuilder.deleteScopes;
             this.legacyReadScopes = apiResourceCollectionBuilder.legacyReadScopes;
             this.legacyWriteScopes = apiResourceCollectionBuilder.legacyWriteScopes;
             this.viewFeatureScope = apiResourceCollectionBuilder.viewFeatureScope;
             this.editFeatureScope = apiResourceCollectionBuilder.editFeatureScope;
+            this.createFeatureScope = apiResourceCollectionBuilder.createFeatureScope;
+            this.updateFeatureScope = apiResourceCollectionBuilder.updateFeatureScope;
+            this.deleteFeatureScope = apiResourceCollectionBuilder.deleteFeatureScope;
     }
 
     public String getId() {
@@ -108,6 +120,36 @@ public void setWriteScopes(List<String> writeScopes) {
         this.writeScopes = writeScopes;
     }
 
+    public List<String> getCreateScopes() {
+
+        return createScopes;
+    }
+
+    public void setCreateScopes(List<String> createScopes) {
+
+        this.createScopes = createScopes;
+    }
+
+    public List<String> getUpdateScopes() {
+
+        return updateScopes;
+    }
+
+    public void setUpdateScopes(List<String> updateScopes) {
+
+        this.updateScopes = updateScopes;
+    }
+
+    public List<String> getDeleteScopes() {
+
+        return deleteScopes;
+    }
+
+    public void setDeleteScopes(List<String> deleteScopes) {
+
+        this.deleteScopes = deleteScopes;
+    }
+
     public List<String> getLegacyReadScopes() {
 
         return legacyReadScopes;
@@ -148,6 +190,36 @@ public void setEditFeatureScope(String editFeatureScope) {
         this.editFeatureScope = editFeatureScope;
     }
 
+    public String getCreateFeatureScope() {
+
+        return createFeatureScope;
+    }
+
+    public void setCreateFeatureScope(String createFeatureScope) {
+
+        this.createFeatureScope = createFeatureScope;
+    }
+
+    public String getUpdateFeatureScope() {
+
+        return updateFeatureScope;
+    }
+
+    public void setUpdateFeatureScope(String updateFeatureScope) {
+
+        this.updateFeatureScope = updateFeatureScope;
+    }
+
+    public String getDeleteFeatureScope() {
+
+        return deleteFeatureScope;
+    }
+
+    public void setDeleteFeatureScope(String deleteFeatureScope) {
+
+        this.deleteFeatureScope = deleteFeatureScope;
+    }
+
     /**
      * Builder class for API Resource Collection.
      */
@@ -159,10 +231,16 @@ public static class APIResourceCollectionBuilder {
         private String type;
         private List<String> readScopes;
         private List<String> writeScopes;
+        private List<String> createScopes;
+        private List<String> updateScopes;
+        private List<String> deleteScopes;
         private List<String> legacyReadScopes;
         private List<String> legacyWriteScopes;
         private String viewFeatureScope;
         private String editFeatureScope;
+        private String createFeatureScope;
+        private String updateFeatureScope;
+        private String deleteFeatureScope;
         private Map<String, List<APIResource>> apiResources;
 
         public APIResourceCollectionBuilder() {
@@ -204,6 +282,24 @@ public APIResourceCollectionBuilder writeScopes(List<String> writeScopes) {
             return this;
         }
 
+        public APIResourceCollectionBuilder createScopes(List<String> createScopes) {
+
+            this.createScopes = createScopes;
+            return this;
+        }
+
+        public APIResourceCollectionBuilder updateScopes(List<String> updateScopes) {
+
+            this.updateScopes = updateScopes;
+            return this;
+        }
+
+        public APIResourceCollectionBuilder deleteScopes(List<String> deleteScopes) {
+
+            this.deleteScopes = deleteScopes;
+            return this;
+        }
+
 
         public APIResourceCollectionBuilder legacyReadScopes(List<String> legacyReadScopes) {
 
@@ -229,6 +325,24 @@ public APIResourceCollectionBuilder editFeatureScope(String editFeatureScope) {
             return this;
         }
 
+        public APIResourceCollectionBuilder createFeatureScope(String createFeatureScope) {
+
+            this.createFeatureScope = createFeatureScope;
+            return this;
+        }
+
+        public APIResourceCollectionBuilder updateFeatureScope(String updateFeatureScope) {
+
+            this.updateFeatureScope = updateFeatureScope;
+            return this;
+        }
+
+        public APIResourceCollectionBuilder deleteFeatureScope(String deleteFeatureScope) {
+
+            this.deleteFeatureScope = deleteFeatureScope;
+            return this;
+        }
+
         public APIResourceCollectionBuilder apiResources(Map<String, List<APIResource>> apiResources) {
 
             this.apiResources = apiResources;

diff --git a/...carbon/identity/api/resource/collection/mgt/util/APIResourceCollectionManagementUtil.java b/...carbon/identity/api/resource/collection/mgt/util/APIResourceCollectionManagementUtil.java
@@ -22,6 +22,7 @@
 import org.wso2.carbon.identity.api.resource.collection.mgt.constant.APIResourceCollectionManagementConstants;
 import org.wso2.carbon.identity.api.resource.collection.mgt.exception.APIResourceCollectionMgtClientException;
 import org.wso2.carbon.identity.api.resource.collection.mgt.exception.APIResourceCollectionMgtServerException;
+import org.wso2.carbon.identity.core.util.IdentityUtil;
 
 /**
  * Utility class for API Resource Collection Management.
@@ -63,4 +64,15 @@ public static APIResourceCollectionMgtServerException handleServerException(
         }
         return new APIResourceCollectionMgtServerException(error.getMessage(), description, error.getCode(), e);
     }
+
+    /**
+     * Check whether the granular console permission model (create/update/delete feature scopes) is enabled. Controlled
+     *
+     * @return True if granular console permissions are enabled.
+     */
+    public static boolean isGranularConsolePermissionsEnabled() {
+
+        return Boolean.parseBoolean(IdentityUtil.getProperty(
+                APIResourceCollectionManagementConstants.USE_GRANULAR_CONSOLE_PERMISSIONS_CONFIG));
+    }
 }