incubator-syncope-user mailing list archives

From Fabio Martelli <fabio.marte...@gmail.com>
Subject Re: Users & roles
Date Fri, 30 Mar 2012 15:16:54 GMT

On 30 Mar 2012, at 15:51, Bob Lannoy wrote:

> Hi,
> 
> Maybe I should try to explain a bit more on what I'm trying to achieve ;)
> 
> - I have an external application that contains some general roles, and
> possibly custom roles for specific elements
> - several organisations will use that application
> 
> I was thinking that Syncope could manage the users of those
> organisations which means:
> - an admin user from orgA can create users for orgA and assign
> application roles to them
> - an admin user from orgB can create users for orgB and assign
> application roles to them
> The external app would then have to authenticate the user + get the
> application roles
> 
> However there is no notion of organisational structure in Syncope so I
> tried a role hierarchy to model a basic structure.
> orgA (roletype=org)
> -users
>  --user (roletype=user)
>  --admin (roletype=user)
> -applications
>  --app1 (roletype=app)
> OrgB
> ....
> Applications
> --app2 (roletype=app)

I think your design is correct.
Syncope roles could be used to simulate a generic organisational structure like yours.

> I could use the syncope entitlements so that the admin role in orgA
> can only create users in the orgA/users/user role and assign
> application roles.

This should be possible by default:
1. create entitlement called ROLE_<id of the role orgA/users/user>
2. add entitlement to the role orgA/users/admin

> From the application side I would have to get info from Syncope
> stating user X from orgA has applicationrole app1 and app2.
> In my case I would get the role "user" and need to get the parent with
> roletype=org to find the org name.

This should be done programmatically.

Regards,
F.

> But maybe I'm looking at it the wrong way.
> 
> Bob
> On 30 March 2012 15:09, Colm O hEigeartaigh <coheigea@apache.org> wrote:
>> Hi Fabio,
>> 
>>> Further, you have the method verifyPassword provided by UserController that
>>> could be used to verify userid/password.
>>> This method, for security reasons, can be called only by a user with USER_READ
>>> capability.
>> 
>> Consider the use-case as mentioned by Bob, where you have a third
>> party application which receives login credentials and wishes to
>> authenticate the user, and retrieve the roles associated with that
>> user for authorization. If the application logs on with the received
>> username/password, then it is assuming that the given user has a
>> USER_READ entitlement. IMO the application would log on with its own
>> credentials, and wish to authenticate the given username/password via
>> some kind of "authenticateUser" method as I mentioned before.
>> 
>> Do you see a use-case for this kind of functionality or am I missing something?
>> 
>>> Actually users have only the roles explicitly assigned.
>> 
>> The question is whether it is possible to easily retrieve the
>> hierarchy of roles for a particular user (or the authenticated user)?
>> 
>> Thanks,
>> 
>> Colm.
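The two pieces the thread leaves to the application side (walking up from a user's role to the nearest roletype=org ancestor, and checking the ROLE_<id> entitlement before an admin creates a user under a role) as an added, self-contained example; this is a constructed in-memory model of Bob's role tree, not Syncope's API or any code from the thread, and the "container" roletype for the users/applications nodes is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    id: int
    name: str
    roletype: str                 # "org", "user" or "app" as in the thread; "container" assumed
    parent: "Role | None" = None
    entitlements: set = field(default_factory=set)

def org_of(role):
    """Walk the parent chain until a roletype=org ancestor is found (None if there is none)."""
    r = role
    while r is not None:
        if r.roletype == "org":
            return r.name
        r = r.parent
    return None

def resolve_user(assigned):
    """Return (org name, sorted application roles) for a user's explicitly assigned roles.
    Users hold only the roles explicitly assigned, so the org is derived, never stored."""
    orgs = {org_of(r) for r in assigned if r.roletype == "user"} - {None}
    if len(orgs) != 1:
        raise ValueError(f"user must map to exactly one org, got {orgs}")
    return orgs.pop(), sorted(r.name for r in assigned if r.roletype == "app")

def can_create_user_in(admin_roles, target):
    """True only if one of the admin's roles carries the ROLE_<target id> entitlement."""
    needed = f"ROLE_{target.id}"
    return any(needed in r.entitlements for r in admin_roles)

# Constructed sample tree: orgA/users/{user,admin}, orgA/applications/app1, orgB/users/user,
# plus a top-level Applications/app2 that belongs to no organisation.
orgA = Role(1, "orgA", "org")
orgA_users = Role(2, "users", "container", orgA)
orgA_user = Role(3, "user", "user", orgA_users)
orgA_admin = Role(4, "admin", "user", orgA_users, {f"ROLE_{orgA_user.id}"})
app1 = Role(6, "app1", "app", Role(5, "applications", "container", orgA))
orgB = Role(7, "orgB", "org")
orgB_user = Role(9, "user", "user", Role(8, "users", "container", orgB))
app2 = Role(11, "app2", "app", Role(10, "Applications", "container"))

if __name__ == "__main__":
    print(resolve_user([orgA_user, app1, app2]))          # ('orgA', ['app1', 'app2'])
    print(can_create_user_in([orgA_admin], orgA_user))    # True
    print(can_create_user_in([orgA_admin], orgB_user))    # False: no ROLE_9 entitlement
```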

