incubator-syncope-user mailing list archives

From Francesco Chicchiriccò <ilgro...@apache.org>
Subject Re: Users & roles
Date Fri, 30 Mar 2012 13:25:16 GMT
On 30/03/2012 15:13, Colm O hEigeartaigh wrote:
> Hi Francesco,
>
>> let me clarify one point: if role A (with entitlement E) has child role
>> B, and user U has role B assigned, this DOES NOT IMPLY that user U has
>> role A assigned as well.
>> When defining roles, you can choose whether a role will inherit some
>> information (entitlements, for example) from its parent.
> Are you referring to the "inherit attributes" checkbox when creating a
> child role? What is the exact meaning of this - that the child role
> does not inherit any attributes or entitlements from the parent role?
> Or is it stronger as you seem to be implying in the example, that no
> hierarchy exists (i.e. a user in the child role does not inherit the
> parent role at all when this box is ticked)?

Oops, I now realize that my sample was bound to an old version: you are
right: entitlements are ALWAYS inherited, but there are many things that
a role can inherit from its parent:

 * attributes (the checkbox you are referring to above, under tab "Attributes")
 * derived attributes (under tab "Derived Attributes")
 * virtual attributes (under tab "Virtual Attributes")
 * password policies
 * account policies

Role hierarchy exists because each role might have a parent role and
child roles can inherit from parent roles.

But, as I've said before, user U is a member of B, not A.

In this sense, one can say that roles are hierarchical but role
assignments (a.k.a. memberships) are not hierarchical.

Regards.

> 2012/3/30 Francesco Chicchiriccò <ilgrosso@apache.org>:
>> On 30/03/2012 14:48, Bob Lannoy wrote:
>>> On 30 March 2012 14:29, Colm O hEigeartaigh <coheigea@apache.org> wrote:
>>>> Hi Bob,
>>>>
>>>> I've been running into similar issues.
>>>>
>>>>> - /auth/getentitlements doesn't give me the roles of the connected user
>>>> It gives you the list of entitlements associated with the roles of the
>>>> connected user. Perhaps this controller should also have a similar
>>>> method for returning a list of role names of the connected user as
>>>> well?
>>> Through the console both are mixed so I confused entitlements with the roles.
>>> A "getroles" method for the connected user would indeed be handy.
>>> Ideally it could return the child with its parents
>>>
>>> I could try to have a go at it although I'm not a hard core developer ;)
>> Hi,
>> let me clarify one point: if role A (with entitlement E) has child role
>> B, and user U has role B assigned, this DOES NOT IMPLY that user U has
>> role A assigned as well.
>>
>> When defining roles, you can choose whether a role will inherit some
>> information (entitlements, for example) from its parent.
>>
>> This means, referring to example above, that if B is configured to
>> inherit entitlements from A, user U will have entitlement E.
>>
>> Hence, a method like the one above proposed by Colm will not be needed:
>> when using the self-read REST method (as indicated by Fabio in another
>> e-mail), you will find such information in UserTO.getRoles().
-- 
Francesco Chicchiriccò

Apache Cocoon PMC and Apache Syncope PPMC Member
http://people.apache.org/~ilgrosso/
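
The distinction drawn in this message (entitlements are inherited down the role hierarchy, memberships are not), as an added example that is not part of the original e-mail and is not Apache Syncope code. The `Role` class, the function names and the extra entitlement `F` are hypothetical and constructed for illustration.

```python
# Toy model of the semantics described in the message above; not Syncope code.
# All names here are hypothetical.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Role:
    name: str
    entitlements: set = field(default_factory=set)
    parent: Optional["Role"] = None


def role_entitlements(role):
    """Entitlements of a role: its own plus every ancestor's (always inherited)."""
    result, seen = set(), set()
    while role is not None:
        if role.name in seen:  # guard against a misconfigured cyclic hierarchy
            raise ValueError(f"cycle in role hierarchy at {role.name!r}")
        seen.add(role.name)
        result |= role.entitlements
        role = role.parent
    return result


def memberships(assigned_roles):
    """Role names the user is a member of: direct assignments only, no ancestors."""
    return {r.name for r in assigned_roles}


def user_entitlements(assigned_roles):
    """Union of the inherited entitlements of each directly assigned role."""
    out = set()
    for r in assigned_roles:
        out |= role_entitlements(r)
    return out


# Constructed sample matching the thread: A (entitlement E) is the parent of B,
# and user U has only role B assigned. Entitlement F on B is an added assumption.
A = Role("A", {"E"})
B = Role("B", {"F"}, parent=A)
U = [B]

if __name__ == "__main__":
    print("memberships: ", sorted(memberships(U)))
    print("entitlements:", sorted(user_entitlements(U)))
```

An access review built on this model has to report both views separately: listing only memberships hides that U can exercise E, while listing only entitlements hides that U was never assigned A.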

