incubator-syncope-user mailing list archives

From Bob Lannoy <>
Subject Re: Users & roles
Date Fri, 30 Mar 2012 13:51:42 GMT

Maybe I should try to explain a bit more on what I'm trying to achieve ;)

- I have an external application that contains some general roles, and
possibly custom roles for specific elements
- several organisations will use that application

I was thinking that Syncope could manage the users of those
organisations which means:
- an admin user from orgA can create users for orgA and assign
application roles to them
- an admin user from orgB can create users for orgB and assign
application roles to them
The external app would then have to authenticate the user + get the
application roles

However there is no notion of organisational structure in Syncope so I
tried a role hierarchy to model a basic structure.
orgA (roletype=org)
  --user (roletype=user)
  --admin (roletype=user)
  --app1 (roletype=app)
  --app2 (roletype=app)

I could use the syncope entitlements so that the admin role in orgA
can only create users in the orgA/users/user role and assign
application roles.

From the application side I would have to get info from Syncope
stating user X from orgA has application roles app1 and app2.
In my case I would get the role "user" and need to get the parent with
roletype=org to find the org name.

But maybe I'm looking at it the wrong way.

On 30 March 2012 15:09, Colm O hEigeartaigh <> wrote:
> Hi Fabio,
>> Further, you have the method verifyPassword provided by UserController that
>> could be used to verify userid/password.
>> This method, for security reason can be called only by a user with USER_READ
>> capability.
> Consider the use-case as mentioned by Bob, where you have a third
> party application which receives login credentials and wishes to
> authenticate the user, and retrieve the roles associated with that
> user for authorization. If the application logs on with the received
> username/password, then it is assuming that the given user has a
> USER_READ entitlement. IMO the application would log on with its own
> credentials, and wish to authenticate the given username/password via
> some kind of "authenticateUser" method as I mentioned before.
> Do you see a use-case for this kind of functionality or am I missing something?
>> Actually users have only the roles explicitly assigned.
> The question is whether it is possible to easily retrieve the
> hierarchy of roles for a particular user (or the authenticated user)?
> Thanks,
> Colm.
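
The role resolution and the per-organisation scoping that Bob describes in the message above, as an added example that is not part of the original thread and not Syncope's own code: a toy Python model of the orgA tree (user, admin, app1, app2 under an org node) using the roletype values from the message. The names Role, org_of, resolve_user, can_create_user_in and can_assign_app_role are assumptions for this illustration, the paths are written as orgA/user rather than the message's orgA/users/user, and the sample tree (orgA plus an identical orgB) is constructed for the example. It shows walking from the explicitly assigned "user" role up to the roletype=org parent to recover the org name, collecting the roletype=app roles the external application needs, and refusing to let an orgA admin create users in, or hand out application roles from, another org.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Role:
    """One node of the role tree; roletype is "org", "user" or "app" as in the thread."""
    name: str
    roletype: str
    parent: Optional["Role"] = None

    def path(self) -> str:
        return self.name if self.parent is None else f"{self.parent.path()}/{self.name}"


def ancestors(role: Role) -> Iterable[Role]:
    """Yield the role itself, then each parent up to the root."""
    node: Optional[Role] = role
    while node is not None:
        yield node
        node = node.parent


def org_of(role: Role) -> Optional[str]:
    """Name of the nearest role (self or ancestor) with roletype=org, or None."""
    for node in ancestors(role):
        if node.roletype == "org":
            return node.name
    return None


def build_tree() -> Dict[str, Role]:
    """Constructed sample data: two organisations with the layout sketched in the thread."""
    roles: Dict[str, Role] = {}
    for org_name in ("orgA", "orgB"):
        org = Role(org_name, "org")
        children = [
            Role("user", "user", org),
            Role("admin", "user", org),
            Role("app1", "app", org),
            Role("app2", "app", org),
        ]
        for r in (org, *children):
            roles[r.path()] = r
    return roles


def resolve_user(assigned: List[Role]) -> Tuple[str, Set[str]]:
    """What the external application needs: the user's org and its application roles.

    Only the explicitly assigned roles are available (as Fabio notes), so the org is
    recovered by walking up to the roletype=org ancestor. Roles resolving to two
    different orgs are rejected instead of picking one.
    """
    orgs = {org_of(r) for r in assigned} - {None}
    if len(orgs) != 1:
        raise ValueError(f"roles resolve to {len(orgs)} organisations: {sorted(orgs)}")
    apps = {r.name for r in assigned if r.roletype == "app"}
    return orgs.pop(), apps


def administered_orgs(admin_roles: List[Role]) -> Set[str]:
    """Orgs in which the given roles include that org's 'admin' role."""
    return {org_of(r) for r in admin_roles if r.name == "admin" and r.roletype == "user"} - {None}


def can_create_user_in(admin_roles: List[Role], target: Role) -> bool:
    """Delegated admin check: users may only be created in the 'user' role of an org this admin runs."""
    return (
        target.roletype == "user"
        and target.name == "user"
        and org_of(target) in administered_orgs(admin_roles)
    )


def can_assign_app_role(admin_roles: List[Role], target: Role) -> bool:
    """Delegated admin check: only application roles belonging to the admin's own org may be assigned."""
    return target.roletype == "app" and org_of(target) in administered_orgs(admin_roles)


if __name__ == "__main__":
    tree = build_tree()
    print(resolve_user([tree["orgA/user"], tree["orgA/app1"], tree["orgA/app2"]]))
    admin_a = [tree["orgA/admin"]]
    print(can_create_user_in(admin_a, tree["orgA/user"]), can_create_user_in(admin_a, tree["orgB/user"]))
```

The two `can_*` checks are the part an entitlement model has to get right: the decision is taken on the target role's org (found by walking the tree), not on the admin's own claim about which org they belong to, so an orgA admin holding a handle to orgB/user or orgB/app1 is refused.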
