syncope-commits mailing list archives

From conflue...@apache.org
Subject [CONF] Apache Syncope > Authentication and authorization
Date Fri, 23 Mar 2012 10:23:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2042/9/3/_/styles/combined.css?spaceKey=SYNCOPE&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/SYNCOPE/Authentication+and+authorization">Authentication
and authorization</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~ilgrosso">Francesco
Chicchiricco</a>
    </h4>
        <br/>
                         <h4>Changes (4)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-added-lines" style="background-color: #dfd;">{toc:style=decimal}
<br></td></tr>
            <tr><td class="diff-unchanged" >h1. Introduction <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">Talking
about security aspects mostly involves examining how RESTful controllers implements communication
with external world. Hence, security is mostly implemented and enforced by the core, as the
console is basically an external REST client (check [High-level Architecture] for more details).
<br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">Talking
about security aspects mostly involves examining how RESTful controllers implements communication
with external world. Hence, security is mostly implemented and enforced by the core, as the
console is basically an external REST client (check [High-level Architecture|http://incubator.apache.org/syncope/architecture.html]
for more details). <br> <br></td></tr>
            <tr><td class="diff-unchanged" >h1. Entitlements <br> <br>Authentication
and authorization in Syncope is fundamentally based on *Entitlements*. Entitlements are basically
strings describing the right to perform an operation. <br> <br></td></tr>
            <tr><td class="diff-changed-lines" >Defaults entitlements are included
at the end of <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">[content.xml|http://syncope.googlecode.com/svn/trunk/core/src/main/resources/content.xml]</span>
<span class="diff-added-words"style="background-color: #dfd;">[content.xml|https://svn.us.apache.org/repos/asf/incubator/syncope/trunk/core/src/main/resources/content.xml]</span>
and always loaded into internal storage. <br></td></tr>
            <tr><td class="diff-unchanged" > <br>Entitlements can only be
assigned to roles: this is the basis of a *role-based authorization* mechanism. <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
    
            </table>
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <style type='text/css'>/*<![CDATA[*/
div.rbtoc1332498175381 {margin-left: 1.5em;padding: 0px;}
div.rbtoc1332498175381 ul {list-style: decimal;margin-left: 0px;}
div.rbtoc1332498175381 li {margin-left: 0px;padding-left: 0px;}

/*]]>*/</style><div class='rbtoc1332498175381'>
<ul>
    <li><a href='#Authenticationandauthorization-Introduction'>Introduction</a></li>
    <li><a href='#Authenticationandauthorization-Entitlements'>Entitlements</a></li>
    <li><a href='#Authenticationandauthorization-Example'>Example</a></li>
    <li><a href='#Authenticationandauthorization-Rootadministrator'>Root administrator</a></li>
</ul></div>
<h1><a name="Authenticationandauthorization-Introduction"></a>Introduction</h1>

<p>Talking about security aspects mostly involves examining how the RESTful controllers
implement communication with the external world. Hence, security is mostly implemented and enforced
by the core, since the console is basically an external REST client (see <a href="http://incubator.apache.org/syncope/architecture.html"
class="external-link" rel="nofollow">High-level Architecture</a> for more details).</p>

<h1><a name="Authenticationandauthorization-Entitlements"></a>Entitlements</h1>

<p>Authentication and authorization in Syncope are fundamentally based on <b>Entitlements</b>.
Entitlements are basically strings describing the right to perform an operation.</p>

<p>Default entitlements are included at the end of <a href="https://svn.us.apache.org/repos/asf/incubator/syncope/trunk/core/src/main/resources/content.xml"
class="external-link" rel="nofollow">content.xml</a> and are always loaded into internal
storage.</p>

<p>Entitlements can only be assigned to roles: this is the basis of a <b>role-based
authorization</b> mechanism.</p>

<p>Two kinds of entitlements exist:</p>

<p><b>Normal entitlements</b><br/>
relate to the general operations that can be performed (such as <em>TASK_DELETE</em>
or <em>CONNECTOR_UPDATE</em>);<br/>
<b>Role operational entitlements</b><br/>
are specifically bound to each and every role defined (such as <em>ROLE_10</em> or
<em>ROLE_23</em>).</p>

<p>Why is such a distinction needed? Because Syncope implements a delegated role-based
authorization model, so that a user can manage other users, and this can be specified with
a very fine-grained mechanism.</p>

<h1><a name="Authenticationandauthorization-Example"></a>Example</h1>

<p>Let's suppose that we want to implement the following scenario:<br/>
<em>Administrator A can create users under role 5 but not under role 7, administrator
B can update users under roles 6 and 8, administrator C can update role 8.</em></p>

<p>In this scenario, Syncope will have defined at least the following entitlements:</p>
<ul>
	<li><em>USER_CREATE</em>, <em>USER_UPDATE</em>, <em>ROLE_UPDATE</em></li>
	<li><em>ROLE_5</em>, <em>ROLE_6</em>, <em>ROLE_7</em>,
<em>ROLE_8</em></li>
</ul>


<p>Here follows how entitlements should be assigned to the administrators in order to
implement the scenario above:</p>
<ul>
	<li>A: <em>USER_CREATE</em> + <em>ROLE_5</em></li>
	<li>B: <em>USER_UPDATE</em> + <em>ROLE_6</em> + <em>ROLE_8</em></li>
	<li>C: <em>ROLE_UPDATE</em> + <em>ROLE_8</em></li>
</ul>


<h1><a name="Authenticationandauthorization-Rootadministrator"></a>Root
administrator</h1>

<p>There is of course a special <b>admin</b> user, granted all the entitlements
defined in the system and thus capable of performing any available operation.</p>
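<p>The two-part check described in the Entitlements and Example sections above, together with the root administrator's all-entitlements grant, as an added example written for this page rather than taken from Syncope's code base: entitlements are modelled as plain strings, the administrators A, B and C and the role ids 5 to 8 are the scenario's hypothetical values, the set of normal entitlements is a constructed subset of the defaults, and the function names (<em>is_authorized</em>, <em>reachable_roles</em>, <em>decisions</em>) are this example's own, not a Syncope API.</p>

```python
"""Added example of Syncope-style delegated role-based authorization.

Not Syncope's own code: entitlements are plain strings. A normal entitlement
names an operation (USER_CREATE), a role operational entitlement names a role
(ROLE_5). An operation that touches a role is granted only when the caller
holds both entitlements.
"""

import re

# Normal entitlements needed by the page's scenario (constructed subset of the
# defaults shipped in content.xml).
NORMAL_ENTITLEMENTS = {"USER_CREATE", "USER_UPDATE", "ROLE_UPDATE"}

# Roles defined in the scenario; each one implies a ROLE_<id> entitlement.
ROLE_IDS = {5, 6, 7, 8}

ROLE_ENTITLEMENT_RE = re.compile(r"^ROLE_(\d+)$")


def role_entitlement(role_id):
    """Name of the role operational entitlement bound to a role."""
    return "ROLE_%d" % role_id


def all_entitlements():
    """Every entitlement the system knows: the normal ones plus one per role."""
    return frozenset(NORMAL_ENTITLEMENTS | {role_entitlement(r) for r in ROLE_IDS})


def is_authorized(granted, operation, role_id=None):
    """True if a caller holding `granted` may perform `operation`.

    A ROLE_<id> string names no operation, so it never authorizes by itself.
    When the operation targets a role (create a user under it, update it),
    the caller must additionally hold that role's ROLE_<id> entitlement.
    """
    if ROLE_ENTITLEMENT_RE.match(operation):
        return False
    if operation not in granted:
        return False
    if role_id is None:
        return True
    return role_id in ROLE_IDS and role_entitlement(role_id) in granted


def reachable_roles(granted):
    """Role ids whose ROLE_<id> entitlement is held: the scope an administrator
    can reach, useful when reviewing who is allowed to touch which role."""
    ids = set()
    for ent in granted:
        match = ROLE_ENTITLEMENT_RE.match(ent)
        if match:
            ids.add(int(match.group(1)))
    return ids & ROLE_IDS


# Assignments from the page's scenario (administrators A, B, C are hypothetical).
ADMINS = {
    "A": {"USER_CREATE", role_entitlement(5)},
    "B": {"USER_UPDATE", role_entitlement(6), role_entitlement(8)},
    "C": {"ROLE_UPDATE", role_entitlement(8)},
    # Root administrator: granted every entitlement defined in the system.
    "admin": set(all_entitlements()),
}


def decisions():
    """Evaluate the scenario's requests; returns {(admin, operation, role): bool}."""
    requests = [
        ("A", "USER_CREATE", 5),      # allowed
        ("A", "USER_CREATE", 7),      # denied: A lacks ROLE_7
        ("A", "USER_UPDATE", 5),      # denied: A lacks USER_UPDATE
        ("B", "USER_UPDATE", 6),      # allowed
        ("B", "USER_UPDATE", 8),      # allowed
        ("B", "USER_UPDATE", 7),      # denied: B lacks ROLE_7
        ("C", "ROLE_UPDATE", 8),      # allowed
        ("C", "USER_UPDATE", 8),      # denied: ROLE_8 alone grants no operation
        ("admin", "USER_CREATE", 7),  # allowed: root holds every entitlement
        ("admin", "ROLE_UPDATE", 5),  # allowed
    ]
    return {(who, op, rid): is_authorized(ADMINS[who], op, rid)
            for who, op, rid in requests}


if __name__ == "__main__":
    for (who, op, rid), ok in decisions().items():
        print("%-5s %-11s ROLE_%d -> %s" % (who, op, rid, "allowed" if ok else "denied"))
```

<p>The point the model makes explicit is that a role operational entitlement on its own never authorizes anything: C holds <em>ROLE_8</em> but cannot update users under role 8 because <em>USER_UPDATE</em> is missing, and A holds <em>USER_CREATE</em> but cannot create under role 7 because <em>ROLE_7</em> is missing. <em>reachable_roles</em> is the kind of helper a reviewer would run over each administrator's grants to see the scope that delegation actually hands out.</p>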
    </div>
        <div id="commentsSection" class="wiki-content pageSection">
        <div style="float: right;">
            <a href="https://cwiki.apache.org/confluence/users/viewnotifications.action"
class="grey">Change Notification Preferences</a>
        </div>
        <a href="https://cwiki.apache.org/confluence/display/SYNCOPE/Authentication+and+authorization">View
Online</a>
        |
        <a href="https://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=27841569&revisedVersion=8&originalVersion=7">View
Changes</a>
                |
        <a href="https://cwiki.apache.org/confluence/display/SYNCOPE/Authentication+and+authorization?showComments=true&amp;showCommentArea=true#addcomment">Add
Comment</a>
            </div>
</div>
</div>
</div>
</div>
</body>
</html>
