syncope-commits mailing list archives
From "Fabio Martelli (Confluence)" <>
Subject [CONF] Apache Syncope > Schema, attributes and mapping
Date Fri, 13 Dec 2013 09:53:00 GMT
    <base href="">
            <link rel="stylesheet" href="/confluence/s/en/2176/1/3/_/styles/combined.css?spaceKey=SYNCOPE&amp;forWysiwyg=true"
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="">Schema,
attributes and mapping</a></h2>
    <h4>Page <b>edited</b> by             <a href="">Fabio
                         <h4>Changes (2)</h4>
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >The typical usage of virtual attributes
is when an attribute can change on an external resource without notice and there is need of
having access to the most updated value without relying upon synchronization. <br> <br></td></tr>
            <tr><td class="diff-changed-lines" >Furthermore, for performance reason,
the best practice is to keep the number of <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">[plain|Schema,
attributes</span> <span class="diff-added-words"style="background-color: #dfd;">[plain|#Schema,attributesandmapping-Plainattributes]</span>
and <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">mapping#Schema,attributesandmapping-Plainattributes]
and [derived|Schema,</span> <span class="diff-added-words"style="background-color:
#dfd;">[derived|#Schema,attributesandmapping-Derivedattributes]</span> attributes
<span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">and
mapping#Schema,attributesandmapping-Derivedattributes] attributes</span> as low as possible:
Apache Syncope should declare plain attributes just for data on which it must have the ownership;
the rest should be declared virtual. <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-changed-lines" >A virtual attribute can be <span
class="diff-changed-words">[mapped|<span class="diff-deleted-chars"style="color:#999;background-color:#fdd;text-decoration:line-through;">Schema,
attributes and mapping</span>#Schema,attributesandmapping-SchemaMapping]</span>
among several resources. <br></td></tr>
            <tr><td class="diff-unchanged" >The values of a virtual attribute
is the composition (in a distinct way) of values coming from each resource it is mapped on.
 <br> <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <style type='text/css'>/*<![CDATA[*/
div.rbtoc1386928349567 {margin-left: 1.5em;padding: 0px;}
div.rbtoc1386928349567 ul {list-style: decimal;margin-left: 0px;}
div.rbtoc1386928349567 li {margin-left: 0px;padding-left: 0px;}

/*]]>*/</style><div class='rbtoc1386928349567'>
    <li><a href='#Schema%2Cattributesandmapping-Introduction'>Introduction</a></li>
    <li><a href='#Schema%2Cattributesandmapping-Attribute'>Attribute</a></li>
    <li><a href='#Schema%2Cattributesandmapping-Plainattributes'>Plain attributes</a></li>
    <li><a href='#Schema%2Cattributesandmapping-Readonly'>Read-only</a></li>
    <li><a href='#Schema%2Cattributesandmapping-Derivedattributes'>Derived attributes</a></li>
    <li><a href='#Schema%2Cattributesandmapping-Virtualattributes'>Virtual attributes</a></li>
    <li><a href='#Schema%2Cattributesandmapping-Readonly'>Read-only</a></li>
    <li><a href='#Schema%2Cattributesandmapping-Schema'>Schema</a></li>
    <li><a href='#Schema%2Cattributesandmapping-SchemaMapping'>Schema Mapping</a></li>

<h1><a name="Schema%2Cattributesandmapping-Introduction"></a>Introduction</h1>

<p>The primary purpose of identity management systems is to manage data belonging to
<em>users</em>; it is also common practice in such systems to define entities
called <em>roles</em> that help in defining and enforcing security policies.
In addition, Syncope explicitly represents the fact that users can be assigned to
roles by means of <em>memberships</em>.</p>

<p>In summary, Syncope manages data about three kinds of entities:</p>

<p>When saying "data", Syncope refers to a collection of so-called <em><a href="#Schema%2Cattributesandmapping-Attribute">attributes</a></em>.</p>

<p>This means that Syncope will manage User attributes, Role attributes and Membership

<h1><a name="Schema%2Cattributesandmapping-Attribute"></a>Attribute</h1>

<p>An attribute is a <em>(key, values)</em> pair where</p>
<ul>
	<li><em>key</em> is a string label (e.g. <em>Surname</em>)</li>
	<li><em>values</em> is a (possibly singleton) collection of data (e.g.
[Doe] but also [,])</li>
</ul>

<p>The type of values that can be assigned to each attribute is defined via <em><a

<p>Syncope will manage plain attributes, derived attributes and virtual attributes for
users, roles and memberships.</p>

<h2><a name="Schema%2Cattributesandmapping-Plainattributes"></a>Plain attributes</h2>
<p>In this case attribute values are persisted into the Syncope internal storage.<br/>
Plain attribute values are:</p>
<ul>
	<li>updated via synchronization from external resources</li>
	<li>available for propagation towards external resources</li>
</ul>

<h3><a name="Schema%2Cattributesandmapping-Readonly"></a>Read-only</h3>

<p>Read-only attribute value(s) cannot be changed via standard operations (e.g. REST,
synchronization from external resources, ...). Such attributes are reserved for internal use,
so their value(s) can be changed only in the underlying DBMS or from inside the <a href="/confluence/display/SYNCOPE/User+Workflow"
title="User Workflow">workflow</a>.</p>

<h2><a name="Schema%2Cattributesandmapping-Derivedattributes"></a>Derived
<p>Sometimes it is handful to obtain values as arbitrary combination of other attributes'
values: for example, with 'Firstname' and 'Surname' plain attributes, it is natural to think
that 'Fullname' could be somehow defined as the concatenation of Firstname's and Surname's
values, separated by a blank space.</p>

<p>You can define a derived attribute via a <a href=""
class="external-link" rel="nofollow">JEXL</a> expression combining values of some
plain attributes.</p>

<p>Derived attribute values are:</p>
<ul>
	<li>indirectly updated via synchronization from external resources (when the component
plain attributes' values are updated via synchronization)</li>
	<li>available for propagation towards external resources</li>
</ul>

<h2><a name="Schema%2Cattributesandmapping-Virtualattributes"></a>Virtual
<p>With virtual attributes, values are not kept into the Syncope internal storage but
somehow <em>linked</em> from an <a href="/confluence/display/SYNCOPE/Connectors+and+resources#Connectorsandresources-Externalresource">external

<p>The typical usage of virtual attributes is when an attribute can change on an external
resource without notice and there is a need to access the most up-to-date value without
relying upon synchronization.</p>

<p>Furthermore, for performance reasons, the best practice is to keep the number of <a href="#Schema%2Cattributesandmapping-Plainattributes">plain</a>
and <a href="#Schema%2Cattributesandmapping-Derivedattributes">derived</a>
attributes as low as possible: Apache Syncope should declare plain attributes only for data
it must own; the rest should be declared virtual.</p>

<p>A virtual attribute can be <a href="#Schema%2Cattributesandmapping-SchemaMapping">mapped</a>
among several resources.<br/>
The values of a virtual attribute are the distinct union of the values coming
from each resource it is mapped on.</p>

<p>Virtual attribute values are always retrieved from an external resource, whether the
mapping purpose is <em>SYNCHRONIZATION</em>, <em>PROPAGATION</em> or <em>BOTH</em>.<br/>
The only way to prevent virtual attribute values from being retrieved from a given resource is to remove
the <em>SEARCH</em> capability from the resource's connector itself.</p>

<p>Virtual attribute values are:</p>
<ul>
	<li>unaffected by synchronizing the resource they come from (if and only if the
values come from one resource only)</li>
	<li>available for propagation towards external resources</li>
</ul>

<p>For performance optimization, virtual attributes are managed by an internal cache
that limits access to external resources.<br/>
The virtual attribute cache is not configurable and cannot be disabled.</p>

<p>Each cache entry is a key/values pair.<br/>
The key is composed of:</p>
<ul>
	<li>attributable type (USER or ROLE)</li>
	<li>attributable id</li>
	<li>virtual schema name.</li>
</ul>

<p>Entries expire after one minute; an entry can expire earlier if the referenced
virtual attribute is involved in a propagation.<br/>
Entry expiration can be forced by interacting directly with the VirAttrCache bean, using the
available <a href="/confluence/display/SYNCOPE/Extending+Syncope"
title="Extending Syncope">Syncope extension points</a>.</p>

<h3><a name="Schema%2Cattributesandmapping-Readonly"></a>Read-only</h3>

<p>When attribute value(s) from an external resource only need to be read within
Syncope, and can only be changed on the resource itself, virtual read-only attributes fit
the job.</p>

<h1><a name="Schema%2Cattributesandmapping-Schema"></a>Schema</h1>

<p>An attribute schema describes the values that attributes with that schema will hold:</p>
<ul>
	<li><em>type</em> (String, Enum, Boolean, Long, Double, Date)</li>
	<li>whether values must respect a UNIQUE constraint or not</li>
	<li>whether values must be singleton or not</li>
	<li>whether providing a value is mandatory or not</li>
	<li>whether input is accepted or not (<em>read-only</em>)</li>
	<li>whether values must be validated by some provided validator (such as <em>EMailAddressValidator</em>)</li>
	<li>how non-string values must be converted into / parsed from strings (<em>conversion
</ul>

<p>This means that Syncope will manage schemas, derived schemas and virtual schemas
for users, roles and memberships.</p>
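<p>As an added example (not Syncope's code), the following Python model applies the constraints listed above to incoming string values: type conversion, UNIQUE, singleton, mandatory, read-only and a validator. The <code>Schema</code> dataclass, <code>check_values</code>, the <code>via_standard_operation</code> flag (modelling a REST or synchronization caller, as opposed to the workflow/DBMS path that may write read-only values), the regex inside <code>email_address_validator</code> and the strptime-style conversion pattern are all assumptions made for the example.</p>

```python
"""Toy model of attribute schema constraints (illustrative, not Syncope code)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Iterable, List, Optional, Tuple

SCHEMA_TYPES = ("String", "Enum", "Boolean", "Long", "Double", "Date")  # types listed on the page


@dataclass(frozen=True)
class Schema:
    """The constraints an attribute schema carries, following the page's list."""
    name: str
    type: str = "String"
    unique: bool = False          # values must respect a UNIQUE constraint
    multivalue: bool = False      # False: values must be a singleton
    mandatory: bool = False       # providing a value is required
    readonly: bool = False        # input via standard operations is rejected
    enum_values: Tuple[str, ...] = ()
    validator: Optional[Callable[[object], bool]] = None
    # Assumption: a strptime pattern stands in for the conversion pattern of Date schemas.
    conversion_pattern: str = "%Y-%m-%d"


def email_address_validator(value: object) -> bool:
    """Stand-in for the page's EMailAddressValidator; the regex is an assumption."""
    return isinstance(value, str) and re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", value) is not None


def parse_value(schema: Schema, raw: str):
    """Convert a string into the schema's type; raises ValueError on malformed input."""
    if schema.type == "String":
        return raw
    if schema.type == "Enum":
        if raw not in schema.enum_values:
            raise ValueError(f"{raw!r} is not one of {schema.enum_values}")
        return raw
    if schema.type == "Boolean":
        if raw.lower() not in ("true", "false"):
            raise ValueError(f"{raw!r} is not a boolean")
        return raw.lower() == "true"
    if schema.type == "Long":
        return int(raw)
    if schema.type == "Double":
        return float(raw)
    if schema.type == "Date":
        return datetime.strptime(raw, schema.conversion_pattern)
    raise ValueError(f"unknown schema type {schema.type!r}")


def check_values(schema: Schema, raw_values: Iterable[str], existing: Iterable[object] = (),
                 via_standard_operation: bool = True) -> Tuple[bool, str, List[object]]:
    """Apply every constraint of `schema` to incoming string values.

    Returns (accepted, reason, parsed_values). `existing` holds values already stored
    under the same schema, used for the UNIQUE check. `via_standard_operation=True`
    models REST or synchronization callers, which may not change read-only values.
    """
    raw_values = list(raw_values)
    if schema.readonly and via_standard_operation:
        return False, f"{schema.name} is read-only", []
    if schema.mandatory and not raw_values:
        return False, f"{schema.name} is mandatory", []
    if not schema.multivalue and len(raw_values) > 1:
        return False, f"{schema.name} accepts a single value", []
    try:
        parsed = [parse_value(schema, v) for v in raw_values]
    except ValueError as exc:
        return False, f"{schema.name}: {exc}", []
    if schema.validator is not None:
        rejected = [v for v in parsed if not schema.validator(v)]
        if rejected:
            return False, f"{schema.name}: rejected by validator: {rejected}", []
    if schema.unique:
        known = set(existing)
        clash = [v for v in parsed if v in known]
        if clash:
            return False, f"{schema.name}: UNIQUE constraint violated by {clash}", []
    return True, "ok", parsed
```

<p>The read-only branch is checked first on purpose: a value that a standard operation must not change should be refused before any parsing or validation happens, so that a malformed input cannot change which reason is reported for the rejection.</p>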

<h1><a name="Schema%2Cattributesandmapping-SchemaMapping"></a>Schema Mapping</h1>

<p>If Syncope were only able to define schemas and manage attributes for its internal
storage, there would be little to gain from deploying an IdM solution.</p>

<p>One of the most important features is the ability to link such attributes to <a href="/confluence/display/SYNCOPE/Connectors+and+resources"
title="Connectors and resources">external resources</a> (LDAP server, database, ...)
so that <a href="/confluence/display/SYNCOPE/Propagation+mode" title="Propagation mode">propagation</a>
and synchronization can take place effectively.</p>

<p><span class="image-wrap" style=""><img src="/confluence/download/attachments/27841576/SchemaMapping.png?version=1&amp;modificationDate=1332337397000"
width="600pxpx" style="border: 0px solid black" /></span></p>
        <div id="commentsSection" class="wiki-content pageSection">
        <div style="float: right;" class="grey">
                        <a href="">Stop
watching space</a>
            <span style="padding: 0px 5px;">|</span>
                <a href="">Change
email notification preferences</a>
        <a href="">View
        <a href="">View

View raw message