Return-Path: X-Original-To: apmail-syncope-commits-archive@www.apache.org Delivered-To: apmail-syncope-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 60CDB1837F for ; Mon, 14 Dec 2015 08:26:45 +0000 (UTC) Received: (qmail 2999 invoked by uid 500); 14 Dec 2015 08:26:45 -0000 Delivered-To: apmail-syncope-commits-archive@syncope.apache.org Received: (qmail 2968 invoked by uid 500); 14 Dec 2015 08:26:45 -0000 Mailing-List: contact commits-help@syncope.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@syncope.apache.org Delivered-To: mailing list commits@syncope.apache.org Received: (qmail 2959 invoked by uid 99); 14 Dec 2015 08:26:45 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 14 Dec 2015 08:26:45 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id E2768DFF8D; Mon, 14 Dec 2015 08:26:44 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: massi@apache.org To: commits@syncope.apache.org Message-Id: <3d8d119eb9854c7595bc37aab99fc9f3@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: syncope git commit: authentication and authorization: SYNCOPE-700 Date: Mon, 14 Dec 2015 08:26:44 +0000 (UTC) Repository: syncope Updated Branches: refs/heads/master ab13c7b8e -> 1ed178565 authentication and authorization: SYNCOPE-700 Project: http://git-wip-us.apache.org/repos/asf/syncope/repo Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/1ed17856 Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/1ed17856 Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/1ed17856 Branch: refs/heads/master Commit: 1ed1785657b9ca89e965c3f6ebc6ad13f95b8f2f Parents: ab13c7b Author: Massimiliano Perrone Authored: Mon Dec 14 09:24:48 2015 +0100 Committer: Massimiliano Perrone Committed: Mon Dec 14 09:24:52 2015 +0100 ---------------------------------------------------------------------- src/main/asciidoc/iam/accessmanager.adoc | 23 ------- .../iam/accessmanager/accessmanager.adoc | 25 +++++++ .../iam/accessmanager/authentication.adoc | 69 ++++++++++++++++++++ src/main/asciidoc/iam/iam.adoc | 2 +- 4 files changed, 95 insertions(+), 24 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/syncope/blob/1ed17856/src/main/asciidoc/iam/accessmanager.adoc ---------------------------------------------------------------------- diff --git a/src/main/asciidoc/iam/accessmanager.adoc b/src/main/asciidoc/iam/accessmanager.adoc deleted file mode 100644 index 4235694..0000000 --- a/src/main/asciidoc/iam/accessmanager.adoc +++ /dev/null 
@@ -1,23 +0,0 @@ -// -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -// -=== Access Managers -As briefly mentioned before, an access manager is not an identity manager. An access management software manages above all -the authentication on a given environment. It provides the methods, generally called authentication module, to manage -the user authentication, the latter based on various identification system as the password, the fingerprint or based on -various protocols as SAML and OAuth 2.0. \ No newline at end of file http://git-wip-us.apache.org/repos/asf/syncope/blob/1ed17856/src/main/asciidoc/iam/accessmanager/accessmanager.adoc ---------------------------------------------------------------------- diff --git a/src/main/asciidoc/iam/accessmanager/accessmanager.adoc b/src/main/asciidoc/iam/accessmanager/accessmanager.adoc new file mode 100644 index 0000000..71a5aba --- /dev/null +++ b/src/main/asciidoc/iam/accessmanager/accessmanager.adoc 
@@ -0,0 +1,25 @@ +// +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. +// +=== Access Managers +As briefly mentioned before, in general an access manager is not an identity manager. An access management software +manages above all the authentication on a given environment. It provides the methods, generally called authentication +module, to manage the user authentication, the latter based on various identification system as the password, +the fingerprint or based on various protocols as SAML and OAuth 2.0. + +include::authentication.adoc[] \ No newline at end of file http://git-wip-us.apache.org/repos/asf/syncope/blob/1ed17856/src/main/asciidoc/iam/accessmanager/authentication.adoc ---------------------------------------------------------------------- diff --git a/src/main/asciidoc/iam/accessmanager/authentication.adoc b/src/main/asciidoc/iam/accessmanager/authentication.adoc new file mode 100644 index 0000000..88d8123 --- /dev/null +++ b/src/main/asciidoc/iam/accessmanager/authentication.adoc 
@@ -0,0 +1,69 @@ +// +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. +// + +==== Authentication and authorization +Talking about security aspects mostly involves examining how RESTful controllers implements communication with external +world. Hence, security is mostly implemented and enforced by the core, as the console is basically an external REST +client (check High-level Architecture for more details). + +===== Entitlements +Authentication and authorization in Syncope is fundamentally based on Entitlements. +Entitlements are basically strings describing the right to perform an operation. +Defaults entitlements are included at the end of content.xml and always loaded into internal storage. +Entitlements can only be assigned to roles: this is the basis of a role-based authorization mechanism. + +* Normal entitlements:: +related to the general operations that can be performed (like as TASK_DELETE or CONNECTOR_UPDATE); +* Role operational entitlements:: +specifically bound to each and every role defined (like as ROLE_10 or ROLE_23). + +Why such distinction is needed? 
Because Syncope implements a delegated role-based authorization model so that an user +can manage other users and this can be specified with a very fine-grained mechanism. + +===== Role ownership +Starting with Syncope 1.1.0, the role owner concept is introduced: an user or a role can be defined as owner of a given +role. +Users owning a role (or user assigned to a role owning a role) are granted to perform any operation on owned role and +also assigned any role operational entitlement of owned role. +This means that if such owners are also granted some user-related entitlements (like as USER_CREATE or USER_UPDATE), +then they will be entitled to administer users of owned role as well. + +===== Example +Let's suppose that we want to implement the following scenario: +_Administrator A can create users under role 5 but not under role 7, administrator B can update users under role 6 and 8, +administrator C can update role 8._ +In this scenario, Syncope will have defined at least the following entitlements: + +* USER_CREATE, USER_UPDATE, ROLE_UPDATE +* ROLE_5, ROLE_6, ROLE_7, ROLE_8 + +Here it follows how entitlements should be assigned to administrators in order to implement the scenario above: + +* A: USER_CREATE + ROLE_5 +* B: USER_UPDATE + ROLE_6 + ROLE_8 +* C: ROLE_UPDATE + ROLE_8 + +With role ownership, if administrator D is set as owner of role 8, the following entitlements will be automatically +granted: + +* D: ROLE_READ + ROLE_CREATE + ROLE_UPDATE + ROLE_DELETE + ROLE_8 + +===== Root administrator +There is of course a special admin user, granted by all the entitlements defined in the system, thus capable of +performing any available operation. \ No newline at end of file http://git-wip-us.apache.org/repos/asf/syncope/blob/1ed17856/src/main/asciidoc/iam/iam.adoc ---------------------------------------------------------------------- diff --git a/src/main/asciidoc/iam/iam.adoc b/src/main/asciidoc/iam/iam.adoc index f0417d5..80e7f74 100644 
--- a/src/main/asciidoc/iam/iam.adoc +++ b/src/main/asciidoc/iam/iam.adoc @@ -31,6 +31,6 @@ include::identitystores.adoc[] include::provisioningengines.adoc[] -include::accessmanager.adoc[] +include::accessmanager/accessmanager.adoc[] include::thecompletepicture.adoc[] \ No newline at end of file
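Review bot: in the new accessmanager/accessmanager.adoc the paragraph carried over from the deleted file keeps its grammar problems, and since the file is being moved anyway this is the moment to fix them: "the methods, generally called authentication module" should be "authentication modules", and "based on various identification system as the password, the fingerprint or based on various protocols as SAML and OAuth 2.0" reads better as "based on various identification systems, such as passwords or fingerprints, or on protocols such as SAML and OAuth 2.0". The file also ends without a trailing newline after `include::authentication.adoc[]`.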
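Review bot: the heading of the new authentication.adoc promises "Authentication and authorization", but the body only describes the authorization model (entitlements, role ownership, root administrator); nothing in the hunk says how a caller actually authenticates to the core, so either retitle the section or add a paragraph on authentication. The entitlement list mixes the bullet marker `*` with the description-list terminator `::` (`* Normal entitlements::`, `* Role operational entitlements::`); in AsciiDoc a description list term should start the line on its own, so drop the `*` or the `::`. Wording fixes for the same hunk: "RESTful controllers implements" should be "implement", "Defaults entitlements" should be "Default entitlements", "an user" occurs three times and should be "a user", "Why such distinction is needed?" should be "Why is such a distinction needed?", "granted by all the entitlements defined in the system" should be "granted all the entitlements defined in the system", and "like as" (USER_CREATE, ROLE_10 examples) should be "such as". The sentence "Starting with Syncope 1.1.0, the role owner concept is introduced" is a release note inside a reference chapter; stating the current behaviour without the version qualifier would age better. The file also ends without a trailing newline.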
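Review bot: the iam.adoc hunk swaps `include::accessmanager.adoc[]` for `include::accessmanager/accessmanager.adoc[]`, which is correct for the move, but the file is left without a trailing newline (`\ No newline at end of file`), as are the other two files added in this commit; adding the final newline keeps future diffs of these files from showing a spurious change on the last line.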