syncope-commits mailing list archives

From ilgro...@apache.org
Subject [2/2] syncope git commit: [SYNCOPE-1067] Doc update
Date Wed, 14 Jun 2017 11:57:34 GMT
[SYNCOPE-1067] Doc update


Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/a21329ee
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/a21329ee
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/a21329ee

Branch: refs/heads/master
Commit: a21329eeabb33f5e2690f54ac30a6c34ecfa00c5
Parents: 919b32e
Author: Francesco Chicchiriccò <ilgrosso@apache.org>
Authored: Wed Jun 14 13:57:16 2017 +0200
Committer: Francesco Chicchiriccò <ilgrosso@apache.org>
Committed: Wed Jun 14 13:57:24 2017 +0200

----------------------------------------------------------------------
 .../asciidoc/reference-guide/concepts/realms.adoc | 12 ++++++++++++
 .../asciidoc/reference-guide/concepts/roles.adoc  | 18 ++++++++++++++++--
 2 files changed, 28 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/syncope/blob/a21329ee/src/main/asciidoc/reference-guide/concepts/realms.adoc
----------------------------------------------------------------------
diff --git a/src/main/asciidoc/reference-guide/concepts/realms.adoc b/src/main/asciidoc/reference-guide/concepts/realms.adoc
index 9e791e1..188cf07 100644
--- a/src/main/asciidoc/reference-guide/concepts/realms.adoc
+++ b/src/main/asciidoc/reference-guide/concepts/realms.adoc
@@ -43,6 +43,18 @@ Moreover, this partition allows fine-grained control over policy enforcement
and
 <<entitlements,entitlements>> and <<roles,roles>>, helps to implement
 <<delegated-administration,delegated administration>>.
 
+[[dynamic-realms]]
+.Dynamic Realms
+****
+Realms provide a mean to model static containment hierarchies. +
+Such strategy might not be the ideal fit for situations where the set of Users, Groups and
Any Objects to administer
+cannot be statically defined by containment.
+
+Dynamic Realms can be used to identify Users, Groups and Any Objects according to some attributes'
value, resource
+assignment, group membership or any other condition available, with purpose of granting
+<<delegated-administration,delegated administration>> rights.
+****
+
 [TIP]
 .Logic Templates
 ====
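
Review bot: The new Dynamic Realms sidebar presents them as a way of "granting" delegated administration rights but never says those rights are restricted; the update-only limitation appears only in the WARNING this commit adds to roles.adoc. Add a closing sentence to the sidebar that points to that limitation, so a reader who lands here first does not assume the same rights as for static realms. Wording in the same block: "provide a mean" should be "provide a means", and "with purpose of" should be "with the purpose of".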

http://git-wip-us.apache.org/repos/asf/syncope/blob/a21329ee/src/main/asciidoc/reference-guide/concepts/roles.adoc
----------------------------------------------------------------------
diff --git a/src/main/asciidoc/reference-guide/concepts/roles.adoc b/src/main/asciidoc/reference-guide/concepts/roles.adoc
index 5cfc19e..662febc 100644
--- a/src/main/asciidoc/reference-guide/concepts/roles.adoc
+++ b/src/main/asciidoc/reference-guide/concepts/roles.adoc
@@ -18,7 +18,8 @@
 //
 === Roles
 
-Roles map a set of <<entitlements,entitlements>> to a set of <<realms,realms>>.
+Roles map a set of <<entitlements,entitlements>> to a set of <<realms,realms>>
and / or
+<<dynamic-realms, dynamic realms>>.
 
 [TIP]
 .Static and Dynamic Memberships
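
Review bot: The added cross-reference `<<dynamic-realms, dynamic realms>>` has a space after the comma, which is inconsistent with `<<entitlements,entitlements>>` and `<<realms,realms>>` in the same sentence; write it as `<<dynamic-realms,dynamic realms>>`. The "and / or" in that sentence would also read better as "and/or".
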
@@ -31,10 +32,23 @@ role.
 
 ==== Delegated Administration
 
-The idea is that any user U assigned to a role R, which provides entitlements E~1~...E~n~
for realms Re~1~...Re~k~, can 
+The idea is that any user U assigned to a role R, which provides entitlements E~1~...E~n~
for realms Re~1~...Re~m~, can 
 exercise E~i~ on entities (Users, Groups, Any Objects of given types, depending on E~i~)
under any Re~j~ or related
 sub-realms.
 
+Moreover, any user U assigned to a role R, which provides entitlements E~1~...E~n~ for dynamic
realms DR~1~..DR~n~, can
+exercise E~i~ on entities (Users, Groups, Any Objects of given types, depending on E~i~)
matching the conditions defined
+for any DR~k~.
+
+[WARNING]
+.Dynamic Realms limitations
+====
+Users to whom administration rights were granted via Dynamic Realms can only *update* Users,
Groups and Any Objects,
+not create nor delete. +
+Moreover, the only accepted changes on a given entity are the ones that do not change any
Dynamic Realm's matching
+condition for such entity.
+====
+
 .Authorization
 ====
 Let's suppose that we want to implement the following scenario:
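
Review bot: In the added paragraph, "dynamic realms DR~1~..DR~n~" reuses n, which is already the upper bound of E~1~...E~n~, so the sentence reads as if a role must carry exactly as many dynamic realms as entitlements, while the closing "for any DR~k~" uses yet another index. Give the dynamic realms their own upper bound, as the realms range has with Re~1~...Re~m~, and use three dots like the other ranges. In the WARNING, "not create nor delete" should be "not create or delete", and the last sentence should state explicitly that it refers to updates after which the entity would no longer match (or would newly match) a Dynamic Realm, since that is the boundary a delegated administrator needs to understand.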

