syncope-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Francesco Chicchiriccò <>
Subject Re: [DISCUSS] - Support dynamic entitlements in Apache Syncope
Date Tue, 24 Jan 2017 19:31:56 GMT
On 24 jan 2017 18:29:22 CET, Colm O hEigeartaigh <> ha scritto:
>Hi Francesco,
>Thanks for your detailed reply! It's going to take me some time to wrap
>head around all of the details. :-)

Oh, sorry for this, but these ideas have been ringing in my head for quite some time...
I have also others, all in the direction of further improving Syncope, and I am happy to discuss
here to clarify, better define, go beyond my direct experience, etc.

>Let me just ask an initial question...when you define privilege
>as " the ability to discover, define and map the rights that users own
>external resources" - are you referring only to resources in the
>terminology here - Identity stores like LDAP etc.?
>The reason I ask is that our interest is in being able to define
>for external services (say some arbitrary REST service requires a given
>entitlement). Is this use-case accommadated by your proposal, or are we
>talking about separate things here?

Interesting point, indeed.
I admit that below I was exactly referring to Syncope's External Resources, but your sample
about REST service is significant.

Let's suppose we introduce the new concept of Application: what kind of communication will
Syncope establish with it?
Coming to your sample: what would be the use case of managing in Syncope the privileges available
into an external REST service? How would you fetch them? Supposing you're able to associate
them to (groups of) users, wow would you push such association to the REST service?

That's why I initially thought to reuse ConnId connectors for this purpose.


>On Fri, Jan 20, 2017 at 8:30 AM, Francesco Chicchiriccò
>> wrote:
>> With "dynamic entitlements", I think you are referring to privilege
>> management, e.g. the ability to discover, define and map the rights
>> users own on external resources.
>> I would not confuse this, however, with Syncope entitlements:
>> with 2.0, in fact, we now finally have a stable mechanism for which
>> entitlements are defined as constants in Java classes (and extensions
>> add their own, as shown by the Camel Provisioning Manager), with
>> effects on code organization both for Core's Spring Security
>> and Admin Console's delegated administration.
>> I think that privilege management is a great addition to Syncope;
>here are
>> few items coming to my mind:
>> 1. privileges must be represented as (JPA) entities, have their own
>> REST endpoint, Admin Console management, etc. (as all other entities)
>> 2. privileges should be defined / discovered in external resource(s):
>> resource R1 defines privileges P1, P2, P3; resource R2 defines
>> P4,P5; about discovery, ConnId does not provide (yet?) any primitive
>> 3. privileges should be grouped somehow and finally assigned to
>users, but
>> depend on each external resource
>> 4. privileges are not really for users (in the way Syncope defines
>> but rather for accounts, e.g. the mapped counterpart of a Syncope
>user onto
>> a given external resource.
>> I think we could take the chance to add both privilege management and
>> multi-account management (see SYNCOPE-957): both features require in
>fact a
>> new concept to be introduced in Syncope: accounts.
>> Naturally, I don't see any chance to land all above in 2.0
>> changes involved, even for internal storage); it will be 2.1 at
>> Regards.
>> [1]
>> [2]
>> [3]
>> [4]
>> [5]
>> On 19/01/2017 17:53, Colm O hEigeartaigh wrote:
>>> Hi all,
>>> I'd like to discuss the possibility of supporting dynamic
>entitlements in
>>> Apache Syncope. The goals being to explore if the Apache Syncope
>>> feels that this is a good idea, and if so to try to break the
>various work
>>> items down and start creating JIRAs etc.
>>> Entitlements in Apache Syncope are currently statically defined and
>>> used for internal authorization purposes only. The problem arises
>when you
>>> start considering things like integrating SCIM with Syncope, as the
>>> concepts of roles/entitlements in SCIM do not map naturally to
>groups in
>>> Syncope.
>>> So it would be great to be able to map roles/entitlements associated
>>> users directly to the same concepts in Syncope. I don't know whether
>>> might be desirable to have different types of entitlements, e.g.
>>> we
>>> want to maintain a separation between "internal" entitlements used
>>> authorization in Syncope, and general entitlements meant for
>>> consumption.
>>> The task would involve some UI work to be able to create
>entitlements. I'm
>>> not sure off-hand if we require REST changes, as we can get the
>>> entitlements of a User by getting the roles of the user, and then
>>> the entitlements associated with the role etc.
>>> Is it possible to associate roles with a group and then have members
>>> that group inherit the entitlements?
>>> WDYT?
>>> Colm.
>> --
>> Francesco Chicchiriccò
>> Tirasa - Open Source Excellence
>> Member at The Apache Software Foundation
>> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail

Francesco Chicchiriccò

Tirasa - Open Source Excellence

Member at The Apache Software Foundation Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail

View raw message