syncope-dev mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject [DISCUSS] - Support dynamic entitlements in Apache Syncope
Date Thu, 19 Jan 2017 16:53:46 GMT
Hi all,

I'd like to discuss the possibility of supporting dynamic entitlements in
Apache Syncope. The goals are to explore whether the Apache Syncope community
feels that this is a good idea, and if so to try to break the various work
items down and start creating JIRAs etc.

Entitlements in Apache Syncope are currently statically defined and are
used for internal authorization purposes only. The problem arises when you
start considering things like integrating SCIM with Syncope, as the
concepts of roles/entitlements in SCIM do not map naturally to groups in
Syncope.

So it would be great to be able to map roles/entitlements associated with
users directly to the same concepts in Syncope. I don't know whether it
might be desirable to have different types of entitlements, e.g. whether we
want to maintain a separation between "internal" entitlements used for
authorization in Syncope, and general entitlements meant for external
consumption.

The task would involve some UI work to be able to create entitlements. I'm
not sure off-hand if we require REST changes, as we can get the
entitlements of a User by getting the roles of the user, and then querying
the entitlements associated with the role etc.

Is it possible to associate roles with a group and then have members of
that group inherit the entitlements?

WDYT?

Colm.


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
