syncope-dev mailing list archives

From Francesco Chicchiriccò (JIRA) <>
Subject [jira] [Assigned] (SYNCOPE-1067) More flexible delegated administration model
Date Thu, 25 May 2017 15:18:04 GMT


Francesco Chicchiriccò reassigned SYNCOPE-1067:

    Assignee: Francesco Chicchiriccò

> More flexible delegated administration model
> --------------------------------------------
>                 Key: SYNCOPE-1067
>                 URL:
>             Project: Syncope
>          Issue Type: Improvement
>          Components: console, core
>            Reporter: Francesco Chicchiriccò
>            Assignee: Francesco Chicchiriccò
>             Fix For: 2.0.4, 2.1.0
> The current implementation of delegated administration relies on Roles, where each Role associates a set of Entitlements (e.g. administrative actions) to a set of Realms (e.g. containers for Users / Groups / Any Objects).
> This requires, however, that the set of Users / Groups / Any Objects to administer is somehow statically defined by containment: "administrators with role R can manage users under realms /a and /b" works as long as users to administer are fully contained by the Realms /a and /b; but what if the set of Users that R can administer needs to be dynamically defined, say by the value of a 'department' attribute?
> Two approaches can be taken here:
> # extend the Role concept to map Entitlements to Realms and / or Groups
> # introduce the new concept of Virtual Realm, e.g. containers that are defined by dynamic conditions (as currently happening for Groups and Roles), and make Roles map Entitlements to Realms / Virtual Realms

This message was sent by Atlassian JIRA
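
The difference between static containment and the proposed dynamically defined realms, as an added sketch that is not part of the original message and is not Syncope code. The class names, the `dynamic_realms` field, the entitlement strings and the sample users are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List

@dataclass
class User:
    name: str
    realm: str                                  # full realm path, e.g. "/a/sales"
    attrs: Dict[str, str] = field(default_factory=dict)

@dataclass
class Role:
    entitlements: FrozenSet[str]
    realms: List[str] = field(default_factory=list)   # static containers
    # Hypothetical virtual realms: name -> membership condition on the target
    dynamic_realms: Dict[str, Callable[[User], bool]] = field(default_factory=dict)

def in_realm(realm: str, user_realm: str) -> bool:
    """Containment by path segment: "/a" covers "/a/x" but not "/ab"."""
    realm = realm.rstrip("/")
    return user_realm == realm or user_realm.startswith(realm + "/")

def is_allowed(roles: List[Role], entitlement: str, target: User) -> bool:
    """Default deny; grant only if one role holds the entitlement AND
    covers the target, statically or through a dynamic condition."""
    for role in roles:
        if entitlement not in role.entitlements:
            continue
        if any(in_realm(r, target.realm) for r in role.realms):
            return True
        if any(cond(target) for cond in role.dynamic_realms.values()):
            return True
    return False

# Constructed sample data (assumed names and values).
R_STATIC = Role(frozenset({"USER_UPDATE"}), realms=["/a", "/b"])
R_DYNAMIC = Role(
    frozenset({"USER_UPDATE"}),
    # A missing 'department' attribute never matches, so it denies.
    dynamic_realms={"finance": lambda u: u.attrs.get("department") == "finance"},
)
alice = User("alice", "/a/sales", {"department": "sales"})
bob = User("bob", "/c", {"department": "finance"})
carol = User("carol", "/ab", {"department": "sales"})

if __name__ == "__main__":
    for u in (alice, bob, carol):
        print(u.name,
              "static:", is_allowed([R_STATIC], "USER_UPDATE", u),
              "dynamic:", is_allowed([R_DYNAMIC], "USER_UPDATE", u))
```

With dynamic conditions, the attribute that drives membership becomes an authorization input, so write access to that attribute needs the same protection as role assignment itself.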