From: Colm O hEigeartaigh
Reply-To: coheigea@apache.org
Date: Thu, 19 Jan 2017 16:53:46 +0000
Subject: [DISCUSS] - Support dynamic entitlements in Apache Syncope
To: "dev@syncope.apache.org"

Hi all,

I'd like to discuss the possibility of supporting dynamic entitlements in Apache Syncope. The goals being to explore if the Apache Syncope community feels that this is a good idea, and if so to try to break the various work items down and start creating JIRAs etc.

Entitlements in Apache Syncope are currently statically defined and are used for internal authorization purposes only. The problem arises when you start considering things like integrating SCIM with Syncope, as the concepts of roles/entitlements in SCIM do not map naturally to groups in Syncope. So it would be great to be able to map roles/entitlements associated with users directly to the same concepts in Syncope.

I don't know whether it might be desirable to have different types of entitlements, e.g. whether we want to maintain a separation between "internal" entitlements used for authorization in Syncope, and general entitlements meant for external consumption.

The task would involve some UI work to be able to create entitlements. I'm not sure off-hand if we require REST changes, as we can get the entitlements of a User by getting the roles of the user, and then querying the entitlements associated with the role etc. Is it possible to associate roles with a group and then have members of that group inherit the entitlements?

WDYT?

Colm.

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com