Repository: syncope
Updated Branches:
  refs/heads/2_0_X 5545caf05 -> c13f9e626
  refs/heads/master 919b32e68 -> a21329eea


[SYNCOPE-1067] Doc update


Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/c13f9e62
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/c13f9e62
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/c13f9e62

Branch: refs/heads/2_0_X
Commit: c13f9e62653dd12485b22a50831225437a194ed7
Parents: 5545caf
Author: Francesco Chicchiriccò <ilgro...@apache.org>
Authored: Wed Jun 14 13:57:16 2017 +0200
Committer: Francesco Chicchiriccò <ilgro...@apache.org>
Committed: Wed Jun 14 13:57:16 2017 +0200

----------------------------------------------------------------------
 .../asciidoc/reference-guide/concepts/realms.adoc | 12 ++++++++++++
 .../asciidoc/reference-guide/concepts/roles.adoc  | 18 ++++++++++++++++--
 2 files changed, 28 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/syncope/blob/c13f9e62/src/main/asciidoc/reference-guide/concepts/realms.adoc
----------------------------------------------------------------------
diff --git a/src/main/asciidoc/reference-guide/concepts/realms.adoc 
b/src/main/asciidoc/reference-guide/concepts/realms.adoc
index 8b4267c..ec9cfbc 100644
--- a/src/main/asciidoc/reference-guide/concepts/realms.adoc
+++ b/src/main/asciidoc/reference-guide/concepts/realms.adoc
@@ -43,6 +43,18 @@ Moreover, this partition allows fine-grained control over 
policy enforcement and
 <<entitlements,entitlements>> and <<roles,roles>>, helps to implement
 <<delegated-administration,delegated administration>>.
 
+[[dynamic-realms]]
+.Dynamic Realms
+****
+Realms provide a mean to model static containment hierarchies. +
+Such strategy might not be the ideal fit for situations where the set of 
Users, Groups and Any Objects to administer
+cannot be statically defined by containment.
+
+Dynamic Realms can be used to identify Users, Groups and Any Objects according 
to some attributes' value, resource
+assignment, group membership or any other condition available, with purpose of 
granting
+<<delegated-administration,delegated administration>> rights.
+****
+
 [TIP]
 .Logic Templates
 ====
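Review bot: In the added Dynamic Realms sidebar, "Realms provide a mean to model" should read "a means to model", and "with purpose of granting" should read "with the purpose of granting". The sidebar also presents dynamic realms as a way to grant delegated administration rights without saying that those rights are restricted. The roles.adoc change in this same commit adds a "Dynamic Realms limitations" warning, so a one-line pointer to it here would let a reader who lands on the realms page see the restriction.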

http://git-wip-us.apache.org/repos/asf/syncope/blob/c13f9e62/src/main/asciidoc/reference-guide/concepts/roles.adoc
----------------------------------------------------------------------
diff --git a/src/main/asciidoc/reference-guide/concepts/roles.adoc 
b/src/main/asciidoc/reference-guide/concepts/roles.adoc
index 5cfc19e..662febc 100644
--- a/src/main/asciidoc/reference-guide/concepts/roles.adoc
+++ b/src/main/asciidoc/reference-guide/concepts/roles.adoc
@@ -18,7 +18,8 @@
 //
 === Roles
 
-Roles map a set of <<entitlements,entitlements>> to a set of <<realms,realms>>.
+Roles map a set of <<entitlements,entitlements>> to a set of <<realms,realms>> 
and / or
+<<dynamic-realms, dynamic realms>>.
 
 [TIP]
 .Static and Dynamic Memberships
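Review bot: The new cross-reference "<<dynamic-realms, dynamic realms>>" has a space after the comma, unlike "<<entitlements,entitlements>>" and "<<realms,realms>>" in the same sentence; suggest "<<dynamic-realms,dynamic realms>>" for consistency. "and / or" would also read better as "and/or".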
@@ -31,10 +32,23 @@ role.
 
 ==== Delegated Administration
 
-The idea is that any user U assigned to a role R, which provides entitlements 
E~1~...E~n~ for realms Re~1~...Re~k~, can 
+The idea is that any user U assigned to a role R, which provides entitlements 
E~1~...E~n~ for realms Re~1~...Re~m~, can 
 exercise E~i~ on entities (Users, Groups, Any Objects of given types, 
depending on E~i~) under any Re~j~ or related
 sub-realms.
 
+Moreover, any user U assigned to a role R, which provides entitlements 
E~1~...E~n~ for dynamic realms DR~1~..DR~n~, can
+exercise E~i~ on entities (Users, Groups, Any Objects of given types, 
depending on E~i~) matching the conditions defined
+for any DR~k~.
+
+[WARNING]
+.Dynamic Realms limitations
+====
+Users to whom administration rights were granted via Dynamic Realms can only 
*update* Users, Groups and Any Objects,
+not create nor delete. +
+Moreover, the only accepted changes on a given entity are the ones that do not 
change any Dynamic Realm's matching
+condition for such entity.
+====
+
 .Authorization
 ====
 Let's suppose that we want to implement the following scenario:
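Review bot: In the added "Moreover" paragraph the dynamic realms are written DR~1~..DR~n~, reusing n, which already bounds the entitlements E~1~...E~n~, so the sentence implies there are as many dynamic realms as entitlements. The preceding paragraph was changed from Re~k~ to Re~m~, and the new text then refers to "any DR~k~", so the range should have its own upper bound and a running index that does not collide with it; it should also use three dots like the other ranges. In the warning, "not create nor delete" should be "not create or delete them". Since this block defines the limit of rights granted via Dynamic Realms, it would also help to state what happens when an update would change an entity's matching condition (for example, whether the whole request is rejected).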
