Repository: syncope Updated Branches: refs/heads/2_0_X 5545caf05 -> c13f9e626 refs/heads/master 919b32e68 -> a21329eea
[SYNCOPE-1067] Doc update Project: http://git-wip-us.apache.org/repos/asf/syncope/repo Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/c13f9e62 Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/c13f9e62 Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/c13f9e62 Branch: refs/heads/2_0_X Commit: c13f9e62653dd12485b22a50831225437a194ed7 Parents: 5545caf Author: Francesco Chicchiriccò <ilgro...@apache.org> Authored: Wed Jun 14 13:57:16 2017 +0200 Committer: Francesco Chicchiriccò <ilgro...@apache.org> Committed: Wed Jun 14 13:57:16 2017 +0200 ---------------------------------------------------------------------- .../asciidoc/reference-guide/concepts/realms.adoc | 12 ++++++++++++ .../asciidoc/reference-guide/concepts/roles.adoc | 18 ++++++++++++++++-- 2 files changed, 28 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/syncope/blob/c13f9e62/src/main/asciidoc/reference-guide/concepts/realms.adoc ---------------------------------------------------------------------- diff --git a/src/main/asciidoc/reference-guide/concepts/realms.adoc b/src/main/asciidoc/reference-guide/concepts/realms.adoc index 8b4267c..ec9cfbc 100644 --- a/src/main/asciidoc/reference-guide/concepts/realms.adoc +++ b/src/main/asciidoc/reference-guide/concepts/realms.adoc 
@@ -43,6 +43,18 @@ Moreover, this partition allows fine-grained control over policy enforcement and <<entitlements,entitlements>> and <<roles,roles>>, helps to implement <<delegated-administration,delegated administration>>. +[[dynamic-realms]] +.Dynamic Realms +**** +Realms provide a mean to model static containment hierarchies. + +Such strategy might not be the ideal fit for situations where the set of Users, Groups and Any Objects to administer +cannot be statically defined by containment. + +Dynamic Realms can be used to identify Users, Groups and Any Objects according to some attributes' value, resource +assignment, group membership or any other condition available, with purpose of granting +<<delegated-administration,delegated administration>> rights. +**** + [TIP] .Logic Templates ==== http://git-wip-us.apache.org/repos/asf/syncope/blob/c13f9e62/src/main/asciidoc/reference-guide/concepts/roles.adoc ---------------------------------------------------------------------- diff --git a/src/main/asciidoc/reference-guide/concepts/roles.adoc b/src/main/asciidoc/reference-guide/concepts/roles.adoc index 5cfc19e..662febc 100644 --- a/src/main/asciidoc/reference-guide/concepts/roles.adoc +++ b/src/main/asciidoc/reference-guide/concepts/roles.adoc @@ -18,7 +18,8 @@ // === Roles -Roles map a set of <<entitlements,entitlements>> to a set of <<realms,realms>>. +Roles map a set of <<entitlements,entitlements>> to a set of <<realms,realms>> and / or +<<dynamic-realms, dynamic realms>>. [TIP] .Static and Dynamic Memberships 
@@ -31,10 +32,23 @@ role. ==== Delegated Administration -The idea is that any user U assigned to a role R, which provides entitlements E~1~...E~n~ for realms Re~1~...Re~k~, can +The idea is that any user U assigned to a role R, which provides entitlements E~1~...E~n~ for realms Re~1~...Re~m~, can exercise E~i~ on entities (Users, Groups, Any Objects of given types, depending on E~i~) under any Re~j~ or related sub-realms. +Moreover, any user U assigned to a role R, which provides entitlements E~1~...E~n~ for dynamic realms DR~1~..DR~n~, can +exercise E~i~ on entities (Users, Groups, Any Objects of given types, depending on E~i~) matching the conditions defined +for any DR~k~. + +[WARNING] +.Dynamic Realms limitations +==== +Users to whom administration rights were granted via Dynamic Realms can only *update* Users, Groups and Any Objects, +not create nor delete. + +Moreover, the only accepted changes on a given entity are the ones that do not change any Dynamic Realm's matching +condition for such entity. +==== + .Authorization ==== Let's suppose that we want to implement the following scenario:
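Review bot: in the `.Dynamic Realms` sidebar added to realms.adoc, `Realms provide a mean to model static containment hierarchies.` should read `a means`, and `with purpose of granting` should read `with the purpose of granting`. The same sidebar says Dynamic Realms match Users, Groups and Any Objects on attribute values, resource assignment, group membership "or any other condition available" but never says how that condition is expressed or where it is configured; a cross-reference to the section that does would save readers a search.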
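Review bot: in the first roles.adoc hunk, `and / or` should be written `and/or`, and `<<dynamic-realms, dynamic realms>>` has a space after the comma while the two xrefs beside it (`<<entitlements,entitlements>>`, `<<realms,realms>>`) do not; keep one style across the line.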
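Review bot: the new Delegated Administration paragraph reuses `n` for two different counts, entitlements `E~1~...E~n~` and dynamic realms `DR~1~..DR~n~`, which reads as if a role always has exactly as many dynamic realms as entitlements. The preceding sentence was just changed from `Re~1~...Re~k~` to `Re~1~...Re~m~` to free `k` for the `DR~k~` index, so give the dynamic-realm bound its own letter as well (for example `DR~1~...DR~p~`), and use three dots rather than the two in `DR~1~..DR~n~` to match the rest of the section. In the `.Dynamic Realms limitations` warning, `do not change any Dynamic Realm's matching condition for such entity` is ambiguous between every Dynamic Realm defined in the system and only those through which the acting user holds rights; stating which one is enforced, and the reason (presumably that a delegated administrator must not be able to move an entity into or out of the scope that grants their own rights), would make the authorization boundary explicit to deployers.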