[SYNCOPE-1189] Clarifying about additional entitlements needed for delegated administration via Admin Console
Project: http://git-wip-us.apache.org/repos/asf/syncope/repo Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/4af3c217 Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/4af3c217 Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/4af3c217 Branch: refs/heads/2_0_X Commit: 4af3c2175e874d9abbc41f2323ad9e945b956ead Parents: c6ffe56 Author: Francesco Chicchiriccò <ilgro...@apache.org> Authored: Tue Aug 8 12:40:22 2017 +0200 Committer: Francesco Chicchiriccò <ilgro...@apache.org> Committed: Tue Aug 8 12:40:22 2017 +0200 ---------------------------------------------------------------------- pom.xml | 4 ++-- .../reference-guide/concepts/roles.adoc | 22 ++++++++++++++++++++ 2 files changed, 24 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/syncope/blob/4af3c217/pom.xml ---------------------------------------------------------------------- diff --git a/pom.xml b/pom.xml index be12b2c..58ae149 100644 --- a/pom.xml +++ b/pom.xml @@ -2331,7 +2331,7 @@ under the License. <plugin> <groupId>org.asciidoctor</groupId> <artifactId>asciidoctor-maven-plugin</artifactId> - <version>1.5.6</version> + <version>1.5.5</version> <dependencies> <dependency> <groupId>org.asciidoctor</groupId> @@ -2341,7 +2341,7 @@ under the License. <dependency> <groupId>org.asciidoctor</groupId> <artifactId>asciidoctorj</artifactId> - <version>1.5.5</version> + <version>1.5.6</version> </dependency> </dependencies> <configuration> http://git-wip-us.apache.org/repos/asf/syncope/blob/4af3c217/src/main/asciidoc/reference-guide/concepts/roles.adoc ---------------------------------------------------------------------- diff --git a/src/main/asciidoc/reference-guide/concepts/roles.adoc b/src/main/asciidoc/reference-guide/concepts/roles.adoc index 662febc..63949f4 100644 --- a/src/main/asciidoc/reference-guide/concepts/roles.adoc +++ b/src/main/asciidoc/reference-guide/concepts/roles.adoc 
@@ -81,3 +81,25 @@ The practical consequence of this setting is that Users owning a Group (either b or members of the owning group) is that they are entitled to perform all operations (create, update, delete, ...) on the owned group, regardless of the Realm. ==== + +[[delegated-administration-console]] +[TIP] +.Delegated Administration via Admin Console +==== +When administering via <<REST>>, the entitlements to be granted to delegated administrators are straightforward: +`USER_CREATE` for certain <<Realms>> will allow to create users under such Realms. + +When using the <<Admin Console>>, instead, more entitlements are generally required: this because the underlying +implementation takes care of simplifying the UX as much as possible. + +For example, the following entitlements are normally required to be granted for user administration, besides the actual +`USER_CREATE`, `USER_UPDATE` and `USER_DELETE`: + +. `USER_SEARCH` +. `USER_LIST` +. `ANYTYPECLASS_READ` +. `ANYTYPE_LIST` +. `ANYTYPECLASS_LIST` +. `USER_READ` +. `ANYTYPE_READ` +. `REALM_LIST` +====
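Review bot: the two pom.xml hunks are not covered by the commit message, which only mentions the documentation clarification. In the hunk at line 2331, `asciidoctor-maven-plugin` goes down from 1.5.6 to 1.5.5, while in the hunk at line 2341 `asciidoctorj` goes up from 1.5.5 to 1.5.6. This reads like a fix for two version numbers that were swapped earlier, but nothing in the message or the diff says so. Please either mention the build change in the commit message or move it to its own commit, so that a plugin downgrade on the 2_0_X branch can be traced and reverted independently of the roles.adoc text.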
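Review bot: in the new roles.adoc tip, the eight extra entitlements are introduced as "normally required" without saying which Admin Console operation needs which one, or whether they must be granted on the same Realms as `USER_CREATE`, `USER_UPDATE` and `USER_DELETE`. A reader setting up a delegated administrator has no way to grant less than the full list. Consider stating that all eight are search, list or read entitlements, and noting for each (or for each group: `USER_*`, `ANYTYPE_*`, `ANYTYPECLASS_*`, `REALM_LIST`) what the console uses it for. Two smaller points on the same block: the list uses the ordered marker `.` although the order carries no meaning, so `*` would fit better and the items could be grouped by prefix, and "this because the underlying implementation" should read "this is because", while "will allow to create users" needs an object ("will allow creating users").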