On 04/05/2017 04:59, Kwong,Vincent wrote:
Hi All,
I am new to syncope and going to evaulate the syncope functionality
for my coming project.
I am trying to setup a organization like this, but I cannot figure out
how I can achieve the delegated administration.
Sample Structure:
Parent Company (e.g. /) -> Multiple Sub-Group (e.g. /Group1) ->
Multiple Teams (e.g. /Group1/Team1)
1.Each team will have a admin to mange the user under that realm
2.Each sub-group will have another admin to look after all teams
3.Each admin have the control for their own sub-group / team only
I tried to createa role with some user/realm related access under
particular realm, but after I tried to login with the account with
that role, I can see/update the parent realm or other sub realm.
Is it possible for syncope to achieve what I want? Or anyone have
simialr experience?ù
Hi Vincent, glad of your interest in Apache Syncope.
To be sure, I have created some sample data in an attempt to replicate
your use case.
First, the realms: [1] where g1 and g2 are 'sub-groups' as you name them
above (please beware that groups are a different concept in Syncope) and
t11 / t12 / t21 / t22 / t23 are 'teams'.
Then I have created some roles: [2], one for each of the realms above,
with full entitlements about users, and REALM_LIST which is only
required if you are planning to operate via Admin Console (as it seems).
Finally I have created some users in several realms, /g1/t11 [3],
/g1/t12 [4] (which are all reported in /g1 [5]) and /g2 [6]: as you can
see, there are plain users and admin users, where the username of the
latter is given to show which realm they are actually managing, e.g.
* admi...@syncope.apache.org which is granted the role 'Managing g1' and
thus is allowed to manage users in /g1 [5]
* admin...@syncope.apache.org which is granted the role 'Managing t11'
and thus is allowed to manager users in /g1/t11 [3]
* admin...@syncope.apache.org which is granted the role 'Managing t12'
and thus is allowed to manager users in /g1/t12 [4]
* admi...@syncope.apache.org which is granted the role 'Managing g2' and
thus is allowed to manage users in /g2 [6]
Given such setup, everything is working as expected and every admin user
can only see and manage the users contained by the realms he / she is
granted by role.
The only quirk I could find is that the realms view always starts from
/, but even in this case the only users shown are the expected.
HTH
Regards.
[1] http://pasteboard.co/29sHsujiu.png
[2] http://pasteboard.co/29sWCF785.png
[3] http://pasteboard.co/29tBRMtxQ.png
[4] http://pasteboard.co/29tMu5CWi.png
[5] http://pasteboard.co/dlwgYicg.png
[6] http://pasteboard.co/29tnvwPlb.png
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/