On 05/05/2017 09:13, Kwong,Vincent wrote:
It would be good if extend to those menu items in the console like
Reports, Topology, Configuration, etc… as well.
I see: the relevant menu entries are already disabled, but this is not
very much visible without attempting to click.
Please comment SYNCOPE-1072.
Regards.
*From:*Kwong,Vincent [mailto:vincent_kw...@pactera.com]
*Sent:* Friday, May 05, 2017 3:10 PM
*To:* user@syncope.apache.org
*Subject:* RE: Delegate admin for realms
The case 1072 covered my point 2. Same as your understanding, those
non-relevant button should be hidden or disabled to avoid confusion.
Thanks.
Regards,
Vincent
*From:*Francesco Chicchiriccò [mailto:ilgro...@apache.org]
*Sent:* Friday, May 05, 2017 2:58 PM
*To:* user@syncope.apache.org <mailto:user@syncope.apache.org>
*Subject:* Re: Delegate admin for realms
On 05/05/2017 06:06, Kwong,Vincent wrote:
Hi Francesco,
Tried with positive result, thanks a lot.
That's good to hear.
But the display is confusing, the add user button is available in
all realms, and only display error when I am at the last step on
create user.
I have now created
https://issues.apache.org/jira/browse/SYNCOPE-1072
https://issues.apache.org/jira/browse/SYNCOPE-1073
Here is my comments:
1.Better to display the realms where the user have access only, in
some situation I may not want the non-delegated sub-group visible
especially they are individual companies
I have also created
https://issues.apache.org/jira/browse/SYNCOPE-1074
2.Some console display should reflect user access to avoid confusion
Please give more details, this is not clear.
Regards.
*From:*Francesco Chicchiriccò [mailto:ilgro...@apache.org]
*Sent:*Thursday, May 04, 2017 4:57 PM
*To:* user@syncope.apache.org <mailto:user@syncope.apache.org>
*Subject:* Re: Delegate admin for realms
On 04/05/2017 04:59, Kwong,Vincent wrote:
Hi All,
I am new to syncope and going to evaulate the syncope
functionality for my coming project.
I am trying to setup a organization like this, but I cannot
figure out how I can achieve the delegated administration.
Sample Structure:
Parent Company (e.g. /) -> Multiple Sub-Group (e.g. /Group1)
-> Multiple Teams (e.g. /Group1/Team1)
1.Each team will have a admin to mange the user under that realm
2.Each sub-group will have another admin to look after all teams
3.Each admin have the control for their own sub-group / team only
I tried to createa role with some user/realm related access
under particular realm, but after I tried to login with the
account with that role, I can see/update the parent realm or
other sub realm.
Is it possible for syncope to achieve what I want? Or anyone
have simialr experience?ù
Hi Vincent, glad of your interest in Apache Syncope.
To be sure, I have created some sample data in an attempt to
replicate your use case.
First, the realms: [1] where g1 and g2 are 'sub-groups' as you
name them above (please beware that groups are a different concept
in Syncope) and t11 / t12 / t21 / t22 / t23 are 'teams'.
Then I have created some roles: [2], one for each of the realms
above, with full entitlements about users, and REALM_LIST which is
only required if you are planning to operate via Admin Console (as
it seems).
Finally I have created some users in several realms, /g1/t11 [3],
/g1/t12 [4] (which are all reported in /g1 [5]) and /g2 [6]: as
you can see, there are plain users and admin users, where the
username of the latter is given to show which realm they are
actually managing, e.g.
* admi...@syncope.apache.org <mailto:admi...@syncope.apache.org>
which is granted the role 'Managing g1' and thus is allowed to
manage users in /g1 [5]
* admin...@syncope.apache.org <mailto:admin...@syncope.apache.org>
which is granted the role 'Managing t11' and thus is allowed to
manager users in /g1/t11 [3]
* admin...@syncope.apache.org <mailto:admin...@syncope.apache.org>
which is granted the role 'Managing t12' and thus is allowed to
manager users in /g1/t12 [4]
* admi...@syncope.apache.org <mailto:admi...@syncope.apache.org>
which is granted the role 'Managing g2' and thus is allowed to
manage users in /g2 [6]
Given such setup, everything is working as expected and every
admin user can only see and manage the users contained by the
realms he / she is granted by role.
The only quirk I could find is that the realms view always starts
from /, but even in this case the only users shown are the expected.
HTH
Regards.
[1] http://pasteboard.co/29sHsujiu.png
[2] http://pasteboard.co/29sWCF785.png
[3] http://pasteboard.co/29tBRMtxQ.png
[4] http://pasteboard.co/29tMu5CWi.png
[5] http://pasteboard.co/dlwgYicg.png
[6] http://pasteboard.co/29tnvwPlb.png
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/