On Fri, Jan 27, 2017 at 12:18 PM, Johann Nallathamby <[email protected]> wrote:
> Hi Nuwan,
>
> On Fri, Jan 27, 2017 at 10:40 AM, Nuwan Dias <[email protected]> wrote:
>
>> Hi,
>>
>> In C5, since Groups and Roles are supposed to be treated as two different
>> entities, we need to clearly understand how to use them and a bit of their
>> implementation details. I'm listing some assumptions and questions below;
>> please see if the assumptions are correct and please provide answers to the
>> questions too.
>>
>> *Assumptions*
>>
>> 1. Groups are in the LDAP (User Store) and Roles are in the Context of
>> Carbon (in a DB schema introduced by WSO2 Products).
>>
>
> Yes. User Store can be in Database as well. So Groups can exist in User
> Store DB schema as well.
>
>> 2. Roles are always created through a carbon admin service (MSF4J).
>>
>
> Yes. We have an OSGi service as well which exposes AuthorizationStore API
> as a service.
>
>> 3. Roles can be attached to users *and* groups.
>>
>
> Yes.
>
>> 4. Role to User and Role to Group mappings will be stored in a DB
>> schema maintained by carbon.
>>
>
> Yes.
>
>> 5. Users, Roles and Groups will all have unique identifiers (ids) so that
>> products don't have to maintain direct references to their literal
>> values.
>>
>
> Yes.
>
> Another addition is Users and Groups can have attributes in C5.
> @Jayanga: can you confirm if this is implemented already? If not we need
> to track this user story.
>
> Yes, we have this capability already implemented.
>
>> *Questions*
>>
>> 1. When saving information to represent "who can do what", do we save the
>> role or group? Ex: GET /apis can be performed by [role or group or both]?
>>
>
> It's Roles.
> The question "who" represents either user or group - a set of users. The
> mapping between resource, action (resource + action = permission) and user
> or group is done through roles.
>
>> 2. Do we have a concept of "default role(s)" or "internal role(s)" which
>> are common to all products?
>>
>
> So far we have not come across any requirement for "default" roles. But
> that would depend on the products I guess. E.g. in APIM we would need
> publisher and subscriber roles.
>
> There will be no concept of "internal" roles because technically roles are
> anyway internal to IS. Only groups can be external in a user store. Earlier
> we had the concept of "internal" roles because we treated both groups and
> roles as roles. So groups were called "external roles" and roles were
> called "internal roles".
>
>> 3. Are roles common across all user stores? If my assumption (1) is
>> correct, the answer should be yes I guess.
>>
>
> Yes.
>
>>
>> Thanks,
>> NuwanD.
>>
>> --
>> Nuwan Dias
>>
>> Software Architect - WSO2, Inc. http://wso2.com
>> email : [email protected]
>> Phone : +94 777 775 729
>>
>
> --
> Thanks & Regards,
>
> *Johann Dilantha Nallathamby*
> Technical Lead & Product Lead of WSO2 Identity Server
> Governance Technologies Team
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - *+94777776950*
> Blog - *http://nallaa.wordpress.com*
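The model the thread settles on (groups in the user store, roles and their mappings in a Carbon-side store, permission = resource + action granted only to roles, everything referenced by id) can be made concrete with a small toy. The following is an added illustration, not WSO2 C5 code or its AuthorizationStore API: the class names, the id scheme (`u-1`, `g-dev`, `r-pub`), and the sample users, groups and permissions are all constructed here for the example. It shows the "who can do what" check answered through roles: a user's effective roles are the roles attached directly to the user plus the roles attached to any group the user belongs to, and a group with no role mapping grants nothing on its own.

```python
"""
Toy model of the C5 authorization model discussed above (added example, not
WSO2 code). Groups and memberships come from the user store (LDAP or DB);
roles, role->permission, role->user and role->group mappings live in the
Carbon-side authorization store. All ids and sample data are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# A permission is (action, resource), e.g. ("GET", "/apis").
Permission = Tuple[str, str]


@dataclass
class UserStore:
    """Side owned by the user store (LDAP or a DB-backed store): users, groups, membership."""
    users: Dict[str, str]            # user_id  -> username
    groups: Dict[str, str]           # group_id -> group display name
    membership: Dict[str, Set[str]]  # user_id  -> ids of groups the user is in


@dataclass
class AuthorizationStore:
    """Carbon-side schema: roles and mappings, keyed by ids rather than literal names."""
    roles: Dict[str, str] = field(default_factory=dict)                       # role_id -> role name
    role_permissions: Dict[str, Set[Permission]] = field(default_factory=dict)  # role_id -> permissions
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)              # user_id -> role_ids
    group_roles: Dict[str, Set[str]] = field(default_factory=dict)             # group_id -> role_ids

    def effective_roles(self, user_id: str, user_store: UserStore) -> Set[str]:
        """Roles attached to the user directly, plus roles attached to any of the user's groups."""
        roles = set(self.user_roles.get(user_id, set()))
        for group_id in user_store.membership.get(user_id, set()):
            roles |= self.group_roles.get(group_id, set())
        return roles

    def is_authorized(self, user_id: str, action: str, resource: str, user_store: UserStore) -> bool:
        """Permissions are granted to roles only; a user or group never holds one directly."""
        wanted: Permission = (action, resource)
        return any(
            wanted in self.role_permissions.get(role_id, set())
            for role_id in self.effective_roles(user_id, user_store)
        )


def build_sample() -> Tuple[UserStore, AuthorizationStore]:
    """Constructed sample data: an APIM-like publisher/subscriber split (assumed, not from the thread)."""
    user_store = UserStore(
        users={"u-1": "alice", "u-2": "bob", "u-3": "carol"},
        groups={"g-dev": "developers", "g-guest": "guests"},
        membership={"u-1": {"g-dev"}, "u-3": {"g-guest"}},
    )
    authz = AuthorizationStore(
        roles={"r-pub": "publisher", "r-sub": "subscriber"},
        role_permissions={
            "r-pub": {("GET", "/apis"), ("POST", "/apis")},
            "r-sub": {("GET", "/apis")},
        },
        user_roles={"u-2": {"r-sub"}},      # role attached directly to a user
        group_roles={"g-dev": {"r-pub"}},   # role attached to a group; g-guest has no role at all
    )
    return user_store, authz


if __name__ == "__main__":
    us, az = build_sample()
    for uid, name in us.users.items():
        print(name, sorted(az.effective_roles(uid, us)),
              "GET /apis:", az.is_authorized(uid, "GET", "/apis", us),
              "POST /apis:", az.is_authorized(uid, "POST", "/apis", us))
```

Because the mappings are keyed by id, renaming a group in the user store (for example changing the `g-dev` display name) does not disturb the role mapping, which is the point of assumption 5; and because `g-guest` has no role, carol gets nothing even though she is in a group, which is the answer to question 1 in code.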
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
