> > 4. Role to User and Role to Group mappings will be stored in a DB
> > schema maintained by carbon.
>
> Yes.

So it's not in LDAP?

On Fri, Jan 27, 2017 at 8:23 AM, Jayanga Kaushalya <[email protected]> wrote:

> On Fri, Jan 27, 2017 at 12:18 PM, Johann Nallathamby <[email protected]> wrote:
>
>> Hi Nuwan,
>>
>> On Fri, Jan 27, 2017 at 10:40 AM, Nuwan Dias <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> In C5, since Groups and Roles are supposed to be treated as two
>>> different entities, we need to clearly understand how to use them and a
>>> bit of their implementation details. I'm listing some assumptions and
>>> questions below; please see if the assumptions are correct and please
>>> provide answers to the questions too.
>>>
>>> *Assumptions*
>>>
>>> 1. Groups are in the LDAP (User Store) and Roles are in the Context of
>>> Carbon (in a DB schema introduced by WSO2 Products).
>>
>> Yes. User Store can be in Database as well. So Groups can exist in User
>> Store DB schema as well.
>>
>>> 2. Roles are always created through a carbon admin service (MSF4J).
>>
>> Yes. We have an OSGi service as well which exposes AuthorizationStore API
>> as a service.
>>
>>> 3. Roles can be attached to users *and* groups.
>>
>> Yes.
>>
>>> 4. Role to User and Role to Group mappings will be stored in a
>>> DB schema maintained by carbon.
>>
>> Yes.
>>
>>> 5. Users, Roles and Groups will all have unique identifiers (ids) so
>>> that products don't have to maintain direct references to their literal
>>> values.
>>
>> Yes.
>>
>> Another addition is Users and Groups can have attributes in C5.
>> @Jayanga: can you confirm if this is implemented already? If not we need
>> to track this user story.
>
> Yes, we have this capability already implemented.
>
>>> *Questions*
>>>
>>> 1. When saving information to represent "who can do what", do we save
>>> the role or group? Ex: GET /apis can be performed by [role or group or
>>> both]?
>>
>> It's Roles.
>> The question "who" represents either user or group - a set of users. The
>> mapping between resource, action (resource + action = permission) and user
>> or group is done through roles.
>>
>>> 2. Do we have a concept of "default role(s)" or "internal role(s)" which
>>> are common to all products?
>>
>> So far we have not come across any requirement for "default" roles. But
>> that would depend on the products I guess. E.g. in APIM we would need
>> publisher and subscriber roles.
>>
>> There will be no concept of "internal" roles because technically roles
>> are anyway internal to IS. Only groups can be external in a user store.
>> Earlier we had the concept of "internal" roles because we treated both
>> groups and roles as roles. So groups were called "external roles" and
>> roles were called "internal roles".
>>
>>> 3. Are roles common across all user stores? If my assumption (1) is
>>> correct, the answer should be yes I guess.
>>
>> Yes.
>>
>>> Thanks,
>>> NuwanD.
>>>
>>> --
>>> Nuwan Dias
>>>
>>> Software Architect - WSO2, Inc. http://wso2.com
>>> email : [email protected]
>>> Phone : +94 777 775 729
>>
>> --
>> Thanks & Regards,
>>
>> *Johann Dilantha Nallathamby*
>> Technical Lead & Product Lead of WSO2 Identity Server
>> Governance Technologies Team
>> WSO2, Inc.
>> lean.enterprise.middleware
>>
>> Mobile - *+94777776950*
>> Blog - *http://nallaa.wordpress.com*
>
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

--
With regards,
Manuranga Perera.

phone : 071 7 70 20 50
mail : [email protected]
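The model agreed in the thread above (groups live in the user store; roles, role-to-user and role-to-group mappings and permissions live in a DB schema owned by Carbon; a permission is resource + action; "who can do what" is always saved against a role; roles are global across user stores), as an added illustrative example. This is not WSO2/C5 code and does not use the AuthorizationStore API; the table names, identifiers and sample data are constructed here, and a plain dict stands in for the LDAP/DB user store.

```python
"""Added example, not WSO2 code: a minimal model of the C5 split between the
user store (users and their groups) and the Carbon-owned authorization store
(roles, role->user / role->group mappings, permissions). All table names,
ids and sample data below are constructed for illustration."""
import sqlite3

# User-store stand-in (what LDAP or a user-store DB would answer):
# store name -> user id -> list of group ids. Two stores are modelled so the
# example can show that roles are global while users/groups are per store.
USER_STORES = {
    "PRIMARY": {"u-1001": ["g-dev"], "u-1002": []},
    "PARTNER": {"u-2001": ["g-partner-readers"]},
}

# Authorization-store schema (hypothetical). Roles carry no store column:
# they are common to every user store. Mappings are qualified by store so a
# group id from one store cannot be confused with the same id in another.
SCHEMA = """
CREATE TABLE role (id TEXT PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE permission (id INTEGER PRIMARY KEY, resource TEXT NOT NULL,
                         action TEXT NOT NULL, UNIQUE(resource, action));
CREATE TABLE role_permission (role_id TEXT NOT NULL, permission_id INTEGER NOT NULL);
CREATE TABLE role_user (role_id TEXT NOT NULL, store TEXT NOT NULL, user_id TEXT NOT NULL);
CREATE TABLE role_group (role_id TEXT NOT NULL, store TEXT NOT NULL, group_id TEXT NOT NULL);
"""


def build_store():
    """Create an in-memory authorization store with constructed sample data:
    publisher may GET and POST /apis, subscriber may only GET /apis."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO role VALUES (?, ?)",
                   [("r-pub", "publisher"), ("r-sub", "subscriber")])
    db.executemany("INSERT INTO permission (id, resource, action) VALUES (?, ?, ?)",
                   [(1, "/apis", "GET"), (2, "/apis", "POST")])
    # "who can do what" is recorded against roles only, never groups or users
    db.executemany("INSERT INTO role_permission VALUES (?, ?)",
                   [("r-pub", 1), ("r-pub", 2), ("r-sub", 1)])
    # roles attached directly to a user ...
    db.execute("INSERT INTO role_user VALUES (?, ?, ?)", ("r-pub", "PRIMARY", "u-1001"))
    # ... and to groups, in two different user stores, sharing the same role
    db.executemany("INSERT INTO role_group VALUES (?, ?, ?)",
                   [("r-sub", "PRIMARY", "g-dev"),
                    ("r-sub", "PARTNER", "g-partner-readers")])
    db.commit()
    return db


def roles_of(db, store, user_id):
    """Effective role ids for a user: direct role->user mappings plus
    role->group mappings for every group the user store reports."""
    groups = USER_STORES.get(store, {}).get(user_id)
    if groups is None:  # unknown store or user: no roles, fail closed
        return set()
    roles = {r for (r,) in db.execute(
        "SELECT role_id FROM role_user WHERE store = ? AND user_id = ?",
        (store, user_id))}
    if groups:
        marks = ",".join("?" * len(groups))
        roles |= {r for (r,) in db.execute(
            f"SELECT role_id FROM role_group WHERE store = ? AND group_id IN ({marks})",
            (store, *groups))}
    return roles


def is_authorized(db, store, user_id, action, resource):
    """True if any of the user's effective roles holds the permission
    (resource, action). Users with no roles are denied."""
    roles = roles_of(db, store, user_id)
    if not roles:
        return False
    marks = ",".join("?" * len(roles))
    row = db.execute(
        f"""SELECT 1 FROM permission p
            JOIN role_permission rp ON rp.permission_id = p.id
            WHERE p.resource = ? AND p.action = ? AND rp.role_id IN ({marks})
            LIMIT 1""",
        (resource, action, *sorted(roles))).fetchone()
    return row is not None


if __name__ == "__main__":
    db = build_store()
    for store, user, action in [("PRIMARY", "u-1001", "POST"), ("PRIMARY", "u-1002", "GET"),
                                ("PARTNER", "u-2001", "GET"), ("PARTNER", "u-2001", "POST")]:
        print(store, user, action, "/apis ->", is_authorized(db, store, user, action, "/apis"))
```

Note what the check does not do: it never writes a group or user id into the permission mapping, and it resolves group membership from the user store at decision time, so moving a user between LDAP groups changes their effective roles without touching the authorization schema.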
