Hi Manu,
On Fri, Jan 27, 2017 at 3:45 PM, Manuranga Perera <[email protected]> wrote:

>>> 4. Role to User and Role to Group mappings will be stored in a DB schema maintained by carbon.
>>>
>> Yes.
>>
> So it's not in LDAP?
>
Yes. The mapping is stored in a local DB, not in LDAP.

Thanks
Isura.

>
>
> On Fri, Jan 27, 2017 at 8:23 AM, Jayanga Kaushalya <[email protected]> wrote:
>
>> On Fri, Jan 27, 2017 at 12:18 PM, Johann Nallathamby <[email protected]> wrote:
>>
>>> Hi Nuwan,
>>>
>>> On Fri, Jan 27, 2017 at 10:40 AM, Nuwan Dias <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> In C5, since Groups and Roles are supposed to be treated as two different entities, we need to clearly understand how to use them and a bit of their implementation details. I'm listing some assumptions and questions below, please see if the assumptions are correct and please provide answers to the questions too.
>>>>
>>>> *Assumptions*
>>>>
>>>> 1. Groups are in the LDAP (User Store) and Roles are in the Context of Carbon (in a DB schema introduced by WSO2 Products).
>>>
>>> Yes. User Store can be in Database as well. So Groups can exist in User Store DB schema as well.
>>>
>>>> 2. Roles are always created through a carbon admin service (MSF4J).
>>>
>>> Yes. We have an OSGi service as well which exposes AuthorizationStore API as a service.
>>>
>>>> 3. Roles can be attached to users *and* groups.
>>>
>>> Yes.
>>>
>>>> 4. Role to User and Role to Group mappings will be stored in a DB schema maintained by carbon.
>>>
>>> Yes.
>>>
>>>> 5. Users, Roles and Groups will all have unique identifiers (ids) so that products don't have to maintain direct references to their literal values.
>>>
>>> Yes.
>>>
>>> Another addition is Users and Groups can have attributes in C5. @Jayanga: can you confirm if this is implemented already? If not we need to track this user story.
>>
>> Yes, we have this capability already implemented.
>>
>>>> *Questions*
>>>>
>>>> 1. When saving information to represent "who can do what", do we save the role or group? Ex: GET /apis can be performed by [role or group or both]?
>>>
>>> It's Roles.
>>> The question "who" represents either user or group - a set of users. The mapping between resource, action (resource + action = permission) and user or group is done through roles.
>>>
>>>> 2. Do we have a concept of "default role(s)" or "internal role(s)" which are common to all products?
>>>
>>> So far we have not come across any requirement for "default" roles. But that would depend on the products I guess. E.g. in APIM we would need publisher and subscriber roles.
>>>
>>> There will be no concept of "internal" roles because technically roles are anyway internal to IS. Only groups can be external in a user store. Earlier we had the concept of "internal" roles because we treated both groups and roles as roles. So groups were called "external roles" and roles were called "internal roles".
>>>
>>>> 3. Are roles common across all user stores? If my assumption (1) is correct, the answer should be yes I guess.
>>>
>>> Yes.
>>>
>>>> Thanks,
>>>> NuwanD.
>>>>
>>>> --
>>>> Nuwan Dias
>>>>
>>>> Software Architect - WSO2, Inc. http://wso2.com
>>>> email : [email protected]
>>>> Phone : +94 777 775 729
>>>
>>> --
>>> Thanks & Regards,
>>>
>>> *Johann Dilantha Nallathamby*
>>> Technical Lead & Product Lead of WSO2 Identity Server
>>> Governance Technologies Team
>>> WSO2, Inc.
>>> lean.enterprise.middleware
>>>
>>> Mobile - *+94777776950*
>>> Blog - *http://nallaa.wordpress.com*
>>
>> _______________________________________________
>> Architecture mailing list
>> [email protected]
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
> --
> With regards,
> *Manu*ranga Perera.
>
> phone : 071 7 70 20 50
> mail : [email protected]
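The model the thread settles on (users and groups come from the user store, roles and the role-to-user / role-to-group mappings live in a Carbon-side DB, and a permission is resource + action granted to a role) as an added, constructed Python illustration; this is not WSO2 code, and the class names, ids and sample data are assumptions.

```python
from dataclasses import dataclass, field

Permission = tuple[str, str]  # (resource, action), e.g. ("/apis", "GET")


@dataclass
class UserStore:
    """Stand-in for the LDAP or DB user store: users and their group memberships, by id."""
    user_groups: dict[str, set[str]]

    def groups_of(self, user_id: str) -> set[str]:
        return self.user_groups.get(user_id, set())


@dataclass
class AuthorizationStore:
    """Stand-in for the Carbon-side store: roles, role mappings and permissions, all by id."""
    role_permissions: dict[str, set[Permission]] = field(default_factory=dict)
    user_roles: dict[str, set[str]] = field(default_factory=dict)
    group_roles: dict[str, set[str]] = field(default_factory=dict)

    def effective_roles(self, user_id: str, group_ids: set[str]) -> set[str]:
        """Roles attached to the user directly plus roles attached to any of the user's groups."""
        roles = set(self.user_roles.get(user_id, set()))
        for gid in group_ids:
            roles |= self.group_roles.get(gid, set())
        return roles

    def is_authorized(self, user_id: str, group_ids: set[str], resource: str, action: str) -> bool:
        """True if any effective role carries the (resource, action) permission."""
        return any((resource, action) in self.role_permissions.get(r, set())
                   for r in self.effective_roles(user_id, group_ids))


# Constructed sample data (ids are placeholders, not real WSO2 identifiers).
USER_STORE = UserStore(user_groups={"u-1001": {"g-dev"}, "u-1002": set(), "u-1003": set()})
AUTHZ_STORE = AuthorizationStore(
    role_permissions={"r-publisher": {("/apis", "GET"), ("/apis", "POST")},
                      "r-subscriber": {("/apis", "GET")}},
    user_roles={"u-1002": {"r-publisher"}},   # role attached to a user directly
    group_roles={"g-dev": {"r-subscriber"}},  # role attached to a group from the user store
)


def can(user_id: str, action: str, resource: str) -> bool:
    """Resolve the user's groups in the user store, then decide in the authorization store."""
    return AUTHZ_STORE.is_authorized(user_id, USER_STORE.groups_of(user_id), resource, action)


if __name__ == "__main__":
    for uid, action in [("u-1001", "GET"), ("u-1001", "POST"), ("u-1002", "POST"), ("u-1003", "GET")]:
        print(uid, action, "/apis ->", "allow" if can(uid, action, "/apis") else "deny")
```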
