On Fri, Jan 27, 2017 at 12:18 PM, Johann Nallathamby <[email protected]>
wrote:

> Hi Nuwan,
>
> On Fri, Jan 27, 2017 at 10:40 AM, Nuwan Dias <[email protected]> wrote:
>
>> Hi,
>>
>> In C5, since Groups and Roles are supposed to be treated as two different
>> entities, we need to clearly understand how to use them and a bit of their
>> implementation details. I'm listing some assumptions and questions below,
>> please see if the assumptions are correct and please provide answers to the
>> questions too.
>>
>> *Assumptions*
>>
>> 1. Groups are in the LDAP (User Store) and Roles are in the Context of
>> Carbon (in a DB schema introduced by WSO2 Products).
>>
>
> Yes. User Store can be in Database as well. So Groups can exist in User
> StoreDB schema as well.
>
>
>> 2. Roles are always created through a carbon admin service (MSF4J).
>>
>
> Yes. We have an OSGi service as well which exposes AuthorizationStore API
> as a service.
>
>
>> 3. Roles can be attached to users *and* groups.
>>
>
> Yes.
>
>
>> 4. Role to User and Role to Group mappings will be stored in a DB
>> schema maintained by carbon.
>>
>
> Yes.
>
>
>> 5. Users, Roles and Groups will all have unique identifiers (ids) so that
>> products don't have to maintain direct references to their literal
>> values.
>>
>
> Yes.
>
> Another addition is Users and Groups can have attributes in C5.
> @Jayanga: can you confirm if this is implemented already? If not we need
> to track this user story.
>
>
>>
>> *Questions*
>>
>> 1. When saving information to represent "who can do what", do we save the
>> role or group? Ex: GET /apis can be performed by [role or group or both]?
>>
>
> It's Roles.
> The question "who" represents either user or group - a set of users. The
> mapping between resource, action (resource + action = permission) and user
> or group is done through roles.
>
Does this mean if a user is in a particular group, the permission level of
that group (given by the roles mapped to that group) is the basic level of
permissions that user can have? He/she could be assigned to other roles as
well, so a user might have more permissions than the assigned group but not
less.

>
>
>
>> 2. Do we have a concept of "default role(s)" or "internal role(s)" which
>> are common to all products?
>>
>
> So far we have not come across any requirement for "default" roles. But
> that would depend on the products I guess. E.g. in APIM we would need
> publisher and subscriber roles.
>
> There will be no concept of "internal" roles because technically roles are
> anyway internal to IS. Only groups can be external in a user store. Earlier
> we had the concept of "internal" roles because we treated both groups and
> roles as roles. So groups were called "external roles" and roles were
> called "internal roles".
>
>
>> 3. Are roles common across all user stores? If my assumption (1) is
>> correct, the answer should be yes I guess.
>>
>
> Yes.
>

Assuming users can assign groups to themselves, will that be handled under
one permission level? Say there is a Manager group with high permission
level roles and there's an Employee group with low permission level roles;
will the users who can assign themselves to the Employee group be capable
of assigning themselves to the Manager group as well?

>
>
>>
>>
>> Thanks,
>> NuwanD.
>>
>> --
>> Nuwan Dias
>>
>> Software Architect - WSO2, Inc. http://wso2.com
>> email : [email protected]
>> Phone : +94 777 775 729
>>
>
>
>
> --
> Thanks & Regards,
>
> *Johann Dilantha Nallathamby*
> Technical Lead & Product Lead of WSO2 Identity Server
> Governance Technologies Team
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - *+94777776950*
> Blog - *http://nallaa.wordpress.com*
>
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
>


-- 

Best Regards,

Nuwandi Wickramasinghe

Software Engineer

WSO2 Inc.

Web : http://wso2.com

Mobile : 0719214873
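The model described in the thread (groups in the user store, roles in the Carbon DB, permission = resource + action, roles attached to both users and groups, everything referenced by id) can be made concrete with a small resolver. The following is an added example written for this page, not WSO2 Carbon C5 code: the ids, names, the in-memory store layout, and the convention that joining a group is a "join" action on a `/groups/<id>` resource are all assumptions made for illustration. It shows the effective permissions of a user as the union of direct roles and group roles (so a user can have more than their group, never less), the same roles serving groups from two different user-store domains, and one way self-service group membership could be gated per group instead of by a single level.

```python
"""Toy authorization resolver for the user / group / role / permission model
discussed in the thread.  Added example, not WSO2 Carbon C5 code: all ids,
names, the store layout and the "join" permission convention used for
self-service group membership are assumptions made for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Role:
    """Roles live in the Carbon-managed DB and are referenced by id only.
    permissions is a frozenset of (resource, action) pairs, e.g. ("/apis", "GET")."""
    role_id: str
    name: str
    permissions: frozenset


@dataclass(frozen=True)
class Group:
    """Groups live in a user store (LDAP or DB) and are referenced by id only."""
    group_id: str
    name: str
    domain: str  # user-store domain the group comes from


@dataclass
class User:
    user_id: str
    username: str
    domain: str
    group_ids: set = field(default_factory=set)


class AuthorizationStore:
    """Roles plus role->user and role->group mappings (the Carbon DB side)."""

    def __init__(self):
        self.roles = {}        # role_id -> Role
        self.user_roles = {}   # user_id -> set of role_ids
        self.group_roles = {}  # group_id -> set of role_ids

    def add_role(self, role):
        self.roles[role.role_id] = role

    def assign_to_user(self, user_id, role_id):
        self.user_roles.setdefault(user_id, set()).add(role_id)

    def assign_to_group(self, group_id, role_id):
        self.group_roles.setdefault(group_id, set()).add(role_id)

    def effective_roles(self, user):
        """Direct roles unioned with the roles of every group the user is in."""
        role_ids = set(self.user_roles.get(user.user_id, set()))
        for gid in user.group_ids:
            role_ids |= self.group_roles.get(gid, set())
        return role_ids

    def effective_permissions(self, user):
        perms = set()
        for rid in self.effective_roles(user):
            perms |= self.roles[rid].permissions
        return perms

    def is_authorized(self, user, resource, action):
        return (resource, action) in self.effective_permissions(user)


def can_join_group(store, user, group):
    """Assumed convention: joining a group is an action on a group resource,
    so self-service membership is gated per group rather than by one level."""
    return store.is_authorized(user, f"/groups/{group.group_id}", "join")


def build_demo():
    """Constructed sample data: two user-store domains sharing one role set."""
    store = AuthorizationStore()
    store.add_role(Role("r-sub", "subscriber", frozenset({("/apis", "GET")})))
    store.add_role(Role("r-pub", "publisher",
                        frozenset({("/apis", "GET"), ("/apis", "POST")})))
    # Self-service: anyone may join the employee group, nobody the manager group.
    store.add_role(Role("r-self", "self-service",
                        frozenset({("/groups/g-emp", "join")})))

    groups = {
        "everyone": Group("g-all", "everyone", "PRIMARY"),
        "employee": Group("g-emp", "employee", "PRIMARY"),
        "manager": Group("g-mgr", "manager", "LDAP"),  # other store, same roles
    }
    store.assign_to_group("g-all", "r-self")
    store.assign_to_group("g-emp", "r-sub")
    store.assign_to_group("g-mgr", "r-pub")

    users = {
        "alice": User("u1", "alice", "PRIMARY", {"g-all", "g-emp"}),
        "bob": User("u2", "bob", "LDAP", {"g-all", "g-mgr"}),
        "carol": User("u3", "carol", "PRIMARY", {"g-all", "g-emp"}),
    }
    # carol has a direct role on top of her group's roles: more, never less.
    store.assign_to_user("u3", "r-pub")
    return store, users, groups


if __name__ == "__main__":
    store, users, groups = build_demo()
    for name, u in users.items():
        print(name, sorted(store.effective_permissions(u)),
              "can join manager:", can_join_group(store, u, groups["manager"]))
```

Running the script prints each user's effective permissions: alice (employee group only) can GET /apis but not POST, bob (manager group from the LDAP domain) can do both, and carol gets POST through her direct publisher role while keeping everything her group grants. Only the employee group is self-joinable, because the self-service role carries a join permission for that group's resource alone.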