On Sun, Jan 29, 2017 at 1:52 PM, Nuwandi Wickramasinghe <[email protected]> wrote:
> On Fri, Jan 27, 2017 at 12:18 PM, Johann Nallathamby <[email protected]> wrote:
>
>> Hi Nuwan,
>>
>> On Fri, Jan 27, 2017 at 10:40 AM, Nuwan Dias <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> In C5, since Groups and Roles are supposed to be treated as two different entities, we need to clearly understand how to use them and a bit of their implementation details. I'm listing some assumptions and questions below, please see if the assumptions are correct and please provide answers to the questions too.
>>>
>>> *Assumptions*
>>>
>>> 1. Groups are in the LDAP (User Store) and Roles are in the Context of Carbon (in a DB schema introduced by WSO2 Products).
>>>
>> Yes. User Store can be in Database as well. So Groups can exist in User Store DB schema as well.
>>
>>> 2. Roles are always created through a carbon admin service (MSF4J).
>>>
>> Yes. We have an OSGi service as well which exposes AuthorizationStore API as a service.
>>
>>> 3. Roles can be attached to users *and* groups.
>>>
>> Yes.
>>
>>> 4. Role to User and Role to Group mappings will be stored in a DB schema maintained by carbon.
>>>
>> Yes.
>>
>>> 5. Users, Roles and Groups will all have unique identifiers (ids) so that products don't have to maintain direct references to their literal values.
>>>
>> Yes.
>>
>> Another addition is Users and Groups can have attributes in C5.
>> @Jayanga: can you confirm if this is implemented already? If not we need to track this user story.
>>
>>> *Questions*
>>>
>>> 1. When saving information to represent "who can do what", do we save the role or group? Ex: GET /apis can be performed by [role or group or both]?
>>>
>> It's Roles.
>> The question "who" represents either user or group - a set of users. The mapping between resource, action (resource + action = permission) and user or group is done through roles.
>>
> Does this mean if a user is in a particular group, the permission level of that group (given by the roles mapped to that group) is the basic level of permissions that user can have? He/she could be assigned to other roles as well so a user might have more permissions than the assigned group but not less.
>

Yes. If a user belongs to a particular group, that user inherits roles from that particular group. And a user can have additional roles but not less.

>>> 2. Do we have a concept of "default role(s)" or "internal role(s)" which are common to all products?
>>>
>> So far we have not come across any requirement for "default" roles. But that would depend on the products I guess. E.g. in APIM we would need publisher and subscriber roles.
>>
>> There will be no concept of "internal" roles because technically roles are anyway internal to IS. Only groups can be external in a user store. Earlier we had the concept of "internal" roles because we treated both groups and roles as roles. So groups were called "external roles" and roles were called "internal roles".
>>
>>> 3. Are roles common across all user stores? If my assumption (1) is correct, the answer should be yes I guess.
>>>
>> Yes.
>>
> Assuming users can assign groups to themselves, will that be handled under one permission level? Say there is a Manager group with high permission level roles and there's Employee group with low permission level roles, will the users who can assign themselves to Employee group be capable of assigning themselves to Manager group as well?
>

In my opinion, we shouldn't allow users to assign groups to themselves. It should be handled by a role which has higher privileges (same as how we assign roles). Eg: A group admin can add users to the group.

>>> Thanks,
>>> NuwanD.
>>>
>>> --
>>> Nuwan Dias
>>>
>>> Software Architect - WSO2, Inc.
>>> http://wso2.com
>>> email : [email protected]
>>> Phone : +94 777 775 729
>>
>> --
>> Thanks & Regards,
>>
>> *Johann Dilantha Nallathamby*
>> Technical Lead & Product Lead of WSO2 Identity Server
>> Governance Technologies Team
>> WSO2, Inc.
>> lean.enterprise.middleware
>>
>> Mobile - *+94777776950*
>> Blog - *http://nallaa.wordpress.com*
>>
>> _______________________________________________
>> Architecture mailing list
>> [email protected]
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
> --
>
> Best Regards,
>
> Nuwandi Wickramasinghe
>
> Software Engineer
>
> WSO2 Inc.
>
> Web : http://wso2.com
>
> Mobile : 0719214873
>
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
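As an added illustration of the model the thread converges on (example code, not from WSO2 or any participant): permissions are (resource, action) pairs attached to roles, users inherit roles from their user-store groups on top of directly assigned roles, and group membership is changed only by an actor holding a privileged role. All ids, role names and the "ADD_MEMBER" permission are constructed for the sketch.

```python
from dataclasses import dataclass, field
# Constructed sketch of the model discussed in the thread: groups live in the
# user store, roles and their mappings in the Carbon-maintained schema, and
# every entity is referenced by an opaque id, never by its literal name.

@dataclass(frozen=True)
class Permission:
    resource: str  # e.g. "/apis"
    action: str    # e.g. "GET"; resource + action = permission

GROUP_ADMIN = Permission("/groups", "ADD_MEMBER")  # hypothetical permission

@dataclass
class UserStore:
    user_groups: dict = field(default_factory=dict)  # user_id -> {group_id}

@dataclass
class AuthorizationStore:
    role_perms: dict = field(default_factory=dict)   # role_id -> {Permission}
    user_roles: dict = field(default_factory=dict)   # user_id -> {role_id}
    group_roles: dict = field(default_factory=dict)  # group_id -> {role_id}

def effective_roles(uid, users, authz):
    """Direct roles plus the roles inherited from every group the user is in."""
    roles = set(authz.user_roles.get(uid, ()))
    for gid in users.user_groups.get(uid, ()):
        roles |= authz.group_roles.get(gid, set())
    return roles

def effective_perms(uid, users, authz):
    return {p for r in effective_roles(uid, users, authz) for p in authz.role_perms.get(r, ())}

def is_authorized(uid, resource, action, users, authz):
    return Permission(resource, action) in effective_perms(uid, users, authz)

def add_user_to_group(actor, uid, gid, users, authz):
    """Membership is changed by a privileged role held by the actor, never by self-assignment."""
    if GROUP_ADMIN not in effective_perms(actor, users, authz):
        raise PermissionError(f"{actor} may not add members to {gid}")
    users.user_groups.setdefault(uid, set()).add(gid)

def sample():
    """Constructed data: Employee and Manager groups, publisher and subscriber roles."""
    users = UserStore({"u-alice": {"g-employee"}, "u-bob": {"g-employee"}})
    authz = AuthorizationStore(
        role_perms={"r-subscriber": {Permission("/apis", "GET")},
                    "r-publisher": {Permission("/apis", "POST")}, "r-group-admin": {GROUP_ADMIN}},
        user_roles={"u-alice": {"r-publisher"}, "u-admin": {"r-group-admin"}},
        group_roles={"g-employee": {"r-subscriber"}, "g-manager": {"r-subscriber", "r-publisher"}})
    return users, authz
```

With the sample data, the group's permissions are a floor for every member, a member with extra direct roles exceeds it, and a user cannot move into the Manager group on their own.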
