On Mon, Feb 6, 2017 at 7:18 AM, Isuru Haththotuwa <[email protected]> wrote:
> Hi Jayanga,
>
> On Fri, Jan 27, 2017 at 1:53 PM, Jayanga Kaushalya <[email protected]> wrote:
>
>> On Fri, Jan 27, 2017 at 12:18 PM, Johann Nallathamby <[email protected]> wrote:
>>
>>> Hi Nuwan,
>>>
>>> On Fri, Jan 27, 2017 at 10:40 AM, Nuwan Dias <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> In C5, since Groups and Roles are supposed to be treated as two different entities, we need to clearly understand how to use them and a bit of their implementation details. I'm listing some assumptions and questions below, please see if the assumptions are correct and please provide answers to the questions too.
>>>>
>>>> *Assumptions*
>>>>
>>>> 1. Groups are in the LDAP (User Store) and Roles are in the Context of Carbon (in a DB schema introduced by WSO2 Products).
>>>
>>> Yes. User Store can be in Database as well. So Groups can exist in User Store DB schema as well.
>>>
>>>> 2. Roles are always created through a carbon admin service (MSF4J).
>>>
>>> Yes. We have an OSGi service as well which exposes AuthorizationStore API as a service.
>>>
>>>> 3. Roles can be attached to users *and* groups.
>>>
>>> Yes.
>>>
>>>> 4. Role to User and Role to Group mappings will be stored in a DB schema maintained by carbon.
>>>
>>> Yes.
>>>
>>>> 5. Users, Roles and Groups will all have unique identifiers (ids) so that products don't have to maintain direct references to their literal values.
>>>
>>> Yes.
>>>
>>> Another addition is Users and Groups can have attributes in C5.
>
> Can the permission checking involve both roles and attributes? For example, can I restrict access to a resource based on a particular role as well as an attribute?

Attribute based access control is a feature we will provide in IS using XACML or some other approach in IS 6.0.0. We won't support that as part of our identity-mgt APIs.

>>> @Jayanga: can you confirm if this is implemented already? If not we need to track this user story.
>>
>> Yes we have this capability already implemented.
>>
>>>> *Questions*
>>>>
>>>> 1. When saving information to represent "who can do what", do we save the role or group? Ex: GET /apis can be performed by [role or group or both]?
>>>
>>> It's Roles.
>>> The question "who" represents either user or group - a set of users. The mapping between resource, action (resource + action = permission) and user or group is done through roles.
>>>
>>>> 2. Do we have a concept of "default role(s)" or "internal role(s)" which are common to all products?
>>>
>>> So far we have not come across any requirement for "default" roles. But that would depend on the products I guess. E.g. in APIM we would need publisher and subscriber roles.
>>>
>>> There will be no concept of "internal" roles because technically roles are anyway internal to IS. Only groups can be external in a user store. Earlier we had the concept of "internal" roles because we treated both groups and roles as roles. So groups were called "external roles" and roles were called "internal roles".
>>>
>>>> 3. Are roles common across all user stores? If my assumption (1) is correct, the answer should be yes I guess.
>>>
>>> Yes.
>>>
>>>> Thanks,
>>>> NuwanD.
>>>>
>>>> --
>>>> Nuwan Dias
>>>>
>>>> Software Architect - WSO2, Inc. http://wso2.com
>>>> email : [email protected]
>>>> Phone : +94 777 775 729
>>>
>>> --
>>> Thanks & Regards,
>>>
>>> *Johann Dilantha Nallathamby*
>>> Technical Lead & Product Lead of WSO2 Identity Server
>>> Governance Technologies Team
>>> WSO2, Inc.
>>> lean.enterprise.middleware
>>>
>>> Mobile - *+94777776950*
>>> Blog - *http://nallaa.wordpress.com*
>
> --
> Thanks and Regards,
>
> Isuru H.
> +94 716 358 048

--
Thanks & Regards,

*Johann Dilantha Nallathamby*
Technical Lead & Product Lead of WSO2 Identity Server
Governance Technologies Team
WSO2, Inc.
lean.enterprise.middleware

Mobile - *+94777776950*
Blog - *http://nallaa.wordpress.com*
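The role/group model discussed in the thread (groups in the user store, roles and the role-to-user and role-to-group mappings in the carbon-side store, "who can do what" held as resource + action against roles only, everything referenced by id), worked through as an added Python example; this is not code from the thread or from WSO2, and all ids, names and the two user stores are constructed.

```python
from dataclasses import dataclass, field

# Added example (not WSO2 code): a model of the C5 design described in the
# thread. Groups live in a user store (LDAP or DB); roles, role->user and
# role->group mappings and (resource, action) permissions live in a
# carbon-side store; everything is referenced by id, never by literal name.
# All ids, names and stores below are constructed sample data.

@dataclass
class UserStore:
    name: str
    groups: dict = field(default_factory=dict)      # group_id -> group name
    membership: dict = field(default_factory=dict)  # user_id -> {group_id}

@dataclass
class AuthorizationStore:
    roles: dict = field(default_factory=dict)        # role_id -> role name
    role_users: dict = field(default_factory=dict)   # role_id -> {user_id}
    role_groups: dict = field(default_factory=dict)  # role_id -> {group_id}
    permissions: dict = field(default_factory=dict)  # role_id -> {(resource, action)}

    def effective_roles(self, user_id, stores):
        """Roles assigned directly plus roles inherited via group membership.
        Roles are global, so the group lookup spans every user store."""
        groups = set().union(*(s.membership.get(user_id, set()) for s in stores))
        direct = {r for r, users in self.role_users.items() if user_id in users}
        via_groups = {r for r, gs in self.role_groups.items() if gs & groups}
        return direct | via_groups

    def is_authorized(self, user_id, resource, action, stores):
        """'Who can do what' is recorded against roles only, so the check is
        user -> roles (direct or through groups) -> (resource, action)."""
        return any((resource, action) in self.permissions.get(r, set())
                   for r in self.effective_roles(user_id, stores))

def build_sample():
    """Constructed data: an LDAP store with a 'devs' group, a JDBC store with 'ops'."""
    ldap = UserStore("ldap", groups={"g-1": "devs"}, membership={"u-1": {"g-1"}})
    jdbc = UserStore("jdbc", groups={"g-2": "ops"}, membership={"u-2": {"g-2"}})
    auth = AuthorizationStore(roles={"r-1": "publisher", "r-2": "subscriber"})
    auth.role_groups["r-1"] = {"g-1"}  # group 'devs' (by id) gets publisher
    auth.role_users["r-1"] = {"u-3"}   # user u-3 gets publisher directly
    auth.role_groups["r-2"] = {"g-2"}  # group 'ops' gets subscriber
    auth.permissions["r-1"] = {("/apis", "GET"), ("/apis", "POST")}
    auth.permissions["r-2"] = {("/apis", "GET")}
    return auth, [ldap, jdbc]
```

Because mappings hold ids, renaming a group in the user store leaves the role mapping and the permission check unchanged.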
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
