Repository: syncope Updated Branches: refs/heads/master 75387d7ac -> 8714fa8b6
provisioning, SYNCOPE-700 Project: http://git-wip-us.apache.org/repos/asf/syncope/repo Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/8714fa8b Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/8714fa8b Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/8714fa8b Branch: refs/heads/master Commit: 8714fa8b67ae5f4fa4eab408bcb4ef63fadbd97e Parents: 75387d7 Author: Massimiliano Perrone <[email protected]> Authored: Fri Dec 11 16:34:42 2015 +0100 Committer: Massimiliano Perrone <[email protected]> Committed: Fri Dec 11 16:34:42 2015 +0100 ---------------------------------------------------------------------- src/main/asciidoc/concepts/concepts.adoc | 8 +-- .../concepts/provisioning/connectors.adoc | 32 ++++++++++++ .../concepts/provisioning/propagation.adoc | 34 +++++++++++++ .../concepts/provisioning/provisioning.adoc | 37 ++++++++++++++ .../asciidoc/concepts/provisioning/push.adoc | 51 +++++++++++++++++++ .../concepts/provisioning/resources.adoc | 51 +++++++++++++++++++ .../asciidoc/concepts/provisioning/sync.adoc | 52 ++++++++++++++++++++ 7 files changed, 258 insertions(+), 7 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/syncope/blob/8714fa8b/src/main/asciidoc/concepts/concepts.adoc ---------------------------------------------------------------------- diff --git a/src/main/asciidoc/concepts/concepts.adoc b/src/main/asciidoc/concepts/concepts.adoc index 2798816..c781e50 100644 --- a/src/main/asciidoc/concepts/concepts.adoc +++ b/src/main/asciidoc/concepts/concepts.adoc @@ -32,13 +32,7 @@ === Tasks -=== Provisioning - -==== Connectors - -==== Resources - -==== Propagation, Push & Synchronization +include::provisioning/provisioning.adoc[] === Policies http://git-wip-us.apache.org/repos/asf/syncope/blob/8714fa8b/src/main/asciidoc/concepts/provisioning/connectors.adoc ---------------------------------------------------------------------- 
diff --git a/src/main/asciidoc/concepts/provisioning/connectors.adoc b/src/main/asciidoc/concepts/provisioning/connectors.adoc new file mode 100644 index 0000000..835d95a --- /dev/null +++ b/src/main/asciidoc/concepts/provisioning/connectors.adoc 
@@ -0,0 +1,32 @@ +// +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. +// +==== Connectors +Syncope uses entities like connectors bundles, connector instances and external resources to synchronize user accounts +with and propagate to external systems. This paragraph clarifies what the responsibility and scope of each of these entities are. + +===== Connector bundle +Connector bundles are the components that are able to connect to classes of systems when configured correctly and +told to do so. They are not bound to Syncope specifically, as they are part of the separate framework +http://connid.tirasa.net/[ConnId], but they can be plugged into a deployed Syncope system. + +===== Connector instance +Connectors instances are instance of connector bundles, obtained by assigning values to configuration properties +defined in bundles. +For instance, there is only a single "DatabaseTable connector" (the bundle) that can be instantiated many times, for +example if there is need to connect to two different databases. 
\ No newline at end of file http://git-wip-us.apache.org/repos/asf/syncope/blob/8714fa8b/src/main/asciidoc/concepts/provisioning/propagation.adoc ---------------------------------------------------------------------- diff --git a/src/main/asciidoc/concepts/provisioning/propagation.adoc b/src/main/asciidoc/concepts/provisioning/propagation.adoc new file mode 100644 index 0000000..d58ba53 --- /dev/null +++ b/src/main/asciidoc/concepts/provisioning/propagation.adoc 
@@ -0,0 +1,34 @@ +// +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. +// +==== Propagation +The propagation is the mechanism to extend provisioning operations on external resources. +The propagation layer implements remote creation, maintenance, activation and deactivation of user and role objects +and their attributes. +A propagation towards a specific external resource occurs if and only if the external resource's connector +instance capabilities permit. +Propagation will be tried on an external resource for each provisioning operation involving users or roles assigned +to that resource. + +===== Configuration +Connectors:: +Connector instances can be configured to create, update and delete operations. +Propagation tasks:: +When propagation tasks are created, their propagation mode will be set according to the mode of the external resource. +Operation:: +When tasks are executed, the execution status will be set to SUCCESS or FAILURE, based on the actual propagation result. \ No newline at end of file http://git-wip-us.apache.org/repos/asf/syncope/blob/8714fa8b/src/main/asciidoc/concepts/provisioning/provisioning.adoc ---------------------------------------------------------------------- 
diff --git a/src/main/asciidoc/concepts/provisioning/provisioning.adoc b/src/main/asciidoc/concepts/provisioning/provisioning.adoc new file mode 100644 index 0000000..35f5987 --- /dev/null +++ b/src/main/asciidoc/concepts/provisioning/provisioning.adoc 
@@ -0,0 +1,37 @@ +// +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. +// +=== Provisioning +The main purpose of identity management systems is to manage user and role provisioning. +User and role provisioning refers to the creation, maintenance, activation and deactivation of user and role objects +and their attributes. Provisioning operations can act on Apache Syncope only or be propagated towards external +resources as well. +The provisioning operation can be initiated by an authorized user (for instance, working on Apache Syncope +administration console) or by an internal task like a synchronization task. +A synchronization task can be used to perform a bulk provisioning operation involving either Syncope and one +or more external resources. + +include::connectors.adoc[] + +include::resources.adoc[] + +include::propagation.adoc[] + +include::push.adoc[] + +include::sync.adoc[] \ No newline at end of file http://git-wip-us.apache.org/repos/asf/syncope/blob/8714fa8b/src/main/asciidoc/concepts/provisioning/push.adoc ---------------------------------------------------------------------- 
diff --git a/src/main/asciidoc/concepts/provisioning/push.adoc b/src/main/asciidoc/concepts/provisioning/push.adoc new file mode 100644 index 0000000..06ea053 --- /dev/null +++ b/src/main/asciidoc/concepts/provisioning/push.adoc 
@@ -0,0 +1,51 @@ +// +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. +// +==== Push +Basically, the push is a sort of synchronization mechanism used by Apache Syncope to propagate a filtered set of +user/role/membership data to external resources. +Push can be "full" only: all the data matching the configured filter (potentially the same set of data) will be sent +to the external resource at each push task execution. + +===== From Syncope to an external resource +All the entity (user/group) data involved by a push are retrieved locally and compared with remote ones before sending out. +An entity to be sent out can be: + +. a matching entity, if a corresponding remote entity has been found; +. or an unmatching entity, otherwise. + +By default, Syncope will propagate all the unmatching entities for provisioning (without linking entities and resources) +and will update all the matching ones. +By the way, a different behaviour can be configured working with matching/unmatching rules. 
+ +===== Matching and Unmatching rules +Unmatching (corresponding user not found on external resource): + +* IGNORE (do not perform any action); +* UNLINK (just unlink resource without performing any (de-)provisioning operation - of course, if any link is found); +* ASSIGN (provision entity linking the resource); +* PROVISION (provision entity without linking the resource). + +Matching (corresponding users found on external resource): + +* IGNORE (do not perform any action); +* UPDATE (update matching entity); +* DEPROVISION (delete resource entity); +* UNASSIGN (unlink resource and delete resource entity) ; +* UNLINK (just unlink resource without performing any (de-)provisioning operation); +* LINK (just link resource without performing any (de-)provisioning operation). \ No newline at end of file http://git-wip-us.apache.org/repos/asf/syncope/blob/8714fa8b/src/main/asciidoc/concepts/provisioning/resources.adoc ---------------------------------------------------------------------- diff --git a/src/main/asciidoc/concepts/provisioning/resources.adoc b/src/main/asciidoc/concepts/provisioning/resources.adoc new file mode 100644 index 0000000..b9b7070 --- /dev/null +++ b/src/main/asciidoc/concepts/provisioning/resources.adoc 
@@ -0,0 +1,51 @@ +// +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. +// +==== Resources +The propagation implements the provisioning on external resources. It depends on the assignment, directly or indirectly + (via memberships), of users/roles to external resources. +Users and roles can be assigned or linked to an external resource in three different ways: with a soft link, +with a hard link, without any link (see below for more details). +Each provisioning operation involving a certain user/role will be propagated (if permitted by resource connector +instance capabilities) towards each resource linked by the user/role object itself. +In general, the provisioning won't occur on a certain external resource if any direct/indirect link exists with +that resource. + +===== Manage external resource provisioning directly +Provisioning will occur on a certain external resource every time the operation involves users or roles assigned +to that resource. +Users and roles can be assigned to an external resource by defining a direct or indirect link between objects. 
+By the way, Apache Syncope empowers the possibility to control the existence of users/roles on external resources +giving the possibility to manage remote provisioning directly. +In fact, an authorized user (or an internal task - a sync task, for instance) can ask for + +* *link / unlink* users/roles to/from specific resources (soft link), +* *assign / unassign* users/roles to/from specific resources (hard link), +* *provision / de-provision* users/roles on/from specific resources (maybe, without any link). + +link/unlink:: +Apache Syncope gives the possibility to create and remove a sort of soft linking between users/roles and resources. +This kind of link doesn't imply any propagation at link creation/deletion time. +Provision/De-Provision:: +Apache Syncope gives the possibility to directly provision and de-provision users/roles on/from resources, without any +link in place. This provisioning feature (disjoint from the resource link mechanisms) is often very useful in case +of reclaims. +Assign/Unassign:: +Apache Syncope gives the possibility to create and remove a sort of hard linking between users/roles and resources. +This kind of link implies propagation at link creation/deletion time: it is the composition between link/unlink and +provision/de-provision operations. \ No newline at end of file http://git-wip-us.apache.org/repos/asf/syncope/blob/8714fa8b/src/main/asciidoc/concepts/provisioning/sync.adoc ---------------------------------------------------------------------- diff --git a/src/main/asciidoc/concepts/provisioning/sync.adoc b/src/main/asciidoc/concepts/provisioning/sync.adoc new file mode 100644 index 0000000..7bc130f --- /dev/null +++ b/src/main/asciidoc/concepts/provisioning/sync.adoc 
@@ -0,0 +1,52 @@ +// +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. +// +==== Synchronization +Basically, the synchronization is the mechanism used by Apache Syncope to acquire user/group data from external resources. +Synchronization can be "full" (full reconciliation) or "incremental". +In the former case, each sync task execution will take over just of changes from the previous execution +(if exists and connector permits incremental sync). +In the latter case, each sync task execution will take over of the entire set of data managed by the external resource. + +===== From an external resource to Syncope +All the entity (user/group) data involved by a synchronization are retrieved from an external resource and processed +internally by Syncope itself. +A retrieved entity can be: + +. a matching entity, if a corresponding local/internal entity has been found; +. or an unmatching entity, otherwise. + +By default, Syncope will create locally all the unmatching entities (without linking entities and resources) and will +update all the matching ones. +By the way, a different behaviour can be configured working with matching/unmatching rules. 
+ +===== Matching and Unmatching rules +Unmatching (corresponding user not found on Syncope): + +* IGNORE / UNLINK (do not perform any action); +* ASSIGN (create entity linking the resource); +* PROVISION (create entity without linking the resource). + +Matching (corresponding users found on Syncope): + +* IGNORE (do not perform any action); +* UPDATE (update matching entity); +* DEPROVISION (delete resource entity); +* UNASSIGN (unlink resource and delete resource entity) ; +* UNLINK (just unlink resource without performing any (de-)provisioning operation); +* LINK (just link resource without performing any (de-)provisioning operation). \ No newline at end of file
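Review bot: in connectors.adoc the connector instance capabilities that propagation.adoc and resources.adoc rely on ("if and only if the external resource's connector instance capabilities permit", "if permitted by resource connector instance capabilities") are never introduced; the intro promises to clarify "the responsibility and scope of each of these entities" but the file stops after "Connector instance", and the "external resources" named in its first sentence get no paragraph here either. Suggest a short "Connector capabilities" subsection stating that the capabilities configured on an instance gate which operations (create, update, delete, incremental sync) the later sections may perform. Minor grammar: "Connectors instances are instance of connector bundles" should read "Connector instances are instances of connector bundles".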
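Review bot: in propagation.adoc the entry "Connectors:: Connector instances can be configured to create, update and delete operations." drops the noun; given the sentence just above it, it should say the instance is configured with capabilities for create, update and delete operations. The entry "Propagation tasks:: ... propagation mode will be set according to the mode of the external resource" refers to a "mode" that neither this file nor resources.adoc defines; either define it or drop the entry. This file also speaks of "user and role objects" while sync.adoc and push.adoc in the same commit say "user/group"; pick one term for the whole provisioning chapter.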
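Review bot: in provisioning.adoc "a bulk provisioning operation involving either Syncope and one or more external resources" is ungrammatical ("either ... and"); read "involving both Syncope and one or more external resources". The intro names only a synchronization task as an internal initiator, but push.adoc (included from this same file) introduces push task executions as another one; mention both.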
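Review bot: in push.adoc the Matching list reuses "DEPROVISION (delete resource entity)" and "UNASSIGN (unlink resource and delete resource entity)" word for word from sync.adoc, where data flows in the opposite direction; for push, say explicitly that the entity on the external resource is deleted and the Syncope entity is kept, since a reader choosing a push task's matching rule is deciding what gets destroyed on the remote side. Terminology drifts within the file: "user/role/membership data" in the first paragraph, then "entity (user/group)" in the next. "By the way, a different behaviour can be configured" should be "A different behaviour can be configured".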
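Review bot: in resources.adoc the sentence "In general, the provisioning won't occur on a certain external resource if any direct/indirect link exists with that resource." contradicts the sentence before it ("propagated ... towards each resource linked by the user/role object itself"); it should read "if no direct/indirect link exists". Under "Provision/De-Provision::", "often very useful in case of reclaims" is unclear; if the intent is creating or removing an account on a resource Syncope does not track through a link, say so, and state the consequence that follows from the Propagation section: with no link in place, a later operation on the user/role (for instance deletion) will not be propagated to that resource, so a plainly provisioned account is left behind unless it is explicitly de-provisioned. "empowers the possibility to control" should be "allows controlling".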
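Review bot: in sync.adoc the "full" and "incremental" explanations are swapped: "In the former case" (full) is described as taking "just of changes from the previous execution", which is incremental, and "In the latter case" (incremental) as "the entire set of data managed by the external resource", which is full reconciliation. Swap the two sentences and fix the grammar, e.g. "In the incremental case, each sync task execution processes only the changes since the previous execution (if one exists and the connector supports incremental sync); in the full case, each execution processes the entire set of data managed by the external resource." In the Matching list, "DEPROVISION (delete resource entity)" and "UNASSIGN (unlink resource and delete resource entity)" should say which side, Syncope or the external resource, loses the entity, since this is the direction where a misread deletes local accounts. "Unmatching (corresponding user not found on Syncope)" should say "entity" to match the "user/group" wording above.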
