Francesco Chicchiriccò created SYNCOPE-249:
----------------------------------------------
Summary: Implement RoleOwnerSchema for role propagation and synchronization
Key: SYNCOPE-249
URL: https://issues.apache.org/jira/browse/SYNCOPE-249
Project: Syncope
Issue Type: Improvement
Affects Versions: 1.1.0
Reporter: Francesco Chicchiriccò
Fix For: 1.1.0
SYNCOPE-225 introduced the concept of role owner, which can be either a user
or another role (not both at the same time).
Test content provides an example of how the role owner can be propagated by
leveraging a derived attribute (ownerDN): this approach works only for
propagation and duplicates the AccountLink expression.
A more complete approach is to define a new type of internal mapping,
RoleOwnerSchema.
During role propagation (in MappingUtil.getIntValues()):
* if userOwner != null and the propagating resource has UMapping defined
* if roleOwner != null (the propagating resource has RMapping because of the
ongoing propagation)
the AccountLink (or AccountId if no AccountLink is defined) is generated and
given as the value for the external attribute mapped to RoleOwnerSchema.
During role synchronization (in
ConnObjectUtil.getAttributableTOFromConnObject()), if a value is present in the
ConnectorObject for the role being synchronized, this value must be used for
searching the same connector for either ObjectClass.ACCOUNT or
ObjectClass.GROUP; if a unique match is found, the matching ConnectorObject can
be used to find the corresponding Syncope entity (user or role); only then can
the userOwner or roleOwner of the role being synchronized be set.
Especially in case of roleOwner, precedence issues must be taken into account:
it might happen, in fact, that the owned role is being synchronized before the
owner role synchronization takes place.
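The synchronization side of this proposal, written out as an added stand-alone Python model (not Syncope code): the connector contents, the "owner" attribute name standing in for the external attribute mapped to RoleOwnerSchema, the string stand-ins for ObjectClass.ACCOUNT/GROUP and the sequential role ids are all constructed for the example. It searches both object classes, requires a unique match, and defers a role whose owner role has not been synchronized yet, so the precedence problem described above is handled by a retry pass; users are assumed to be synchronized before roles.

```python
ACCOUNT, GROUP = "__ACCOUNT__", "__GROUP__"   # stand-ins for ObjectClass.ACCOUNT / GROUP

# Constructed connector contents: (objectClass, uid) -> attributes. "owner" plays the
# external attribute mapped to RoleOwnerSchema. 'ops' deliberately precedes its owner.
CONNECTOR = {
    (ACCOUNT, "uid=alice,ou=people"): {},
    (GROUP, "cn=ops,ou=groups"): {"owner": "cn=admins,ou=groups"},
    (GROUP, "cn=admins,ou=groups"): {"owner": "uid=alice,ou=people"},
    (GROUP, "cn=lost,ou=groups"): {"owner": "cn=nobody,ou=groups"},
}

def resolve_owner(owner_value, connector, syncope):
    """Search ACCOUNT and GROUP for owner_value and map the unique match to a Syncope entity.
    Returns ("userOwner", id), ("roleOwner", id), "deferred" (owner role not synced yet)
    or None (no owner value, no match, or an ambiguous match across object classes)."""
    matches = [(oc, uid) for (oc, uid) in connector if uid == owner_value]
    if len(matches) != 1:
        return None
    oc, uid = matches[0]
    if oc == ACCOUNT:
        ident = syncope["users"].get(uid)   # users are assumed to be synced already
        return ("userOwner", ident) if ident is not None else None
    ident = syncope["roles"].get(uid)
    return ("roleOwner", ident) if ident is not None else "deferred"

def synchronize_roles(connector, syncope):
    """Sync every GROUP, retrying roles whose owner role has not been synchronized yet."""
    pending = [uid for (oc, uid) in connector if oc == GROUP]
    owners = {}
    while pending:
        retry = []
        for uid in pending:
            outcome = resolve_owner(connector[(GROUP, uid)].get("owner"), connector, syncope)
            if outcome == "deferred":
                retry.append(uid)
                continue
            syncope["roles"][uid] = len(syncope["roles"]) + 1   # create the role (constructed id)
            owners[uid] = outcome
        if len(retry) == len(pending):   # no progress: ownership cycle, create without owner
            for uid in retry:
                syncope["roles"][uid] = len(syncope["roles"]) + 1
                owners[uid] = None
            break
        pending = retry
    return owners

def run_demo():
    # Constructed Syncope state: alice already synchronized as user 1, no roles yet.
    return synchronize_roles(CONNECTOR, {"users": {"uid=alice,ou=people": 1}, "roles": {}})
```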