On 24/03/2015 15:13, Francesco Chicchiriccò wrote:
On 24/03/2015 14:17, Francesco Chicchiriccò wrote:
On 24/03/2015 13:25, Marco Di Sabatino Di Diodoro wrote:
Hi Francesco,

On 23/03/2015 14:26, Francesco Chicchiriccò wrote:
Hi all,
I've summarized at [1] the feature and changes that I intend to implement about security realms.

Please take a look and let me know your thoughts: my idea is to start working on this topic in more or less one month, so we have plenty of time to discuss.

I agree with you.
In the new security model, why not extend the concept to the realms?

For example:

The realm X has assigned entitlements E_1 ... E_n. Then all users in the realm X can exercise entitlements E_1 ... E_n.

This can be interesting: only, I would need some solid reasons to not keep the entitlement assignment in a single place (e.g. roles).

After some more thoughts, it seems to me that we might extend the proposal at [1] by:

* introducing a new *Group* entity - with the purpose of representing groups on external resources (attributes, resources, no entitlements)
* introducing a new *Role* entity - with the purpose of assigning entitlements (and the realm(s) where they apply) to users

Assigning a user to a group would mean creating a membership; assigning a user to a role will imply granting such user some entitlements. One can even think of extending the concept in SYNCOPE-140 (Dynamic role memberships) in order to support both groups and roles, so that the statement above (all users in realm X can exercise entitlement E on users from realm Y) can be implemented having:

 1. role R with entitlement E on realm Y
 2. dynamic assignment of role R to users from realm X

Finally, it seems to me that what is coming out from this discussion is a progressive refactoring of the "old" (e.g. up to 1.2.X) role concept to the new realm, role and group concepts.

WDYT?

[1] https://cwiki.apache.org/confluence/display/SYNCOPE/%5BDISCUSS%5D+Realms

Group and Role concept separation +1
Dynamic role memberships +1
Dynamic (group) memberships +1

Regards,
F.

--
Fabio Martelli

Tirasa - Open Source Excellence
http://www.tirasa.net/

Apache Syncope PMC
http://people.apache.org/~fmartelli/
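A small model of the realm/role/group split proposed in the thread (role R carries entitlement E on realm Y and is dynamically assigned to users from realm X, while a group is membership only). This is an added illustration, not Syncope code: the class names, the `can_exercise` check and the assumption that realm paths are hierarchical (a grant on `/Y` also covers `/Y/sub`) are mine, and the sample users and roles are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

# Illustrative model only; names are assumptions, not Syncope's real entities.

@dataclass(frozen=True)
class User:
    name: str
    realm: str  # full realm path the user lives in, e.g. "/X"

@dataclass
class Group:
    """Group: membership for external resources, grants no entitlements."""
    name: str
    members: Set[str] = field(default_factory=set)

@dataclass
class Role:
    """Role: entitlements, each scoped to the realm(s) where it applies."""
    name: str
    entitlements: Dict[str, Set[str]]          # entitlement -> realm paths
    static_members: Set[str] = field(default_factory=set)
    dynamic_condition: Optional[Callable[[User], bool]] = None  # SYNCOPE-140 style

    def applies_to(self, user: User) -> bool:
        if user.name in self.static_members:
            return True
        return self.dynamic_condition is not None and self.dynamic_condition(user)

def realm_covers(granted: str, target: str) -> bool:
    # Assumption: realms are hierarchical, so "/Y" covers "/Y" and "/Y/sub".
    return target == granted or target.startswith(granted.rstrip("/") + "/")

def can_exercise(user: User, roles, entitlement: str, target_realm: str) -> bool:
    """True if some role assigned to the user grants `entitlement` on `target_realm`."""
    for role in roles:
        if not role.applies_to(user):
            continue
        for realm in role.entitlements.get(entitlement, ()):
            if realm_covers(realm, target_realm):
                return True
    return False

# Constructed sample: role R grants USER_UPDATE on realm /Y to all users of realm /X.
ROLE_R = Role("R", {"USER_UPDATE": {"/Y"}}, dynamic_condition=lambda u: u.realm == "/X")
EMPLOYEES = Group("employees", {"alice", "bob"})   # membership only, no power
ALICE = User("alice", "/X")   # in realm X: gets R dynamically
BOB = User("bob", "/Z")       # in the group, but not in realm X
```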
