On 24/03/2015 15:13, Francesco Chicchiriccò wrote:
[...]
After some more thoughts, it seems to me that we might extend the
proposal at [1] by:
* introducing a new *Group* entity - with the purpose of representing
groups on external resources (attributes, resources, no entitlements)
* introducing a new *Role* entity - with the purpose of assigning
entitlements (and realm(s) where to apply) to users
Assigning a user to a group would mean creating a membership; assigning
a user to a role will imply granting such user some entitlements.
One can even think of extending the concept in SYNCOPE-140 (Dynamic role
memberships) in order to support both groups and roles so that the
statement above (all users in realm X can exercise entitlement E on
users from realm Y) can be implemented having:
1. role R with entitlement E on realm Y
2. dynamic assignment of role R to users from realm X
Finally, it seems to me that what is coming out from this discussion
is a progressive refactoring of the "old" (e.g. up to 1.2.X) role
concept to the new realm, role and group concepts.
FYI I have updated [1] accordingly.
Regards.
[1] https://cwiki.apache.org/confluence/display/SYNCOPE/%5BDISCUSS%5D+Realms
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/
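
The statement discussed in the message above (role R with entitlement E on realm Y, dynamically assigned to users from realm X) can be modelled as a deny-by-default authorization check. This is an added example, not part of the original message and not Syncope code: the class and function names are hypothetical, the users are constructed sample data, and it assumes realms are path-like strings where a realm contains its sub-realms.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class User:
    name: str
    realm: str  # realm path such as "/X" (constructed sample value)

@dataclass
class Role:
    name: str
    entitlements: dict  # entitlement name -> set of realms where it applies
    static_members: set = field(default_factory=set)
    dynamic_realm: Optional[str] = None  # every user in this realm gets the role

def in_realm(realm: str, base: str) -> bool:
    """Assumption: a realm contains itself and its sub-realms.
    Matching on whole path segments keeps "/XY" from counting as part of "/X"."""
    return realm == base or realm.startswith(base.rstrip("/") + "/")

def has_role(user: User, role: Role) -> bool:
    """A role is held by explicit assignment or by dynamic assignment on realm."""
    if user.name in role.static_members:
        return True
    return role.dynamic_realm is not None and in_realm(user.realm, role.dynamic_realm)

def is_allowed(actor: User, entitlement: str, target: User, roles: list) -> bool:
    """Deny by default: allow only when a role held by the actor grants the
    entitlement on a realm that contains the target user."""
    for role in roles:
        if not has_role(actor, role):
            continue
        for realm in role.entitlements.get(entitlement, ()):
            if in_realm(target.realm, realm):
                return True
    return False

# 1. role R with entitlement E on realm Y
# 2. dynamic assignment of role R to users from realm X
ROLE_R = Role("R", {"E": {"/Y"}}, dynamic_realm="/X")

alice = User("alice", "/X")       # gets R dynamically
bob = User("bob", "/Y/sales")     # target inside realm Y
carol = User("carol", "/XY")      # similar prefix, but not in realm X
dave = User("dave", "/Z")         # outside realm Y

if __name__ == "__main__":
    for actor, target in [(alice, bob), (carol, bob), (alice, dave)]:
        print(actor.name, "->", target.name, is_allowed(actor, "E", target, [ROLE_R]))
```

Groups are left out of the check on purpose: in the proposal they carry attributes and resources but no entitlements, so membership in a group never grants access.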