Francesco Chicchiriccò created SYNCOPE-1067:
-----------------------------------------------
Summary: More flexible delegated administration model
Key: SYNCOPE-1067
URL: https://issues.apache.org/jira/browse/SYNCOPE-1067
Project: Syncope
Issue Type: Improvement
Components: console, core
Reporter: Francesco Chicchiriccò
Fix For: 2.0.4, 2.1.0

The current implementation of [delegated administration|https://syncope.apache.org/docs/reference-guide.html#delegated-administration]
relies on Roles, where each Role associates a set of Entitlements (e.g.
administrative actions) to a set of Realms (e.g. containers for Users / Groups
/ Any Objects).
This requires, however, that the set of Users / Groups / Any Objects to
administer is somehow statically defined by containment: "administrators with
role R can manage users under realms /a and /b" works as long as users to
administer are fully contained by the Realms /a and /b; but what if the set of
Users that R can administer needs to be dynamically defined, say by the value
of a 'department' attribute?
Two approaches can be taken here:
# extend the Role concept to map Entitlements to Realms and / or Groups
# introduce the new concept of Virtual Realm, e.g. containers that are defined
by dynamic conditions (as currently happening for Groups and Roles), and make
Roles map Entitlements to Realms / Virtual Realms
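An added illustration of the second approach, not code from the issue or from Syncope: a minimal authorization check in which a Role grants Entitlements over static Realms (by path containment) or over a virtual realm defined by a condition on the 'department' attribute. The class names, the `finance-dept` virtual realm, the `USER_UPDATE` sample entitlement and the users are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    realm: str                               # full realm path, e.g. "/a/sales"
    attrs: dict = field(default_factory=dict)

@dataclass
class Role:
    entitlements: frozenset
    realms: tuple = ()                       # static containers
    virtual_realms: tuple = ()               # hypothetical: names of dynamic containers

# Hypothetical virtual realm: membership is a condition on attributes, not a path.
VIRTUAL_REALMS = {"finance-dept": lambda u: u.attrs.get("department") == "finance"}

def in_realm(realm: str, path: str) -> bool:
    """Containment test; compares whole path segments so /a does not cover /ab."""
    return realm == "/" or path == realm or path.startswith(realm + "/")

def is_authorized(roles, entitlement, user, virtual_realms=VIRTUAL_REALMS) -> bool:
    """Default deny: some role must grant the entitlement over a realm holding the user."""
    for role in roles:
        if entitlement not in role.entitlements:
            continue
        if any(in_realm(r, user.realm) for r in role.realms):
            return True
        for name in role.virtual_realms:
            condition = virtual_realms.get(name)   # unknown name grants nothing
            if condition is not None and condition(user):
                return True
    return False

# Constructed sample data.
alice = User("alice", "/a/sales", {"department": "finance"})
bob = User("bob", "/c", {"department": "finance"})
carol = User("carol", "/ab", {"department": "sales"})
R = Role(frozenset({"USER_UPDATE"}), realms=("/a", "/b"))
R_DYN = Role(frozenset({"USER_UPDATE"}), virtual_realms=("finance-dept",))

if __name__ == "__main__":
    for u in (alice, bob, carol):
        print(u.name, is_authorized([R], "USER_UPDATE", u),
              is_authorized([R_DYN], "USER_UPDATE", u))
```

With the static role, bob (finance, but under /c) is out of reach; the virtual realm reaches him without widening the role to /c, and carol under /ab stays excluded in both cases.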