[ https://issues.apache.org/jira/browse/SYNCOPE-957?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16930618#comment-16930618 ]
Francesco Chicchiriccò commented on SYNCOPE-957:
------------------------------------------------
We can introduce a new concept: *Account*.
Nowadays, Accounts don't have an explicit representation, they are just the
result of applying a Mapping to an Identity (User, Group or Any Object).
We can introduce the possibility to link Accounts to a User, from the various
defined External Resources.
The former can be named Mapped Account, the latter Linked Accounts.
A Linked Account is defined by:
# the linked User
# the External Resource it comes from
# the set of Plain Attributes for which different values are provided, compared
to the linked User (override values)
# the set of Privileges assigned, different from the ones that linked User owns
via Roles
When Propagation is triggered onto a certain External Resource (either because
User was changed, or for Push execution), several Propagation Tasks will be
generated, e.g. one for each Account (Mapped and Linked) for that External
Resource; propagation values will be calculated by applying the existing
Mapping to either standard User attributes or override values defined for
Linked Accounts.
During Pull the current behavior will remain, e.g. for each SyncDelta of type
{{CREATE_OR_UPDATE}} a new User is created unless a match is found, generating
an update; Pull Policies could also be enhanced to include the possibility to
transform the SyncDelta into a Linked Account of an existing User rather than
creating a new User.
Two new features are needed:
# manual link of Accounts to Users
# manual merge of two Users resolving into keeping one as User and transforming
the other one into a Linked Account
Finally, Admin Console and Enduser UI will have to be updated to allow for (1)
Linked Accounts display and (2) managing override values and privileges, for
each Linked Account.
> Multiaccount
> ------------
>
> Key: SYNCOPE-957
> URL: https://issues.apache.org/jira/browse/SYNCOPE-957
> Project: Syncope
> Issue Type: New Feature
> Reporter: Francesco Chicchiriccò
> Priority: Major
> Fix For: 3.0.0
>
>
> Users, as groups and any objects, can be mapped to external resources and
> pull, push or propagation might result in associating them to accounts there.
> So far, there has always been a 1-to-1 correspondence between Syncope users
> and external accounts, given a certain mapping for an external resource.
> There are use cases, however, when this could be limiting: in particular, the
> existence of "service accounts" which can be defined on LDAP or Active
> Directory. In such cases, there could be more accounts mapping to a Syncope
> user.
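
The propagation rule described in the comment above (one task per Account on the target External Resource, with override values taking precedence over the User's own attributes), modelled as an added example that is not part of the Jira comment and is not Syncope code. The class names, the `{external attribute: internal attribute}` mapping shape, the `privileges_beyond_roles` review helper and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class LinkedAccount:
    resource: str                                    # External Resource it comes from
    overrides: dict = field(default_factory=dict)    # Plain Attributes that differ from the User
    privileges: set = field(default_factory=set)     # Privileges assigned to this account

@dataclass
class User:
    plain_attrs: dict
    resources: set                                   # resources with a Mapped Account
    role_privileges: set = field(default_factory=set)
    linked: list = field(default_factory=list)

def propagation_tasks(user, resource, mapping):
    """One task per Account (Mapped and Linked) on `resource`.
    `mapping` is {external attribute: internal plain attribute} (assumed shape)."""
    def apply(attrs):
        return {ext: attrs[name] for ext, name in mapping.items() if name in attrs}
    tasks = []
    if resource in user.resources:
        tasks.append({"account": "mapped", "attrs": apply(user.plain_attrs)})
    for acct in user.linked:
        if acct.resource == resource:
            # Override values win; everything else is inherited from the User.
            effective = {**user.plain_attrs, **acct.overrides}
            tasks.append({"account": "linked", "attrs": apply(effective)})
    return tasks

def privileges_beyond_roles(user):
    """Review aid (assumption): per Linked Account, Privileges the User does not own via Roles."""
    return [(a.resource, a.privileges - user.role_privileges)
            for a in user.linked if a.privileges - user.role_privileges]

# Constructed sample data, not taken from the issue.
LDAP_MAPPING = {"uid": "username", "mail": "email", "sn": "surname"}
SAMPLE_USER = User(
    plain_attrs={"username": "jdoe", "email": "jdoe@example.org", "surname": "Doe"},
    resources={"ldap"},
    role_privileges={"read-reports"},
    linked=[
        LinkedAccount("ldap", {"username": "svc-backup", "email": "ops@example.org"},
                      {"read-reports", "backup-operator"}),
        LinkedAccount("ad", {"username": "svc-batch"}, {"read-reports"}),
    ],
)

if __name__ == "__main__":
    for task in propagation_tasks(SAMPLE_USER, "ldap", LDAP_MAPPING):
        print(task)
    print(privileges_beyond_roles(SAMPLE_USER))
```

Listing the Privileges a Linked Account holds beyond the User's Roles gives a reviewer one place to see where a service account carries more access than its owner.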