syncope git commit: [SYNCOPE-1067] provides the possibility to select for a dynamic realms and manage object inside it

[fmartelli]

Repository: syncope
Updated Branches:
  refs/heads/2_0_X c13f9e626 -> 65a0f14d4


[SYNCOPE-1067] provides the possibility to select for a dynamic realms and 
manage object inside it


Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/65a0f14d
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/65a0f14d
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/65a0f14d

Branch: refs/heads/2_0_X
Commit: 65a0f14d49351b29ce8ba78b02916b9a72e7ad52
Parents: c13f9e6
Author: fmartelli 
Authored: Wed Jun 14 17:37:22 2017 +0200
Committer: fmartelli 
Committed: Wed Jun 14 17:37:22 2017 +0200

--
 .../console/panels/AnyDirectoryPanel.java   |   6 +-
 .../console/panels/AnyObjectDirectoryPanel.java |   8 +-
 .../syncope/client/console/panels/AnyPanel.java |  68 ++---
 .../console/panels/GroupDirectoryPanel.java |  11 ++
 .../syncope/client/console/panels/Realm.java|  68 -
 .../client/console/panels/RealmChoicePanel.java | 143 ++-
 .../console/panels/UserDirectoryPanel.java  |  11 +-
 .../client/console/rest/RealmRestClient.java|  12 ++
 .../META-INF/resources/css/syncopeConsole.css   |   4 +
 .../client/console/pages/Realms.properties  |   4 +
 .../client/console/pages/Realms_it.properties   |   4 +
 .../console/pages/Realms_pt_BR.properties   |   4 +
 .../client/console/pages/Realms_ru.properties   |   4 +
 .../client/console/panels/RealmChoicePanel.html |   2 +-
 .../syncope/fit/console/RealmsITCase.java   |   6 +-
 .../apache/syncope/fit/console/UsersITCase.java |   2 +-
 16 files changed, 291 insertions(+), 66 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/syncope/blob/65a0f14d/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyDirectoryPanel.java
--
diff --git 
a/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyDirectoryPanel.java
 
b/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyDirectoryPanel.java
index 64cb0b0..4bc4b7b 100644
--- 
a/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyDirectoryPanel.java
+++ 
b/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyDirectoryPanel.java
@@ -43,6 +43,7 @@ import 
org.apache.syncope.client.console.wicket.markup.html.bootstrap.dialog.Bas
 import org.apache.syncope.client.console.wicket.markup.html.form.ActionLink;
 import org.apache.syncope.client.console.wizards.any.AnyWrapper;
 import org.apache.syncope.client.console.wizards.any.StatusPanel;
+import org.apache.syncope.common.lib.SyncopeConstants;
 import org.apache.syncope.common.lib.to.AnyTO;
 import org.apache.syncope.common.lib.to.AnyTypeClassTO;
 import org.apache.syncope.common.lib.to.ConnObjectTO;
@@ -91,7 +92,8 @@ public abstract class AnyDirectoryPanel builder, 
final boolean wizardInModal) {
 super(id, builder, wizardInModal);
-if (SyncopeConsoleSession.get().owns(String.format("%s_CREATE", 
builder.type), builder.realm)) {
+if (SyncopeConsoleSession.get().owns(String.format("%s_CREATE", 
builder.type), builder.realm)
+&& builder.realm.startsWith(SyncopeConstants.ROOT_REALM)) {
 MetaDataRoleAuthorizationStrategy.authorizeAll(addAjaxLink, 
RENDER);
 } else {
 MetaDataRoleAuthorizationStrategy.unauthorizeAll(addAjaxLink, 
RENDER);
@@ -176,7 +178,7 @@ public abstract class AnyDirectoryPanelhttp://git-wip-us.apache.org/repos/asf/syncope/blob/65a0f14d/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyObjectDirectoryPanel.java
--
diff --git 
a/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyObjectDirectoryPanel.java
 
b/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyObjectDirectoryPanel.java
index a8a1207..75803d9 100644
--- 
a/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyObjectDirectoryPanel.java
+++ 
b/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyObjectDirectoryPanel.java
@@ -40,6 +40,7 @@ import org.apache.syncope.client.console.wizards.AjaxWizard;
 import org.apache.syncope.client.console.wizards.WizardMgtPanel;
 import org.apache.syncope.client.console.wizards.any.AnyWrapper;
 import org.apache.syncope.common.lib.SyncopeClientException;
+import org.apache.syncope.common.lib.SyncopeConstants;
 import org.apache.syncope.common.lib.to.AnyObjectTO;
 import org.apache.syncope.common.lib.to.AnyTypeClassTO;
 import org.apache.syncope.common.lib.types.AnyEntitlement;
@@ -172,7 +173,7 @@ public class AnyObjectDirectoryPanel extends 

Syncope-2_0_X - Build # 381 - Failure

[Apache Jenkins Server]

The Apache Jenkins build system has built Syncope-2_0_X (build #381)

Status: Failure

Check console output at https://builds.apache.org/job/Syncope-2_0_X/381/ to 
view the results.

syncope git commit: [SYNCOPE-1067] fix to build with Java7

[fmartelli]

Repository: syncope
Updated Branches:
  refs/heads/2_0_X 65a0f14d4 -> a2c5c100d


[SYNCOPE-1067] fix to build with Java7


Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/a2c5c100
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/a2c5c100
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/a2c5c100

Branch: refs/heads/2_0_X
Commit: a2c5c100dcde30b5c4b32b644284353e22758aff
Parents: 65a0f14
Author: fmartelli 
Authored: Wed Jun 14 18:01:25 2017 +0200
Committer: fmartelli 
Committed: Wed Jun 14 18:01:25 2017 +0200

--
 .../org/apache/syncope/client/console/panels/RealmChoicePanel.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--


http://git-wip-us.apache.org/repos/asf/syncope/blob/a2c5c100/client/console/src/main/java/org/apache/syncope/client/console/panels/RealmChoicePanel.java
--
diff --git 
a/client/console/src/main/java/org/apache/syncope/client/console/panels/RealmChoicePanel.java
 
b/client/console/src/main/java/org/apache/syncope/client/console/panels/RealmChoicePanel.java
index 2204289..4f0bbde 100644
--- 
a/client/console/src/main/java/org/apache/syncope/client/console/panels/RealmChoicePanel.java
+++ 
b/client/console/src/main/java/org/apache/syncope/client/console/panels/RealmChoicePanel.java
@@ -123,7 +123,7 @@ public class RealmChoicePanel extends Panel {
 @Override
 protected List load() {
 final List dynRealms = 
realmRestClient.listDynReams();
-dynRealms.sort(new Comparator() {
+Collections.sort(dynRealms, new Comparator() {
 
 @Override
 public int compare(final DynRealmTO left, final DynRealmTO 
right) {

Syncope-2_0_X - Build # 382 - Fixed

[Apache Jenkins Server]

The Apache Jenkins build system has built Syncope-2_0_X (build #382)

Status: Fixed

Check console output at https://builds.apache.org/job/Syncope-2_0_X/382/ to 
view the results.

syncope git commit: [SYNCOPE-1067] provides the possibility to select for a dynamic realms and manage object inside it

[fmartelli]

Repository: syncope
Updated Branches:
  refs/heads/master a21329eea -> 03d5364b1


[SYNCOPE-1067] provides the possibility to select for a dynamic realms and 
manage object inside it


Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/03d5364b
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/03d5364b
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/03d5364b

Branch: refs/heads/master
Commit: 03d5364b14bb911358f8b468924e304576ff99da
Parents: a21329e
Author: fmartelli 
Authored: Wed Jun 14 17:37:22 2017 +0200
Committer: fmartelli 
Committed: Wed Jun 14 17:38:08 2017 +0200

--
 .../console/panels/AnyDirectoryPanel.java   |   6 +-
 .../console/panels/AnyObjectDirectoryPanel.java |   8 +-
 .../syncope/client/console/panels/AnyPanel.java |  68 ++---
 .../console/panels/GroupDirectoryPanel.java |  11 ++
 .../syncope/client/console/panels/Realm.java|  68 -
 .../client/console/panels/RealmChoicePanel.java | 143 ++-
 .../console/panels/UserDirectoryPanel.java  |  11 +-
 .../client/console/rest/RealmRestClient.java|  12 ++
 .../META-INF/resources/css/syncopeConsole.css   |   4 +
 .../client/console/pages/Realms.properties  |   4 +
 .../client/console/pages/Realms_it.properties   |   4 +
 .../console/pages/Realms_pt_BR.properties   |   4 +
 .../client/console/pages/Realms_ru.properties   |   4 +
 .../client/console/panels/RealmChoicePanel.html |   2 +-
 .../syncope/fit/console/RealmsITCase.java   |   6 +-
 .../apache/syncope/fit/console/UsersITCase.java |   2 +-
 16 files changed, 291 insertions(+), 66 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/syncope/blob/03d5364b/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyDirectoryPanel.java
--
diff --git 
a/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyDirectoryPanel.java
 
b/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyDirectoryPanel.java
index 64cb0b0..4bc4b7b 100644
--- 
a/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyDirectoryPanel.java
+++ 
b/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyDirectoryPanel.java
@@ -43,6 +43,7 @@ import 
org.apache.syncope.client.console.wicket.markup.html.bootstrap.dialog.Bas
 import org.apache.syncope.client.console.wicket.markup.html.form.ActionLink;
 import org.apache.syncope.client.console.wizards.any.AnyWrapper;
 import org.apache.syncope.client.console.wizards.any.StatusPanel;
+import org.apache.syncope.common.lib.SyncopeConstants;
 import org.apache.syncope.common.lib.to.AnyTO;
 import org.apache.syncope.common.lib.to.AnyTypeClassTO;
 import org.apache.syncope.common.lib.to.ConnObjectTO;
@@ -91,7 +92,8 @@ public abstract class AnyDirectoryPanel builder, 
final boolean wizardInModal) {
 super(id, builder, wizardInModal);
-if (SyncopeConsoleSession.get().owns(String.format("%s_CREATE", 
builder.type), builder.realm)) {
+if (SyncopeConsoleSession.get().owns(String.format("%s_CREATE", 
builder.type), builder.realm)
+&& builder.realm.startsWith(SyncopeConstants.ROOT_REALM)) {
 MetaDataRoleAuthorizationStrategy.authorizeAll(addAjaxLink, 
RENDER);
 } else {
 MetaDataRoleAuthorizationStrategy.unauthorizeAll(addAjaxLink, 
RENDER);
@@ -176,7 +178,7 @@ public abstract class AnyDirectoryPanelhttp://git-wip-us.apache.org/repos/asf/syncope/blob/03d5364b/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyObjectDirectoryPanel.java
--
diff --git 
a/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyObjectDirectoryPanel.java
 
b/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyObjectDirectoryPanel.java
index a8a1207..75803d9 100644
--- 
a/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyObjectDirectoryPanel.java
+++ 
b/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyObjectDirectoryPanel.java
@@ -40,6 +40,7 @@ import org.apache.syncope.client.console.wizards.AjaxWizard;
 import org.apache.syncope.client.console.wizards.WizardMgtPanel;
 import org.apache.syncope.client.console.wizards.any.AnyWrapper;
 import org.apache.syncope.common.lib.SyncopeClientException;
+import org.apache.syncope.common.lib.SyncopeConstants;
 import org.apache.syncope.common.lib.to.AnyObjectTO;
 import org.apache.syncope.common.lib.to.AnyTypeClassTO;
 import org.apache.syncope.common.lib.types.AnyEntitlement;
@@ -172,7 +173,7 @@ public class AnyObjectDirectoryPanel extends 

[2/3] syncope git commit: Formatting curl JWT as AsciiDoctor's sample

[ilgrosso]

Formatting curl JWT as AsciiDoctor's sample


Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/5545caf0
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/5545caf0
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/5545caf0

Branch: refs/heads/2_0_X
Commit: 5545caf056b22b8520df508dfef89d9a42f6172b
Parents: 12aa89d
Author: Francesco Chicchiriccò 
Authored: Wed Jun 14 10:28:25 2017 +0200
Committer: Francesco Chicchiriccò 
Committed: Wed Jun 14 10:28:25 2017 +0200

--
 .../workingwithapachesyncope/restfulservices.adoc| 11 +--
 1 file changed, 5 insertions(+), 6 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/syncope/blob/5545caf0/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc
--
diff --git 
a/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc
 
b/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc
index 32b6247..b16fc71 100644
--- 
a/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc
+++ 
b/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc
@@ -89,11 +89,10 @@ user.
 The same header with provided value must be included in all subsequent 
requests, in order for the requester to
 be checked for authorization.
 
-For example, using http://curl.haxx.se/[curl^]:
-
+.Obtaining JWT with http://curl.haxx.se/[curl^] 
+
 
-curl -I -u admin:password -X POST \
-   http://localhost:9080/syncope/rest/accessTokens/login
+curl -I -u admin:password -X POST 
http://localhost:9080/syncope/rest/accessTokens/login
 
 returns
 
@@ -102,9 +101,9 @@ X-Syncope-Token: eyJ0e..
 
 which can then be used to make a call to the REST API
 .
-curl -I -H "X-Syncope-Token: eyJ0e.." \
-   http://localhost:9080/syncope/rest/users/self
+curl -I -H "X-Syncope-Token: eyJ0e.." 
http://localhost:9080/syncope/rest/users/self
 .
+
 
 The token duration can be configured via the `jwt.lifetime.minutes` property - 
see
 <> for details.

[3/3] syncope git commit: Formatting curl JWT as AsciiDoctor's sample

[ilgrosso]

Formatting curl JWT as AsciiDoctor's sample


Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/919b32e6
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/919b32e6
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/919b32e6

Branch: refs/heads/master
Commit: 919b32e6840ae330db944cb1990baccae365a245
Parents: d5a5079
Author: Francesco Chicchiriccò 
Authored: Wed Jun 14 10:28:25 2017 +0200
Committer: Francesco Chicchiriccò 
Committed: Wed Jun 14 10:28:40 2017 +0200

--
 .../workingwithapachesyncope/restfulservices.adoc| 11 +--
 1 file changed, 5 insertions(+), 6 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/syncope/blob/919b32e6/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc
--
diff --git 
a/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc
 
b/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc
index d602a61..544b143 100644
--- 
a/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc
+++ 
b/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc
@@ -89,11 +89,10 @@ user.
 The same header with provided value must be included in all subsequent 
requests, in order for the requester to
 be checked for authorization.
 
-For example, using http://curl.haxx.se/[curl^]:
-
+.Obtaining JWT with http://curl.haxx.se/[curl^] 
+
 
-curl -I -u admin:password -X POST \
-   http://localhost:9080/syncope/rest/accessTokens/login
+curl -I -u admin:password -X POST 
http://localhost:9080/syncope/rest/accessTokens/login
 
 returns
 
@@ -102,9 +101,9 @@ X-Syncope-Token: eyJ0e..
 
 which can then be used to make a call to the REST API
 .
-curl -I -H "X-Syncope-Token: eyJ0e.." \
-   http://localhost:9080/syncope/rest/users/self
+curl -I -H "X-Syncope-Token: eyJ0e.." 
http://localhost:9080/syncope/rest/users/self
 .
+
 
 The token duration can be configured via the `jwt.lifetime.minutes` property - 
see
 <> for details.

[1/3] syncope git commit: Adding an example to show how to obtain a JWT Token using curl and use it to make an invocation

[ilgrosso]

Repository: syncope
Updated Branches:
  refs/heads/2_0_X a1302562e -> 5545caf05
  refs/heads/master d5a5079cc -> 919b32e68


Adding an example to show how to obtain a JWT Token using curl and use it to 
make an invocation


Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/12aa89d3
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/12aa89d3
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/12aa89d3

Branch: refs/heads/2_0_X
Commit: 12aa89d31385ed1534dc443d6bff5a6d1626324d
Parents: a130256
Author: Colm O hEigeartaigh 
Authored: Tue Jun 13 17:29:31 2017 +0100
Committer: Francesco Chicchiriccò 
Committed: Wed Jun 14 10:18:00 2017 +0200

--
 .../workingwithapachesyncope/restfulservices.adoc  | 17 +
 1 file changed, 17 insertions(+)
--


http://git-wip-us.apache.org/repos/asf/syncope/blob/12aa89d3/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc
--
diff --git 
a/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc
 
b/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc
index 340ebf2..32b6247 100644
--- 
a/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc
+++ 
b/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc
@@ -89,6 +89,23 @@ user.
 The same header with provided value must be included in all subsequent 
requests, in order for the requester to
 be checked for authorization.
 
+For example, using http://curl.haxx.se/[curl^]:
+
+
+curl -I -u admin:password -X POST \
+   http://localhost:9080/syncope/rest/accessTokens/login
+
+returns
+
+HTTP/1.1 204 
+X-Syncope-Token: eyJ0e..
+
+which can then be used to make a call to the REST API
+.
+curl -I -H "X-Syncope-Token: eyJ0e.." \
+   http://localhost:9080/syncope/rest/users/self
+.
+
 The token duration can be configured via the `jwt.lifetime.minutes` property - 
see
 <> for details.
 

[2/2] syncope git commit: [SYNCOPE-1067] Doc update

[ilgrosso]

[SYNCOPE-1067] Doc update


Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/a21329ee
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/a21329ee
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/a21329ee

Branch: refs/heads/master
Commit: a21329eeabb33f5e2690f54ac30a6c34ecfa00c5
Parents: 919b32e
Author: Francesco Chicchiriccò 
Authored: Wed Jun 14 13:57:16 2017 +0200
Committer: Francesco Chicchiriccò 
Committed: Wed Jun 14 13:57:24 2017 +0200

--
 .../asciidoc/reference-guide/concepts/realms.adoc | 12 
 .../asciidoc/reference-guide/concepts/roles.adoc  | 18 --
 2 files changed, 28 insertions(+), 2 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/syncope/blob/a21329ee/src/main/asciidoc/reference-guide/concepts/realms.adoc
--
diff --git a/src/main/asciidoc/reference-guide/concepts/realms.adoc 
b/src/main/asciidoc/reference-guide/concepts/realms.adoc
index 9e791e1..188cf07 100644
--- a/src/main/asciidoc/reference-guide/concepts/realms.adoc
+++ b/src/main/asciidoc/reference-guide/concepts/realms.adoc
@@ -43,6 +43,18 @@ Moreover, this partition allows fine-grained control over 
policy enforcement and
 <> and <>, helps to implement
 <>.
 
+[[dynamic-realms]]
+.Dynamic Realms
+
+Realms provide a mean to model static containment hierarchies. +
+Such strategy might not be the ideal fit for situations where the set of 
Users, Groups and Any Objects to administer
+cannot be statically defined by containment.
+
+Dynamic Realms can be used to identify Users, Groups and Any Objects according 
to some attributes' value, resource
+assignment, group membership or any other condition available, with purpose of 
granting
+<> rights.
+
+
 [TIP]
 .Logic Templates
 

http://git-wip-us.apache.org/repos/asf/syncope/blob/a21329ee/src/main/asciidoc/reference-guide/concepts/roles.adoc
--
diff --git a/src/main/asciidoc/reference-guide/concepts/roles.adoc 
b/src/main/asciidoc/reference-guide/concepts/roles.adoc
index 5cfc19e..662febc 100644
--- a/src/main/asciidoc/reference-guide/concepts/roles.adoc
+++ b/src/main/asciidoc/reference-guide/concepts/roles.adoc
@@ -18,7 +18,8 @@
 //
 === Roles
 
-Roles map a set of <> to a set of <>.
+Roles map a set of <> to a set of <> 
and / or
+<>.
 
 [TIP]
 .Static and Dynamic Memberships
@@ -31,10 +32,23 @@ role.
 
  Delegated Administration
 
-The idea is that any user U assigned to a role R, which provides entitlements 
E~1~...E~n~ for realms Re~1~...Re~k~, can 
+The idea is that any user U assigned to a role R, which provides entitlements 
E~1~...E~n~ for realms Re~1~...Re~m~, can 
 exercise E~i~ on entities (Users, Groups, Any Objects of given types, 
depending on E~i~) under any Re~j~ or related
 sub-realms.
 
+Moreover, any user U assigned to a role R, which provides entitlements 
E~1~...E~n~ for dynamic realms DR~1~..DR~n~, can
+exercise E~i~ on entities (Users, Groups, Any Objects of given types, 
depending on E~i~) matching the conditions defined
+for any DR~k~.
+
+[WARNING]
+.Dynamic Realms limitations
+
+Users to whom administration rights were granted via Dynamic Realms can only 
*update* Users, Groups and Any Objects,
+not create nor delete. +
+Moreover, the only accepted changes on a given entity are the ones that do not 
change any Dynamic Realm's matching
+condition for such entity.
+
+
 .Authorization
 
 Let's suppose that we want to implement the following scenario:

[1/2] syncope git commit: [SYNCOPE-1067] Doc update

[ilgrosso]

Repository: syncope
Updated Branches:
  refs/heads/2_0_X 5545caf05 -> c13f9e626
  refs/heads/master 919b32e68 -> a21329eea


[SYNCOPE-1067] Doc update


Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/c13f9e62
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/c13f9e62
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/c13f9e62

Branch: refs/heads/2_0_X
Commit: c13f9e62653dd12485b22a50831225437a194ed7
Parents: 5545caf
Author: Francesco Chicchiriccò 
Authored: Wed Jun 14 13:57:16 2017 +0200
Committer: Francesco Chicchiriccò 
Committed: Wed Jun 14 13:57:16 2017 +0200

--
 .../asciidoc/reference-guide/concepts/realms.adoc | 12 
 .../asciidoc/reference-guide/concepts/roles.adoc  | 18 --
 2 files changed, 28 insertions(+), 2 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/syncope/blob/c13f9e62/src/main/asciidoc/reference-guide/concepts/realms.adoc
--
diff --git a/src/main/asciidoc/reference-guide/concepts/realms.adoc 
b/src/main/asciidoc/reference-guide/concepts/realms.adoc
index 8b4267c..ec9cfbc 100644
--- a/src/main/asciidoc/reference-guide/concepts/realms.adoc
+++ b/src/main/asciidoc/reference-guide/concepts/realms.adoc
@@ -43,6 +43,18 @@ Moreover, this partition allows fine-grained control over 
policy enforcement and
 <> and <>, helps to implement
 <>.
 
+[[dynamic-realms]]
+.Dynamic Realms
+
+Realms provide a mean to model static containment hierarchies. +
+Such strategy might not be the ideal fit for situations where the set of 
Users, Groups and Any Objects to administer
+cannot be statically defined by containment.
+
+Dynamic Realms can be used to identify Users, Groups and Any Objects according 
to some attributes' value, resource
+assignment, group membership or any other condition available, with purpose of 
granting
+<> rights.
+
+
 [TIP]
 .Logic Templates
 

http://git-wip-us.apache.org/repos/asf/syncope/blob/c13f9e62/src/main/asciidoc/reference-guide/concepts/roles.adoc
--
diff --git a/src/main/asciidoc/reference-guide/concepts/roles.adoc 
b/src/main/asciidoc/reference-guide/concepts/roles.adoc
index 5cfc19e..662febc 100644
--- a/src/main/asciidoc/reference-guide/concepts/roles.adoc
+++ b/src/main/asciidoc/reference-guide/concepts/roles.adoc
@@ -18,7 +18,8 @@
 //
 === Roles
 
-Roles map a set of <> to a set of <>.
+Roles map a set of <> to a set of <> 
and / or
+<>.
 
 [TIP]
 .Static and Dynamic Memberships
@@ -31,10 +32,23 @@ role.
 
  Delegated Administration
 
-The idea is that any user U assigned to a role R, which provides entitlements 
E~1~...E~n~ for realms Re~1~...Re~k~, can 
+The idea is that any user U assigned to a role R, which provides entitlements 
E~1~...E~n~ for realms Re~1~...Re~m~, can 
 exercise E~i~ on entities (Users, Groups, Any Objects of given types, 
depending on E~i~) under any Re~j~ or related
 sub-realms.
 
+Moreover, any user U assigned to a role R, which provides entitlements 
E~1~...E~n~ for dynamic realms DR~1~..DR~n~, can
+exercise E~i~ on entities (Users, Groups, Any Objects of given types, 
depending on E~i~) matching the conditions defined
+for any DR~k~.
+
+[WARNING]
+.Dynamic Realms limitations
+
+Users to whom administration rights were granted via Dynamic Realms can only 
*update* Users, Groups and Any Objects,
+not create nor delete. +
+Moreover, the only accepted changes on a given entity are the ones that do not 
change any Dynamic Realm's matching
+condition for such entity.
+
+
 .Authorization
 
 Let's suppose that we want to implement the following scenario: