syncope git commit: [SYNCOPE-1067] provides the possibility to select for a dynamic realms and manage object inside it
Repository: syncope Updated Branches: refs/heads/2_0_X c13f9e626 -> 65a0f14d4 [SYNCOPE-1067] provides the possibility to select for a dynamic realms and manage object inside it Project: http://git-wip-us.apache.org/repos/asf/syncope/repo Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/65a0f14d Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/65a0f14d Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/65a0f14d Branch: refs/heads/2_0_X Commit: 65a0f14d49351b29ce8ba78b02916b9a72e7ad52 Parents: c13f9e6 Author: fmartelliAuthored: Wed Jun 14 17:37:22 2017 +0200 Committer: fmartelli Committed: Wed Jun 14 17:37:22 2017 +0200 -- .../console/panels/AnyDirectoryPanel.java | 6 +- .../console/panels/AnyObjectDirectoryPanel.java | 8 +- .../syncope/client/console/panels/AnyPanel.java | 68 ++--- .../console/panels/GroupDirectoryPanel.java | 11 ++ .../syncope/client/console/panels/Realm.java| 68 - .../client/console/panels/RealmChoicePanel.java | 143 ++- .../console/panels/UserDirectoryPanel.java | 11 +- .../client/console/rest/RealmRestClient.java| 12 ++ .../META-INF/resources/css/syncopeConsole.css | 4 + .../client/console/pages/Realms.properties | 4 + .../client/console/pages/Realms_it.properties | 4 + .../console/pages/Realms_pt_BR.properties | 4 + .../client/console/pages/Realms_ru.properties | 4 + .../client/console/panels/RealmChoicePanel.html | 2 +- .../syncope/fit/console/RealmsITCase.java | 6 +- .../apache/syncope/fit/console/UsersITCase.java | 2 +- 16 files changed, 291 insertions(+), 66 deletions(-) -- http://git-wip-us.apache.org/repos/asf/syncope/blob/65a0f14d/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyDirectoryPanel.java -- diff --git a/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyDirectoryPanel.java b/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyDirectoryPanel.java index 64cb0b0..4bc4b7b 100644 
--- a/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyDirectoryPanel.java +++ b/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyDirectoryPanel.java @@ -43,6 +43,7 @@ import org.apache.syncope.client.console.wicket.markup.html.bootstrap.dialog.Bas import org.apache.syncope.client.console.wicket.markup.html.form.ActionLink; import org.apache.syncope.client.console.wizards.any.AnyWrapper; import org.apache.syncope.client.console.wizards.any.StatusPanel; +import org.apache.syncope.common.lib.SyncopeConstants; import org.apache.syncope.common.lib.to.AnyTO; import org.apache.syncope.common.lib.to.AnyTypeClassTO; import org.apache.syncope.common.lib.to.ConnObjectTO; @@ -91,7 +92,8 @@ public abstract class AnyDirectoryPanel builder, final boolean wizardInModal) { super(id, builder, wizardInModal); -if (SyncopeConsoleSession.get().owns(String.format("%s_CREATE", builder.type), builder.realm)) { +if (SyncopeConsoleSession.get().owns(String.format("%s_CREATE", builder.type), builder.realm) +&& builder.realm.startsWith(SyncopeConstants.ROOT_REALM)) { MetaDataRoleAuthorizationStrategy.authorizeAll(addAjaxLink, RENDER); } else { MetaDataRoleAuthorizationStrategy.unauthorizeAll(addAjaxLink, RENDER); @@ -176,7 +178,7 @@ public abstract class AnyDirectoryPanelhttp://git-wip-us.apache.org/repos/asf/syncope/blob/65a0f14d/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyObjectDirectoryPanel.java -- diff --git a/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyObjectDirectoryPanel.java b/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyObjectDirectoryPanel.java index a8a1207..75803d9 100644 --- a/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyObjectDirectoryPanel.java +++ b/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyObjectDirectoryPanel.java 
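Review bot: The added `&& builder.realm.startsWith(SyncopeConstants.ROOT_REALM)` condition in the `@@ -91,7 +92,8 @@` hunk only controls whether `addAjaxLink` is rendered, so it is a presentation decision in the console, not an authorization check. The documentation commit further down this page states that administrators granted rights via Dynamic Realms may update but not create or delete, and that rule has to be rejected by the core when the create request arrives; nothing visible here shows that it is. The test also appears to infer "dynamic realm" from the realm string not starting with the root-realm prefix, which presumably holds only if a dynamic realm key can never begin with that prefix; confirm that the key is validated on creation, or carry an explicit flag on the builder instead. A comment above the condition such as `// dynamic realms grant update only: hide the create link; the core must still refuse the create` would record the intent. The constructor begins and ends outside the hunk, and the same hunk is repeated in the master-branch commit 03d5364b later on the page.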
@@ -40,6 +40,7 @@ import org.apache.syncope.client.console.wizards.AjaxWizard; import org.apache.syncope.client.console.wizards.WizardMgtPanel; import org.apache.syncope.client.console.wizards.any.AnyWrapper; import org.apache.syncope.common.lib.SyncopeClientException; +import org.apache.syncope.common.lib.SyncopeConstants; import org.apache.syncope.common.lib.to.AnyObjectTO; import org.apache.syncope.common.lib.to.AnyTypeClassTO; import org.apache.syncope.common.lib.types.AnyEntitlement; @@ -172,7 +173,7 @@ public class AnyObjectDirectoryPanel extends
Syncope-2_0_X - Build # 381 - Failure
The Apache Jenkins build system has built Syncope-2_0_X (build #381) Status: Failure Check console output at https://builds.apache.org/job/Syncope-2_0_X/381/ to view the results.
syncope git commit: [SYNCOPE-1067] fix to build with Java7
Repository: syncope Updated Branches: refs/heads/2_0_X 65a0f14d4 -> a2c5c100d [SYNCOPE-1067] fix to build with Java7 Project: http://git-wip-us.apache.org/repos/asf/syncope/repo Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/a2c5c100 Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/a2c5c100 Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/a2c5c100 Branch: refs/heads/2_0_X Commit: a2c5c100dcde30b5c4b32b644284353e22758aff Parents: 65a0f14 Author: fmartelliAuthored: Wed Jun 14 18:01:25 2017 +0200 Committer: fmartelli Committed: Wed Jun 14 18:01:25 2017 +0200 -- .../org/apache/syncope/client/console/panels/RealmChoicePanel.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- http://git-wip-us.apache.org/repos/asf/syncope/blob/a2c5c100/client/console/src/main/java/org/apache/syncope/client/console/panels/RealmChoicePanel.java --
diff --git a/client/console/src/main/java/org/apache/syncope/client/console/panels/RealmChoicePanel.java b/client/console/src/main/java/org/apache/syncope/client/console/panels/RealmChoicePanel.java
index 2204289..4f0bbde 100644
--- a/client/console/src/main/java/org/apache/syncope/client/console/panels/RealmChoicePanel.java
+++ b/client/console/src/main/java/org/apache/syncope/client/console/panels/RealmChoicePanel.java
@@ -123,7 +123,7 @@ public class RealmChoicePanel extends Panel {
 @Override
 protected List load() {
 final List dynRealms = realmRestClient.listDynReams();
-dynRealms.sort(new Comparator() {
+Collections.sort(dynRealms, new Comparator() {
 @Override
 public int compare(final DynRealmTO left, final DynRealmTO right) {
Syncope-2_0_X - Build # 382 - Fixed
The Apache Jenkins build system has built Syncope-2_0_X (build #382) Status: Fixed Check console output at https://builds.apache.org/job/Syncope-2_0_X/382/ to view the results.
syncope git commit: [SYNCOPE-1067] provides the possibility to select for a dynamic realms and manage object inside it
Repository: syncope Updated Branches: refs/heads/master a21329eea -> 03d5364b1 [SYNCOPE-1067] provides the possibility to select for a dynamic realms and manage object inside it Project: http://git-wip-us.apache.org/repos/asf/syncope/repo Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/03d5364b Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/03d5364b Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/03d5364b Branch: refs/heads/master Commit: 03d5364b14bb911358f8b468924e304576ff99da Parents: a21329e Author: fmartelliAuthored: Wed Jun 14 17:37:22 2017 +0200 Committer: fmartelli Committed: Wed Jun 14 17:38:08 2017 +0200 -- .../console/panels/AnyDirectoryPanel.java | 6 +- .../console/panels/AnyObjectDirectoryPanel.java | 8 +- .../syncope/client/console/panels/AnyPanel.java | 68 ++--- .../console/panels/GroupDirectoryPanel.java | 11 ++ .../syncope/client/console/panels/Realm.java| 68 - .../client/console/panels/RealmChoicePanel.java | 143 ++- .../console/panels/UserDirectoryPanel.java | 11 +- .../client/console/rest/RealmRestClient.java| 12 ++ .../META-INF/resources/css/syncopeConsole.css | 4 + .../client/console/pages/Realms.properties | 4 + .../client/console/pages/Realms_it.properties | 4 + .../console/pages/Realms_pt_BR.properties | 4 + .../client/console/pages/Realms_ru.properties | 4 + .../client/console/panels/RealmChoicePanel.html | 2 +- .../syncope/fit/console/RealmsITCase.java | 6 +- .../apache/syncope/fit/console/UsersITCase.java | 2 +- 16 files changed, 291 insertions(+), 66 deletions(-) -- http://git-wip-us.apache.org/repos/asf/syncope/blob/03d5364b/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyDirectoryPanel.java -- diff --git a/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyDirectoryPanel.java b/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyDirectoryPanel.java index 64cb0b0..4bc4b7b 100644 
--- a/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyDirectoryPanel.java +++ b/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyDirectoryPanel.java @@ -43,6 +43,7 @@ import org.apache.syncope.client.console.wicket.markup.html.bootstrap.dialog.Bas import org.apache.syncope.client.console.wicket.markup.html.form.ActionLink; import org.apache.syncope.client.console.wizards.any.AnyWrapper; import org.apache.syncope.client.console.wizards.any.StatusPanel; +import org.apache.syncope.common.lib.SyncopeConstants; import org.apache.syncope.common.lib.to.AnyTO; import org.apache.syncope.common.lib.to.AnyTypeClassTO; import org.apache.syncope.common.lib.to.ConnObjectTO; @@ -91,7 +92,8 @@ public abstract class AnyDirectoryPanel builder, final boolean wizardInModal) { super(id, builder, wizardInModal); -if (SyncopeConsoleSession.get().owns(String.format("%s_CREATE", builder.type), builder.realm)) { +if (SyncopeConsoleSession.get().owns(String.format("%s_CREATE", builder.type), builder.realm) +&& builder.realm.startsWith(SyncopeConstants.ROOT_REALM)) { MetaDataRoleAuthorizationStrategy.authorizeAll(addAjaxLink, RENDER); } else { MetaDataRoleAuthorizationStrategy.unauthorizeAll(addAjaxLink, RENDER); @@ -176,7 +178,7 @@ public abstract class AnyDirectoryPanelhttp://git-wip-us.apache.org/repos/asf/syncope/blob/03d5364b/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyObjectDirectoryPanel.java -- diff --git a/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyObjectDirectoryPanel.java b/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyObjectDirectoryPanel.java index a8a1207..75803d9 100644 --- a/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyObjectDirectoryPanel.java +++ b/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyObjectDirectoryPanel.java 
@@ -40,6 +40,7 @@ import org.apache.syncope.client.console.wizards.AjaxWizard; import org.apache.syncope.client.console.wizards.WizardMgtPanel; import org.apache.syncope.client.console.wizards.any.AnyWrapper; import org.apache.syncope.common.lib.SyncopeClientException; +import org.apache.syncope.common.lib.SyncopeConstants; import org.apache.syncope.common.lib.to.AnyObjectTO; import org.apache.syncope.common.lib.to.AnyTypeClassTO; import org.apache.syncope.common.lib.types.AnyEntitlement; @@ -172,7 +173,7 @@ public class AnyObjectDirectoryPanel extends
[2/3] syncope git commit: Formatting curl JWT as AsciiDoctor's sample
Formatting curl JWT as AsciiDoctor's sample Project: http://git-wip-us.apache.org/repos/asf/syncope/repo Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/5545caf0 Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/5545caf0 Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/5545caf0 Branch: refs/heads/2_0_X Commit: 5545caf056b22b8520df508dfef89d9a42f6172b Parents: 12aa89d Author: Francesco ChicchiriccòAuthored: Wed Jun 14 10:28:25 2017 +0200 Committer: Francesco Chicchiriccò Committed: Wed Jun 14 10:28:25 2017 +0200 -- .../workingwithapachesyncope/restfulservices.adoc| 11 +-- 1 file changed, 5 insertions(+), 6 deletions(-) -- http://git-wip-us.apache.org/repos/asf/syncope/blob/5545caf0/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc -- diff --git a/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc b/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc index 32b6247..b16fc71 100644 --- a/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc +++ b/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc @@ -89,11 +89,10 @@ user. The same header with provided value must be included in all subsequent requests, in order for the requester to be checked for authorization. -For example, using http://curl.haxx.se/[curl^]: - +.Obtaining JWT with http://curl.haxx.se/[curl^] + -curl -I -u admin:password -X POST \ - http://localhost:9080/syncope/rest/accessTokens/login +curl -I -u admin:password -X POST http://localhost:9080/syncope/rest/accessTokens/login returns 
@@ -102,9 +101,9 @@ X-Syncope-Token: eyJ0e.. which can then be used to make a call to the REST API . -curl -I -H "X-Syncope-Token: eyJ0e.." \ - http://localhost:9080/syncope/rest/users/self +curl -I -H "X-Syncope-Token: eyJ0e.." http://localhost:9080/syncope/rest/users/self . + The token duration can be configured via the `jwt.lifetime.minutes` property - see < > for details.
[3/3] syncope git commit: Formatting curl JWT as AsciiDoctor's sample
Formatting curl JWT as AsciiDoctor's sample Project: http://git-wip-us.apache.org/repos/asf/syncope/repo Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/919b32e6 Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/919b32e6 Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/919b32e6 Branch: refs/heads/master Commit: 919b32e6840ae330db944cb1990baccae365a245 Parents: d5a5079 Author: Francesco ChicchiriccòAuthored: Wed Jun 14 10:28:25 2017 +0200 Committer: Francesco Chicchiriccò Committed: Wed Jun 14 10:28:40 2017 +0200 -- .../workingwithapachesyncope/restfulservices.adoc| 11 +-- 1 file changed, 5 insertions(+), 6 deletions(-) -- http://git-wip-us.apache.org/repos/asf/syncope/blob/919b32e6/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc -- diff --git a/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc b/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc index d602a61..544b143 100644 --- a/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc +++ b/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc @@ -89,11 +89,10 @@ user. The same header with provided value must be included in all subsequent requests, in order for the requester to be checked for authorization. -For example, using http://curl.haxx.se/[curl^]: - +.Obtaining JWT with http://curl.haxx.se/[curl^] + -curl -I -u admin:password -X POST \ - http://localhost:9080/syncope/rest/accessTokens/login +curl -I -u admin:password -X POST http://localhost:9080/syncope/rest/accessTokens/login returns 
@@ -102,9 +101,9 @@ X-Syncope-Token: eyJ0e.. which can then be used to make a call to the REST API . -curl -I -H "X-Syncope-Token: eyJ0e.." \ - http://localhost:9080/syncope/rest/users/self +curl -I -H "X-Syncope-Token: eyJ0e.." http://localhost:9080/syncope/rest/users/self . + The token duration can be configured via the `jwt.lifetime.minutes` property - see < > for details.
[1/3] syncope git commit: Adding an example to show how to obtain a JWT Token using curl and use it to make an invocation
Repository: syncope Updated Branches: refs/heads/2_0_X a1302562e -> 5545caf05 refs/heads/master d5a5079cc -> 919b32e68 Adding an example to show how to obtain a JWT Token using curl and use it to make an invocation Project: http://git-wip-us.apache.org/repos/asf/syncope/repo Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/12aa89d3 Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/12aa89d3 Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/12aa89d3 Branch: refs/heads/2_0_X Commit: 12aa89d31385ed1534dc443d6bff5a6d1626324d Parents: a130256 Author: Colm O hEigeartaighAuthored: Tue Jun 13 17:29:31 2017 +0100 Committer: Francesco Chicchiriccò Committed: Wed Jun 14 10:18:00 2017 +0200 -- .../workingwithapachesyncope/restfulservices.adoc | 17 + 1 file changed, 17 insertions(+) -- http://git-wip-us.apache.org/repos/asf/syncope/blob/12aa89d3/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc -- diff --git a/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc b/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc index 340ebf2..32b6247 100644 --- a/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc +++ b/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc @@ -89,6 +89,23 @@ user. The same header with provided value must be included in all subsequent requests, in order for the requester to be checked for authorization. +For example, using http://curl.haxx.se/[curl^]: + + +curl -I -u admin:password -X POST \ + http://localhost:9080/syncope/rest/accessTokens/login + +returns + +HTTP/1.1 204 +X-Syncope-Token: eyJ0e.. + +which can then be used to make a call to the REST API +. +curl -I -H "X-Syncope-Token: eyJ0e.." \ + http://localhost:9080/syncope/rest/users/self +. + The token duration can be configured via the `jwt.lifetime.minutes` property - see < > for details.
[2/2] syncope git commit: [SYNCOPE-1067] Doc update
[SYNCOPE-1067] Doc update Project: http://git-wip-us.apache.org/repos/asf/syncope/repo Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/a21329ee Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/a21329ee Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/a21329ee Branch: refs/heads/master Commit: a21329eeabb33f5e2690f54ac30a6c34ecfa00c5 Parents: 919b32e Author: Francesco ChicchiriccòAuthored: Wed Jun 14 13:57:16 2017 +0200 Committer: Francesco Chicchiriccò Committed: Wed Jun 14 13:57:24 2017 +0200 -- .../asciidoc/reference-guide/concepts/realms.adoc | 12 .../asciidoc/reference-guide/concepts/roles.adoc | 18 -- 2 files changed, 28 insertions(+), 2 deletions(-) -- http://git-wip-us.apache.org/repos/asf/syncope/blob/a21329ee/src/main/asciidoc/reference-guide/concepts/realms.adoc -- diff --git a/src/main/asciidoc/reference-guide/concepts/realms.adoc b/src/main/asciidoc/reference-guide/concepts/realms.adoc index 9e791e1..188cf07 100644 --- a/src/main/asciidoc/reference-guide/concepts/realms.adoc +++ b/src/main/asciidoc/reference-guide/concepts/realms.adoc @@ -43,6 +43,18 @@ Moreover, this partition allows fine-grained control over policy enforcement and < > and < >, helps to implement < >. +[[dynamic-realms]] +.Dynamic Realms + +Realms provide a mean to model static containment hierarchies. + +Such strategy might not be the ideal fit for situations where the set of Users, Groups and Any Objects to administer +cannot be statically defined by containment. + +Dynamic Realms can be used to identify Users, Groups and Any Objects according to some attributes' value, resource +assignment, group membership or any other condition available, with purpose of granting +< > rights. + + [TIP] .Logic Templates http://git-wip-us.apache.org/repos/asf/syncope/blob/a21329ee/src/main/asciidoc/reference-guide/concepts/roles.adoc -- 
diff --git a/src/main/asciidoc/reference-guide/concepts/roles.adoc b/src/main/asciidoc/reference-guide/concepts/roles.adoc index 5cfc19e..662febc 100644 --- a/src/main/asciidoc/reference-guide/concepts/roles.adoc +++ b/src/main/asciidoc/reference-guide/concepts/roles.adoc @@ -18,7 +18,8 @@ // === Roles -Roles map a set of < > to a set of < >. +Roles map a set of < > to a set of < > and / or +< >. [TIP] .Static and Dynamic Memberships @@ -31,10 +32,23 @@ role. Delegated Administration -The idea is that any user U assigned to a role R, which provides entitlements E~1~...E~n~ for realms Re~1~...Re~k~, can +The idea is that any user U assigned to a role R, which provides entitlements E~1~...E~n~ for realms Re~1~...Re~m~, can exercise E~i~ on entities (Users, Groups, Any Objects of given types, depending on E~i~) under any Re~j~ or related sub-realms. +Moreover, any user U assigned to a role R, which provides entitlements E~1~...E~n~ for dynamic realms DR~1~..DR~n~, can +exercise E~i~ on entities (Users, Groups, Any Objects of given types, depending on E~i~) matching the conditions defined +for any DR~k~. + +[WARNING] +.Dynamic Realms limitations + +Users to whom administration rights were granted via Dynamic Realms can only *update* Users, Groups and Any Objects, +not create nor delete. + +Moreover, the only accepted changes on a given entity are the ones that do not change any Dynamic Realm's matching +condition for such entity. + + .Authorization Let's suppose that we want to implement the following scenario:
[1/2] syncope git commit: [SYNCOPE-1067] Doc update
Repository: syncope Updated Branches: refs/heads/2_0_X 5545caf05 -> c13f9e626 refs/heads/master 919b32e68 -> a21329eea [SYNCOPE-1067] Doc update Project: http://git-wip-us.apache.org/repos/asf/syncope/repo Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/c13f9e62 Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/c13f9e62 Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/c13f9e62 Branch: refs/heads/2_0_X Commit: c13f9e62653dd12485b22a50831225437a194ed7 Parents: 5545caf Author: Francesco ChicchiriccòAuthored: Wed Jun 14 13:57:16 2017 +0200 Committer: Francesco Chicchiriccò Committed: Wed Jun 14 13:57:16 2017 +0200 -- .../asciidoc/reference-guide/concepts/realms.adoc | 12 .../asciidoc/reference-guide/concepts/roles.adoc | 18 -- 2 files changed, 28 insertions(+), 2 deletions(-) -- http://git-wip-us.apache.org/repos/asf/syncope/blob/c13f9e62/src/main/asciidoc/reference-guide/concepts/realms.adoc -- diff --git a/src/main/asciidoc/reference-guide/concepts/realms.adoc b/src/main/asciidoc/reference-guide/concepts/realms.adoc index 8b4267c..ec9cfbc 100644 --- a/src/main/asciidoc/reference-guide/concepts/realms.adoc +++ b/src/main/asciidoc/reference-guide/concepts/realms.adoc @@ -43,6 +43,18 @@ Moreover, this partition allows fine-grained control over policy enforcement and < > and < >, helps to implement < >. +[[dynamic-realms]] +.Dynamic Realms + +Realms provide a mean to model static containment hierarchies. + +Such strategy might not be the ideal fit for situations where the set of Users, Groups and Any Objects to administer +cannot be statically defined by containment. + +Dynamic Realms can be used to identify Users, Groups and Any Objects according to some attributes' value, resource +assignment, group membership or any other condition available, with purpose of granting +< > rights. + + [TIP] .Logic Templates http://git-wip-us.apache.org/repos/asf/syncope/blob/c13f9e62/src/main/asciidoc/reference-guide/concepts/roles.adoc -- 
diff --git a/src/main/asciidoc/reference-guide/concepts/roles.adoc b/src/main/asciidoc/reference-guide/concepts/roles.adoc index 5cfc19e..662febc 100644 --- a/src/main/asciidoc/reference-guide/concepts/roles.adoc +++ b/src/main/asciidoc/reference-guide/concepts/roles.adoc @@ -18,7 +18,8 @@ // === Roles -Roles map a set of < > to a set of < >. +Roles map a set of < > to a set of < > and / or +< >. [TIP] .Static and Dynamic Memberships @@ -31,10 +32,23 @@ role. Delegated Administration -The idea is that any user U assigned to a role R, which provides entitlements E~1~...E~n~ for realms Re~1~...Re~k~, can +The idea is that any user U assigned to a role R, which provides entitlements E~1~...E~n~ for realms Re~1~...Re~m~, can exercise E~i~ on entities (Users, Groups, Any Objects of given types, depending on E~i~) under any Re~j~ or related sub-realms. +Moreover, any user U assigned to a role R, which provides entitlements E~1~...E~n~ for dynamic realms DR~1~..DR~n~, can +exercise E~i~ on entities (Users, Groups, Any Objects of given types, depending on E~i~) matching the conditions defined +for any DR~k~. + +[WARNING] +.Dynamic Realms limitations + +Users to whom administration rights were granted via Dynamic Realms can only *update* Users, Groups and Any Objects, +not create nor delete. + +Moreover, the only accepted changes on a given entity are the ones that do not change any Dynamic Realm's matching +condition for such entity. + + .Authorization Let's suppose that we want to implement the following scenario: