On 17 Apr 2012, at 11:58, Colm O hEigeartaigh wrote:

> Hi all,
> 
> A "resource" in Syncope is a remote directory of some sort where you
> can propagate/synchronize attributes to/from.
> 
> I'd like to consider an alternative definition of a "resource" in the
> context of web services and if it's feasible or desirable to support
> it.
> 
> One can currently use Syncope to authenticate a web service request
> (e.g. is the client's username/password valid) or for authorization,
> where you can retrieve the authenticated client's roles, and check to
> see whether one of these roles is allowed to access the local "resource"
> the client is attempting to access.
> 
> In other words, the application server must maintain a map of role
> names to resources, where the resource could be a combination of WSDL
> target namespace, service name and operation, or a URI. There may also
> be a permission associated with this mapping such as "read", "write"
> or "execute", etc. Many IDM solutions can accept a resource as a
> String or URI, so the question is whether this is something we should
> add to the roadmap for Syncope or not?
> 
> The advantage of adding this kind of functionality to Syncope is that
> all identity and access management is done with the same product,
> instead of having to use Syncope for authentication/retrieving-roles,
> and use something else to find out whether the authenticated user has
> the correct permissions to access the local resource.
> 
> Thoughts? How would this kind of functionality work with Syncope?

Hi Colm, if I understood correctly, you are suggesting we equip Syncope with
some Access Management functionality, right?
IMO this is a good idea and, looking at your proposal, probably not so
complicated to implement.

Actually Syncope is still too far from acting as a complete Access Manager
but, for certain scenarios, what you described above could be sufficient.
For example, I was thinking of a web resource protected by something like an
agent that interacts with Syncope to allow or deny access to its contents.

I agree with you, I'd like to extend the roadmap by adding this kind of AM
feature.

F.

> Colm.
> 
> IDM can accept resource as String or URI. Permissions can also be
> generic: "read", "write", "execute", etc.
> 
> -- 
> Colm O hEigeartaigh
> 
> Talend Community Coder
> http://coders.talend.com
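
The role-to-resource map with permissions discussed in this thread, sketched as an added example that is not part of the original messages and is not Syncope code. The class names, roles, URI and namespace are constructed for illustration; the check denies by default and reports which role granted access.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Resource:
    """Either a URI, or a WSDL target namespace + service name + operation."""
    uri: Optional[str] = None
    namespace: Optional[str] = None
    service: Optional[str] = None
    operation: Optional[str] = None

    def __post_init__(self):
        ws = (self.namespace, self.service, self.operation)
        # Reject ambiguous or partial identifiers so a lookup can never
        # silently match a half-specified resource.
        ok = not any(ws) if self.uri else all(ws)
        if not ok:
            raise ValueError("need a URI or a full namespace/service/operation")


class RolePolicy:
    """Map of (role name, resource) -> permissions such as read/write/execute."""

    def __init__(self):
        self._grants = {}

    def grant(self, role: str, resource: Resource, *permissions: str) -> None:
        self._grants.setdefault((role, resource), set()).update(permissions)

    def decide(self, roles: Iterable[str], resource: Resource,
               permission: str) -> Optional[str]:
        """Return the role that grants the permission, or None (deny by default)."""
        for role in roles:
            if permission in self._grants.get((role, resource), ()):
                return role
        return None


# Constructed sample policy and resources.
ACCOUNTS = Resource(uri="/accounts")
CLOSE = Resource(namespace="http://example.org/bank",
                 service="AccountService", operation="closeAccount")


def build_sample_policy() -> RolePolicy:
    policy = RolePolicy()
    policy.grant("clerk", ACCOUNTS, "read")
    policy.grant("manager", ACCOUNTS, "read", "write")
    policy.grant("manager", CLOSE, "execute")
    return policy
```

The `roles` argument stands in for the role list an application would retrieve for the authenticated client.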
