On 19 Apr 2012, at 18:56, Tylor Sampson wrote:

> Greetings,
> 
> An item I was thinking would be useful is the ability to
> manually link/unlink a single user to a resource.  This could be very
> useful in a situation where a user's username may be
> different across resources.
> 
> I suspect this may be tricky, since there would be a username mapping most
> likely defined in the schema mapping, but perhaps, store a flag per
> user/resource so Syncope knows to ignore the mapping, and use the manually
> linked account on the resource?
> 
> 
> We have a use-case where users have a matching account on a resource.  We
> have a concept of privileged accounts, that are in addition to your normal
> ldap/ad account.  So I was thinking I could define the ldap server as two
> different resources, one for the matching account, and one for
> the privileged account.  However, I am not sure how to link
> the privileged account to the user's account.  I think if
> the privileged accounts used a static naming pattern, I could create a
> schema matching, but alas I am not sure that is an option.
> 
> Thoughts, suggestions?

Hi Tylor,
I'm not sure I have understood the case well.

Are you saying that you would be able to perform the following steps?

1. select a certain "privileged" user on Apache Syncope
2. search for an account/profile in a specific resource
3. select one of the returned resource accounts
4. ask for a manual link between the local user and the resource account

Is it right?

If so, this feature sounds really interesting.
BTW, are you sure we cannot do the same by using the current mapping features?

I mean, you could create one or more specific attribute schemas to be valued 
just for your "privileged" users. 
Then you can use a specific mapping about these attributes (accountId included) 
during propagation and an ad-hoc SynchronizationPolicy to specify the 
correlation rule to be used during synchronization (probably the correlation 
rule could be empowered).
Of course, as you say above, these configurations have to be given about a 
"privileged" resource.

Please let me know if I missed something.

Best regards,
F.

> On Thu, Apr 19, 2012 at 5:25 AM, Fabio Martelli 
> <[email protected]> wrote:
> 
>> 
>> On 19 Apr 2012, at 11:20, Bob Lannoy wrote:
>> 
>>> Hi guys,
>>> 
>>> this is something I would like to have. A "normal user" that can only
>>> create users and assign roles to them doesn't need to see all the tabs
>>> like "derived attributes", "virtual attributes", resources, ...
>>> Maybe this could be mapped to "UI-entitlements".
>>> A simplified console as you like.
>> 
>> That's right but I wouldn't use entitlements; I'd prefer a template-oriented
>> approach like the userTemplates defined for synchronization tasks.
>> 
>>> I would even go as far as limiting the roles such a user can see.
>>> Something like a scope or base (show roles underneath role_XX). But
>>> this is probably something very specific to my use of Syncope since I
>>> would like to have several organisations in a role tree.
>> 
>> By using a good template we should be able to apply a restriction on:
>> * roles
>> * resources
>> * memberships and membership attributes (normal, derived and virtual)
>> * user attributes
>> * user derived attributes
>> * user virtual attributes
>> 
>>> As I understand it, for the moment I would have to make a custom
>>> UserModalPage to handle this.
>>> Can someone give me an example how I do this with the maven overlay?
>> 
>> You have to perform the following steps:
>> * create the project [1]
>> * add your new UserModalPage using the same package (maybe editing a copy
>> of the original class)
>> * add your UserModalPage.html and UserModalPage[_it | _nl | _de].properties
>> * build and deploy
>> 
>> [1]
>> https://cwiki.apache.org/confluence/display/SYNCOPE/Create+a+new+Syncope+project
>> 
>> Regards,
>> F.
>> 
>>> On 19 April 2012 10:50, Fabio Martelli <[email protected]> wrote:
>>>> 
>>>> On 19 Apr 2012, at 10:12, Marco Di Sabatino Di Diodoro wrote:
>>>> 
>>>>> Suggest:
>>>>> 
>>>>> Possibility to specify a custom user form with a set of attributes for the members of a role.
>>>>> The user assigned the role will use this user form when creating or editing users. A user form assigned through a role overrides the default user form of Apache Syncope.
>>>> 
>>>> You are suggesting to add something to restrict user information to be managed by a certain administrator, right?
>>>> 
>>>> In this way you can say that a user, delegated to manage users under certain conditions (by adding roles to admin and users), can manage attributes, resources, roles and so on with respect to what is specified by a certain template provided by the core.
>>>> The UserModalPage of the administration console should become more parametric than now by showing only the fields specified by the core (if a template is provided).
>>>> 
>>>> This shouldn't be a second level of security but just a presentation issue, right?
>>>> 
>>>> Regards,
>>>> F.
>>>> 
>>>>> 
>>>>> WDYT?
>>>>> 
>>>>> Marco
>>>>> --
>>>>> 
>>>>> Dott. Marco Di Sabatino Di Diodoro
>>>>> Tel. +39 3939065570
>>>>> 
>>>>> Tirasa S.r.l.
>>>>> Viale D'Annunzio 267 - 65127 Pescara
>>>>> Tel +39 0859116307 / FAX +39 0859111173
>>>>> http://www.tirasa.net
>>>>> 
>>>>> Apache Syncope PPMC Member
>>>>> http://people.apache.org/~mdisabatino
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>> 
>> 
>> 
