On 30 March 2012, at 15:51, Bob Lannoy wrote:

> Hi,
>
> Maybe I should try to explain a bit more on what I'm trying to achieve ;)
>
> - I have an external application that contains some general roles, and
> possibly custom roles for specific elements
> - several organisations will use that application
>
> I was thinking that Syncope could manage the users of those
> organisations which means:
> - an admin user from orgA can create users for orgA and assign
> application roles to them
> - an admin user from orgB can create users for orgB and assign
> application roles to them
> The external app would then have to authenticate the user + get the
> application roles
>
> However there is no notion of organisational structure in Syncope so I
> tried a role hierarchy to model a basic structure.
> orgA (roletype=org)
> -users
> --user (roletype=user)
> --admin (roletype=user)
> -applications
> --app1 (roletype=app)
> OrgB
> ....
> Applications
> --app2 (roletype=app)

I think your design is correct. Syncope roles could be used to simulate a generic organisational structure like yours.

> I could use the syncope entitlements so that the admin role in orgA
> can only create users in the orgA/users/user role and assign
> application roles.

This should be possible by default:
1. create entitlement called ROLE_<id of the role orgA/users/user>
2. add entitlement to the role orgA/users/admin

> From the application side I would have to get info from Syncope
> stating user X from orgA has applicationrole app1 and app2.
> In my case I would get the role "user" and need to get the parent with
> roletype=org to find the org name.

This should be done programmatically.

Regards,
F.

> But maybe I'm looking at it the wrong way.
>
> Bob
>
> On 30 March 2012 15:09, Colm O hEigeartaigh <[email protected]> wrote:
>> Hi Fabio,
>>
>>> Further, you have the method verifyPassword provided by UserController that
>>> could be used to verify userid/password.
>>> This method, for security reasons, can be called only by a user with USER_READ
>>> capability.
>>
>> Consider the use-case as mentioned by Bob, where you have a third
>> party application which receives login credentials and wishes to
>> authenticate the user, and retrieve the roles associated with that
>> user for authorization. If the application logs on with the received
>> username/password, then it is assuming that the given user has a
>> USER_READ entitlement. IMO the application would log on with its own
>> credentials, and wish to authenticate the given username/password via
>> some kind of "authenticateUser" method as I mentioned before.
>>
>> Do you see a use-case for this kind of functionality or am I missing
>> something?
>>
>>> Actually users have only the roles explicitly assigned.
>>
>> The question is whether it is possible to easily retrieve the
>> hierarchy of roles for a particular user (or the authenticated user)?
>>
>> Thanks,
>>
>> Colm.
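The entitlement recipe (ROLE_<id> granted to the admin role) and the "walk up to the roletype=org parent" lookup discussed in the reply above, as an added Python model that is not part of this thread or of Syncope itself; the Role class, the 'container' roletype for the users/applications nodes, and the sample tree are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Role:
    """One node of the simulated organisational tree (constructed model, not Syncope's API)."""
    id: int
    name: str
    roletype: str
    parent: Optional["Role"] = None
    entitlements: set = field(default_factory=set)

def org_of(role: Role) -> Optional[str]:
    """Walk up the parent chain until the first role with roletype=org."""
    node = role
    while node is not None:
        if node.roletype == "org":
            return node.name
        node = node.parent
    return None

def can_create_user_in(actor: Role, target: Role) -> bool:
    """Steps 1 and 2 above: creating users in a role needs the ROLE_<id> entitlement."""
    return f"ROLE_{target.id}" in actor.entitlements

def summarize(user_roles: list) -> tuple:
    """What the external app asks for: the user's org name and its app roles."""
    orgs = {org_of(r) for r in user_roles} - {None}
    apps = sorted(r.name for r in user_roles if r.roletype == "app")
    return (orgs.pop() if len(orgs) == 1 else None, apps)

def build_sample_tree() -> dict:
    """Constructed tree following Bob's layout; roletype 'container' is assumed for users/applications."""
    roles, next_id = {}, 1
    def add(path, roletype, parent_path=None):
        nonlocal next_id
        parent = roles[parent_path] if parent_path else None
        roles[path] = Role(next_id, path.rsplit("/", 1)[-1], roletype, parent)
        next_id += 1
    for org in ("orgA", "orgB"):
        add(org, "org")
        add(f"{org}/users", "container", org)
        add(f"{org}/users/user", "user", f"{org}/users")
        add(f"{org}/users/admin", "user", f"{org}/users")
        add(f"{org}/applications", "container", org)
    add("orgA/applications/app1", "app", "orgA/applications")
    add("orgB/applications/app2", "app", "orgB/applications")
    for org in ("orgA", "orgB"):  # each admin may only create in its own org's user role
        roles[f"{org}/users/admin"].entitlements.add(f"ROLE_{roles[f'{org}/users/user'].id}")
    return roles
```

Because entitlements are keyed on the target role's id rather than inherited down the tree, orgA's admin is denied on orgB/users/user even though both roles share the same name.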
