SYNCOPE-119 is exactly what I was looking for.
Thanks

Oliver
________________________________

From: Francesco Chicchiriccò [[email protected]]
Sent: 29 April 2013 15:05
To: [email protected]
Subject: Re: Assign roles to a user for a specific application

On 29/04/2013 13:45, Oliver Wulff wrote:

Hi there
In our environment each application has its own roles assigned. Which means you 
might have the ADMIN role for application A but not for application B. Does 
Syncope already support this functionality? Or might it be supported in the 
future?
To map this to LDAP, global (application/realm independent) roles could be 
defined in the entry "ou=groups" whereas application specific roles are defined 
in the entry "ou=<application id>,ou=groups,...".
What do you think?

Hi Oliver,
first of all a disclaimer: realm support is not currently available in Syncope 
1.1.X but is scheduled for 1.2.0 (see [1] for more information).

You might, however, empower role inheritance for trying to implement something 
similar; suppose your role tree is as follows:

/
--application A
--/--admin
--application B
--/--admin

e.g. two root roles ("application A" and "application B"), with a child role 
each, named "admin" for both.

You can control where such roles will be created in LDAP by playing with LDAP 
connectors/resources.

For example, you might define a single LDAP connector with no group container 
information and set this property as overridable.
Then you will have to create an external resource with group container at 
"ou=Groups,...", another at "ou=appA,ou=Groups,..." and a third at 
"ou=appB,ou=Groups,...".
Finally, you will associate such resources to the roles above.

No need to implement this so far in the projects I've been deploying, hence I 
can only tell this *should* work.

Regards.

[1] https://cwiki.apache.org/confluence/display/SYNCOPE/Roadmap

--
Francesco Chicchiriccò

ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
http://people.apache.org/~ilgrosso/
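As an added illustration (not code from the thread or from Syncope itself) of the layout Francesco sketches, the following models the role tree with per-role LDAP group containers and shows why "admin" under application A and "admin" under application B are two unrelated LDAP groups. The base DN, the cn=<role name> group naming, and the fallback to a parent's container are assumptions; the thread does not state which resource goes on which role.

```python
# Added example, not part of the original thread or the Syncope project.
from dataclasses import dataclass
from typing import Optional, Set, Dict

BASE = "dc=example,dc=org"  # constructed base DN


@dataclass
class Role:
    name: str
    parent: Optional["Role"] = None
    # group container taken from the external resource associated with this
    # role (assumed: the connector's container property is overridable)
    group_container: Optional[str] = None

    def path(self) -> str:
        return (self.parent.path() if self.parent else "") + "/" + self.name

    def effective_container(self) -> str:
        # assumed inheritance rule: a child without its own resource uses the
        # container of the nearest ancestor that has one
        role: Optional[Role] = self
        while role is not None:
            if role.group_container:
                return role.group_container
            role = role.parent
        raise ValueError(f"no resource associated with {self.path()}")

    def group_dn(self) -> str:
        # assumed naming: the LDAP group for a role is cn=<role name>
        return f"cn={self.name},{self.effective_container()}"


# the role tree from the reply: two root roles, each with a child named "admin"
app_a = Role("application A", group_container=f"ou=Groups,{BASE}")
app_b = Role("application B", group_container=f"ou=Groups,{BASE}")
admin_a = Role("admin", parent=app_a, group_container=f"ou=appA,ou=Groups,{BASE}")
admin_b = Role("admin", parent=app_b, group_container=f"ou=appB,ou=Groups,{BASE}")


def has_role(user_groups: Set[str], role: Role) -> bool:
    # a user holds the role only if the exact group DN is among their
    # memberships; the same role name under another application never matches
    return role.group_dn().lower() in {g.lower() for g in user_groups}


def demo() -> Dict[str, bool]:
    # constructed memberOf values for a user who is admin of application A only
    alice = {f"cn=admin,ou=appA,ou=Groups,{BASE}"}
    return {"admin_a": has_role(alice, admin_a), "admin_b": has_role(alice, admin_b)}
```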