Thanks for clarifying this.
It kinda leaves me stuck though.
I want to have RBAC for my app managed by syncope using REST.
I was assuming the AC part of RBAC is done by "entitlement" assignment
(I'm not sure how this is supposed to work for an app using syncope)
but as you can see from my curl example, I want to create a "role" which
allows access control through a resource (ldap) to my app services.
i.e.
Collaborator (role)
isAuthorized to
- generate
- update
- publish
- migrate
- scan
on appA which is connected by
resource uforge_ldap
How else can I do this? I thought that entitlement is AuthZ! (yes/no)
Maybe, in syncope, we have to define this functionality as nested roles?
Collaborator (role)
withChildren (roles)
- generate
- update
- publish
- migrate
- scan
on appA which is connected by
resource uforge_ldap
Please help me with my confusion here, if you see what I'm trying
to achieve (I'm sure this is due to my ignorance of IDM terminology).
rgds,
Nik
On 30/04/2013 14:00, Nik wrote:
Hi,
I'm trying to find a way to create/delete/update my own entitlement
names not those found in content.xml.
Of course the addition of my own entitlements fails (because, I'm
guessing, of consistency checking against those entitlements
pre-defined in content.xml, looking at the source code).
Is there a way to create/delete/update those available in
content.xml by the Syncope REST API?
Hi Nik,
entitlements are not meant to be extended: their primary purpose is to
define security constraints on RESTful methods.
Some more information:
https://cwiki.apache.org/confluence/display/SYNCOPE/Authentication+and+authorization
Regards.
e.g.
[nik@anvil openidm-project]$ curl -u admin:password -X POST \
  http://10.0.0.123:9080/syncope/cxf/roles \
  --data "<role><name>Collaborator</name><entitlements><entitlement>generate</entitlement><entitlement>update</entitlement><entitlement>publish</entitlement><entitlement>migrate</entitlement><entitlement>scan</entitlement></entitlements><resources><resource>uforge_ldap</resource></resources></role>" \
  -H "Content-type: application/xml" -D /tmp/headers
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<role>
<attributes/>
<derivedAttributes/>
<id>217</id>
<propagationStatuses>
<propagationStatus>
<afterObj>
<attributes>
<attribute>
<readonly>false</readonly>
<schema>__UID__</schema>
<value>Collaborator</value>
</attribute>
<attribute>
<readonly>false</readonly>
<schema>__NAME__</schema>
<value>cn=Collaborator,ou=groups,o=usharesoft</value>
</attribute>
<attribute>
<readonly>false</readonly>
<schema>owner</schema>
</attribute>
<attribute>
<readonly>false</readonly>
<schema>__ENABLE__</schema>
</attribute>
</attributes>
</afterObj>
<resource>uforge_ldap</resource>
<status>SUCCESS</status>
</propagationStatus>
</propagationStatuses>
<resources>
<resource>uforge_ldap</resource>
</resources>
<virtualAttributes/>
<entitlements/>
<inheritAccountPolicy>false</inheritAccountPolicy>
<inheritAttributes>false</inheritAttributes>
<inheritDerivedAttributes>false</inheritDerivedAttributes>
<inheritOwner>false</inheritOwner>
<inheritPasswordPolicy>false</inheritPasswordPolicy>
<inheritVirtualAttributes>false</inheritVirtualAttributes>
<name>Collaborator</name>
<parent>0</parent>
</role>
[nik@anvil openidm-project]$
rgds,
Nik
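The notable thing in the exchange above is that the POST returned 201-style success and propagated the group to LDAP, yet the response body carries an empty `<entitlements/>`: the five custom entitlements were dropped rather than rejected, so the role has no authorization attached to it at all. That is worth checking programmatically every time a role is provisioned. The following is an added example, not code from this thread or from the Syncope project: it builds the same `<role>` payload shape the curl command sends, and parses a response of the shape shown above to report which requested entitlements were not stored and whether propagation to `uforge_ldap` succeeded. The base URL, credentials and the trimmed sample response are constructed placeholders, and `post_role` is only a convenience that is not exercised offline.

```python
"""Sanity-check a role created through the Syncope 1.x REST API.

Added example, not code from this mailing-list thread or from the Syncope
project. The <role> payload and the response fields used here (name,
entitlements, resources, propagationStatuses) are the ones visible in the
curl exchange above; the base URL and credentials are placeholders.
"""
import base64
import urllib.request
import xml.etree.ElementTree as ET


def build_role_payload(name, entitlements, resources):
    """Serialize a <role> document in the shape the curl example POSTs."""
    role = ET.Element("role")
    ET.SubElement(role, "name").text = name
    ents = ET.SubElement(role, "entitlements")
    for ent in entitlements:
        ET.SubElement(ents, "entitlement").text = ent
    res = ET.SubElement(role, "resources")
    for r in resources:
        ET.SubElement(res, "resource").text = r
    return ET.tostring(role, encoding="unicode")


def post_role(base_url, user, password, payload):
    """POST the payload with HTTP basic auth and return the response body.

    Placeholder URL/credentials; not called by the offline checks below.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/roles",
        data=payload.encode("utf-8"),
        method="POST",
        headers={"Content-Type": "application/xml",
                 "Authorization": f"Basic {token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def granted_entitlements(response_xml):
    """Entitlements Syncope actually stored on the role."""
    root = ET.fromstring(response_xml)
    return {e.text for e in root.findall("./entitlements/entitlement") if e.text}


def missing_entitlements(requested, response_xml):
    """Requested entitlements absent from the created role, sorted."""
    return sorted(set(requested) - granted_entitlements(response_xml))


def propagated_ok(response_xml, resource):
    """True if propagation to the named external resource reported SUCCESS."""
    root = ET.fromstring(response_xml)
    for ps in root.findall("./propagationStatuses/propagationStatus"):
        if ps.findtext("resource") == resource:
            return ps.findtext("status") == "SUCCESS"
    return False


# Constructed sample: the response from the thread, trimmed to the fields used.
SAMPLE_RESPONSE = """<role>
  <id>217</id>
  <propagationStatuses>
    <propagationStatus>
      <resource>uforge_ldap</resource>
      <status>SUCCESS</status>
    </propagationStatus>
  </propagationStatuses>
  <resources><resource>uforge_ldap</resource></resources>
  <entitlements/>
  <name>Collaborator</name>
  <parent>0</parent>
</role>"""

REQUESTED = ["generate", "update", "publish", "migrate", "scan"]


def check_role(requested, resource, response_xml):
    """Summarize whether the created role carries what was asked for."""
    missing = missing_entitlements(requested, response_xml)
    return {
        "role_id": ET.fromstring(response_xml).findtext("id"),
        "propagated": propagated_ok(response_xml, resource),
        "missing_entitlements": missing,
        "authz_effective": not missing,
    }


if __name__ == "__main__":
    # Against the sample: propagation succeeded, but all five entitlements
    # are missing, so the role grants nothing despite the HTTP success.
    for key, value in check_role(REQUESTED, "uforge_ldap", SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

The useful design point is that the check compares what was requested against what came back, not against the HTTP status or the propagation result: a role can be created and pushed to LDAP successfully while carrying none of the authorization it was meant to express, which is exactly the failure mode in the thread.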