Thanks Francesco.
You have given me something good to think about over the next few days.
rgds,
Nik
On 30/04/2013 15:46, Nik wrote:
Thanks for clarifying this.
It kinda leaves me stuck though.
I want to have RBAC for my app managed by Syncope using REST.
I was assuming the AC part of RBAC is done by "entitlement"
assignment (I'm not sure how this is supposed to work for an app
using Syncope).
The point here is that Syncope implements
- role-based provisioning (e.g. you can decide where to provision
users by assigning them roles)
- role-based authorization to REST methods (e.g. you can assign
entitlements to roles and users assigned to those roles will have
entitlements to access REST methods)
i.e. it is not (yet!) equipped for general RBAC on external resources
(take a look at the roadmap, it's there).
but as you can see from my curl example, I want to create a "role"
which allows access control through a resource (ldap) to my app
services.
i.e.
Collaborator (role)
isAuthorized to
- generate
- update
- publish
- migrate
- scan
on appA which is connected by
resource uforge_ldap
How else can I do this? I thought that entitlement is AuthZ! (yes/no)
Maybe, in Syncope, we have to define this functionality as nested roles?
Collaborator (role)
withChildren (roles)
- generate
- update
- publish
- migrate
- scan
on appA which is connected by
resource uforge_ldap
Please help me with my confusion here, if you see what I'm trying to
achieve (I'm sure this is due to my ignorance of IDM terminology).
IMO it is not straightforward to implement your requirements in
a general fashion, since any solution will heavily depend on how the
external resource interprets such "resource entitlements".
You could, for example, define a role enum multivalue schema named
'ResourceEntitlement' with possible values
- generate
- update
- publish
- migrate
- scan
- ...
then assign some values from this set to the 'ResourceEntitlement'
attribute of 'Collaborator' role.
Supposing you provide a decent mapping on the resource, and supposing
that ResourceEntitlement values are correctly propagated to the
external resource, as said above the biggest problem I see here is how
to make the external resource change its behavior depending on such
values.
In my experience I have solved such problems by integrating Apache
Syncope with an access manager such as CAS, Apache Shiro or even OpenAM.
Good luck :-)
On 30/04/2013 14:00, Nik wrote:
Hi,
I'm trying to find a way to create/delete/update my own entitlement
names, not those found in content.xml.
Of course the addition of my own entitlements fails (because, I'm
guessing, of consistency checking against those entitlements
pre-defined in content.xml, looking at the source code).
Is there a way to create/delete/update those available in
content.xml by the Syncope REST API?
Hi Nik,
entitlements are not meant to be extended: their primary purpose is
to define security constraints on RESTful methods.
Some more information:
https://cwiki.apache.org/confluence/display/SYNCOPE/Authentication+and+authorization
Regards.
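To make the 'ResourceEntitlement' approach from the middle of the thread concrete, here is an added example (not Syncope's code, nor anything from the thread's curl example) that models the three pieces it involves: the enum-constrained multivalued role attribute, its propagation to a mapped LDAP-style entry, and the deny-by-default check the application itself must perform, which is the part Francesco points out Syncope cannot do for you. The attribute name `resourceEntitlement`, the user `nik` and the `Auditor` role are constructed assumptions.

```python
"""Added example: models the 'ResourceEntitlement' role-attribute pattern.
Not Syncope code; LDAP_ATTR and the sample roles/users are assumptions."""
from dataclasses import dataclass, field

# Enum values of the multivalued role schema suggested in the thread.
RESOURCE_ENTITLEMENT_ENUM = frozenset(
    {"generate", "update", "publish", "migrate", "scan"})
LDAP_ATTR = "resourceEntitlement"  # assumed attribute on the mapped LDAP entry


@dataclass
class Role:
    name: str
    resource_entitlements: set = field(default_factory=set)

    def __post_init__(self):
        # An enum schema rejects values outside its value set; mirror that
        # so an unknown action can never be propagated to the resource.
        bad = self.resource_entitlements - RESOURCE_ENTITLEMENT_ENUM
        if bad:
            raise ValueError(f"not in ResourceEntitlement enum: {sorted(bad)}")


def propagate(user, roles):
    """Simulated mapping of a user's roles onto one LDAP entry (constructed):
    the union of all role values lands in the multivalued attribute."""
    values = set()
    for role in roles:
        values |= role.resource_entitlements
    return {"uid": user,
            "memberOf": [r.name for r in roles],
            LDAP_ATTR: sorted(values)}


def is_authorized(ldap_entry, action):
    """App-side enforcement point: deny by default, allow only when the
    requested action is an enum value present on the user's entry."""
    if action not in RESOURCE_ENTITLEMENT_ENUM:
        return False
    return action in ldap_entry.get(LDAP_ATTR, [])


# Constructed sample data: Collaborator gets a subset, Auditor only 'scan'.
collaborator = Role("Collaborator", {"generate", "update", "publish"})
auditor = Role("Auditor", {"scan"})
entry = propagate("nik", [collaborator, auditor])
```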