Re: Role membership

Fri, 15 Nov 2013 00:54:52 -0800 

On 15/11/2013 09:41, Timo-V Hatakka wrote:

Hi,
there is a nice feature in Syncope that you can include some extra parameters to user -- role connection. This can be achieved by adding new attributes to Membership schema. However you can not connect a single user twice to the same role using two parallel memberships with different membership arguments. This could be used for example to describe the situation that a student u1 has a Student role in two faculties F1 and F2:
membership(user: u1, role: Student, OU: F1, start: 1.1.2013, end: 31.12.2013) membership(user: u1, role: student, OU: F2, start: 1.1.2013, end: 31.12.2014)
Could you change the system to allow this kind of parallel role connections? Or is there something we can do? 



Hi,
you are right, membership is unique, for each (user, role) pair.
In your scenario, I'd suggest to just model each Faculty as a separate role, possibly with a common parent role.
Actually this is just the way we absolutely want to avoid. The result would be cartesian product of roles and OUs (https://wiki.evolveum.com/display/midPoint/Role+Explosion) and would lead to hundreds or even thousands of roles. Your role design is so near to a nice way to do it! Any possibiliest to redesign the model?
I am not sure I was clear: if you have N students and M faculties, you would result with the following number of entries in the internal database: 

 * N SyncopeUser
 * M+1 (for the parent role) SyncopeRole
* ~N Membership (depending on the number of users that are students in more than a faculty) 
 * ~N MAttr + ~N MAttrValue for 'start'
 * ~N MAttr + ~N MAttrValue for 'end'
Syncope has proven to work flawlessly - with thousands memberships and hundred of thousands attribute values.
Redesigning the internal model is an option that - if discussed on dev@ ML and accepted - might happen in one of future major releases since it will likely impact the internal database design. 

If you want to continue this thread, I'd suggest anyway to move it to dev@.

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
http://people.apache.org/~ilgrosso/

Reply via email to