On 10/04/2015 12:18, Oleksandr Bodriagov (Polystar) wrote:
To whom it may concern,
We have some problems in understanding how to assign permissions to
roles in Apache Syncope. It seems that this topic is not completely
covered in the wiki
(https://cwiki.apache.org/confluence/display/SYNCOPE/Authentication+and+authorization).
We would be extremely grateful if you could help us a little bit.
In a nutshell, we can create our users and roles but not our objects
and permissions.
According to NIST, /“a role is essentially a collection of
permissions”/, and permissions are relationships between operations
and objects.
Syncope has a notion of /Entitlements/, and “/entitlements are
basically strings describing the right to perform an operation/”. As
we understand it, an entitlement is a permission. For example,
an entitlement “RESOURCE_READ” gives a right to READ (operation) some
RESOURCE (object).
Apache Syncope gives the ability to define users, roles, and choose
entitlements. It is not clear though how to define objects. Our use
case is as follows. We have a few RESTful web services to which we
would like to control access using Apache Syncope and our own access
control server. Our permissions in this case would be something like:
- read data from https://server1.com/whateever
- modify profile at https://server2.com/profile/whatever
- read profile at https://server2.com/profile/whatever
So, we have operations {read, modify, delete, …} and objects
{https://server1.com/whateever,
https://server2.com/profile/whatever, …}. Our access control server
receives a question if a user is allowed to perform some operation
over some object. To answer this question the server should get the user's
permissions from Syncope using its REST API. We have set up a Syncope
server with a MySQL internal database. We have added users and roles,
but we have no idea how to add our objects. There is a notion of
/Resource/ in Apache Syncope. It seems that resources can only be
external and they are only used “/for synchronization and for
propagation/” of users and roles from external databases/LDAP/AD. If
we go back to entitlement “RESOURCE_READ”, it seems that it means a
right to read user accounts from some external database. Thus, a
resource is not the same as object.
Could you please describe how we can define our own objects? Thank you
very much in advance.
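The NIST model the question describes (a role is a collection of permissions, a permission is an operation on an object, and the access control server asks "may this user perform this operation on this object?") can be sketched as a small policy decision point. This is an added illustration, not code from Syncope or from the poster; user and role names are made up, and the objects are the URLs quoted in the message.

```python
"""Minimal NIST-style RBAC decision point for the use case described above.

Constructed example: roles are sets of (operation, object) permissions and
the access-control server answers "may user U perform OP on OBJECT?".
Users and role names below are hypothetical; objects are the URLs from the post.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Permission:
    operation: str       # e.g. "read", "modify", "delete"
    object_prefix: str   # URL (or URL prefix) the operation applies to

    def covers(self, operation: str, obj: str) -> bool:
        """True if this permission grants `operation` on `obj`.

        Scheme and host must match exactly; the path must be equal to the
        permission's path or lie below it on a '/' boundary, so that a
        permission on /profile/whatever does not leak to /profile/whatever2.
        """
        if operation != self.operation:
            return False
        want, have = urlsplit(self.object_prefix), urlsplit(obj)
        if (want.scheme, want.netloc) != (have.scheme, have.netloc):
            return False
        base = want.path.rstrip("/")
        return have.path == want.path or have.path.startswith(base + "/")


# Role -> permissions (hypothetical role names).
ROLES = {
    "reader": {Permission("read", "https://server1.com/whateever"),
               Permission("read", "https://server2.com/profile/whatever")},
    "profile-editor": {Permission("modify", "https://server2.com/profile/whatever")},
}

# User -> assigned roles (hypothetical users).
USER_ROLES = {"alice": {"reader", "profile-editor"}, "bob": {"reader"}}


def is_allowed(user: str, operation: str, obj: str) -> bool:
    """Deny by default: allow only if a permission of an assigned role covers the request."""
    for role in USER_ROLES.get(user, ()):
        for perm in ROLES.get(role, ()):
            if perm.covers(operation.lower(), obj):
                return True
    return False
```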
Hi,
Syncope is (at least currently) a pure /provisioning engine/, e.g. a
tool for keeping users and groups synchronized across several resources
(relational databases, LDAP servers, and much more [1] by empowering
ConnId connectors).
The entitlements you refer to above are purely used for internal
authentication & authorization [2], hence are not suitable for external
access management.
In my company's experience, you usually need to consider a whole IAM
architecture where every component does its own job (for a quick review
of some open source alternatives: [3]): the most frequent integration
pattern seems to be Syncope + CAS.
Hope this clarifies.
Regards.
[1] https://github.com/Tirasa/ConnId/blob/master/README.md#available-connectors
[2] https://cwiki.apache.org/confluence/display/SYNCOPE/Authentication+and+authorization
[3] http://blog.tirasa.net/the-open-source-identity-stack.html
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/