On 06/05/2015 18:42, Manfredo Hopp wrote:
> Hi,
> 1. why can roles only be mapped through scripted connector? db.table
> seems to be cleaner.

Each connector bundle can on its own decide to support ACCOUNT (e.g.
users) and / or GROUP (e.g. roles): to my knowledge, only LDAP, Scripted
SQL and Active Directory connector bundles support GROUP (besides ACCOUNT).

> 2. why is role mapping panel showing accountid checkbox. Is this an
> account? or is it group?

"AccountId" refers to the mapping item which refers to the key value
which is used to bind the internal user / role to external entities; I
agree this is misleading, we'll change that in 2.0.0.

> 3. why is role sync task expecting __UID__ ? is it a user?

__UID__ is the name of a special attribute returned by ConnId, and
generally associated with the key value on the external resource (say
the primary key value on a database table).
It is used both for ACCOUNT and GROUP.

> 4. What use is the field Rolename in mapping panel for, when __UID__
> is used for mapping name?

It is the role name, which is not unique (unlike role id, see
below): there could be more roles with the same name, provided that they
don't share the same parent role.
FYI, __UID__ is not used anymore when defining resource mapping in
Syncope (both for users and roles) since Syncope 1.2.0 (which depends
on ConnId 1.4.0.0).

> 5. what use is the field RoleId in mapping panel?

It is the role unique identifier, e.g. a number.

> 6. Is it possible to assign more than 1 owner to a specific role?

Role owners can either be a (single) user or another role: if you want
to have more owners of a role, just define another role, put such users
into this role and make it owner of the first role.

HTH
Regards.
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/