On 07/05/2015 15:37, Manfredo Hopp wrote:
2015-05-07 4:22 GMT-03:00 Francesco Chicchiriccò <[email protected]>:

    On 06/05/2015 18:42, Manfredo Hopp wrote:

        Hi,

        1. why can roles only be mapped through a scripted connector?
        db.table seems to be cleaner.


    Each connector bundle can on its own decide to support ACCOUNT
    (e.g. users) and / or GROUP (e.g. roles): to my knowledge, only
    LDAP, Scripted SQL and Active Directory connector bundles support
    GROUP (besides ACCOUNT).

        2. why is the role mapping panel showing an accountid checkbox? Is
        this an account? or is it a group?


    "AccountId" refers to the mapping item which refers to the key
    value which is used to bind the internal user / role to external
    entities; I agree this is misleading, we'll change that in 2.0.0.

        3. why is role sync task expecting __UID__ ? is it a user?


    __UID__ is the name of a special attribute returned by ConnId, and
    generally associated with the key value on the external resource
    (say the primary key value on a database table).
    It is used both for ACCOUNT and GROUP.

        4. What use is the field Rolename in mapping panel for, when
        __UID__ is used for mapping name?


    It is the role name, which is not unique (unlike the role id, see
    below): there could be more roles with the same name, provided
    that they don't share the same parent role.


Unfortunately this is also used as the link to the resource, so changing Rolename loses the link. It would be nice for this to work independently.

This is because of the way you have defined your mapping.


    FYI, __UID__ is not used anymore when defining resource mapping in
    Syncope (for both users and roles) since Syncope 1.2.0 (which
    depends on ConnId 1.4.0.0).


It's not used in the resource mapping definition but has to be returned by the script!

Correct.


        5. what use is the field RoleId in mapping panel?


    It is the role unique identifier, e.g. a number.


Cannot be assigned. It's automatically generated.

Obviously.


        6. Is it possible to assign more than 1 owner to a specific role?


    Role owners can either be a (single) user or another role: if you
    want to have more owners of a role, just define another role, put
    such users into this role and make it owner of the first role.

    HTH
    Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/
