Thanks for the response,

And is there any possibility to overwrite authorisation (and security
service) in syncope-core in such a way that permissions from a Role are
applied to the User's Realm (the one the user belongs to) BUT not to the
Realm of the Role?
Currently a role maps a set of entitlements to a set of realms, BUT we would
like to have a role that maps a set of entitlements to a User's realm.

I understand that such changes could be quite dangerous and lead to some
unstable behaviour of syncope. That's why for now we have almost decided to
create a separate "OU Admin" role for every Realm.

Best regards,
Alexander Tsvetkov

On 10 May 2018 at 10:01, Francesco Chicchiriccò <[email protected]> wrote:

> On 26/04/2018 23:06, Alexander Tsvetkov wrote:
>
> Hi all,
> In our syncope application we have a lot of OrgUnits (Realms) and we need
> to be able to assign an "OrgUnit Admin" role to some users.
> As I understand it, I need to create an "OrgUnit Admin" role for every
> OrgUnit and assign the appropriate realm to every role. BUT this doesn't
> fit us as it leads to a big amount of roles in our system.
> Is there any possibility to create one role "OrgUnit Admin" with some
> permissions and assign it to a user, so that all permissions from this role
> will be applied only to the OrgUnit to which the user belongs?
> Can “Dynamic USER Membership Conditions” or “Dynamic Realms” help with
> this?
>
>
> Hi,
> I don't think you can do differently than creating as many Roles as the
> Realms for which you need to grant delegated administration rights.
>
> You say above that "this doesn't fit us as it leads to a big amount of
> roles in our system": why "big amount"? It would be just the same number as
> the Realms, no?
>
> Regards.
>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Member at The Apache Software Foundation
> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
> http://home.apache.org/~ilgrosso/
>
>
