On 22/08/2018 06:40, Craig Martin wrote:
Hi,
Apologies for the entry level question but I am new to administering
Syncope. I am hoping to use Syncope as an identity store (password
rules, data store, user data, and JWT) and access it via the REST
interface. Users will never access Syncope directly; they will pass
through custom microservices, and my web services will
create/delete/update users and validate/invalidate JWTs.
As I see it I really need three main types of users (are they realms?
maybe groups?):
* *User Group* - this is the main user group. They should only have
  access to their own identity information and should be very
  limited in the system.
* *Service Account* - a group (maybe only one) service account user
  that my microservices will use to create/delete users and update
  passwords. I would like to limit this user/group so that it can
  only manage users and not administer the Syncope system.
* *Admin Users* - these are the main users that can create realms and
  update workflows and password requirements.
What is the recommended way to set this up?
Hi Craig,
there are several ways to configure your needs above with Syncope
concepts; AFAICT the simplest would be:
1. Map "User Group" to plain Syncope Users. Do not assign any Role to
them - by which you could be granting Entitlements [1] to them; hence,
plain users.
2. Create a "Service Account" Role, assign to it the relevant
entitlements [1] to administer Users and Groups (e.g. USER_* and
GROUP_*) and the / Realm; once that is done, create a "Service Account"
user and give it the "Service Account" Role.
Your microservices will authenticate as that user, and will be able to
manage to the extent of the granted entitlements.
3. If you don't want to use the default admin user - for which you can
change the default credentials [2] - just do as above with an additional
Role and an additional user, and you're set.
The difficult part - especially for 3, when using the Admin Console - is
to define the minimum viable set of entitlements to grant; see [3] for
more information.
HTH
Regards.
[1] http://syncope.apache.org/docs/2.1/reference-guide.html#delegated-administration
[2] http://syncope.apache.org/docs/2.1/reference-guide.html#set-admin-credentials
[3] http://syncope.apache.org/docs/2.1/reference-guide.html#delegated-administration-console
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
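Steps 2 and 3 of the reply above, carried out against the Syncope 2.1 REST interface, as an added example that is not part of the original thread and not code from the Syncope project: it builds the RoleTO for a "Service Account" role holding only USER_* / GROUP_* entitlements on the / realm, builds the UserTO for the user that the microservices authenticate as, and then shows the microservice side exchanging that user's Basic credentials for a JWT and invalidating it again. The base URL and port (standalone default), the role key `service-account`, the username and password, the `@class` discriminator on the UserTO, and the prefix list used to reject administrator-level entitlements are all assumptions of this example; the exact entitlement names should be checked against the list in [1] and in the Admin Console.

```python
"""Create the "Service Account" role and user described in the reply, then use it.

Added example for the thread above; not code from the Syncope project.
Only main() talks to the network, so the payload builders can be checked offline.
"""
import base64
import json
import urllib.request

BASE_URL = "http://localhost:9080/syncope/rest"  # assumption: standalone default
DOMAIN = "Master"
ADMIN_USER, ADMIN_PASS = "admin", "password"     # shipped defaults; change them, see [2]

# Entitlements the service account needs to manage users and groups.
# Assumption: names taken from the 2.1 entitlement list as I recall it; verify in [1].
SERVICE_ACCOUNT_ENTITLEMENTS = [
    "USER_SEARCH", "USER_CREATE", "USER_READ", "USER_UPDATE", "USER_DELETE",
    "GROUP_SEARCH", "GROUP_CREATE", "GROUP_READ", "GROUP_UPDATE", "GROUP_DELETE",
]

# Entitlement families that only a Syncope administrator should hold
# (realms, workflows, configuration, policies, ...). Assumption: illustrative, not exhaustive.
ADMIN_ONLY_PREFIXES = ("CONFIGURATION_", "REALM_", "ROLE_", "WORKFLOW_",
                       "POLICY_", "CONNECTOR_", "RESOURCE_")


def role_payload(key, entitlements, realms=("/",)):
    """Build the RoleTO body for POST /roles, refusing admin-level entitlements."""
    too_broad = [e for e in entitlements if e.startswith(ADMIN_ONLY_PREFIXES)]
    if too_broad:
        raise ValueError(f"role {key!r} would carry admin-level entitlements: {too_broad}")
    return {"key": key, "entitlements": sorted(set(entitlements)), "realms": list(realms)}


def user_payload(username, password, roles, realm="/"):
    """Build the UserTO body for POST /users; roles is a list of role keys."""
    return {
        # type discriminator that Syncope 2.x JSON expects for AnyTO subclasses (assumption)
        "@class": "org.apache.syncope.common.lib.to.UserTO",
        "realm": realm,
        "username": username,
        "password": password,
        "roles": list(roles),
    }


def basic_auth_header(user, password):
    """HTTP Basic credentials; Syncope accepts these on any REST call."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def request(method, path, body=None, headers=None):
    """Send one JSON request to the Syncope core and return (status, headers, bytes)."""
    hdrs = {"Content-Type": "application/json", "Accept": "application/json",
            "X-Syncope-Domain": DOMAIN}
    hdrs.update(headers or {})
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method, headers=hdrs)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.headers, resp.read()


def main():
    admin = basic_auth_header(ADMIN_USER, ADMIN_PASS)
    svc_user, svc_pass = "svc-user-mgmt", "replace-with-a-long-random-secret"  # assumption

    # Step 2: role limited to user/group management on the root realm, then the user holding it
    request("POST", "/roles", role_payload("service-account", SERVICE_ACCOUNT_ENTITLEMENTS), admin)
    request("POST", "/users", user_payload(svc_user, svc_pass, ["service-account"]), admin)

    # Microservice side: exchange Basic credentials for a JWT (returned in X-Syncope-Token)
    _, hdrs, _ = request("POST", "/accessTokens/login", None, basic_auth_header(svc_user, svc_pass))
    bearer = {"Authorization": "Bearer " + hdrs["X-Syncope-Token"]}

    # Permitted by USER_SEARCH on /; a call such as POST /realms would be rejected with 403
    status, _, body = request("GET", "/users", None, bearer)
    print(status, json.loads(body).get("totalCount"))

    # Invalidate the JWT when the microservice is done with it
    request("POST", "/accessTokens/logout", None, bearer)


if __name__ == "__main__":
    main()
```

The check in `role_payload` is the editor's own guard, not something Syncope enforces: Syncope will happily create a role with any entitlement the admin grants, so keeping the administrator-only families out of the service account's role is the one place where the "manage users but not administer the system" boundary from the question is actually drawn.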