This is very useful and seems like a logical solution. Really appreciate your help. I will give it a go.
Craig

On Wed, Aug 22, 2018 at 1:03 AM Francesco Chicchiriccò <[email protected]> wrote:
> On 22/08/2018 06:40, Craig Martin wrote:
> > Hi,
> >
> > Apologies for the entry level question but I am new to administering
> > Syncope. I am hoping to use Syncope as an identity store (password rules,
> > data store, user data, and JWT) and access it via the REST interface.
> > Users will never access Syncope directly, they will pass through custom
> > microservices and my webservices will create/delete/update users and
> > validate/invalidate JWTs.
> >
> > As I see it I really need three main types of users (are they realms?
> > maybe groups?)
> >
> > - *User Group* - this is the main user group. They should only have
> > access to their own identity information and should be very limited in the
> > system
> > - *Service Account* - A group (maybe only one) service account user
> > that my microservices will use to create/delete users, update passwords. I
> > would like to limit the ability of this user/group to be able to only
> > manage users and not administer the Syncope system
> > - *Admin Users* - These are the main users that can create realms,
> > update workflows, password requirements
> >
> > What is the recommended way to set this up?
>
> Hi Craig,
> there are several ways to configure your needs above with Syncope
> concepts; AFAICT the simplest would be:
>
> 1. Map "User Group" as plain Syncope Users. Do not assign any Role to them
> - by which you could be granting Entitlements [1] to them; hence, plain
> users
>
> 2. Create a "Service Account" Role, assign to it the relevant entitlements
> [1] to administer Users and Groups (e.g. USER_* and GROUP_*), and the /
> Realm; once done that, create a "Service Account" user, and give it the
> "Service Account" Role.
> Your microservices will authenticate as such user, and be able to manage
> to the extent of the granted entitlements
>
> 3. If you don't want to use the default admin user - for which you can
> change the default credentials [2], just do as above with an additional
> Role and an additional user, and you're set.
>
> The difficult part - especially for 3, when using the Admin Console - is
> to define the minimum viable set of entitlements to grant - see [3] for
> more information.
>
> HTH
> Regards.
>
> [1] http://syncope.apache.org/docs/2.1/reference-guide.html#delegated-administration
> [2] http://syncope.apache.org/docs/2.1/reference-guide.html#set-admin-credentials
> [3] http://syncope.apache.org/docs/2.1/reference-guide.html#delegated-administration-console
>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Member at The Apache Software Foundation
> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
> http://home.apache.org/~ilgrosso/
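The following script is an added example, not part of the thread and not code from the Syncope project: it carries out step 2 of Francesco's reply (a Role holding only USER_* and GROUP_* entitlements on realm /, plus a user holding that Role) through the Syncope 2.1 REST API with curl, and then checks that the new account really cannot administer Syncope. Assumptions: the REST base URL (SYNCOPE_URL), the Master domain, the admin credentials and the service-account username/password are placeholders; the Role key is "ServiceAccount" (the thread's "Service Account" without the space); the entitlement names are Syncope's standard USER_*/GROUP_* ones; the JSON shapes follow Syncope's RoleTO and UserTO, with the "@class" marker UserTO needs. The password is not JSON-escaped, so it must not contain double quotes. Nothing is sent unless SYNCOPE_URL is set.

```shell
#!/bin/sh
# Added example (not from the thread or Syncope itself): create a least-privilege
# "ServiceAccount" Role and user in Apache Syncope 2.1 via REST, then verify the
# account cannot reach into Syncope administration.
set -eu

SYNCOPE_URL="${SYNCOPE_URL:-}"                  # assumed, e.g. http://localhost:9080/syncope/rest
SYNCOPE_DOMAIN="${SYNCOPE_DOMAIN:-Master}"      # assumed default domain
ADMIN_CREDS="${ADMIN_CREDS:-admin:password}"    # assumed; change the defaults as per [2]
SVC_USERNAME="${SVC_USERNAME:-service-account}" # assumed
SVC_PASSWORD="${SVC_PASSWORD:-Replace-Me-Before-Use}" # assumed placeholder, no double quotes

# Only user/group management, nothing like ROLE_*, REALM_*, WORKFLOW_* or CONFIGURATION_*.
SERVICE_ACCOUNT_ENTITLEMENTS="USER_CREATE USER_READ USER_UPDATE USER_DELETE USER_SEARCH USER_LIST GROUP_CREATE GROUP_READ GROUP_UPDATE GROUP_DELETE GROUP_SEARCH GROUP_LIST"

# Refuse to proceed if the entitlement list drifted outside USER_*/GROUP_*.
check_least_privilege() {
  for e in $SERVICE_ACCOUNT_ENTITLEMENTS; do
    case "$e" in
      USER_*|GROUP_*) ;;
      *) echo "refusing: $e is not a user/group entitlement" >&2; return 1 ;;
    esac
  done
  return 0
}

# RoleTO JSON: key, entitlements, and the realms the role may administer (here only /).
service_account_role_json() {
  ents=""
  for e in $SERVICE_ACCOUNT_ENTITLEMENTS; do
    ents="${ents:+$ents,}\"$e\""
  done
  printf '{"key":"ServiceAccount","entitlements":[%s],"realms":["/"]}\n' "$ents"
}

# UserTO JSON for the account the microservices will authenticate as; $1 = password.
service_account_user_json() {
  printf '{"@class":"org.apache.syncope.common.lib.to.UserTO","username":"%s","password":"%s","realm":"/","roles":["ServiceAccount"]}\n' \
    "$SVC_USERNAME" "$1"
}

# POST a JSON body read from stdin; $1 = "user:password", $2 = REST path.
syncope_post() {
  curl -sS -f -u "$1" -H "X-Syncope-Domain: $SYNCOPE_DOMAIN" \
    -H 'Content-Type: application/json' -H 'Accept: application/json' \
    -X POST --data-binary @- "$SYNCOPE_URL$2"
}

if [ -n "$SYNCOPE_URL" ]; then
  check_least_privilege
  service_account_role_json | syncope_post "$ADMIN_CREDS" /roles
  service_account_user_json "$SVC_PASSWORD" | syncope_post "$ADMIN_CREDS" /users

  # Positive check: the service account can list users in its realm.
  curl -sS -f -o /dev/null -u "$SVC_USERNAME:$SVC_PASSWORD" \
    -H "X-Syncope-Domain: $SYNCOPE_DOMAIN" -H 'Accept: application/json' "$SYNCOPE_URL/users"

  # Negative check: creating a Role must be refused (expect 403 Forbidden).
  code=$(printf '{"key":"should-not-exist","entitlements":[],"realms":[]}' | curl -sS -o /dev/null -w '%{http_code}' \
    -u "$SVC_USERNAME:$SVC_PASSWORD" -H "X-Syncope-Domain: $SYNCOPE_DOMAIN" \
    -H 'Content-Type: application/json' -X POST --data-binary @- "$SYNCOPE_URL/roles")
  if [ "$code" = "403" ]; then
    echo "ok: service account cannot administer Roles"
  else
    echo "FAIL: expected 403 when the service account creates a Role, got $code" >&2
    exit 1
  fi
fi
```

The two checks at the end are the part worth keeping around: re-run them whenever the entitlement list or the Role is edited in the Admin Console, since it is easy to grant more than intended there (the "minimum viable set" problem Francesco points to under [3]).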
