Hi Hernâni,

Il 28/08/2018 13:18, Hernâni Borges de Freitas ha scritto:
Hello

I am  trying to map an organization composed by the same user base that uses 
different applications and have different roles in those applications to Apache 
Syncope. We are only using syncope to provide authorisation to the 
applications, not authentication. Those applications will consume authorisation 
for different members via Syncope REST API.

Syncope has the following realms:
/
/application-a
/application-b
/application-x

- We are using apache syncope to manage membership to groups in different 
applications. Those different applications have their own managers who can 
define groups and memberships under their realms in syncope.
- All members belong to the same organization and are shared by different 
applications. They can be members of different groups in different applications.
- Each application is defined by a realm and managers of those applications 
have roles with entitlements in those realms that allow to define groups. They 
can only define membership in groups in their realms and not in other realms.
- As far as I understand, objects in syncope can only belong to a realm, so it 
is not possible to have them in different realms and have managers able to edit 
memberships only for groups in their realm. To avoid this I created a new 
AnyObject of a new AnyType which maps our members in different realms. For each 
application where our members are, there is an AnyObject in the correspondent 
realms. If member A is in Application A and Application B there will be two 
AnyObjects for it, one in /application-a realm and another one in 
/application-b realm. Managers of those realms can edit AnyObjects in their 
realm without problems.
Why you do not use USER to map members into realms? Why did you create a new ANY_OBJECT?

I would like to know if there simpler ways to map this hierarchy in syncope 
specially without the need to replicate the members in different anyobjects 
that are editable in the different realms and I would like to understand if 
there is a better way to organize realms, groups and objects than the one I am 
planning to use.
You can define roles and map the role to a specific realm, for example:

- manager-role-application-a -> map it to /application-a realm and assign entitlements to update users (only in /application-a realm and children).
- manager-role-application-b -> map it to /application-b realm and assign entitlements to update users (only in /application-b realm and children).
- manager-role-application-x -> map it to /application-x realm and assign entitlements to update users (only in /application-x realm and children).

With children I mean inner realms like /application-a/child-a/ or application-x/child-x

Bear in mind that realms entitlements are applied from the current realm to the inner ones, please refer to documentation at [1].

HTH,
Andrea

[1] https://syncope.apache.org/docs/2.0/reference-guide.html#realms

Thanks

--
Dott. Andrea Patricelli
Tel. +39 3204524292

Developer @ Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net

Apache Syncope PMC Member
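As an added example (not from the original thread and not Syncope's own code), the three manager roles Andrea describes are built as JSON payloads in the shape of Syncope's RoleTO, together with a small model of the realm check showing that a role scoped to /application-a also covers /application-a/child-a but not /application-b. The RoleTO field names (key, entitlements, realms) and the entitlement names are assumptions based on the Syncope 2.0 REST API; the check itself is a simplified model, not Syncope's implementation.

```python
import json

# Constructed example: RoleTO shape (key, entitlements, realms) and the
# entitlement names are assumptions based on the Syncope 2.0 REST API.
APPLICATIONS = ["application-a", "application-b", "application-x"]

# Entitlements a realm manager needs to define groups and memberships,
# deliberately without USER_CREATE/USER_DELETE (least privilege).
MANAGER_ENTITLEMENTS = [
    "USER_READ", "USER_SEARCH", "USER_UPDATE",
    "GROUP_READ", "GROUP_SEARCH", "GROUP_CREATE", "GROUP_UPDATE", "GROUP_DELETE",
]


def manager_role(app: str) -> dict:
    """Build the RoleTO payload for one application's manager role,
    scoped to that application's realm only."""
    return {
        "key": f"manager-role-{app}",
        "entitlements": list(MANAGER_ENTITLEMENTS),
        "realms": [f"/{app}"],
    }


def realm_covers(role_realm: str, target: str) -> bool:
    """A realm entitlement applies to the realm itself and its inner realms.

    Matching is done on path components, so /application-a does not
    accidentally cover a sibling such as /application-ab.
    """
    if role_realm == "/":
        return target.startswith("/")
    return target == role_realm or target.startswith(role_realm.rstrip("/") + "/")


def is_allowed(roles: list, entitlement: str, target_realm: str) -> bool:
    """Simplified model of the authorization check: some role grants the
    entitlement on a realm that covers the target realm."""
    return any(
        entitlement in role["entitlements"]
        and any(realm_covers(r, target_realm) for r in role["realms"])
        for role in roles
    )


if __name__ == "__main__":
    # Print the payloads you would POST to the roles endpoint, one per realm.
    for app in APPLICATIONS:
        print(json.dumps(manager_role(app), indent=2))
```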
