Hi Francesco,

thank you very much for the precise and concise answers.

My idea of segregation is this: an admin of a realm can manage users (CRUD) in that realm and cannot do anything in other realms, nor view them. So I think this is the right approach.

I've seen your blog post about performance, great and interesting work, and I have a couple of questions about that:

- In the tests you don't consider authentication like "accessTokens/login" or "users/self"; are those comparable to "Read Existing User"?
- How many concurrent connections were there during the tests?

Thank you

Best regards

On Mon, Dec 10, 2018 at 9:13 AM Francesco Chicchiriccò <[email protected]> wrote:

> Hi,
> please find my replies embedded below.
>
> Regards.
>
> On 08/12/18 23:29, Ciusso Hb wrote:
> > Hi all, this is my first message and I've got a bunch of questions.
> >
> > Apache Syncope looks really good and it's my plan to use it to manage
> > users of various branches of the same organization.
> >
> > I don't need different Domains (that I see like "tenant", is this
> > correct?), but I would like to be able to logically "segregate" users.
> > To achieve that my idea is to use Realms, is this a good choice?
>
> It depends on what you mean by "segregate": at which level would you
> like to separate users? With domains [1] you will end up storing user
> entries onto different tables in different databases; without them,
> users will go anyway onto the same table.
>
> Realms [2] are meant for simplifying the definition of delegated
> administration [3].
>
> > The number of branches will be 50k, 1 to 10 users each.
> > There may be the need to have "sub-branches" (max 2 levels).
> >
> > Can the number of Realms be a problem?
> No.
>
> > Can the number of users be a problem?
> 50k * 10 = 500k users; not an issue, especially if you plan to use
> Syncope with PostgreSQL JSONB [4].
>
> > Can the use of many Realms make performance worse?
> I don't think so: there should be enough indexes in the db to support
> such configuration.
>
> > Can a user from a Realm see all users from all the Realms?
>
> If by "a user" you mean "a delegated administrator", the answer is no,
> there are hierarchy rules (on purpose, as you can read from [3]) to
> restrict such scope.
>
> [1] http://syncope.apache.org/docs/2.1/reference-guide.html#domains
> [2] http://syncope.apache.org/docs/2.1/reference-guide.html#realms
> [3] http://syncope.apache.org/docs/2.1/reference-guide.html#delegated-administration
> [4] http://blog.tirasa.net/benchmarking-apache-syncope-on-postgresql.html
>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Member at The Apache Software Foundation
> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
> http://home.apache.org/~ilgrosso/
