On 10/12/18 10:36, Ciusso Hb wrote:
> Hi Francesco, thank you very much for the precise and concise answers.
>
> My idea of segregation is this:
> an admin of a realm can manage users (CRUD) in that realm and cannot do anything in other realms, nor view them.
> So I think this is the right approach.

Correct.

> I've seen your blog post about performance, great and interesting work, and I've a couple of questions about that:
> - In the tests you don't consider authentication like "accessTokens/login" or "users/self", are those comparable to "Read Existing User"?

No, it's way less.

> - How many concurrent connections were there during the tests?

As reported in the article:

"The suite was configured for 10 concurrent threads, each running all the operations for 30 loops, with ramp-up time of 10 seconds, for a total duration of 20 minutes."

So, 10 concurrent connections.

Regards.

On Mon, Dec 10, 2018 at 9:13 AM Francesco Chicchiriccò wrote:

    Hi,
    please find my replies embedded below.

    Regards.

    On 08/12/18 23:29, Ciusso Hb wrote:
    > Hi all, this is my first message and I've got a bunch of questions.
    >
    > Apache Syncope looks really good and it's my plan to use it to manage
    > users of various branches of the same organization.
    >
    > I don't need different Domains (that I see like "tenant", is this
    > correct?), but I would like to be able to logically "segregate" users.
    > To achieve that my idea is to use Realms, is this a good choice?

    It depends on what you mean by "segregate": at which level you would
    like to separate users? With domains [1] you will end up in storing user
    entries onto different tables in different databases; without them,
    users will go anyway onto the same table.

    Realms [2] are meant for simplifying the definition of delegated
    administration [3].

    > The number of branches will be 50k, 1 to 10 users each.
    > It may be necessary to have "sub-branches" (max 2 levels).
    >
    > Can the number of Realms be a problem?

    No.

    > Can the number of users be a problem?

    50k * 10 = 500k users; not an issue, especially if you plan to use
    Syncope with PostgreSQL JSONB [4].

    > Can the use of many Realms make performance worse?

    I don't think so: there should be enough indexes in the db to support
    such configuration.
    > A user from a Realm can see all users from all the Realms?

    If by "a user" you mean "a delegated administrator", the answer is no,
    there are hierarchy rules (on purpose, as you can read from [3]) to
    restrict such scope.

    [1] http://syncope.apache.org/docs/2.1/reference-guide.html#domains
    [2] http://syncope.apache.org/docs/2.1/reference-guide.html#realms
    [3] http://syncope.apache.org/docs/2.1/reference-guide.html#delegated-administration
    [4] http://blog.tirasa.net/benchmarking-apache-syncope-on-postgresql.html

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
