Hi Suresh,
sorry for the delayed response.

See my replies embedded below.
Regards.

On 2018-12-28 13:14 Suresh Mali wrote:

I am looking for a good user/org provisioning system along with the ability to manage entitlements (permissions). I am trying to see how Syncope can be used for provisioning etc.

Requirements:

1. The app is in Python and Node.js and requires different roles such as user, agent, manager etc.

Ok, so such an app will deal with Syncope Core via its REST interface.
I would recommend not exposing the full set of REST endpoints, but restricting them somehow to the ones effectively used by your app (HTTP reverse proxy, API gateway, ...).

2. Each user is assigned an agent (a different user in the system with the agent role) for a certain duration. An agent may be changed for a given user from time to time. Agent assignment is done by a manager (another user with the manager role), e.g. user1 may have agent1 from time t0 to t1 and agent2 from time t1 to t2 etc.

3. Fine-grained permissions (entitlements) are required, e.g. an agent can perform buy operations for the users he is assigned, but no sell operation for any user. Also he is allowed to read all the transactions of all users irrespective of his assigned users.

4. An operation can be backdated, e.g. in the above example, for a given date between t0 and t1 only agent1 should be allowed to perform a buy operation for user1, and when the given date is between t1 and t2 agent2 should be allowed.

I would suggest modeling permissions via Privileges [1] (Entitlements [2] are used for the internal delegated administration process), which, being general-purpose JSON objects, can be used to represent any specific domain need; you would also likely need to implement somewhere - possibly in Syncope Core - a module which calculates whether the calling user is entitled to perform the required action on the given object. Before Syncope 3.0 - which we have just started working on - there are no pre-defined features available for access policy definition and evaluation.

5. An external Keycloak SSO server will be used for authentication (I was able to set this up and check that it works). However, I need a way to pull all the users of Keycloak into Syncope with a background job.

Pulling Keycloak's users into Syncope is surely an option, but why don't you simply use Syncope's internal storage as the identity repository for Keycloak? Or set up an LDAP server for such a purpose, which is fed by Syncope? You would avoid pulling with such configurations.

6. The apps (Python/Node.js) can make REST calls to Syncope to get effective permissions, to see whether a given agent has permission for a given user on a given date etc.

Correct, see above.

7. I need the ability to audit and find who was the agent for a given user, and its trail.

You can leverage the auditing features [3] for this.

How can I make use of Syncope for provisioning, organization creation, and finding the permissions/entitlements of a given agent/manager/user with respect to another user?

Regards,
Suresh

[1] http://syncope.apache.org/docs/2.1/reference-guide.html#privileges
[2] http://syncope.apache.org/docs/2.1/reference-guide.html#entitlements
[3] http://syncope.apache.org/docs/2.1/reference-guide.html#audit
--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
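The approach suggested in the reply above (permissions modeled as general-purpose JSON Privilege specs, plus an evaluation module that the app or Syncope Core would have to implement) applied to requirements 2, 3, 4 and 7 of the thread, as an added example that is not part of the original message and not code from the Syncope project. The JSON shape of the privilege specs and assignment records is an assumption made for this example, not Syncope's Privilege format; the sample data is constructed; and the functions are the kind of evaluation module the reply describes, not a Syncope API.

```python
"""Time-bounded agent assignments and privilege evaluation (added example).

Assumed layout, not Syncope's own: a role maps each action to a spec whose
"scope" says which target users the action is allowed on. Assignment windows
are half-open [from, to); "to": None means still open.
"""
from datetime import date

# Constructed sample privilege specs, one per role (shape is an assumption).
ROLE_PRIVILEGES = {
    "agent":   {"buy": {"scope": "assigned_users"}, "read": {"scope": "all_users"}},
    "manager": {"assign_agent": {"scope": "all_users"}, "read": {"scope": "all_users"}},
    "user":    {"read": {"scope": "self"}},
}

# Constructed assignment history (what a manager would record; this is also
# the trail requirement 7 asks for). agent1 -> agent2 hand-over on 2018-06-30.
ASSIGNMENTS = [
    {"user": "user1", "agent": "agent1", "from": "2018-01-01", "to": "2018-06-30"},
    {"user": "user1", "agent": "agent2", "from": "2018-06-30", "to": None},
    {"user": "user2", "agent": "agent1", "from": "2018-03-01", "to": None},
]


def _as_date(value):
    """Accept ISO strings or date objects, so backdated calls can pass a string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def _window(assignment):
    start = _as_date(assignment["from"])
    end = _as_date(assignment["to"]) if assignment["to"] else date.max
    return start, end


def validate_assignments(assignments):
    """Reject overlapping windows for the same user: the answer to
    'who was the agent on day D' must be unique, or backdated checks are ambiguous."""
    by_user = {}
    for a in assignments:
        by_user.setdefault(a["user"], []).append(_window(a))
    for user, windows in by_user.items():
        windows.sort()
        for (_, end_prev), (start_next, _) in zip(windows, windows[1:]):
            if start_next < end_prev:
                raise ValueError(f"overlapping agent assignments for {user}")
    return True


def agent_for(user, on, assignments=ASSIGNMENTS):
    """Agent assigned to `user` on date `on`, or None (requirements 2 and 4)."""
    on = _as_date(on)
    for a in assignments:
        start, end = _window(a)
        if a["user"] == user and start <= on < end:
            return a["agent"]
    return None


def is_entitled(subject, role, action, target_user, on):
    """Deny by default; an action not listed for the role (e.g. agent/sell) is refused."""
    spec = ROLE_PRIVILEGES.get(role, {}).get(action)
    if spec is None:
        return False
    scope = spec["scope"]
    if scope == "all_users":
        return True
    if scope == "self":
        return subject == target_user
    if scope == "assigned_users":
        # Evaluated against the assignment valid on `on`, so backdated requests
        # are checked against the agent of that day, not today's agent.
        return agent_for(target_user, on) == subject
    return False


def assignment_trail(user, assignments=ASSIGNMENTS):
    """Audit-style view: (agent, from, to) rows for a user, oldest first."""
    rows = [(a["agent"], a["from"], a["to"]) for a in assignments if a["user"] == user]
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    validate_assignments(ASSIGNMENTS)
    print("agent for user1 on 2018-03-01:", agent_for("user1", "2018-03-01"))
    print("agent1 buy for user1 on 2018-03-01:",
          is_entitled("agent1", "agent", "buy", "user1", "2018-03-01"))
    print("agent2 buy for user1 on 2018-03-01 (backdated):",
          is_entitled("agent2", "agent", "buy", "user1", "2018-03-01"))
    print("agent1 sell for user1:", is_entitled("agent1", "agent", "sell", "user1", "2018-03-01"))
    print("trail for user1:", assignment_trail("user1"))
```

The two points worth keeping when moving this into a real module: the date of the operation, not the wall clock, selects the assignment window (that is what makes requirement 4 work), and the overlap check runs whenever a manager records a new assignment, since an overlapping window would let two agents pass the same backdated check.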
