Hi Joerg,

Yes, your observation is correct. Currently group principals cannot be added as impersonators. Quite frankly, I don't recall why exactly we didn't allow for this. The evaluation of whether impersonation is granted takes a Subject as parameter, which may also contain group principals. So, expensive group membership resolution wouldn't be needed at this point. Maybe JIRA contains the information I don't recall right now... otherwise feel free to create an improvement request.

Kind regards
Angela

________________________________
From: Jörg Hoh <jhoh...@googlemail.com.INVALID>
Sent: Tuesday, May 19, 2020 5:50 PM
To: users@jackrabbit.apache.org <users@jackrabbit.apache.org>
Subject: Specify a group as impersonators

Hi,

On a test system (Oak 1.8-based) I have a number of users who are supposed to test my application; in order to do so, multiple roles (implemented as a set of JCR groups) are required. I cannot assign them all these roles at once, because many of them would conflict in terms of permissions.

Instead of creating a bunch of individual (JCR) users for each of my testers, I want to have personalized accounts, which can then impersonate a number of prepared JCR user accounts (role accounts) to execute the tests. This makes the user management much easier, as these testers authenticate via an IDP, and I cannot/don't want to provide each tester with multiple IDP accounts.

Therefore I would like to configure these role accounts so that any member of the "testers" group is able to impersonate such a role account. Based on my experiments this is not possible right now; I can only assign users as impersonators, but not groups.

Is my observation correct, or did I miss something? I would like to avoid iterating through all members of the "testers" group and adding them, because the members of my testers group are likely to change every now and then, and I would like to avoid updating the impersonators property all the time.

regards,
Jörg

--
http://cqdump.wordpress.com
Twitter: @joerghoh