On 29/04/2013 13:45, Oliver Wulff wrote:
Hi there
In our environment each application has its own roles assigned, which
means you might have the ADMIN role for application A but not for
application B. Does Syncope already support this functionality? Or
might it be supported in the future?
To map this to LDAP, global (application/realm independent) roles
could be defined in the entry "ou=groups", whereas application-specific
roles are defined in the entry "ou=<application id>,ou=groups,...".
What do you think?
Hi Oliver,
first of all a disclaimer: realm support is not currently available in
Syncope 1.1.X but is scheduled for 1.2.0 (see [1] for more information).
You might, however, use role inheritance to try to implement
something similar; suppose your role tree is as follows:

/
|-- application A
|   `-- admin
`-- application B
    `-- admin

i.e. two root roles ("application A" and "application B"), with a child
role each, named "admin" for both.
You can control where such roles will be created in LDAP by playing with
LDAP connectors/resources.
For example, you might define a single LDAP connector with no group
container information and set this property as overridable.
Then you will have to create an external resource with group container
at "ou=Groups,...", another at "ou=appA,ou=Groups,..." and a third at
"ou=appB,ou=Groups,...".
Finally, you will associate such resources with the roles above.
I have not needed to implement this so far in the projects I've been
deploying, hence I can only say this *should* work.
Regards.
[1] https://cwiki.apache.org/confluence/display/SYNCOPE/Roadmap
--
Francesco Chicchiriccò
ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
http://people.apache.org/~ilgrosso/
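Added example (not code from Syncope, nor from either poster): a small stand-alone model of the LDAP layout proposed above, together with the check an application would run to answer the original question, "is this user ADMIN for application A but not for application B?". The base DN dc=example,dc=com, the application ids "appA"/"appB" used as OU names, the global role "auditor" and the sample group DNs are all constructed for this example; the thread itself only fixes the "ou=Groups,...", "ou=appA,ou=Groups,..." and "ou=appB,ou=Groups,..." containers.

```python
# Added example, not Syncope's own code: models the per-application role
# layout from the thread and derives application-scoped roles from the DNs
# of the groups a user belongs to (e.g. a memberOf attribute or a member
# search).  Assumed: base DN dc=example,dc=com, OU names equal to the
# application ids, and a global role "auditor" directly under ou=Groups.

BASE_DN = "dc=example,dc=com"            # assumption for this example
GROUPS_DN = f"ou=Groups,{BASE_DN}"       # the "ou=Groups,..." container from the reply

# Role tree from the reply, keyed by path, mapped to the group container of
# the external resource each role is associated with.
ROLE_RESOURCES = {
    "appA": f"ou=appA,{GROUPS_DN}",
    "appA/admin": f"ou=appA,{GROUPS_DN}",
    "appB": f"ou=appB,{GROUPS_DN}",
    "appB/admin": f"ou=appB,{GROUPS_DN}",
    "auditor": GROUPS_DN,                # assumed global role, not in the thread
}


def split_dn(dn):
    """Split a DN into its RDN strings, honouring backslash-escaped commas (RFC 4514)."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return rdns


def rdn_value(rdn):
    """Value part of a single RDN, with escaped commas unescaped."""
    return rdn.partition("=")[2].replace("\\,", ",")


def group_dn(role_path):
    """DN of the group a role is provisioned to: cn = last path element, under its resource's container."""
    return f"cn={role_path.rsplit('/', 1)[-1]},{ROLE_RESOURCES[role_path]}"


def role_scope(dn):
    """Map a group DN to (application, role); application is None for a global group.

    DN attribute types and ou values match case-insensitively, so "ou=groups"
    (as written in the question) and "ou=Groups" (as in the reply) are the
    same container.
    """
    rdns = [r.lower() for r in split_dn(dn)]
    base = [r.lower() for r in split_dn(GROUPS_DN)]
    if rdns[-len(base):] != base:
        raise ValueError(f"not under {GROUPS_DN}: {dn}")
    local = split_dn(dn)[:-len(base)]
    if len(local) == 1:                                           # cn=<role>,ou=Groups,...
        return None, rdn_value(local[0])
    if len(local) == 2 and local[1].lower().startswith("ou="):    # cn=<role>,ou=<app>,ou=Groups,...
        return rdn_value(local[1]), rdn_value(local[0])
    raise ValueError(f"unexpected group layout: {dn}")


def roles_by_application(member_of):
    """{application: {role, ...}} for a list of group DNs; key None holds the global roles."""
    roles = {}
    for dn in member_of:
        app, role = role_scope(dn)
        roles.setdefault(app, set()).add(role)
    return roles


def has_role(member_of, application, role):
    """True iff the user holds `role` scoped to `application`; global roles do not count here."""
    return role in roles_by_application(member_of).get(application, set())


if __name__ == "__main__":
    # Constructed sample user: admin of appA, plain member of appB, plus a global role.
    groups = [
        group_dn("appA/admin"),
        "cn=appB,ou=appB,ou=Groups,dc=example,dc=com",
        "cn=auditor,ou=groups,dc=example,dc=com",   # lowercase ou, as spelled in the question
    ]
    print(roles_by_application(groups))
    print("admin for appA:", has_role(groups, "appA", "admin"))
    print("admin for appB:", has_role(groups, "appB", "admin"))
```

The scoping decision is taken purely from the DN shape (a group directly under ou=Groups is global, a group one OU deeper belongs to that OU's application), which is exactly what the three resources with different group containers produce; anything that does not fit either shape is rejected rather than silently treated as global, so a group provisioned into the wrong container cannot grant a cross-application role by accident.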