[SYNCOPE-1189] Clarifying about additional entitlements needed for delegated administration via Admin Console
Project: http://git-wip-us.apache.org/repos/asf/syncope/repo Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/b7458d07 Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/b7458d07 Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/b7458d07 Branch: refs/heads/master Commit: b7458d070f88a18ea098dc0196177a502f0623ac Parents: 0d93a3a Author: Francesco Chicchiriccò <ilgro...@apache.org> Authored: Tue Aug 8 12:40:22 2017 +0200 Committer: Francesco Chicchiriccò <ilgro...@apache.org> Committed: Tue Aug 8 12:40:45 2017 +0200 ---------------------------------------------------------------------- pom.xml | 4 ++-- .../reference-guide/concepts/roles.adoc | 22 ++++++++++++++++++++ 2 files changed, 24 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/syncope/blob/b7458d07/pom.xml ---------------------------------------------------------------------- diff --git a/pom.xml b/pom.xml index 3c23485..6c7bb02 100644 --- a/pom.xml +++ b/pom.xml @@ -2257,7 +2257,7 @@ under the License. <plugin> <groupId>org.asciidoctor</groupId> <artifactId>asciidoctor-maven-plugin</artifactId> - <version>1.5.6</version> + <version>1.5.5</version> <dependencies> <dependency> <groupId>org.asciidoctor</groupId> @@ -2267,7 +2267,7 @@ under the License. <dependency> <groupId>org.asciidoctor</groupId> <artifactId>asciidoctorj</artifactId> - <version>1.5.5</version> + <version>1.5.6</version> </dependency> </dependencies> <configuration> http://git-wip-us.apache.org/repos/asf/syncope/blob/b7458d07/src/main/asciidoc/reference-guide/concepts/roles.adoc ---------------------------------------------------------------------- diff --git a/src/main/asciidoc/reference-guide/concepts/roles.adoc b/src/main/asciidoc/reference-guide/concepts/roles.adoc index 662febc..63949f4 100644 --- a/src/main/asciidoc/reference-guide/concepts/roles.adoc +++ b/src/main/asciidoc/reference-guide/concepts/roles.adoc 
@@ -81,3 +81,25 @@ The practical consequence of this setting is that Users owning a Group (either b or members of the owning group) is that they are entitled to perform all operations (create, update, delete, ...) on the owned group, regardless of the Realm. ==== + +[[delegated-administration-console]] +[TIP] +.Delegated Administration via Admin Console +==== +When administering via <<REST>>, the entitlements to be granted to delegated administrators are straightforward: +`USER_CREATE` for certain <<Realms>> will allow to create users under such Realms. + +When using the <<Admin Console>>, instead, more entitlements are generally required: this because the underlying +implementation takes care of simplifying the UX as much as possible. + +For example, the following entitlements are normally required to be granted for user administration, besides the actual +`USER_CREATE`, `USER_UPDATE` and `USER_DELETE`: + +. `USER_SEARCH` +. `USER_LIST` +. `ANYTYPECLASS_READ` +. `ANYTYPE_LIST` +. `ANYTYPECLASS_LIST` +. `USER_READ` +. `ANYTYPE_READ` +. `REALM_LIST` +====
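Review bot: In the two pom.xml hunks, the `asciidoctor-maven-plugin` version goes down from 1.5.6 to 1.5.5 while its `asciidoctorj` dependency goes up from 1.5.5 to 1.5.6. Neither change is mentioned in the commit subject, which only covers the entitlement documentation. A build-plugin downgrade bundled into a documentation commit is easy to miss when auditing build-tool versions later. Consider moving it to its own commit, or adding a line to the message that says why the two versions were swapped.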
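Review bot: In the new TIP block of roles.adoc, the first paragraph scopes `USER_CREATE` to "certain Realms", but the list of additional entitlements (`USER_SEARCH` through `REALM_LIST`) does not say on which Realms they have to be granted. That is the detail someone needs when setting up a delegated administrator with least privilege, so it would help to state whether they are granted for the same Realms as `USER_CREATE`. On wording, "this because the underlying" should read "this is because the underlying", and "will allow to create users" reads better as "will allow creating users". The entitlements are also written as a numbered list (`.` markers) although their order does not appear to matter; `*` markers would fit better.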