Hi Supun,

You can try XACML. But XACML is for fine-grained authorisation. But in
gateways we expect there will be well-defined roles and well-defined
authorization points. Therefore, IMO, we don't need XACML authorisation.
(At least for now).

Thanks
-Thejaka Amila


On Mon, Jun 30, 2014 at 3:29 PM, Supun Nakandala <supun.nakand...@gmail.com> wrote:

> Hi Amila,
>
> With some quick research on the functionality of WSO2 IS, I found that with
> XACML-based entitlement management and roles the expected behavior is
> attainable. I am looking into this in more detail now.
>
> Thank you
>
>
> On Mon, Jun 30, 2014 at 1:23 PM, Amila Jayasekara <thejaka.am...@gmail.com> wrote:
>
>> Hi Supun,
>>
>> I would expect the following (others please correct me if I am wrong):
>>
>> We need to control access to API functions through roles. Also IS has a
>> notion of permissions and resources. So the resources are mapped to
>> functions defined in the thrift API. So a permission would look as follows
>> (hypothetically):
>>
>> permission = ("execute", /scigap/thrift/executeExperiment);
>>
>> We should be able to attach such permissions to roles. So when a user
>> invokes an API function we need to do the following:
>> 1. find user's role
>> 2. examine role's permissions
>> 3. check whether any role has permission relevant to invoking function
>>
>> AFAIK IS provides a way to define permissions and attach them to roles.
>> You may need to check how those can be used through APIs and how to achieve
>> the above-described functionality.
>>
>>
> Thanks
>> Regards
>> -Thejaka Amila
>>
>>
>>
>>
>> On Sun, Jun 29, 2014 at 2:19 PM, Supun Nakandala <supun.nakand...@gmail.com> wrote:
>>
>>> Hi all,
>>>
>>> I am in the process of incorporating the notion of roles into the PHP
>>> Reference Gateway using the proxy user API that I am developing. WSO2 IS
>>> enables the tenant admin (gateway admin) to create roles and assign users
>>> to roles (many-to-many mapping). From the gateway side we can consume these
>>> services and implement role-based user functionality. The roles defined
>>> will only be visible to that particular gateway (tenant).
>>>
>>> I would like to know what type of role based functionality is required
>>> in the context of the PHP Reference Gateway.
>>>
>>> Thank you.
>>> Supun
>>>
>>
>>
>
>
> --
> Thank you
> Supun Nakandala
> Dept. Computer Science and Engineering
> University of Moratuwa
>
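An added example, not code from the thread, the gateway or WSO2 IS: a deny-by-default check implementing the three steps Amila lists, with each Thrift API function wrapped as a well-defined authorization point. The role and user tables are constructed stand-ins for what a gateway would fetch from IS, and the `/scigap/thrift/` resource prefix and the function names are assumptions.

```python
from functools import wraps
from typing import Dict, FrozenSet, Set, Tuple

Permission = Tuple[str, str]  # (action, resource), the shape proposed in the thread
R = "/scigap/thrift/"         # assumed prefix mapping an API function name to its resource

ROLE_PERMISSIONS: Dict[str, FrozenSet[Permission]] = {  # constructed; a gateway would fetch these from WSO2 IS
    "gateway-admin": frozenset({("execute", R + "executeExperiment"),
                                ("execute", R + "deleteExperiment"),
                                ("read", R + "getExperiment")}),
    "gateway-user": frozenset({("execute", R + "executeExperiment"), ("read", R + "getExperiment")}),
}
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"gateway-admin", "gateway-user"},  # many-to-many: several roles per user
    "bob": {"gateway-user"},
    "carol": set(),                              # provisioned, no role assigned yet
}

class AuthorizationError(PermissionError):
    ...

def granting_role(user: str, action: str, function_name: str):
    """Steps 1-3 from the thread: find the user's roles, examine each role's permissions
    and return the first role holding the needed one; anything unknown ends in None (deny)."""
    needed: Permission = (action, R + function_name)
    for role in sorted(USER_ROLES.get(user, set())):  # sorted only for a stable answer
        if needed in ROLE_PERMISSIONS.get(role, frozenset()):
            return role
    return None

def requires(action: str):  # decorator: marks an API function as an authorization point
    def decorate(func):
        @wraps(func)
        def guarded(user: str, *args, **kwargs):
            if granting_role(user, action, func.__name__) is None:
                raise AuthorizationError(f"{user!r} may not {action} {func.__name__}")
            return func(user, *args, **kwargs)
        return guarded
    return decorate

@requires("execute")
def executeExperiment(user: str, experiment_id: str) -> str:
    return f"started {experiment_id} for {user}"

def denied(call, *args) -> bool:  # True if the guard refused the call
    try:
        call(*args)
    except AuthorizationError:
        return True
    return False
```

Unknown users, roles with no entry and unmapped functions all land on the deny path, which is the property to keep when the tables are replaced by live IS lookups.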
