[ https://issues.apache.org/jira/browse/SYNCOPE-249?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Francesco Chicchiriccò reassigned SYNCOPE-249:
----------------------------------------------

    Assignee: Francesco Chicchiriccò

> Implement RoleOwnerSchema for role propagation and synchronization
> ------------------------------------------------------------------
>
>                 Key: SYNCOPE-249
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-249
>             Project: Syncope
>          Issue Type: Improvement
>    Affects Versions: 1.1.0
>            Reporter: Francesco Chicchiriccò
>            Assignee: Francesco Chicchiriccò
>             Fix For: 1.1.0
>
>
> SYNCOPE-225 introduced the concept of role owner, that could be either a user
> or another role (not both at the same time).
> Test content provides an example of how role owner can be propagated by
> empowering a derived attribute (ownerDN): this approach is working only for
> propagation and makes the AccountLink expression duplicated.
> A more complete approach is to define a new type of internal mapping,
> RoleOwnerSchema.
> During role propagation (in MappingUtil.getIntValues()):
>  * if userOwner != null and the propagating resource has UMapping defined
>  * if roleOwner != null (the propagating resource has RMapping because of the
> ongoing propagation)
> the AccountLink (or AccountId if no AccountLink is defined) is generated and
> given as value for the external attribute mapped to RoleOwnerSchema
> During role synchronization (in
> ConnObjectUtil.getAttributableTOFromConnObject()), if a value is present in
> the ConnectorObject for the role being synchronized, this value must be used
> for searching the same connector for either ObjectClass.ACCOUNT and
> ObjectClass.GROUP; if a unique match is found, the matching ConnectorObject
> can be used to find the corresponding Syncope entity (user or role); now
> userOwner or roleOwner of the role being synchronized can be set.
> Especially in case of roleOwner, precedence issues must be taken into
> account: it might happen, in fact, that the owned role is being synchronized
> before the owner role synchronization takes place.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
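
The synchronization step described in the issue, as an added example that is not part of the original message or of Syncope's code: the owner value is searched across both object classes, an owner is set only on a unique match, and role owners are assigned in a second pass so that an owned role arriving before its owner still resolves. The dictionaries stand in for connector searches, and all names and DNs are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (hypothetical): Syncope name -> link value on the resource.
ACCOUNTS = {"rossini": "uid=rossini,ou=people,o=isp", "ops": "cn=ops,o=isp"}
GROUPS = {"director": "cn=director,ou=groups,o=isp",
          "child": "cn=child,ou=groups,o=isp", "ops-team": "cn=ops,o=isp"}
# Roles in the order the connector returns them: (role name, owner value or None).
INCOMING = [("child", "cn=director,ou=groups,o=isp"),   # owner role arrives later
            ("director", "uid=rossini,ou=people,o=isp"),
            ("audit", "cn=ops,o=isp"),                  # matches a user AND a role
            ("guest", None)]

@dataclass
class Role:
    name: str
    user_owner: Optional[str] = None
    role_owner: Optional[str] = None

def find_owner(link, accounts, groups):
    """Search both object classes; return (kind, name) only for a unique match."""
    hits = [("user", n) for n, v in accounts.items() if v == link]
    hits += [("role", n) for n, v in groups.items() if v == link]
    return hits[0] if len(hits) == 1 else None

def synchronize(incoming, accounts, groups):
    """Two-pass sync: create roles first, set role owners once all roles exist."""
    roles, deferred, unresolved = {}, [], []
    for name, link in incoming:
        roles[name] = Role(name)
        if link is None:
            continue
        owner = find_owner(link, accounts, groups)
        if owner is None:
            unresolved.append(name)      # no match or ambiguous: leave owner unset
        elif owner[0] == "user":
            roles[name].user_owner = owner[1]
        else:
            deferred.append((name, owner[1]))  # owner role may not be synced yet
    for name, owner_name in deferred:
        if owner_name in roles:
            roles[name].role_owner = owner_name
        else:
            unresolved.append(name)
    return roles, unresolved

if __name__ == "__main__":
    synced, skipped = synchronize(INCOMING, ACCOUNTS, GROUPS)
    for r in synced.values():
        print(r)
    print("owner not set:", skipped)
```

Leaving the owner unset on an ambiguous or missing match keeps ownership from being granted to the wrong entity; the unresolved list is what an operator would review.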