On 08/02/2013 17:10, Colm O hEigeartaigh wrote:
> Hi all,
> I'm experimenting with synchronizing roles into Syncope on trunk.
> Firstly, what is the difference between a User mapping in a Resource where
> you select "ROLE" as the entity, and the Role Mapping tab where you can
> only select "ROLE"?
When you add a mapping item for users with ROLE entities, you are
propagating the value(s) of a role attribute as part of the user data.
Here you are managing a user (i.e. ObjectClass.ACCOUNT for ConnId).
When you add a mapping item for roles (only ROLE entities allowed), you
are propagating the role data. Here you are managing a role (i.e.
ObjectClass.GROUP for ConnId).
> Let's say I have a database table with a Username, Password, some
> attributes, and a Role name. I want to import this Role into Syncope and
> also see that the User has this Role when I edit the User in the Console.
> Is this possible?
The basic idea is that for propagating / synchronizing users you need a
ConnId connector supporting ObjectClass.ACCOUNT (all available connector
bundles) while for propagating / synchronizing roles you need a ConnId
connector supporting ObjectClass.GROUP (only the LDAP connector bundle,
currently).
Moreover, the use case you report above is for propagating memberships
(i.e. the fact that a user belongs to a role), not the role itself.
Propagating memberships is not supported by the ConnId framework;
however, I've developed some simple actions for achieving this goal, at
least for LDAP as part of SYNCOPE-26.
Hope this clarifies a bit.
Regards.
--
Francesco Chicchiriccò
ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
http://people.apache.org/~ilgrosso/