Hi Colm,
thanks for starting this discussion, it something that has been popping
out several times in the past ([1][2][3][4][5] just to say some).
With "dynamic entitlements", I think you are referring to privilege
management, e.g. the ability to discover, define and map the rights that
users own on external resources.
I would not confuse this, however, with Syncope entitlements: starting
with 2.0, in fact, we now finally have a stable mechanism for which
entitlements are defined as constants in Java classes (and extensions
might add their own, as shown by the Camel Provisioning Manager), with
positive effects on code organization both for Core's Spring Security
configuration and Admin Console's delegated administration.
I think that privilege management is a great addition to Syncope; here
are few items coming to my mind:
1. privileges must be represented as (JPA) entities, have their own TO,
REST endpoint, Admin Console management, etc. (as all other entities)
2. privileges should be defined / discovered in external resource(s):
resource R1 defines privileges P1, P2, P3; resource R2 defines
privileges P4,P5; about discovery, ConnId does not provide (yet?) any
primitive
3. privileges should be grouped somehow and finally assigned to users,
but depend on each external resource
4. privileges are not really for users (in the way Syncope defines them)
but rather for accounts, e.g. the mapped counterpart of a Syncope user
onto a given external resource.
I think we could take the chance to add both privilege management and
multi-account management (see SYNCOPE-957): both features require in
fact a new concept to be introduced in Syncope: accounts.
Naturally, I don't see any chance to land all above in 2.0 (considerable
changes involved, even for internal storage); it will be 2.1 at least.
Regards.
[1]
https://lists.apache.org/thread.html/5e6936a1a9e7fef1f42e7e2261e5fd5dd3ab6aaee669cc82f16284c6@%3Cuser.syncope.apache.org%3E
[2]
https://lists.apache.org/thread.html/947d7261a242cb729aafb551b28fa9bad6c81c2e02eb6f2ec98b7a0a@1428995050@%3Cuser.syncope.apache.org%3E
[3]
https://lists.apache.org/thread.html/4662efa8948fc9bba944d8d85ddf902d6c900530ccf78d50df9adb90@1386320489@%3Cuser.syncope.apache.org%3E
[4]
https://lists.apache.org/thread.html/be01e1d26de4f7b9ce38026364566dc606496d19eba7e008efa227a0@1375945339@%3Cuser.syncope.apache.org%3E
[5]
https://lists.apache.org/thread.html/e4b5727f8506cdca10cf2a6e4332ed23e9c6f73679fa397bb277abe4@1367333293@%3Cuser.syncope.apache.org%3E
On 19/01/2017 17:53, Colm O hEigeartaigh wrote:
Hi all,
I'd like to discuss the possibility of supporting dynamic entitlements in
Apache Syncope. The goals being to explore if the Apache Syncope community
feels that this is a good idea, and if so to try to break the various work
items down and start creating JIRAs etc.
Entitlements in Apache Syncope are currently statically defined and are
used for internal authorization purposes only. The problem arises when you
start considering things like integrating SCIM with Syncope, as the
concepts of roles/entitlements in SCIM do not map naturally to groups in
Syncope.
So it would be great to be able to map roles/entitlements associated with
users directly to the same concepts in Syncope. I don't know whether it
might be desirable to have different types of entitlements, e.g. whether we
want to maintain a separation between "internal" entitlements used for
authorization in Syncope, and general entitlements meant for external
consumption.
The task would involve some UI work to be able to create entitlements. I'm
not sure off-hand if we require REST changes, as we can get the
entitlements of a User by getting the roles of the user, and then querying
the entitlements associated with the role etc.
Is it possible to associate roles with a group and then have members of
that group inherit the entitlements?
WDYT?
Colm.
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
