Hi Francesco, On Wed, Feb 1, 2017 at 10:54 AM, Francesco Chicchiriccò <ilgro...@apache.org > wrote:
> I agree that the existing Roles in Syncope are fine to map that concept; > the problem I see to assimilate the existing Entitlements with the new > entities being discussed so far in this thread, e.g. Privileges and > Applications. > > Entitlements are a pre-defined set of strings (which can also be extended, > as we see in the Camel Provisioning Manager), specifically targeted to > implement delegated administration, e.g. only for internal purpose. > > Privileges could be instead used to model the rights on a given > Application; please note that the former might depend on the latter, e.g. > "POST on /a/b/c" but also "Administer printers". > > Summarizing: while Roles currently have only Entitlements associated, in > the future we might also associate Privileges (which in turn are related to > Applications) to them. As a result, user U with role R will own both > Entitlements and Privileges. > > If "privilege" is not suitable as name, let's then rename the existing > Entitlements to something else and use the word "entitlement" to model the > new concept instead. > OK this all sounds fine to me. Hopefully we are nearing agreement :-) <SNIP from other email> I don't see the point in associating Groups to Roles: the former are both > for Users and Any Objects, the latter only for Users. > > Moreover, you can always define dynamic Group memberships based on Role > assignment and vice-versa [1][2], e.g. User U is dynamically assigned role > R because he is member of Group G or U is dynamically member of G because > he has R assigned. I agree that dynamic role association due to group membership models the scenario of "every user in Group X should have role Y". There's probably nothing too objectionable about supporting being able to statically configure it though. Are there potential performance problems with dynamic membership I wonder if you're dealing with large amounts of entities? Colm. > > Regards. > > -- > Francesco Chicchiriccò > > Tirasa - Open Source Excellence > http://www.tirasa.net/ > > Member at The Apache Software Foundation > Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail > http://home.apache.org/~ilgrosso/ > > -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
