[
https://issues.apache.org/jira/browse/SYNCOPE-1067?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16044226#comment-16044226
]
ASF subversion and git services commented on SYNCOPE-1067:
----------------------------------------------------------
Commit 1ad3055802d6195dbaaeee186e512d38defdcaad in syncope's branch
refs/heads/2_0_X from [~ilgrosso]
[ https://git-wip-us.apache.org/repos/asf?p=syncope.git;h=1ad3055 ]
[SYNCOPE-1067] Check that any USER / GROUP / ANYOBJECT UPDATE under DynRealm
authorization cannot alter the set of DynRealms
> More flexible delegated administration model
> --------------------------------------------
>
> Key: SYNCOPE-1067
> URL: https://issues.apache.org/jira/browse/SYNCOPE-1067
> Project: Syncope
> Issue Type: Improvement
> Components: console, core
> Reporter: Francesco Chicchiriccò
> Assignee: Francesco Chicchiriccò
> Fix For: 2.0.4, 2.1.0
>
>
> The current implementation of [delegated
> administration|https://syncope.apache.org/docs/reference-guide.html#delegated-administration]
> relies on Roles, where each Role associates a set of Entitlements (e.g.
> administrative actions) to a set of Realms (e.g. containers for Users /
> Groups / Any Objects).
> This requires, however, that the set of Users / Groups / Any Objects to
> administer is somehow statically defined by containment: "administrators with
> role R can manage users under realms /a and /b" works as long as users to
> administer are fully contained by the Realms /a and /b; but what if the set
> of Users that R can administer needs to be dynamically defined, say by the
> value of a 'department' attribute?
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
