[ 
https://issues.apache.org/jira/browse/SYNCOPE-1067?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16044227#comment-16044227
 ] 

ASF subversion and git services commented on SYNCOPE-1067:
----------------------------------------------------------

Commit f74ce5dee37f7e5157a3c84f00119d2ffa422e6f in syncope's branch 
refs/heads/master from [~ilgrosso]
[ https://git-wip-us.apache.org/repos/asf?p=syncope.git;h=f74ce5d ]

[SYNCOPE-1067] Check that any USER / GROUP / ANYOBJECT UPDATE under DynRealm 
authorization cannot alter the set of DynRealms


> More flexible delegated administration model
> --------------------------------------------
>
>                 Key: SYNCOPE-1067
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-1067
>             Project: Syncope
>          Issue Type: Improvement
>          Components: console, core
>            Reporter: Francesco Chicchiriccò
>            Assignee: Francesco Chicchiriccò
>             Fix For: 2.0.4, 2.1.0
>
>
> The current implementation of [delegated 
> administration|https://syncope.apache.org/docs/reference-guide.html#delegated-administration]
>  relies on Roles, where each Role associates a set of Entitlements (e.g. 
> administrative actions) to a set of Realms (e.g. containers for Users / 
> Groups / Any Objects).
> This requires, however, that the set of Users / Groups / Any Objects to 
> administer is somehow statically defined by containment: "administrators with 
> role R can manage users under realms /a and /b" works as long as users to 
> administer are fully contained by the Realms /a and /b; but what if the set 
> of Users that R can administer needs to be dynamically defined, say by the 
> value of a 'department' attribute?



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to