On 30/03/2012 15:13, Colm O hEigeartaigh wrote:
> Hi Francesco,
>
>> let me clarify one point: if role A (with entitlement E) has child role
>> B, and user U has role B assigned, this DOES NOT IMPLY that user U has
>> role A assigned as well.
>> When defining roles, you can choose whether a role will inherit some
>> information (entitlements, for example) from its parent.
> Are you referring to the "inherit attributes" checkbox when creating a
> child role? What is the exact meaning of this - that the child role
> does not inherit any attributes or entitlements from the parent role?
> Or is it stronger as you seem to be implying in the example, that no
> hierarchy exists (i.e. a user in the child role does not inherit the
> parent role at all when this box is ticked)?

Oops, I now realize that my sample was bound to an old version: you are right: entitlements are ALWAYS inherited, but there are many things that a role can inherit from its parent:

 * attributes (the checkbox you are referring to above, under tab "Attributes")
 * derived attributes (under tab "Derived Attributes")
 * virtual attributes (under tab "Virtual Attributes")
 * password policies
 * account policies

Role hierarchy exists because each role might have a parent role and child roles can inherit from parent roles.
But, as I've said before, user U is member of B, not A.

In this sense, one can say that roles are hierarchical but role assignments (a.k.a. memberships) are not hierarchical.

Regards.

> 2012/3/30 Francesco Chicchiriccò <[email protected]>:
>> On 30/03/2012 14:48, Bob Lannoy wrote:
>>> On 30 March 2012 14:29, Colm O hEigeartaigh <[email protected]> wrote:
>>>> Hi Bob,
>>>>
>>>> I've been running into similar issues.
>>>>
>>>>> - /auth/getentitlements doesn't give me the roles of the connected user
>>>> It gives you the list of entitlements associated with the roles of the
>>>> connected user. Perhaps this controller should also have a similar
>>>> method for returning a list of role names of the connected user as
>>>> well?
>>> Through the console both are mixed so I confused entitlements with the
>>> roles.
>>> A "getroles" method for the connected user would indeed be handy.
>>> Ideally it could return the child with its parents
>>>
>>> I could try to have a go at it although I'm not a hard core developer ;)
>> Hi,
>> let me clarify one point: if role A (with entitlement E) has child role
>> B, and user U has role B assigned, this DOES NOT IMPLY that user U has
>> role A assigned as well.
>>
>> When defining roles, you can choose whether a role will inherit some
>> information (entitlements, for example) from its parent.
>>
>> This means, referring to example above, that if B is configured to
>> inherit entitlements from A, user U will have entitlement E.
>>
>> Hence, a method like the one above proposed by Colm will not be needed:
>> when using the self-read REST method (as indicated by Fabio in another
>> e-mail), you will find such information in UserTO.getRoles().

-- 
Francesco Chicchiriccò

Apache Cocoon PMC and Apache Syncope PPMC Member
http://people.apache.org/~ilgrosso/
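
A simplified model of the semantics described in the reply above, added here as an example and not taken from the thread or from Syncope's code: entitlements flow down the role hierarchy, attributes flow only when the inherit flag is set, and memberships stay flat. The names `Role`, `ancestors`, `effective_entitlements`, `effective_attributes` and `memberships` are hypothetical, and the way the flag chains across several levels is an assumption.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Role:
    name: str
    parent: Optional["Role"] = None
    entitlements: set = field(default_factory=set)
    attributes: dict = field(default_factory=dict)
    inherit_attributes: bool = False  # models the "inherit attributes" checkbox

def ancestors(role):
    """Yield the role and each parent up to the root; reject cyclic hierarchies."""
    seen = set()
    while role is not None:
        if role.name in seen:
            raise ValueError(f"cycle in role hierarchy at {role.name}")
        seen.add(role.name)
        yield role
        role = role.parent

def effective_entitlements(assigned):
    """Entitlements are always inherited from every ancestor of an assigned role."""
    return {e for r in assigned for a in ancestors(r) for e in a.entitlements}

def effective_attributes(role):
    """Assumption: parent attributes apply only while each role on the path opts in."""
    chain = []
    for r in ancestors(role):
        chain.append(r)
        if not r.inherit_attributes:
            break
    merged = {}
    for r in reversed(chain):  # the nearest role overrides its ancestors
        merged.update(r.attributes)
    return merged

def memberships(assigned):
    """Memberships are not hierarchical: only directly assigned roles count."""
    return {r.name for r in assigned}

# Constructed sample matching the thread: A (entitlement E) is the parent of B,
# and user U is assigned B only.
A = Role("A", entitlements={"E"}, attributes={"dept": "ops"})
B = Role("B", parent=A)
U = [B]
```

An authorization check written against entitlements grants U access to anything guarded by E, while a check written against the role name "A" does not match U.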
