Hi,

Maybe I should try to explain a bit more on what I'm trying to achieve ;)

- I have an external application that contains some general roles, and possibly custom roles for specific elements.
- Several organisations will use that application.

I was thinking that Syncope could manage the users of those organisations, which means:

- an admin user from orgA can create users for orgA and assign application roles to them
- an admin user from orgB can create users for orgB and assign application roles to them

The external app would then have to authenticate the user and get the application roles.

However, there is no notion of organisational structure in Syncope, so I tried a role hierarchy to model a basic structure:

orgA (roletype=org)
-users
--user (roletype=user)
--admin (roletype=user)
-applications
--app1 (roletype=app)
orgB
....
-applications
--app2 (roletype=app)

I could use the Syncope entitlements so that the admin role in orgA can only create users in the orgA/users/user role and assign application roles.

From the application side I would have to get info from Syncope stating that user X from orgA has the application roles app1 and app2. In my case I would get the role "user" and need to get the parent with roletype=org to find the org name.

But maybe I'm looking at it the wrong way.

Bob

On 30 March 2012 15:09, Colm O hEigeartaigh <[email protected]> wrote:
> Hi Fabio,
>
>> Further, you have the method verifyPassword provided by UserController that
>> could be used to verify userid/password.
>> This method, for security reasons, can be called only by a user with USER_READ
>> capability.
>
> Consider the use-case as mentioned by Bob, where you have a third
> party application which receives login credentials and wishes to
> authenticate the user, and retrieve the roles associated with that
> user for authorization. If the application logs on with the received
> username/password, then it is assuming that the given user has a
> USER_READ entitlement. IMO the application would log on with its own
> credentials, and wish to authenticate the given username/password via
> some kind of "authenticateUser" method as I mentioned before.
>
> Do you see a use-case for this kind of functionality or am I missing
> something?
>
>> Actually users have only the roles explicitly assigned.
>
> The question is whether it is possible to easily retrieve the
> hierarchy of roles for a particular user (or the authenticated user)?
>
> Thanks,
>
> Colm.
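As an added example (not Syncope code, and not from Bob's or Colm's mail): a small stand-alone model of the role tree sketched above, which resolves a user's org by walking up to the nearest roletype=org ancestor and checks that an org admin can only grant roles living under its own org. The "node" roletype given to the plain users/applications containers is an assumption, since the mail assigns them none.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Role:
    name: str
    roletype: str                    # "org", "user", "app"; "node" assumed for plain containers
    parent: Optional["Role"] = None

def build_tree() -> Dict[str, Role]:
    """Constructed sample tree mirroring the hierarchy sketched in the mail."""
    roles: Dict[str, Role] = {}

    def add(path: str, roletype: str) -> None:
        parts = path.split("/")
        parent = roles["/".join(parts[:-1])] if len(parts) > 1 else None
        roles[path] = Role(parts[-1], roletype, parent)

    for org, app in (("orgA", "app1"), ("orgB", "app2")):
        add(org, "org")
        add(f"{org}/users", "node")
        add(f"{org}/users/user", "user")
        add(f"{org}/users/admin", "user")
        add(f"{org}/applications", "node")
        add(f"{org}/applications/{app}", "app")
    return roles

def org_of(role: Role) -> Optional[str]:
    """Walk the parent chain to the nearest ancestor with roletype 'org'."""
    node: Optional[Role] = role
    while node is not None:
        if node.roletype == "org":
            return node.name
        node = node.parent
    return None

def effective_roles(user_roles: List[Role]) -> dict:
    """What the external app needs: the user's org plus their application roles."""
    orgs = {org_of(r) for r in user_roles}
    if len(orgs) != 1:
        raise ValueError(f"user must belong to exactly one org, found {sorted(map(str, orgs))}")
    return {"org": orgs.pop(),
            "apps": sorted(r.name for r in user_roles if r.roletype == "app")}

def may_assign(admin_roles: List[Role], target: Role) -> bool:
    """Entitlement-style check: an org admin may only grant user/app roles inside its own org."""
    admin_orgs = {org_of(r) for r in admin_roles if r.name == "admin"}
    return target.roletype in ("user", "app") and org_of(target) in admin_orgs
```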
