On 04/04/2012 11:22, Bob Lannoy wrote:
Hi, as I've explained I have a hierarchical role structure:

orgA
/- Users
/- Internal User
/- External User
/- Admin
/- Apps
/- App1
/- App2

I created a loginmodule in tomcat to authenticate the user credentials (not an admin connection) and get the user object (user/request/read/self). From that object I can get the memberships, however I cannot get the roles themselves since the user needs Role_read on the roles that were assigned, which is not very handy if subroles are added.

I could go about it another way by having a special connection to core, but how do you specify that a special user only has read permissions on users & roles? I want to avoid using the default admin user.

Any thoughts?
If I understood correctly, you want to give to a "plain" admin user - i.e. not the default admin user - the ability to read some roles, actually the roles owned by other users.
You need to give to such "plain" admin user the ROLE_READ entitlement (for this you will need to give this entitlement to one of the roles owned by the plain admin user). At this point, this plain admin user will be able to read all roles for which he owns a ROLE_XXX entitlement.
Does it sound?

Regards.

-- 
Francesco Chicchiriccò
Apache Cocoon PMC and Apache Syncope PPMC Member
http://people.apache.org/~ilgrosso/
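The rule described in the reply above has two steps: the plain admin user must own the generic ROLE_READ entitlement through one of its roles, and then can read only those roles for which it also owns the per-role ROLE_XXX entitlement. The following is an added, hypothetical model of that rule written for this thread; it is not Apache Syncope's code, and the role ids, entitlement names of the form ROLE_<id>, and the sample users are constructed for illustration.

```python
# Hypothetical model of the two-step entitlement check discussed in the thread.
# Not Apache Syncope's implementation: the role hierarchy, ids and users are
# constructed sample data that mirror the structure given in the question.

from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Role:
    id: int
    name: str
    parent: Optional[int] = None
    # Entitlements granted to every member of this role
    entitlements: Set[str] = field(default_factory=set)


@dataclass
class User:
    username: str
    # Ids of the roles the user is a member of (what the user object exposes)
    memberships: Set[int]


# Constructed hierarchy: orgA -> Users (Internal/External/Admin), Apps (App1/App2)
ROLES: Dict[int, Role] = {
    1: Role(1, "orgA"),
    2: Role(2, "Users", parent=1),
    3: Role(3, "Internal User", parent=2, entitlements={"ROLE_3"}),
    4: Role(4, "External User", parent=2),
    # The "Admin" role carries ROLE_READ plus per-role entitlements; note that
    # ROLE_8 (App2) is deliberately missing, as a subrole added later would be.
    5: Role(5, "Admin", parent=2,
            entitlements={"ROLE_READ", "ROLE_2", "ROLE_3", "ROLE_4", "ROLE_6", "ROLE_7"}),
    6: Role(6, "Apps", parent=1),
    7: Role(7, "App1", parent=6),
    8: Role(8, "App2", parent=6),
}


def owned_entitlements(user: User, roles: Dict[int, Role]) -> Set[str]:
    """Union of the entitlements carried by all roles the user is a member of."""
    ents: Set[str] = set()
    for rid in user.memberships:
        ents |= roles[rid].entitlements
    return ents


def readable_roles(user: User, roles: Dict[int, Role]) -> Set[int]:
    """Ids of the roles this user may read under the two-step rule:
    ROLE_READ must be owned, and then only roles with a matching ROLE_<id>
    entitlement are visible. Without ROLE_READ nothing is readable."""
    ents = owned_entitlements(user, roles)
    if "ROLE_READ" not in ents:
        return set()
    return {rid for rid in roles if f"ROLE_{rid}" in ents}


# Constructed sample users
PLAIN_ADMIN = User("plainadmin", memberships={5})   # member of "Admin" only
INTERNAL = User("internal", memberships={3})        # owns ROLE_3 but not ROLE_READ

if __name__ == "__main__":
    for u in (PLAIN_ADMIN, INTERNAL):
        names = sorted(ROLES[r].name for r in readable_roles(u, ROLES))
        print(f"{u.username}: {names}")
```

Running it shows the plain admin user reading Users, Internal User, External User, Apps and App1 but not App2 (no ROLE_8 was granted), which is exactly the maintenance burden raised in the question, and the internal user reading nothing despite owning ROLE_3, because ROLE_READ is absent.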
