On 04/04/2012 12:13, Bob Lannoy wrote:
I want to be able to use some delegation mechanism so that orgA can
create its own roles and orgB as well.

So for every role that will be added by some user from orgA or orgB,
my role_read user will have to add that role to its entitlements?

Currently, yes.
As discussed in the past [1], we need to refactor our approach to authorization: since this is a quite heavy task, I guess this is another step to include in the roadmap.

Incidentally, there's something strange.
I can call /rest/role/list.json without being authenticated to core.
(which is handy in my case but probably isn't what you want)

This happens because, in order to allow self-registration, some RESTful methods are intentionally left unauthenticated: as discussed earlier in other mail threads, this should be improved, so don't rely upon this.

Regards.

[1] https://groups.google.com/d/topic/syncope-dev/NU02F0nrrFY/discussion
2012/4/4 Francesco Chicchiriccò <[email protected]>:
If I understood correctly, you want to give to a "plain" admin user - i.e.
not the default admin user - the ability to read some roles, actually the
roles owned by other users.

You need to give to such "plain" admin user the ROLE_READ entitlement (for
this you will need to give this entitlement to one of the roles owned by the
plain admin user).
At this point, this plain admin user will be able to read all roles for
which he owns a ROLE_XXX entitlement.

Does it sound?

Regards.
--
Francesco Chicchiriccò

Apache Cocoon PMC and Apache Syncope PPMC Member
http://people.apache.org/~ilgrosso/
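The entitlement check described above (ROLE_READ to list roles at all, plus a per-role ROLE_<id> entitlement for each role to be visible) and the delegation consequence Bob asks about, as an added illustration written for this thread; it is not Syncope's own code, and the role ids, names and the `orgA-auditors` role are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class Role:
    id: int
    name: str
    entitlements: set = field(default_factory=set)


def owned_entitlements(user_roles):
    """Union of the entitlements carried by the roles a user owns."""
    ents = set()
    for role in user_roles:
        ents |= role.entitlements
    return ents


def readable_roles(user_roles, all_roles):
    """Roles the user may read: ROLE_READ is required, and then only
    roles for which the user also owns the matching ROLE_<id>."""
    ents = owned_entitlements(user_roles)
    if "ROLE_READ" not in ents:
        return []
    return [r for r in all_roles if f"ROLE_{r.id}" in ents]


def demo():
    """Constructed scenario: a 'plain' admin owning role_read, then a
    delegate in orgA creating a new role that stays invisible until
    ROLE_<id> for it is added to role_read's entitlements."""
    org_a = Role(1, "orgA")
    org_b = Role(2, "orgB")
    role_read = Role(3, "role_read", {"ROLE_READ", "ROLE_1", "ROLE_2"})
    roles = [org_a, org_b, role_read]
    admin_roles = [role_read]

    before = [r.name for r in readable_roles(admin_roles, roles)]
    roles.append(Role(4, "orgA-auditors"))  # created by an orgA delegate
    after_create = [r.name for r in readable_roles(admin_roles, roles)]
    role_read.entitlements.add("ROLE_4")     # the manual step Bob objects to
    after_grant = [r.name for r in readable_roles(admin_roles, roles)]
    return before, after_create, after_grant
```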
