OK, thanks for the clarification. Seems that my options are limited.

What I was trying to do was to put a role in context. The membership only returns the role name (e.g. App1) but not from which organisation, which is higher in the tree. I want to avoid naming the roles with a prefix (e.g. orgA_App1).

I tried putting an attribute on the top role and inheriting that attribute, which works, but then I bumped into the user not being able to read a role that's assigned to him. I think it would be a good idea to have standard read on the role itself if this role is assigned to a user. But that's because I need it of course ;)

Would this be possible by modifying the read method of the RoleController?

regards
Bob

2012/4/4 Francesco Chicchiriccò <[email protected]>:
> On 04/04/2012 12:13, Bob Lannoy wrote:
>>
>> I want to be able to use some delegation mechanism so that orgA can
>> create its own roles and orgB as well.
>>
>> So for every role that will be added by some user from orgA or orgB,
>> my role_read user will have to add that role to its entitlements?
>
> Currently, yes.
> As discussed in the past [1], we need to refactor our approach to
> authorization: since this is a quite heavy task, I guess this is another
> step to include in the roadmap.
>
>> Incidentally, there's something strange.
>> I can call /rest/role/list.json without being authenticated to core.
>> (which is handy in my case but probably isn't what you want)
>
> This happens because, in order to allow self-registration, some RESTful
> methods are intentionally left unauthenticated: as discussed earlier in
> other mail threads, this should be improved, so don't rely upon this.
>
> Regards.
>
> [1] https://groups.google.com/d/topic/syncope-dev/NU02F0nrrFY/discussion
>
>> 2012/4/4 Francesco Chicchiriccò <[email protected]>:
>>>
>>> If I understood correctly, you want to give to a "plain" admin user -
>>> i.e. not the default admin user - the ability to read some roles,
>>> actually the roles owned by other users.
>>>
>>> You need to give to such "plain" admin user the ROLE_READ entitlement
>>> (for this you will need to give this entitlement to one of the roles
>>> owned by the plain admin user).
>>> At this point, this plain admin user will be able to read all roles for
>>> which he owns a ROLE_XXX entitlement.
>>>
>>> Does it sound?
>>>
>>> Regards.
>
> --
> Francesco Chicchiriccò
>
> Apache Cocoon PMC and Apache Syncope PPMC Member
> http://people.apache.org/~ilgrosso/
