Hi Francesco, Tried with positive result, thanks a lot.
But the display is confusing: the "add user" button is available in all realms, and an error is only displayed at the last step, on creating the user. Here are my comments:

1. Better to display only the realms where the user has access; in some situations I may not want the non-delegated sub-groups visible, especially when they are individual companies.
2. Some console displays should reflect user access, to avoid confusion.

Regards,
Vincent

From: Francesco Chicchiriccò [mailto:ilgro...@apache.org]
Sent: Thursday, May 04, 2017 4:57 PM
To: user@syncope.apache.org
Subject: Re: Delegate admin for realms

On 04/05/2017 04:59, Kwong,Vincent wrote:
> Hi All,
>
> I am new to Syncope and going to evaluate the Syncope functionality for my coming project.
> I am trying to set up an organization like this, but I cannot figure out how I can achieve the delegated administration.
>
> Sample structure: Parent Company (e.g. /) -> Multiple Sub-Groups (e.g. /Group1) -> Multiple Teams (e.g. /Group1/Team1)
>
> 1. Each team will have an admin to manage the users under that realm
> 2. Each sub-group will have another admin to look after all teams
> 3. Each admin has control over their own sub-group / team only
>
> I tried to create a role with some user/realm related access under a particular realm, but after I logged in with the account holding that role, I could see/update the parent realm or other sub-realms.
>
> Is it possible for Syncope to achieve what I want? Or does anyone have similar experience?

Hi Vincent,
glad of your interest in Apache Syncope.

To be sure, I have created some sample data in an attempt to replicate your use case.

First, the realms: [1] where g1 and g2 are 'sub-groups' as you name them above (please beware that groups are a different concept in Syncope) and t11 / t12 / t21 / t22 / t23 are 'teams'.

Then I have created some roles: [2], one for each of the realms above, with full entitlements about users, and REALM_LIST which is only required if you are planning to operate via Admin Console (as it seems).

Finally I have created some users in several realms, /g1/t11 [3], /g1/t12 [4] (which are all reported in /g1 [5]) and /g2 [6]: as you can see, there are plain users and admin users, where the username of the latter is given to show which realm they are actually managing, e.g.

* admi...@syncope.apache.org which is granted the role 'Managing g1' and thus is allowed to manage users in /g1 [5]
* admin...@syncope.apache.org which is granted the role 'Managing t11' and thus is allowed to manage users in /g1/t11 [3]
* admin...@syncope.apache.org which is granted the role 'Managing t12' and thus is allowed to manage users in /g1/t12 [4]
* admi...@syncope.apache.org which is granted the role 'Managing g2' and thus is allowed to manage users in /g2 [6]

Given such setup, everything is working as expected and every admin user can only see and manage the users contained by the realms he / she is granted by role.

The only quirk I could find is that the realms view always starts from /, but even in this case the only users shown are the expected ones.

HTH
Regards.

[1] http://pasteboard.co/29sHsujiu.png
[2] http://pasteboard.co/29sWCF785.png
[3] http://pasteboard.co/29tBRMtxQ.png
[4] http://pasteboard.co/29tMu5CWi.png
[5] http://pasteboard.co/dlwgYicg.png
[6] http://pasteboard.co/29tnvwPlb.png

--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
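The role-per-realm setup Francesco describes above can also be scripted instead of clicked through the Admin Console. What follows is an added example written for this page, not code from the thread or from the Syncope project, using the Syncope 2.0.x Java client. It assumes a core reachable at http://localhost:9080/syncope/rest with the default admin credentials, that the realms /g1 and /g1/t11 already exist, and that a user with key "someone-in-t12" lives in /g1/t12; the role names "Managing g1" / "Managing t11" follow the thread, while the username admin-t11 and its password are made up here. The closing check is the one a practitioner would want after granting a delegated role: the new admin must be refused when reading a user outside its realm subtree.

```java
import java.util.Arrays;
import java.util.List;

import org.apache.syncope.client.lib.SyncopeClient;
import org.apache.syncope.client.lib.SyncopeClientFactoryBean;
import org.apache.syncope.common.lib.SyncopeClientException;
import org.apache.syncope.common.lib.to.RoleTO;
import org.apache.syncope.common.lib.to.UserTO;
import org.apache.syncope.common.lib.types.ClientExceptionType;
import org.apache.syncope.common.lib.types.StandardEntitlement;
import org.apache.syncope.common.rest.api.service.RoleService;
import org.apache.syncope.common.rest.api.service.UserService;

public class DelegatedRealmAdmin {

    // Assumed deployment (not taken from the thread): Syncope 2.0.x core, default admin credentials.
    private static final String ADDRESS = "http://localhost:9080/syncope/rest";

    // Full user management inside a realm, plus REALM_LIST, which the Admin Console needs
    // to render the realm tree at all (as Francesco notes, REST-only admins can skip it).
    private static final List<String> USER_ENTITLEMENTS = Arrays.asList(
            StandardEntitlement.USER_SEARCH, StandardEntitlement.USER_READ,
            StandardEntitlement.USER_CREATE, StandardEntitlement.USER_UPDATE,
            StandardEntitlement.USER_DELETE, StandardEntitlement.REALM_LIST);

    /** Build a role whose entitlements apply to one realm and its descendants only. */
    static RoleTO realmAdminRole(String name, String realm) {
        RoleTO role = new RoleTO();
        role.setKey(name);
        role.getEntitlements().addAll(USER_ENTITLEMENTS);
        role.getRealms().add(realm);   // scope: this realm plus everything below it
        return role;
    }

    public static void main(String[] args) {
        SyncopeClientFactoryBean factory = new SyncopeClientFactoryBean().setAddress(ADDRESS);
        SyncopeClient admin = factory.create("admin", "password");

        // One role per realm to delegate, mirroring the thread: sub-group and team admins.
        RoleService roleService = admin.getService(RoleService.class);
        roleService.create(realmAdminRole("Managing g1", "/g1"));
        roleService.create(realmAdminRole("Managing t11", "/g1/t11"));

        // A team admin living in /g1/t11 that holds only the team role (hypothetical account).
        UserTO t11Admin = new UserTO();
        t11Admin.setRealm("/g1/t11");
        t11Admin.setUsername("admin-t11");
        t11Admin.setPassword("Password123");
        t11Admin.getRoles().add("Managing t11");
        admin.getService(UserService.class).create(t11Admin, true);

        // Check the delegation boundary: admin-t11 must not be able to read a user in /g1/t12.
        // "someone-in-t12" is an assumed existing user key; a missing key would yield NotFound instead.
        SyncopeClient delegated = factory.create("admin-t11", "Password123");
        try {
            delegated.getService(UserService.class).read("someone-in-t12");
            System.out.println("UNEXPECTED: delegated admin could read outside /g1/t11");
        } catch (SyncopeClientException e) {
            if (e.getType() == ClientExceptionType.DelegatedAdministration) {
                System.out.println("OK: access outside /g1/t11 refused");
            } else {
                throw e;
            }
        }
    }
}
```

The point of the final block is that realm scoping is enforced by the core, not by the console: whatever the realm tree shows (Vincent's complaint about the "add user" button being visible everywhere is a console display issue), a REST call that crosses the delegated subtree is rejected with a DelegatedAdministration error, so the same check is worth running against each delegated account before handing it out.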