On 05/05/2017 06:06, Kwong,Vincent wrote:
Hi Francesco,
Tried with positive result, thanks a lot.
That's good to hear.
But the display is confusing: the add user button is available in all
realms, and only displays an error when I am at the last step of creating a user.
I have now created
https://issues.apache.org/jira/browse/SYNCOPE-1072
https://issues.apache.org/jira/browse/SYNCOPE-1073
Here are my comments:
1. Better to display only the realms where the user has access; in
some situations I may not want the non-delegated sub-groups visible,
especially when they are individual companies
I have also created
https://issues.apache.org/jira/browse/SYNCOPE-1074
2. Some console displays should reflect user access to avoid confusion
Please give more details, this is not clear.
Regards.
*From:* Francesco Chicchiriccò [mailto:ilgro...@apache.org]
*Sent:* Thursday, May 04, 2017 4:57 PM
*To:* user@syncope.apache.org
*Subject:* Re: Delegate admin for realms
On 04/05/2017 04:59, Kwong,Vincent wrote:
Hi All,
I am new to Syncope and going to evaluate the Syncope
functionality for my coming project.
I am trying to set up an organization like this, but I cannot figure
out how I can achieve the delegated administration.
Sample Structure:
Parent Company (e.g. /) -> Multiple Sub-Group (e.g. /Group1) ->
Multiple Teams (e.g. /Group1/Team1)
1. Each team will have an admin to manage the users under that realm
2. Each sub-group will have another admin to look after all teams
3. Each admin has control over their own sub-group / team only
I tried to create a role with some user/realm related access under a
particular realm, but after I tried to log in with the account with
that role, I can see/update the parent realm or other sub realms.
Is it possible for Syncope to achieve what I want? Or does anyone have
similar experience?
Hi Vincent, glad of your interest in Apache Syncope.
To be sure, I have created some sample data in an attempt to replicate
your use case.
First, the realms: [1] where g1 and g2 are 'sub-groups' as you name
them above (please beware that groups are a different concept in
Syncope) and t11 / t12 / t21 / t22 / t23 are 'teams'.
Then I have created some roles: [2], one for each of the realms above,
with full entitlements about users, and REALM_LIST which is only
required if you are planning to operate via Admin Console (as it seems).
Finally I have created some users in several realms, /g1/t11 [3],
/g1/t12 [4] (which are all reported in /g1 [5]) and /g2 [6]: as you
can see, there are plain users and admin users, where the username of
the latter is given to show which realm they are actually managing, e.g.
* admi...@syncope.apache.org which
is granted the role 'Managing g1' and thus is allowed to manage users
in /g1 [5]
* admin...@syncope.apache.org
which is granted the role 'Managing t11' and thus is allowed to
manage users in /g1/t11 [3]
* admin...@syncope.apache.org
which is granted the role 'Managing t12' and thus is allowed to
manage users in /g1/t12 [4]
* admi...@syncope.apache.org which
is granted the role 'Managing g2' and thus is allowed to manage users
in /g2 [6]
Given such setup, everything is working as expected and every admin
user can only see and manage the users contained by the realms he /
she is granted by role.
The only quirk I could find is that the realms view always starts from
/, but even in this case the only users shown are the expected ones.
HTH
Regards.
[1] http://pasteboard.co/29sHsujiu.png
[2] http://pasteboard.co/29sWCF785.png
[3] http://pasteboard.co/29tBRMtxQ.png
[4] http://pasteboard.co/29tMu5CWi.png
[5] http://pasteboard.co/dlwgYicg.png
[6] http://pasteboard.co/29tnvwPlb.png
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
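To make the access model Francesco describes concrete, here is an added Python model (not Syncope's code, and not written by either poster): realms form a path hierarchy, a role binds entitlements to realms, and a grant on /g1 covers /g1/t11 and /g1/t12 but not /g2 or /. The realm, role and admin names mirror the thread; the USER_* entitlement names and the per-component path comparison are assumptions of this model.

```python
from dataclasses import dataclass

# Entitlement names modelled on Syncope's: REALM_LIST appears in the thread,
# the USER_* set is assumed here for "full entitlements about users".
USER_ENTITLEMENTS = frozenset({"USER_SEARCH", "USER_READ", "USER_CREATE",
                               "USER_UPDATE", "USER_DELETE"})

@dataclass(frozen=True)
class Role:
    name: str
    entitlements: frozenset
    realms: tuple          # realm paths the entitlements are bound to

@dataclass(frozen=True)
class User:
    username: str
    realm: str
    roles: tuple = ()

def realm_covers(granted: str, target: str) -> bool:
    """True when target is the granted realm or lies beneath it.
    Compared per path component, so /g1 covers /g1/t11 but not /g10."""
    g = [p for p in granted.split("/") if p]
    t = [p for p in target.split("/") if p]
    return t[:len(g)] == g

def is_allowed(admin: User, entitlement: str, target_realm: str) -> bool:
    """Does any role of admin grant entitlement on a realm covering target?"""
    return any(entitlement in role.entitlements
               and any(realm_covers(g, target_realm) for g in role.realms)
               for role in admin.roles)

def visible_users(admin: User, users) -> list:
    """Usernames the admin may read, whichever realm the console view starts at."""
    return sorted(u.username for u in users if is_allowed(admin, "USER_READ", u.realm))

# Constructed sample data mirroring the thread: / -> /g1, /g2 -> /g1/t11, /g1/t12
MANAGING_G1 = Role("Managing g1", USER_ENTITLEMENTS | {"REALM_LIST"}, ("/g1",))
MANAGING_T11 = Role("Managing t11", USER_ENTITLEMENTS | {"REALM_LIST"}, ("/g1/t11",))
MANAGING_G2 = Role("Managing g2", USER_ENTITLEMENTS | {"REALM_LIST"}, ("/g2",))

USERS = [
    User("alice", "/g1/t11"), User("bob", "/g1/t12"), User("carol", "/g2"),
    User("admin-g1", "/g1", (MANAGING_G1,)),
    User("admin-t11", "/g1/t11", (MANAGING_T11,)),
    User("admin-g2", "/g2", (MANAGING_G2,)),
]
ADMINS = {u.username: u for u in USERS if u.roles}

if __name__ == "__main__":
    for name, admin in ADMINS.items():
        print(name, "sees", visible_users(admin, USERS),
              "| may create in /:", is_allowed(admin, "USER_CREATE", "/"))
```

The last column reproduces the quirk Vincent hit: the console offers "create user" from the / view, but the check against the admin's realms refuses it.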