Re: Delegate admin for realms

Fri, 05 May 2017 00:22:15 -0700 

On 05/05/2017 09:13, Kwong,Vincent wrote:



It would be good if extend to those menu items in the console like 
Reports, Topology, Configuration, etc… as well.





I see: the relevant menu entries are already disabled, but this is not 
very much visible without attempting to click.


Please comment SYNCOPE-1072.
Regards.


*From:*Kwong,Vincent [mailto:vincent_kw...@pactera.com]
*Sent:* Friday, May 05, 2017 3:10 PM
*To:* user@syncope.apache.org
*Subject:* RE: Delegate admin for realms


The case 1072 covered my point 2. Same as your understanding, those 
non-relevant button should be hidden or disabled to avoid confusion.


Thanks.

Regards,

Vincent

*From:*Francesco Chicchiriccò [mailto:ilgro...@apache.org]
*Sent:* Friday, May 05, 2017 2:58 PM
*To:* user@syncope.apache.org <mailto:user@syncope.apache.org>
*Subject:* Re: Delegate admin for realms

On 05/05/2017 06:06, Kwong,Vincent wrote:

    Hi Francesco,

    Tried with positive result, thanks a lot.


That's good to hear.

    But the display is confusing, the add user button is available in
    all realms, and only display error when I am at the last step on
    create user.


I have now created

https://issues.apache.org/jira/browse/SYNCOPE-1072
https://issues.apache.org/jira/browse/SYNCOPE-1073

    Here is my comments:

    1.Better to display the realms where the user have access only, in
    some situation I may not want the non-delegated sub-group visible
    especially they are individual companies


I have also created

https://issues.apache.org/jira/browse/SYNCOPE-1074

    2.Some console display should reflect user access to avoid confusion


Please give more details, this is not clear.

Regards.

    *From:*Francesco Chicchiriccò [mailto:ilgro...@apache.org]

    *Sent:*Thursday, May 04, 2017 4:57 PM
    *To:* user@syncope.apache.org <mailto:user@syncope.apache.org>
    *Subject:* Re: Delegate admin for realms

    On 04/05/2017 04:59, Kwong,Vincent wrote:

        Hi All,

        I am new to syncope and going to evaulate the syncope
        functionality for my coming project.

        I am trying to setup a organization like this, but I cannot
        figure out how I can achieve the delegated administration.

        Sample Structure:

        Parent Company (e.g. /) -> Multiple Sub-Group (e.g. /Group1)
        -> Multiple Teams (e.g. /Group1/Team1)

        1.Each team will have a admin to mange the user under that realm

        2.Each sub-group will have another admin to look after all teams

        3.Each admin have the control for their own sub-group / team only

        I tried to createa role with some user/realm related access
        under particular realm, but after I tried to login with the
        account with that role, I can see/update the parent realm or
        other sub realm.

        Is it possible for syncope to achieve what I want? Or anyone
        have simialr experience?ù


    Hi Vincent, glad of your interest in Apache Syncope.

    To be sure, I have created some sample data in an attempt to
    replicate your use case.

    First, the realms: [1] where g1 and g2 are 'sub-groups' as you
    name them above (please beware that groups are a different concept
    in Syncope) and t11 / t12 / t21 / t22 / t23 are 'teams'.

    Then I have created some roles: [2], one for each of the realms
    above, with full entitlements about users, and REALM_LIST which is
    only required if you are planning to operate via Admin Console (as
    it seems).

    Finally I have created some users in several realms, /g1/t11 [3],
    /g1/t12 [4] (which are all reported in /g1 [5]) and /g2 [6]: as
    you can see, there are plain users and admin users, where the
    username of the latter is given to show which realm they are
    actually managing, e.g.

    * admi...@syncope.apache.org <mailto:admi...@syncope.apache.org>
    which is granted the role 'Managing g1' and thus is allowed to
    manage users in /g1 [5]
    * admin...@syncope.apache.org <mailto:admin...@syncope.apache.org>
    which is granted the role 'Managing t11' and thus is allowed to
    manager users in /g1/t11 [3]
    * admin...@syncope.apache.org <mailto:admin...@syncope.apache.org>
    which is granted the role 'Managing t12' and thus is allowed to
    manager users in /g1/t12 [4]
    * admi...@syncope.apache.org <mailto:admi...@syncope.apache.org>
    which is granted the role 'Managing g2' and thus is allowed to
    manage users in /g2 [6]

    Given such setup, everything is working as expected and every
    admin user can only see and manage the users contained by the
    realms he / she is granted by role.
    The only quirk I could find is that the realms view always starts
    from /, but even in this case the only users shown are the expected.

    HTH
    Regards.

    [1] http://pasteboard.co/29sHsujiu.png
    [2] http://pasteboard.co/29sWCF785.png
    [3] http://pasteboard.co/29tBRMtxQ.png
    [4] http://pasteboard.co/29tMu5CWi.png
    [5] http://pasteboard.co/dlwgYicg.png
    [6] http://pasteboard.co/29tnvwPlb.png


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/























					Reply via email to