Hello,

I am trying to map an organization composed of the same user base, which uses different applications and has different roles in those applications, to Apache Syncope. We are only using Syncope to provide authorisation to the applications, not authentication. Those applications will consume authorisation for different members via the Syncope REST API.

Syncope has the following realms:

/
/application-a
/application-b
/application-x

- We are using Apache Syncope to manage membership of groups in different applications. Those different applications have their own managers, who can define groups and memberships under their realms in Syncope.
- All members belong to the same organization and are shared by different applications. They can be members of different groups in different applications.
- Each application is defined by a realm, and managers of those applications have roles with entitlements in those realms that allow them to define groups. They can only define membership in groups in their realms and not in other realms.
- As far as I understand, objects in Syncope can only belong to a realm, so it is not possible to have them in different realms and have managers able to edit memberships only for groups in their realm.

To avoid this I created a new AnyObject of a new AnyType which maps our members in different realms. For each application where our members are, there is an AnyObject in the corresponding realm. If member A is in Application A and Application B, there will be two AnyObjects for it, one in the /application-a realm and another one in the /application-b realm. Managers of those realms can edit AnyObjects in their realm without problems.

I would like to know if there are simpler ways to map this hierarchy in Syncope, especially without the need to replicate the members in different AnyObjects that are editable in the different realms, and I would like to understand if there is a better way to organize realms, groups and objects than the one I am planning to use.

Thanks
