Posted to user@syncope.apache.org by "Oleksandr Bodriagov (Polystar)" <ol...@polystar.com> on 2015/04/10 12:18:29 UTC

roles and objects in Apache Syncope

To whom it may concern,

We have some problems in understanding how to assign permissions to roles in Apache Syncope. It seems that this topic is not completely covered in the wiki (https://cwiki.apache.org/confluence/display/SYNCOPE/Authentication+and+authorization). We would be extremely grateful if you could help us a little bit.
In a nutshell, we can create our users and roles but not our objects and permissions.

According to NIST, "a role is essentially a collection of permissions", and permissions are relationships between operations and objects.
Syncope has a notion of Entitlements, and "entitlements are basically strings describing the right to perform an operation". As we understand it, an entitlement is a permission. For example, an entitlement "RESOURCE_READ" gives a right to READ (operation) some RESOURCE (object).
Apache Syncope gives the ability to define users and roles, and to choose entitlements. It is not clear though how to define objects. Our use case is as follows. We have a few RESTful web services to which we would like to control access using Apache Syncope and our own access control server. Our permissions in this case would be something like:
  - read data from https://server1.com/whateever
  - modify profile at https://server2.com/profile/whatever
  - read profile at https://server2.com/profile/whatever

So, we have operations {read, modify, delete, ...} and objects {https://server1.com/whateever, https://server2.com/profile/whatever, ...}. Our access control server receives a question whether a user is allowed to perform some operation over some object. To answer this question the server should get the user's permissions from Syncope using its REST API. We have set up a Syncope server with a MySQL internal database. We have added users and roles, but we have no idea how to add our objects. There is a notion of Resource in Apache Syncope. It seems that resources can only be external and they are only used "for synchronization and for propagation" of users and roles from external databases/LDAP/AD. If we go back to the entitlement "RESOURCE_READ", it seems that it means a right to read user accounts from some external database. Thus, a resource is not the same as an object.

Could you please describe how we can define our own objects? Thank you very much in advance.


Best regards,
Oleksandr
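As an added illustration of the model described in the post (not code from the thread or from Syncope), the decision logic such an access control server would need: roles are collections of (operation, object) permissions, objects are the service URLs from the post, and the user-to-role lookup that would normally be fetched from Syncope's REST API is replaced by constructed data. Role and user names are made up.

```python
from urllib.parse import urlsplit

# Constructed sample of the poster's model: a role is a set of permissions,
# and a permission is an (operation, object) pair. Objects are the URLs
# named in the post; the role names are assumptions for the example.
ROLE_PERMISSIONS = {
    "reader": {("read", "https://server1.com/whateever"),
               ("read", "https://server2.com/profile/whatever")},
    "editor": {("modify", "https://server2.com/profile/whatever")},
}

# Stand-in for the identity store. In the poster's design the user's roles
# would be read from Syncope over its REST API; here they are constructed.
USER_ROLES = {
    "alice": {"reader", "editor"},
    "bob": {"reader"},
}


def normalize(url: str) -> str:
    """Canonicalize an object URL so that scheme/host case and a trailing
    slash do not make the same resource look like a different object."""
    parts = urlsplit(url)
    path = parts.path.rstrip("/") or "/"
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{path}"


def permissions_for(user: str) -> set[tuple[str, str]]:
    """Union of the permissions of every role assigned to the user
    (an unknown user has no roles and therefore no permissions)."""
    perms: set[tuple[str, str]] = set()
    for role in USER_ROLES.get(user, set()):
        for operation, obj in ROLE_PERMISSIONS.get(role, set()):
            perms.add((operation, normalize(obj)))
    return perms


def is_permitted(user: str, operation: str, obj: str) -> bool:
    """Answer the access control server's question: may this user perform
    this operation on this object? Anything not explicitly granted is denied."""
    return (operation, normalize(obj)) in permissions_for(user)


if __name__ == "__main__":
    print(is_permitted("alice", "modify", "https://server2.com/profile/whatever"))
    print(is_permitted("bob", "modify", "https://server2.com/profile/whatever"))
```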

Re: roles and objects in Apache Syncope

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 10/04/2015 12:18, Oleksandr Bodriagov (Polystar) wrote:
> To whom it may concern,
>
> We have some problems in understanding how to assign permissions to 
> roles in Apache Syncope. It seems that this topic is not completely 
> covered in the wiki 
> (https://cwiki.apache.org/confluence/display/SYNCOPE/Authentication+and+authorization). 
> We would be extremely grateful if you could help us a little bit.
> In a nutshell, we can create our users and roles but not our objects 
> and permissions.
>
> According to NIST, "a role is essentially a collection of 
> permissions", and permissions are relationships between operations 
> and objects.
> Syncope has a notion of Entitlements, and "entitlements are 
> basically strings describing the right to perform an operation". As 
> we understand it, an entitlement is a permission. For example, 
> an entitlement "RESOURCE_READ" gives a right to READ (operation) some 
> RESOURCE (object).
> Apache Syncope gives ability to define users, roles, and choose 
> entitlements. It is not clear though how to define objects. Our use 
> case is as follows. We have a few RESTful web services to which we 
> would like to control access using Apache Syncope and our own access 
> control server. Our permissions in this case would be something like:
>   - read data from https://server1.com/whateever
>   - modify profile at https://server2.com/profile/whatever
>   - read profile at https://server2.com/profile/whatever
>
> So, we have operations {read, modify, delete, …} and objects 
> {https://server1.com/whateever, 
> https://server2.com/profile/whatever, …}. Our access control server 
> receives a question if a user is allowed to perform some operation 
> over some object. To answer this question the server should get user's 
> permissions from Syncope using its REST API. We have set up a Syncope 
> server with a MySQL internal database. We have added users and roles, 
> but we have no idea how to add our objects. There is a notion of 
> Resource in Apache Syncope. It seems that resources can only be 
> external and they are only used "for synchronization and for 
> propagation" of users and roles from external databases/LDAP/AD. If 
> we go back to the entitlement "RESOURCE_READ", it seems that it means a 
> right to read user accounts from some external database. Thus, a 
> resource is not the same as an object.
>
> Could you please describe how we can define our own objects. Thank you 
> very much in advance.

Hi,
Syncope is (at least currently) a pure provisioning engine, i.e. a 
tool for keeping users and groups synchronized across several resources 
(relational databases, LDAP servers, and much more [1] by empowering 
ConnId connectors).

The entitlements you refer to above are purely used for internal 
authentication & authorization [2], hence are not suitable for external 
access management.

In my company's experience, you usually need to consider a whole IAM 
architecture where every component does its own job (for a quick review 
of some open source alternatives: [3]): the most frequent integration 
pattern seems to be Syncope + CAS.

Hope this clarifies.
Regards.

[1] https://github.com/Tirasa/ConnId/blob/master/README.md#available-connectors
[2] https://cwiki.apache.org/confluence/display/SYNCOPE/Authentication+and+authorization
[3] http://blog.tirasa.net/the-open-source-identity-stack.html

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/