You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@syncope.apache.org by te...@net-c.com on 2020/09/25 09:48:47 UTC
User group membership in Realm / sub-realm
Hi all,
I'm actually trying to setup a simple apache syncope environment with hierarchy realms tree.
I use groups in each realm in order to manages roles. Then I would be able, using group membership, to apply the right privileges easily for each realm specifically.
I created a bunch of users in root realm thinking that it would be possible to set them in groups of different sub-realm. But no way to see the realms group when I try give them membership.
For exemple, I have two branches like : /A/B1 and /A/B2
For each of these realms, I have a group "Support"
I would like my user John@Doe.com to be the support guy of both realm (of course applying for those member of the group a bunch of entitlements, roles, etc. for the realm)
How ? I thought first that to create the user in /A or in / would be enough... but nope, I cannot create membership for sub-realm on user panel.
The question is, is it possible for a User in realm / to be member of groups in /sub-realms ?
Indeed, I see that a user in /A/B/C can be part of any group of parent realms (And this is written this way in the doc). I'am a bit confused, maybe thinking too much in an "ldap" way... but as /A/B belongs to /A which belongs to / I would think the opposite way (A user can belong to any sub-realm group).
Do you an an Idea of how should I do this kind of scenario ?
Thanks a lot.
An.
Re: User group membership in Realm / sub-realm
Posted by Francesco Chicchiriccò <il...@apache.org>.
On 25/09/20 11:48, tempo@net-c.com wrote:
> Hi all,
>
> I'm actually trying to setup a simple apache syncope environment with hierarchy realms tree.
>
> I use groups in each realm in order to manages roles. Then I would be able, using group membership, to apply the right privileges easily for each realm specifically.
>
> I created a bunch of users in root realm thinking that it would be possible to set them in groups of different sub-realm. But no way to see the realms group when I try give them membership.
>
> For exemple, I have two branches like : /A/B1 and /A/B2
> For each of these realms, I have a group "Support"
> I would like my user John@Doe.com to be the support guy of both realm (of course applying for those member of the group a bunch of entitlements, roles, etc. for the realm)
> How ? I thought first that to create the user in /A or in / would be enough... but nope, I cannot create membership for sub-real m on user panel.
>
> The question is, is it possible for a User in realm / to be member of groups in /sub-realms ?
>
> Indeed, I see that a user in /A/B/C can be part of any group of parent realms (And this is written this way in the doc). I'am a bit confused, maybe thinking too much in an "ldap" way... but as /A/B belongs to /A which belongs to / I would think the opposite way (A user can belong to any sub-realm group).
>
> Do you an an Idea of how should I do this kind of scenario ?
Hi,
you might want to have a look at
http://syncope.apache.org/docs/2.1/reference-guide.html#realms
More specifically:
A User or an Any Object can be members of Groups in the same realm or in one of the parent realms.
Hope this clarifies.
Regards.
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/