Posted to user@syncope.apache.org by te...@net-c.com on 2020/09/25 09:48:47 UTC

User group membership in Realm / sub-realm

Hi all,


I'm actually trying to set up a simple Apache Syncope environment with a hierarchical realm tree.



I use groups in each realm in order to manage roles. Then I would be able, using group membership, to apply the right privileges easily for each realm specifically.



I created a bunch of users in the root realm thinking that it would be possible to set them in groups of different sub-realms. But there is no way to see the realms' groups when I try to give them membership.



For example, I have two branches like: /A/B1 and /A/B2

For each of these realms, I have a group "Support"

I would like my user John@Doe.com to be the support guy of both realms (of course applying for the members of the group a bunch of entitlements, roles, etc. for the realm)

How? I thought first that creating the user in /A or in / would be enough... but nope, I cannot create membership for a sub-realm on the user panel.



The question is, is it possible for a User in realm / to be a member of groups in /sub-realms?



Indeed, I see that a user in /A/B/C can be part of any group of parent realms (and this is written this way in the doc). I'm a bit confused, maybe thinking too much in an "ldap" way... but as /A/B belongs to /A which belongs to / I would think the opposite way (a user can belong to any sub-realm group).



Do you have an idea of how I should do this kind of scenario?



Thanks a lot.

An.


Re: User group membership in Realm / sub-realm

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 25/09/20 11:48, tempo@net-c.com wrote:
> Hi all,
>
> I'm actually trying to set up a simple Apache Syncope environment with a hierarchical realm tree.
>
> I use groups in each realm in order to manage roles. Then I would be able, using group membership, to apply the right privileges easily for each realm specifically.
>
> I created a bunch of users in the root realm thinking that it would be possible to set them in groups of different sub-realms. But there is no way to see the realms' groups when I try to give them membership.
>
> For example, I have two branches like: /A/B1 and /A/B2
> For each of these realms, I have a group "Support"
> I would like my user John@Doe.com to be the support guy of both realms (of course applying for the members of the group a bunch of entitlements, roles, etc. for the realm)
> How? I thought first that creating the user in /A or in / would be enough... but nope, I cannot create membership for a sub-realm on the user panel.
>
> The question is, is it possible for a User in realm / to be a member of groups in /sub-realms?
>
> Indeed, I see that a user in /A/B/C can be part of any group of parent realms (and this is written this way in the doc). I'm a bit confused, maybe thinking too much in an "ldap" way... but as /A/B belongs to /A which belongs to / I would think the opposite way (a user can belong to any sub-realm group).
>
> Do you have an idea of how I should do this kind of scenario?
Hi,
you might want to have a look at

http://syncope.apache.org/docs/2.1/reference-guide.html#realms

More specifically:

A User or an Any Object can be members of Groups in the same realm or in one of the parent realms.

Hope this clarifies.
Regards.

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
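
The membership rule quoted from the reference guide, applied to the realms in this thread. This is an added example, not part of the original messages and not Syncope code; it assumes realms are identified by their full path, and the function names are hypothetical.

```python
from typing import List, Optional


def segments(realm: str) -> List[str]:
    """Split a realm full path: '/A/B1' -> ['A', 'B1'], '/' -> []."""
    if not realm.startswith("/"):
        raise ValueError(f"realm path must start with '/': {realm!r}")
    return [part for part in realm.split("/") if part]


def can_be_member(user_realm: str, group_realm: str) -> bool:
    """True when the group's realm is the user's realm or one of its parents."""
    user, group = segments(user_realm), segments(group_realm)
    # Compare whole path segments, so /A/B10 is not taken for a child of /A/B1.
    return user[:len(group)] == group


def user_realm_for(group_realms: List[str]) -> Optional[str]:
    """Highest realm whose users may join a group in every listed realm.

    Returns None when the realms do not lie on one branch of the tree,
    because no single realm then has all of them as itself or a parent.
    """
    if not group_realms:
        return "/"  # no constraint: any realm, starting at the root
    deepest = max(group_realms, key=lambda r: len(segments(r)))
    if all(can_be_member(deepest, g) for g in group_realms):
        return deepest
    return None


if __name__ == "__main__":
    # Constructed cases taken from the realms named in the thread.
    for user_realm, group_realm in [("/", "/A/B1"), ("/A", "/A/B2"),
                                    ("/A/B/C", "/A"), ("/A/B/C", "/")]:
        verdict = "allowed" if can_be_member(user_realm, group_realm) else "refused"
        print(f"user in {user_realm} -> group in {group_realm}: {verdict}")
    print("realm for Support in /A/B1 and /A/B2:",
          user_realm_for(["/A/B1", "/A/B2"]))
```

Under the quoted rule, no realm allows membership in both "Support" groups, since /A/B1 and /A/B2 are siblings; a single group reachable by one user has to sit in the user's own realm or above it.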