Posted to user@syncope.apache.org by Hernâni Borges de Freitas <he...@gmail.com> on 2018/08/28 11:18:42 UTC

Application hierarchy mapping in Syncope

Hello

I am trying to map to Apache Syncope an organization composed of the same user base that uses different applications and has different roles in those applications. We are only using Syncope to provide authorisation to the applications, not authentication. Those applications will consume authorisation for different members via the Syncope REST API.

Syncope has the following realms:
/
/application-a
/application-b
/application-x

- We are using Apache Syncope to manage membership to groups in different applications. Those different applications have their own managers who can define groups and memberships under their realms in Syncope.
- All members belong to the same organization and are shared by different applications. They can be members of different groups in different applications.
- Each application is defined by a realm and managers of those applications have roles with entitlements in those realms that allow them to define groups. They can only define membership in groups in their realms and not in other realms.
- As far as I understand, objects in Syncope can only belong to a realm, so it is not possible to have them in different realms and have managers able to edit memberships only for groups in their realm. To avoid this I created a new AnyObject of a new AnyType which maps our members in different realms. For each application where our members are, there is an AnyObject in the corresponding realms. If member A is in Application A and Application B there will be two AnyObjects for it, one in /application-a realm and another one in /application-b realm. Managers of those realms can edit AnyObjects in their realm without problems.

I would like to know if there are simpler ways to map this hierarchy in Syncope, especially without the need to replicate the members in different AnyObjects that are editable in the different realms, and I would like to understand if there is a better way to organize realms, groups and objects than the one I am planning to use.

Thanks

Re: Application hierarchy mapping in Syncope

Posted by Andrea Patricelli <an...@apache.org>.
Hi


On 28/08/2018 17:22, Hernâni Borges de Freitas wrote:
> Assuming that I have a structure of
> /
>   /application-a
>   /application-b
>
> With roles and managers assigned to realms /application-a and /application-b and several AnyObjects defined in /.
>
> Would it be possible for a user manager in /application-a to assign the AnyObject X defined in / to a group that only exists in /application-a? Would it be possible for another user manager in /application-b to do the same for the same AnyObject defined in /? Bear in mind that we are talking about the same AnyObject and it only exists in the parent realm, not in the realm of any of the applications.

Yes, it is possible to assign groups in /application-a to objects in /.
According to the documentation, "A User or an Any Object can be members of
Groups in the same realm or in one of the parent realms."

But, _if the manager user has been assigned a role on realm /application-a_,
*no*, it is not possible for that user to manage objects in /. You should
assign to the manager a role that gives entitlements on realm /.
Or use delegated administration through dynamic realms, described here
[1]. But I think you should use delegation only if there isn't any other
way to implement your scenario.
> Thanks so much again
>
> Hernani

Best regards,
Andrea

[1] 
https://syncope.apache.org/docs/2.0/reference-guide.html#delegated-administration

>> On 28 Aug 2018, at 15:43, Andrea Patricelli <an...@apache.org> wrote:
>>
>>
>>
>> On 28/08/2018 16:34, Hernâni Borges de Freitas wrote:
>>> Hi Andrea,
>>>
>>> Thanks for your fast answer.
>>>
>>> I thought about using a new AnyObject instead of the user directly because our usage for users will be somewhat special, without having passwords for them for instance, but just some associated metadata which we can attach not to users but to this new AnyObject.
>> Only a tip about this: password propagation and storing is optional, so you can create users without managing their passwords.
>>
>>> About the mapping you are suggesting: what is still confusing me is how to allow a user to be present in more than one realm and still only allow managers of those realms to assign the users to the groups they can control. For user X I need that managers of realm /a are able to assign it to groups inside /a and managers of /b to assign it to groups inside /b.
>> Ok, now I get it.
>> If you assign to a USER with, for example, username "manager-a" the role "manager-role-application-a" (assigned to realm /a) with entitlements to update user or anyobject, you can manage groups of anyobjects in realm /a and all its children.
>>
>> Best regards,
>> Andrea
>>
>>> Hernani
>>>
>>>> On 28 Aug 2018, at 15:21, Andrea Patricelli <an...@apache.org> wrote:
>>>>
>>>> Hi Hernâni,
>>>>
>>>>
>>>> On 28/08/2018 13:18, Hernâni Borges de Freitas wrote:
>>>>> Hello
>>>>>
>>>>> I am trying to map to Apache Syncope an organization composed of the same user base that uses different applications and has different roles in those applications. We are only using Syncope to provide authorisation to the applications, not authentication. Those applications will consume authorisation for different members via the Syncope REST API.
>>>>>
>>>>> Syncope has the following realms:
>>>>> /
>>>>> /application-a
>>>>> /application-b
>>>>> /application-x
>>>>>
>>>>> - We are using Apache Syncope to manage membership to groups in different applications. Those different applications have their own managers who can define groups and memberships under their realms in Syncope.
>>>>> - All members belong to the same organization and are shared by different applications. They can be members of different groups in different applications.
>>>>> - Each application is defined by a realm and managers of those applications have roles with entitlements in those realms that allow them to define groups. They can only define membership in groups in their realms and not in other realms.
>>>>> - As far as I understand, objects in Syncope can only belong to a realm, so it is not possible to have them in different realms and have managers able to edit memberships only for groups in their realm. To avoid this I created a new AnyObject of a new AnyType which maps our members in different realms. For each application where our members are, there is an AnyObject in the corresponding realms. If member A is in Application A and Application B there will be two AnyObjects for it, one in /application-a realm and another one in /application-b realm. Managers of those realms can edit AnyObjects in their realm without problems.
>>>> Why do you not use USER to map members into realms? Why did you create a new ANY_OBJECT?
>>>>> I would like to know if there are simpler ways to map this hierarchy in Syncope, especially without the need to replicate the members in different AnyObjects that are editable in the different realms, and I would like to understand if there is a better way to organize realms, groups and objects than the one I am planning to use.
>>>> You can define roles and map the role to a specific realm, for example:
>>>>
>>>> manager-role-application-a -> map it to /application-a realm and assign entitlements to update users (only in /application-a realm and children).
>>>> manager-role-application-b -> map it to /application-b realm and assign entitlements to update users (only in /application-b realm and children).
>>>> manager-role-application-x -> map it to /application-x realm and assign entitlements to update users (only in /application-x realm and children).
>>>>
>>>> With children I mean inner realms like /application-a/child-a/ or application-x/child-x
>>>>
>>>> Bear in mind that realms entitlements are applied from the current realm to the inner ones, please refer to documentation at [1].
>>>>
>>>> HTH,
>>>> Andrea
>>>>
>>>> [1] https://syncope.apache.org/docs/2.0/reference-guide.html#realms
>>>>
>>>>> Thanks
-- 
Dott. Andrea Patricelli
Tel. +39 3204524292

Developer @ Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net

Apache Syncope PMC Member


Re: Application hierarchy mapping in Syncope

Posted by Hernâni Borges de Freitas <he...@gmail.com>.
Assuming that I have a structure of 
/
 /application-a
 /application-b 

With roles and managers assigned to realms /application-a and /application-b and several AnyObjects defined in /. 

Would it be possible for a user manager in /application-a to assign the AnyObject X defined in / to a group that only exists in /application-a? Would it be possible for another user manager in /application-b to do the same for the same AnyObject defined in /? Bear in mind that we are talking about the same AnyObject and it only exists in the parent realm, not in the realm of any of the applications.

Thanks so much again

Hernani

> On 28 Aug 2018, at 15:43, Andrea Patricelli <an...@apache.org> wrote:
> 
> 
> 
> On 28/08/2018 16:34, Hernâni Borges de Freitas wrote:
>> Hi Andrea,
>> 
>> Thanks for your fast answer.
>> 
>> I thought about using a new AnyObject instead of the user directly because our usage for users will be somewhat special, without having passwords for them for instance, but just some associated metadata which we can attach not to users but to this new AnyObject.
> 
> Only a tip about this: password propagation and storing is optional, so you can create users without managing their passwords.
> 
>> 
>> About the mapping you are suggesting: what is still confusing me is how to allow a user to be present in more than one realm and still only allow managers of those realms to assign the users to the groups they can control. For user X I need that managers of realm /a are able to assign it to groups inside /a and managers of /b to assign it to groups inside /b.
> 
> Ok, now I get it.
> If you assign to a USER with, for example, username "manager-a" the role "manager-role-application-a" (assigned to realm /a) with entitlements to update user or anyobject, you can manage groups of anyobjects in realm /a and all its children.
> 
> Best regards,
> Andrea
> 
>> 
>> Hernani
>> 
>>> On 28 Aug 2018, at 15:21, Andrea Patricelli <an...@apache.org> wrote:
>>> 
>>> Hi Hernâni,
>>> 
>>> 
>>> On 28/08/2018 13:18, Hernâni Borges de Freitas wrote:
>>>> Hello
>>>> 
>>>> I am trying to map to Apache Syncope an organization composed of the same user base that uses different applications and has different roles in those applications. We are only using Syncope to provide authorisation to the applications, not authentication. Those applications will consume authorisation for different members via the Syncope REST API.
>>>> 
>>>> Syncope has the following realms:
>>>> /
>>>> /application-a
>>>> /application-b
>>>> /application-x
>>>> 
>>>> - We are using Apache Syncope to manage membership to groups in different applications. Those different applications have their own managers who can define groups and memberships under their realms in Syncope.
>>>> - All members belong to the same organization and are shared by different applications. They can be members of different groups in different applications.
>>>> - Each application is defined by a realm and managers of those applications have roles with entitlements in those realms that allow them to define groups. They can only define membership in groups in their realms and not in other realms.
>>>> - As far as I understand, objects in Syncope can only belong to a realm, so it is not possible to have them in different realms and have managers able to edit memberships only for groups in their realm. To avoid this I created a new AnyObject of a new AnyType which maps our members in different realms. For each application where our members are, there is an AnyObject in the corresponding realms. If member A is in Application A and Application B there will be two AnyObjects for it, one in /application-a realm and another one in /application-b realm. Managers of those realms can edit AnyObjects in their realm without problems.
>>> Why do you not use USER to map members into realms? Why did you create a new ANY_OBJECT?
>>>> I would like to know if there are simpler ways to map this hierarchy in Syncope, especially without the need to replicate the members in different AnyObjects that are editable in the different realms, and I would like to understand if there is a better way to organize realms, groups and objects than the one I am planning to use.
>>> You can define roles and map the role to a specific realm, for example:
>>> 
>>> manager-role-application-a -> map it to /application-a realm and assign entitlements to update users (only in /application-a realm and children).
>>> manager-role-application-b -> map it to /application-b realm and assign entitlements to update users (only in /application-b realm and children).
>>> manager-role-application-x -> map it to /application-x realm and assign entitlements to update users (only in /application-x realm and children).
>>> 
>>> With children I mean inner realms like /application-a/child-a/ or application-x/child-x
>>> 
>>> Bear in mind that realms entitlements are applied from the current realm to the inner ones, please refer to documentation at [1].
>>> 
>>> HTH,
>>> Andrea
>>> 
>>> [1] https://syncope.apache.org/docs/2.0/reference-guide.html#realms
>>> 
>>>> Thanks


Re: Application hierarchy mapping in Syncope

Posted by Andrea Patricelli <an...@apache.org>.

On 28/08/2018 16:34, Hernâni Borges de Freitas wrote:
> Hi Andrea,
>
> Thanks for your fast answer.
>
> I thought about using a new AnyObject instead of the user directly because our usage for users will be somewhat special, without having passwords for them for instance, but just some associated metadata which we can attach not to users but to this new AnyObject.

Only a tip about this: password propagation and storing is optional, so 
you can create users without managing their passwords.

>
> About the mapping you are suggesting: what is still confusing me is how to allow a user to be present in more than one realm and still only allow managers of those realms to assign the users to the groups they can control. For user X I need that managers of realm /a are able to assign it to groups inside /a and managers of /b to assign it to groups inside /b.

Ok, now I get it.
If you assign to a USER with, for example, username "manager-a" the role
"manager-role-application-a" (assigned to realm /a) with entitlements to
update user or anyobject, you can manage groups of anyobjects in realm
/a and all its children.

Best regards,
Andrea

>
> Hernani
>
>> On 28 Aug 2018, at 15:21, Andrea Patricelli <an...@apache.org> wrote:
>>
>> Hi Hernâni,
>>
>>
>> On 28/08/2018 13:18, Hernâni Borges de Freitas wrote:
>>> Hello
>>>
>>> I am trying to map to Apache Syncope an organization composed of the same user base that uses different applications and has different roles in those applications. We are only using Syncope to provide authorisation to the applications, not authentication. Those applications will consume authorisation for different members via the Syncope REST API.
>>>
>>> Syncope has the following realms:
>>> /
>>> /application-a
>>> /application-b
>>> /application-x
>>>
>>> - We are using Apache Syncope to manage membership to groups in different applications. Those different applications have their own managers who can define groups and memberships under their realms in Syncope.
>>> - All members belong to the same organization and are shared by different applications. They can be members of different groups in different applications.
>>> - Each application is defined by a realm and managers of those applications have roles with entitlements in those realms that allow them to define groups. They can only define membership in groups in their realms and not in other realms.
>>> - As far as I understand, objects in Syncope can only belong to a realm, so it is not possible to have them in different realms and have managers able to edit memberships only for groups in their realm. To avoid this I created a new AnyObject of a new AnyType which maps our members in different realms. For each application where our members are, there is an AnyObject in the corresponding realms. If member A is in Application A and Application B there will be two AnyObjects for it, one in /application-a realm and another one in /application-b realm. Managers of those realms can edit AnyObjects in their realm without problems.
>> Why do you not use USER to map members into realms? Why did you create a new ANY_OBJECT?
>>> I would like to know if there are simpler ways to map this hierarchy in Syncope, especially without the need to replicate the members in different AnyObjects that are editable in the different realms, and I would like to understand if there is a better way to organize realms, groups and objects than the one I am planning to use.
>> You can define roles and map the role to a specific realm, for example:
>>
>> manager-role-application-a -> map it to /application-a realm and assign entitlements to update users (only in /application-a realm and children).
>> manager-role-application-b -> map it to /application-b realm and assign entitlements to update users (only in /application-b realm and children).
>> manager-role-application-x -> map it to /application-x realm and assign entitlements to update users (only in /application-x realm and children).
>>
>> With children I mean inner realms like /application-a/child-a/ or application-x/child-x
>>
>> Bear in mind that realms entitlements are applied from the current realm to the inner ones, please refer to documentation at [1].
>>
>> HTH,
>> Andrea
>>
>> [1] https://syncope.apache.org/docs/2.0/reference-guide.html#realms
>>
>>> Thanks
-- 
Dott. Andrea Patricelli
Tel. +39 3204524292

Developer @ Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net

Apache Syncope PMC Member


Re: Application hierarchy mapping in Syncope

Posted by Hernâni Borges de Freitas <he...@gmail.com>.
Hi Andrea,

Thanks for your fast answer.

I thought about using a new AnyObject instead of the user directly because our usage for users will be somewhat special, without having passwords for them for instance, but just some associated metadata which we can attach not to users but to this new AnyObject.

About the mapping you are suggesting: what is still confusing me is how to allow a user to be present in more than one realm and still only allow managers of those realms to assign the users to the groups they can control. For user X I need that managers of realm /a are able to assign it to groups inside /a and managers of /b to assign it to groups inside /b. 

Hernani

> On 28 Aug 2018, at 15:21, Andrea Patricelli <an...@apache.org> wrote:
> 
> Hi Hernâni,
> 
> 
> On 28/08/2018 13:18, Hernâni Borges de Freitas wrote:
>> Hello
>> 
>> I am trying to map to Apache Syncope an organization composed of the same user base that uses different applications and has different roles in those applications. We are only using Syncope to provide authorisation to the applications, not authentication. Those applications will consume authorisation for different members via the Syncope REST API.
>> 
>> Syncope has the following realms:
>> /
>> /application-a
>> /application-b
>> /application-x
>> 
>> - We are using Apache Syncope to manage membership to groups in different applications. Those different applications have their own managers who can define groups and memberships under their realms in Syncope.
>> - All members belong to the same organization and are shared by different applications. They can be members of different groups in different applications.
>> - Each application is defined by a realm and managers of those applications have roles with entitlements in those realms that allow them to define groups. They can only define membership in groups in their realms and not in other realms.
>> - As far as I understand, objects in Syncope can only belong to a realm, so it is not possible to have them in different realms and have managers able to edit memberships only for groups in their realm. To avoid this I created a new AnyObject of a new AnyType which maps our members in different realms. For each application where our members are, there is an AnyObject in the corresponding realms. If member A is in Application A and Application B there will be two AnyObjects for it, one in /application-a realm and another one in /application-b realm. Managers of those realms can edit AnyObjects in their realm without problems.
> Why do you not use USER to map members into realms? Why did you create a new ANY_OBJECT?
>> 
>> I would like to know if there are simpler ways to map this hierarchy in Syncope, especially without the need to replicate the members in different AnyObjects that are editable in the different realms, and I would like to understand if there is a better way to organize realms, groups and objects than the one I am planning to use.
> You can define roles and map the role to a specific realm, for example:
> 
> manager-role-application-a -> map it to /application-a realm and assign entitlements to update users (only in /application-a realm and children).
> manager-role-application-b -> map it to /application-b realm and assign entitlements to update users (only in /application-b realm and children).
> manager-role-application-x -> map it to /application-x realm and assign entitlements to update users (only in /application-x realm and children).
> 
> With children I mean inner realms like /application-a/child-a/ or application-x/child-x
> 
> Bear in mind that realms entitlements are applied from the current realm to the inner ones, please refer to documentation at [1].
> 
> HTH,
> Andrea
> 
> [1] https://syncope.apache.org/docs/2.0/reference-guide.html#realms
> 
>> Thanks
> 


Re: Application hierarchy mapping in Syncope

Posted by Andrea Patricelli <an...@apache.org>.
Hi Hernâni,


On 28/08/2018 13:18, Hernâni Borges de Freitas wrote:
> Hello
>
> I am trying to map to Apache Syncope an organization composed of the same user base that uses different applications and has different roles in those applications. We are only using Syncope to provide authorisation to the applications, not authentication. Those applications will consume authorisation for different members via the Syncope REST API.
>
> Syncope has the following realms:
> /
> /application-a
> /application-b
> /application-x
>
> - We are using Apache Syncope to manage membership to groups in different applications. Those different applications have their own managers who can define groups and memberships under their realms in Syncope.
> - All members belong to the same organization and are shared by different applications. They can be members of different groups in different applications.
> - Each application is defined by a realm and managers of those applications have roles with entitlements in those realms that allow them to define groups. They can only define membership in groups in their realms and not in other realms.
> - As far as I understand, objects in Syncope can only belong to a realm, so it is not possible to have them in different realms and have managers able to edit memberships only for groups in their realm. To avoid this I created a new AnyObject of a new AnyType which maps our members in different realms. For each application where our members are, there is an AnyObject in the corresponding realms. If member A is in Application A and Application B there will be two AnyObjects for it, one in /application-a realm and another one in /application-b realm. Managers of those realms can edit AnyObjects in their realm without problems.
Why do you not use USER to map members into realms? Why did you create a
new ANY_OBJECT?
>
> I would like to know if there are simpler ways to map this hierarchy in Syncope, especially without the need to replicate the members in different AnyObjects that are editable in the different realms, and I would like to understand if there is a better way to organize realms, groups and objects than the one I am planning to use.
You can define roles and map the role to a specific realm, for example:

manager-role-application-a -> map it to /application-a realm and assign
entitlements to update users (only in /application-a realm and children).
manager-role-application-b -> map it to /application-b realm and assign
entitlements to update users (only in /application-b realm and children).
manager-role-application-x -> map it to /application-x realm and assign
entitlements to update users (only in /application-x realm and children).

With children I mean inner realms like /application-a/child-a/ or
/application-x/child-x

Bear in mind that realm entitlements are applied from the current realm
to the inner ones; please refer to the documentation at [1].

HTH,
Andrea

[1] https://syncope.apache.org/docs/2.0/reference-guide.html#realms

> Thanks

-- 
Dott. Andrea Patricelli
Tel. +39 3204524292

Developer @ Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net

Apache Syncope PMC Member
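The realm-scoping rule discussed in this thread (an entitlement granted to a role on a realm applies to that realm and its inner realms, so manager-role-application-a reaches /application-a/child-a but not / or /application-b, which is why Andrea says a role on / is needed to manage objects kept in /) is easy to get wrong when reviewing a delegated-administration setup. The following Python is an added example, not Syncope's own code and not code from any participant: it models role, entitlement and realm resolution in memory so the effective scope of a role can be checked before it is granted. It assumes realms are slash-separated paths with / as the root, uses the role keys from the thread, and uses the entitlement names USER_UPDATE, ANYOBJECT_UPDATE and GROUP_CREATE in the style of Syncope 2.0's standard entitlements (treat the exact set as an assumption and check the reference guide for your version); the member objects are constructed for the example.

```python
"""Realm-scoped entitlement check modelled after the rules quoted in the thread.

Added example (not Syncope's own code, not any participant's code). Assumes:
  - realms are '/'-separated paths, '/' being the root;
  - an entitlement granted to a role on a realm applies to that realm and every
    inner realm ("applied from the current realm to the inner ones"), never to
    a parent or sibling realm;
  - entitlement names USER_UPDATE, ANYOBJECT_UPDATE and GROUP_CREATE, following
    Syncope 2.0's standard entitlement naming (verify against your version).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    """A Syncope-style role: entitlements plus the realms they are granted on."""
    key: str
    entitlements: frozenset
    realms: tuple


def normalize(realm: str) -> str:
    """Canonical path: strip a trailing slash, keep '/' for the root."""
    return "/" + realm.strip("/")


def is_within(realm: str, scope: str) -> bool:
    """True if `realm` is `scope` itself or one of its inner realms."""
    realm, scope = normalize(realm), normalize(scope)
    if scope == "/":
        return True  # the root scope encloses every realm
    # the '/' suffix keeps '/application-ab' out of the '/application-a' scope
    return realm == scope or realm.startswith(scope + "/")


def allowed(roles, entitlement: str, target_realm: str) -> bool:
    """Does any role grant `entitlement` on a realm enclosing `target_realm`?"""
    return any(
        entitlement in role.entitlements
        and any(is_within(target_realm, scope) for scope in role.realms)
        for role in roles
    )


def manageable(roles, entitlement: str, objects: dict) -> list:
    """Keys of the objects (key -> realm) that `roles` may act on with `entitlement`."""
    return sorted(key for key, realm in objects.items()
                  if allowed(roles, entitlement, realm))


# Constructed roles mirroring the scheme proposed in the thread.
MANAGER_A = Role("manager-role-application-a",
                 frozenset({"USER_UPDATE", "ANYOBJECT_UPDATE", "GROUP_CREATE"}),
                 ("/application-a",))
MANAGER_B = Role("manager-role-application-b",
                 frozenset({"USER_UPDATE", "ANYOBJECT_UPDATE", "GROUP_CREATE"}),
                 ("/application-b",))
# A role granted on '/' is what is needed to manage objects that live in '/'.
ROOT_MANAGER = Role("manager-role-root", frozenset({"USER_UPDATE"}), ("/",))

# Constructed members: one shared member kept in '/', others in application realms.
MEMBERS = {
    "member-shared": "/",
    "member-a": "/application-a",
    "member-a-child": "/application-a/child-a/",
    "member-b": "/application-b",
}


if __name__ == "__main__":
    for realm in ("/", "/application-a", "/application-a/child-a/", "/application-b"):
        verdict = allowed([MANAGER_A], "USER_UPDATE", realm)
        print(f"manager-a USER_UPDATE in {realm:<24} -> {verdict}")
    print("manager-a can update:   ", manageable([MANAGER_A], "USER_UPDATE", MEMBERS))
    print("root manager can update:", manageable([ROOT_MANAGER], "USER_UPDATE", MEMBERS))
```

Running the script shows manager-a reaching member-a and member-a-child only; member-shared in / stays out of reach until a role granted on / is added, which is the trade-off the thread turns on: keeping a single shared object in / means the application managers need root-level entitlements (or delegation through dynamic realms), while keeping per-application objects keeps each manager's scope inside its own realm.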