Posted to user@syncope.apache.org by Maria Barth <mb...@cad-schroer.de> on 2018/09/10 10:03:16 UTC
Syncope administrator create realms
Hello,
I am evaluating Syncope as a possible IDM system for integration in a new
product.
One of the requirements is to have an administrator role that is allowed to perform
all actions on all realms, users, groups and roles and to view access
tokens.
I have configured a role as follows:
"entitlements":[
"ACCESS_TOKEN_LIST",
"ANYTYPE_LIST",
"ANYTYPE_READ",
"ANYTYPECLASS_LIST",
"ANYTYPECLASS_READ",
"DOMAIN_READ",
"GROUP_DELETE",
"GROUP_UPDATE",
"GROUP_CREATE",
"GROUP_LIST",
"GROUP_READ",
"GROUP_SEARCH",
"MEMBERSHIP_DELETE",
"MEMBERSHIP_UPDATE",
"MEMBERSHIP_CREATE",
"MEMBERSHIP_LIST",
"MEMBERSHIP_READ",
"POLICY_READ",
"REALM_LIST",
"REALM_CREATE",
"REALM_DELETE",
"REALM_UPDATE",
"RELATIONSHIPTYPE_LIST",
"RELATIONSHIPTYPE_READ",
"RESOURCE_LIST",
"RESOURCE_READ",
"ROLE_DELETE",
"ROLE_UPDATE",
"ROLE_CREATE",
"ROLE_LIST",
"ROLE_READ",
"USER_SEARCH",
"USER_DELETE",
"USER_CREATE",
"USER_UPDATE",
"USER_READ" ],
"realms":["/"],
It seems I am still missing some entitlements, because the user needs to
log in again as soon as he hits
- the "Realms" item on the left
- the "Details" tab after hitting "Dashboard" - "Users" (see the
attachment)
- one of the leaves of the realm tree in the right corner after
hitting "Dashboard" - "Users".
Thank you and regards,
Maria Barth
You can find our latest promotions for our products at:
http://www.cad-schroer.de/emailaction/
------------------------------------------------------------------------------
CAD Schroer GmbH, Fritz-Peters-Strasse 11, D - 47447 Moers
Managing directors: Michael Schroer, Thomas Schubert. Amtsgericht Kleve HRB 5339
Tel.: +49 2841-9184-0 Fax: +49 2841-9184-44
------------------------------------------------------------------------------
Website: http://www.cad-schroer.de
Re: Syncope administrator create realms
Posted by Maria Barth <mb...@cad-schroer.de>.
Hello Andrea,
Thank you very much!
It would be very helpful to know exactly which entitlements are responsible
for which functionality in the Syncope console :) It is a kind of guessing
game at the moment.
Regards,
Maria
Re: Syncope administrator create realms
Posted by Andrea Patricelli <an...@apache.org>.
Hi Maria,
Your problem is related to the entitlements REALM_DELETE, REALM_UPDATE and
REALM_CREATE. If you want to enable realm read/editing you also need to add
other entitlements; otherwise remove those three entitlements.
This set, for example, should work:
RESOURCE_READ, RELATIONSHIPTYPE_READ, IMPLEMENTATION_READ,
REMEDIATION_LIST, TASK_LIST, RELATIONSHIPTYPE_LIST, IMPLEMENTATION_LIST,
USER_CREATE, GROUP_SEARCH, RESOURCE_LIST, ANYTYPE_READ, USER_SEARCH,
ACCESS_TOKEN_LIST, CONFIGURATION_LIST, ANYTYPECLASS_READ, ROLE_LIST,
ANYTYPECLASS_LIST, USER_READ, ROLE_READ, REALM_DELETE, SCHEMA_LIST,
USER_DELETE, REALM_UPDATE, SECURITY_QUESTION_READ, REALM_CREATE,
ANYTYPE_LIST, USER_UPDATE, POLICY_READ, GROUP_READ, POLICY_LIST,
REALM_LIST, TASK_READ, DOMAIN_READ, DYNREALM_READ
Best regards,
Andrea
--
Dott. Andrea Patricelli
Tel. +39 3204524292
Developer @ Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net
Apache Syncope PMC Member
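As an added example (not code from the thread or from the Syncope project), a small Python helper that diffs the role Maria posted against the entitlement set Andrea reports as working, and produces either of the two fixes he describes: add the missing supporting entitlements, or drop the three realm write entitlements. The role name "product-admin" and the key/entitlements/realms layout of the role JSON are assumptions.

```python
# Role as posted in the thread. "key" (the role name) is an assumed value, not from the thread.
POSTED_ROLE = {
    "key": "product-admin",
    "entitlements": [
        "ACCESS_TOKEN_LIST", "ANYTYPE_LIST", "ANYTYPE_READ", "ANYTYPECLASS_LIST", "ANYTYPECLASS_READ",
        "DOMAIN_READ", "GROUP_DELETE", "GROUP_UPDATE", "GROUP_CREATE", "GROUP_LIST", "GROUP_READ",
        "GROUP_SEARCH", "MEMBERSHIP_DELETE", "MEMBERSHIP_UPDATE", "MEMBERSHIP_CREATE",
        "MEMBERSHIP_LIST", "MEMBERSHIP_READ", "POLICY_READ", "REALM_LIST", "REALM_CREATE",
        "REALM_DELETE", "REALM_UPDATE", "RELATIONSHIPTYPE_LIST", "RELATIONSHIPTYPE_READ",
        "RESOURCE_LIST", "RESOURCE_READ", "ROLE_DELETE", "ROLE_UPDATE", "ROLE_CREATE", "ROLE_LIST",
        "ROLE_READ", "USER_SEARCH", "USER_DELETE", "USER_CREATE", "USER_UPDATE", "USER_READ",
    ],
    "realms": ["/"],
}

# Set Andrea reports as working for realm create/update/delete from the console.
WORKING_SET = {
    "RESOURCE_READ", "RELATIONSHIPTYPE_READ", "IMPLEMENTATION_READ", "REMEDIATION_LIST", "TASK_LIST",
    "RELATIONSHIPTYPE_LIST", "IMPLEMENTATION_LIST", "USER_CREATE", "GROUP_SEARCH", "RESOURCE_LIST",
    "ANYTYPE_READ", "USER_SEARCH", "ACCESS_TOKEN_LIST", "CONFIGURATION_LIST", "ANYTYPECLASS_READ",
    "ROLE_LIST", "ANYTYPECLASS_LIST", "USER_READ", "ROLE_READ", "REALM_DELETE", "SCHEMA_LIST",
    "USER_DELETE", "REALM_UPDATE", "SECURITY_QUESTION_READ", "REALM_CREATE", "ANYTYPE_LIST",
    "USER_UPDATE", "POLICY_READ", "GROUP_READ", "POLICY_LIST", "REALM_LIST", "TASK_READ",
    "DOMAIN_READ", "DYNREALM_READ",
}

REALM_WRITE = {"REALM_CREATE", "REALM_UPDATE", "REALM_DELETE"}


def missing_entitlements(role, working=WORKING_SET):
    """Supporting entitlements the role lacks. Per Andrea, the realm write
    entitlements only work in the console together with the rest of the set."""
    have = set(role["entitlements"])
    return sorted(working - have) if have & REALM_WRITE else []


def fixed_role(role, working=WORKING_SET):
    """Option 1: add the missing supporting entitlements; the existing grants are kept."""
    fixed = dict(role)
    fixed["entitlements"] = sorted(set(role["entitlements"]) | set(missing_entitlements(role, working)))
    return fixed


def without_realm_write(role):
    """Option 2: drop REALM_CREATE/UPDATE/DELETE instead of adding the rest of the set."""
    trimmed = dict(role)
    trimmed["entitlements"] = sorted(set(role["entitlements"]) - REALM_WRITE)
    return trimmed
```

Running `missing_entitlements(POSTED_ROLE)` lists the ten entitlements Andrea's set adds over the posted role; the returned dicts can be serialised with `json.dumps` and applied to the role in Syncope.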