Posted to user@syncope.apache.org by Colm O hEigeartaigh <co...@apache.org> on 2012/08/13 18:04:59 UTC

Syncope Role propagation/synchronization

Hi all,

I am trying to get a handle on what is currently supported in Syncope with
respect to roles stored in an LDAP resource.

One way of working with roles is given here in a previous thread:

http://syncope-dev.1063484.n5.nabble.com/Role-membership-attributes-synchronization-td5512256.html

So you can map a role attribute to an LDAP memberOf attribute (for
example). I have the following questions:

 a) This works for propagation, but does it also work for synchronization?
So if the memberOf attribute changes in the backend, will the Role have the
updated attribute value? I think this doesn't work, but just want to check.
 b) Must the Role (Group) pointed to already exist in LDAP or is there any
way of creating it from Syncope?
 c) Is there any way of importing roles from an LDAP backend via search? So
for example, your users do not have a "memberOf" attribute, but instead you
have some "ou=groups" with a "member" attribute pointing back to the
relevant users in the group. Is there any way of importing this group
information into Syncope?

Thanks,

Colm.

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Syncope Role propagation/synchronization

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 14/08/2012 08.46, Fabio Martelli wrote:
> Hi Colm,
> please, find my comments/answers inline.
>
> On 13 Aug 2012, at 18:04, Colm O hEigeartaigh wrote:
>
>> Hi all,
>>
>> I am trying to get a handle on what is currently supported in Syncope 
>> with respect to roles stored in an LDAP resource.
>>
>> One way of working with roles is given here in a previous thread:
>>
>> http://syncope-dev.1063484.n5.nabble.com/Role-membership-attributes-synchronization-td5512256.html
>>
>> So you can map a role attribute to an LDAP memberOf attribute (for 
>> example). I have the following questions:
>>
>>  a) This works for propagation, but does it also work for 
>> synchronization? So if the memberOf attribute changes in the backend, 
>> will the Role have the updated attribute value? I think this doesn't 
>> work, but just want to check.
>
> No, role attributes won't be synchronized: if the memberOf attribute 
> changes, Syncope won't execute any update on the role attributes.
> However, this shouldn't be the right behavior. We expect to 
> synchronize role and membership attributes also.
> The related issue is https://issues.apache.org/jira/browse/SYNCOPE-26.

In the meanwhile, you could implement your own logic to be performed 
during synchronization (see 
https://cwiki.apache.org/confluence/display/SYNCOPE/SynchronizationActionsClass).
An idea could be to extend beforeUpdate() and add the code for 
interpreting LDAP's memberOf values as Syncope memberships. We did 
something similar for a customer.

>>  b) Must the Role (Group) pointed to already exist in LDAP or is 
>> there any way of creating it from Syncope?
>
> There isn't any way to create a group or role on an external resource. At 
> the moment Syncope provides only user provisioning features.
> Role propagation/synchronization is on the roadmap. See 
> https://issues.apache.org/jira/browse/SYNCOPE-172.
>
>>  c) Is there any way of importing roles from an LDAP backend via 
>> search? So for example, your users do not have a "memberOf" 
>> attribute, but instead you have some "ou=groups" with a "member" 
>> attribute pointing back to the relevant users in the group. Is there 
>> any way of importing this group information into Syncope?
>
> No, there isn't. This feature is really close to role mining. We expect to 
> have this soon, with role propagation/synchronization feature (see above).
> At the moment, if you want to import role information from ldap you 
> have to implement a custom solution.

-- 
Francesco Chicchiriccò

ASF Member, Apache Cocoon PMC and Apache Syncope PPMC Member
http://people.apache.org/~ilgrosso/
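The approach Francesco sketches above, as an added example that is not code from this thread or from Syncope itself: the logic a custom beforeUpdate() would call to turn LDAP membership data into Syncope role memberships. It covers both shapes Colm asked about (memberOf on the user entry, and ou=groups entries whose member attribute points back at users), normalizes DNs before comparing them, honours only the LDAP groups listed in an administrator-maintained map (so an unexpected group appearing in the directory cannot grant a role), and returns the roles to revoke as well as the roles to grant. The LDIF, the group-to-role map and the role names are constructed for the example; the call from the SynchronizationActions hook is not shown because its exact signature is not given on this page.

```python
"""Derive Syncope-style role memberships from LDAP group data.

Added example, not Syncope code. The sample LDIF, the GROUP_TO_ROLE map
and the role names are constructed for illustration.
"""
from __future__ import annotations

# Constructed sample directory. alice carries memberOf values (one of them
# with odd case and spacing, as some clients emit); the entries under
# ou=groups carry member values pointing back at users.
SAMPLE_LDIF = """\
dn: uid=alice,ou=users,dc=example,dc=org
uid: alice
memberOf: cn=Developers,ou=groups,dc=example,dc=org
memberOf: CN=Admins, OU=groups, DC=example, DC=org

dn: uid=bob,ou=users,dc=example,dc=org
uid: bob

dn: cn=Developers,ou=groups,dc=example,dc=org
cn: Developers
member: uid=alice,ou=users,dc=example,dc=org
member: uid=bob,ou=users,dc=example,dc=org

dn: cn=Contractors,ou=groups,dc=example,dc=org
cn: Contractors
member: uid=bob,ou=users,dc=example,dc=org
"""

# Administrator-maintained allow-list (assumed): only these LDAP groups may
# grant a Syncope role. Groups not listed here are ignored, never turned
# into roles, so whoever can add a group in LDAP cannot mint privileges.
GROUP_TO_ROLE = {
    "cn=developers,ou=groups,dc=example,dc=org": "developer",
    "cn=admins,ou=groups,dc=example,dc=org": "admin",
}


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: lower-case, no whitespace around the
    RDN separators. Sufficient for the sample; production code should use
    a real RFC 4514 DN parser (escaped commas, multi-valued RDNs)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text: str) -> dict[str, dict[str, list[str]]]:
    """Tiny LDIF reader: entries separated by a blank line, one
    'attr: value' per line, attribute names lower-cased, entries keyed by
    normalized DN. Base64 (::) values and continuation lines are not
    handled; they do not occur in the sample."""
    entries: dict[str, dict[str, list[str]]] = {}
    for block in text.strip().split("\n\n"):
        attrs: dict[str, list[str]] = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[normalize_dn(attrs["dn"][0])] = attrs
    return entries


def roles_from_memberof(entries, user_dn: str) -> set[str]:
    """Roles implied by the user's own memberOf values (questions a and d)."""
    user = entries[normalize_dn(user_dn)]
    groups = {normalize_dn(g) for g in user.get("memberof", [])}
    return {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}


def roles_from_groups(entries, user_dn: str) -> set[str]:
    """Roles implied by group entries whose member attribute points back at
    the user (question c): invert the group -> members relation."""
    target = normalize_dn(user_dn)
    roles = set()
    for group_dn, attrs in entries.items():
        if group_dn not in GROUP_TO_ROLE:
            continue
        if any(normalize_dn(m) == target for m in attrs.get("member", [])):
            roles.add(GROUP_TO_ROLE[group_dn])
    return roles


def desired_roles(entries, user_dn: str) -> set[str]:
    """Union of both sources; a directory may expose either or both."""
    return roles_from_memberof(entries, user_dn) | roles_from_groups(entries, user_dn)


def membership_delta(current: set[str], desired: set[str]) -> tuple[set[str], set[str]]:
    """(roles to grant, roles to revoke) for one user. Revocation is the
    security-relevant half: a user dropped from the LDAP admin group must
    lose the Syncope admin role on the next synchronization run."""
    return desired - current, current - desired


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for uid in ("alice", "bob"):
        dn = f"uid={uid},ou=users,dc=example,dc=org"
        print(uid, desired_roles(directory, dn))
```

In the sample, bob is a member of cn=Contractors but that group is not in the map, so he gets only the developer role; alice's memberOf value for cn=Admins is honoured even though no such entry exists under ou=groups, which is exactly the inconsistency a real deployment should decide how to treat before trusting memberOf alone.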


Re: Syncope Role propagation/synchronization

Posted by Colm O hEigeartaigh <co...@apache.org>.
Great, thanks for the feedback!

Colm.

On Mon, Sep 17, 2012 at 1:36 PM, Fabio Martelli <fa...@gmail.com> wrote:

>
> On 17 Sep 2012, at 12:59, Colm O hEigeartaigh wrote:
>
>> Any comments on this?
>
> Hi Colm,
> sorry for my lack of reaction. Please find my comments in-line.
>
>> Colm.
>>
>> ---------- Forwarded message ----------
>> From: Colm O hEigeartaigh <co...@apache.org>
>> Date: Mon, Sep 3, 2012 at 4:13 PM
>> Subject: Re: Syncope Role propagation/synchronization
>> To: syncope-user@incubator.apache.org
>>
>> Thanks again for your reply. I'd like to summarize my understanding of
>> this issue, by listing the following tasks that are required in relation to
>> supporting role synchronization/propagation (amongst others):
>>
>> a) Role propagation. There is no way to create a group or role on an
>> external resource. It should be possible to map a role in Syncope to an
>> LDAP group for example. Covered by SYNCOPE-172.
>
> Right!
>
>> b) Role synchronization. We should be able to map LDAP groups to Roles in
>> Syncope. We should also be able to reflect LDAP "member" attributes of
>> Groups by updating the users in Syncope with the corresponding roles. Also
>> covered by SYNCOPE-172.
>
> Exactly.
>
>> c) Add workflow support for Roles. Covered by SYNCOPE-173.
>
> Exactly.
>
>> d) Support dynamic role memberships. For example if a user in the LDAP
>> backend has a "memberOf" attribute, the synchronized User in Syncope is
>> assigned a Role(s) that has an attribute that matches the updated resource
>> attribute (if one exists). Covered by SYNCOPE-140. Also see SYNCOPE-26.
>
> Yes but indirectly. I mean, from my point of view the matching should be
> done on a syncope/local attribute.
> For example: all the users with attribute "employee_number" valued with a
> non empty string have to be assigned to the role 'employee' because they
> are employees.
> Now, if the value of the "employee_number" attribute comes from an
> external resource or has been given via syncope administration console the
> result must be the same: user is an employee.
>
> Regards,
> F.
>
>> Am I leaving anything out, or are there any errors in the above?
>>
>> Thanks,
>>
>> Colm.
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Syncope Role propagation/synchronization

Posted by Fabio Martelli <fa...@gmail.com>.
On 17 Sep 2012, at 12:59, Colm O hEigeartaigh wrote:

> 
> Any comments on this?
Hi Colm, 
sorry for my lack of reaction. Please find my comments in-line.

> 
> Colm.
> 
> ---------- Forwarded message ----------
> From: Colm O hEigeartaigh <co...@apache.org>
> Date: Mon, Sep 3, 2012 at 4:13 PM
> Subject: Re: Syncope Role propagation/synchronization
> To: syncope-user@incubator.apache.org
> 
> 
> 
> Thanks again for your reply. I'd like to summarize my understanding of this issue, by listing the following tasks that are required in relation to supporting role synchronization/propagation (amongst others):
> 
> a) Role propagation. There is no way to create a group or role on an external resource. It should be possible to map a role in Syncope to an LDAP group for example. Covered by SYNCOPE-172.

Right!

> b) Role synchronization. We should be able to map LDAP groups to Roles in Syncope. We should also be able to reflect LDAP "member" attributes of Groups by updating the users in Syncope with the corresponding roles. Also covered by SYNCOPE-172.

Exactly.

> c) Add workflow support for Roles. Covered by SYNCOPE-173.

Exactly.

> d) Support dynamic role memberships. For example if a user in the LDAP backend has a "memberOf" attribute, the synchronized User in Syncope is assigned a Role(s) that has an attribute that matches the updated resource attribute (if one exists). Covered by SYNCOPE-140. Also see SYNCOPE-26.

Yes but indirectly. I mean, from my point of view the matching should be done on a syncope/local attribute.
For example: all the users with attribute "employee_number" valued with a non empty string have to be assigned to the role 'employee' because they are employees.
Now, if the value of the "employee_number" attribute comes from an external resource or has been given via syncope administration console the result must be the same: user is an employee.

Regards,
F.

> Am I leaving anything out, or are there any errors in the above?
> 
> 
> Thanks,
> 
> Colm.
> 
> -- 
> Colm O hEigeartaigh
> 
> Talend Community Coder
> http://coders.talend.com
> 
> 
> 
> 
> -- 
> Colm O hEigeartaigh
> 
> Talend Community Coder
> http://coders.talend.com
> 


Fwd: Syncope Role propagation/synchronization

Posted by Colm O hEigeartaigh <co...@apache.org>.
Any comments on this?

Colm.

---------- Forwarded message ----------
From: Colm O hEigeartaigh <co...@apache.org>
Date: Mon, Sep 3, 2012 at 4:13 PM
Subject: Re: Syncope Role propagation/synchronization
To: syncope-user@incubator.apache.org



Thanks again for your reply. I'd like to summarize my understanding of this
issue, by listing the following tasks that are required in relation to
supporting role synchronization/propagation (amongst others):

a) Role propagation. There is no way to create a group or role on an
external resource. It should be possible to map a role in Syncope to an
LDAP group for example. Covered by SYNCOPE-172.

b) Role synchronization. We should be able to map LDAP groups to Roles in
Syncope. We should also be able to reflect LDAP "member" attributes of
Groups by updating the users in Syncope with the corresponding roles. Also
covered by SYNCOPE-172.

c) Add workflow support for Roles. Covered by SYNCOPE-173.

d) Support dynamic role memberships. For example if a user in the LDAP
backend has a "memberOf" attribute, the synchronized User in Syncope is
assigned a Role(s) that has an attribute that matches the updated resource
attribute (if one exists). Covered by SYNCOPE-140. Also see SYNCOPE-26.

Am I leaving anything out, or are there any errors in the above?


Thanks,

Colm.

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com




-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Syncope Role propagation/synchronization

Posted by Colm O hEigeartaigh <co...@apache.org>.
Thanks again for your reply. I'd like to summarize my understanding of this
issue, by listing the following tasks that are required in relation to
supporting role synchronization/propagation (amongst others):

a) Role propagation. There is no way to create a group or role on an
external resource. It should be possible to map a role in Syncope to an
LDAP group for example. Covered by SYNCOPE-172.

b) Role synchronization. We should be able to map LDAP groups to Roles in
Syncope. We should also be able to reflect LDAP "member" attributes of
Groups by updating the users in Syncope with the corresponding roles. Also
covered by SYNCOPE-172.

c) Add workflow support for Roles. Covered by SYNCOPE-173.

d) Support dynamic role memberships. For example if a user in the LDAP
backend has a "memberOf" attribute, the synchronized User in Syncope is
assigned a Role(s) that has an attribute that matches the updated resource
attribute (if one exists). Covered by SYNCOPE-140. Also see SYNCOPE-26.

Am I leaving anything out, or are there any errors in the above?

Thanks,

Colm.

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Syncope Role propagation/synchronization

Posted by Fabio Martelli <fa...@gmail.com>.
Hi Colm, please find my comments/answers inline.

On 27 Aug 2012, at 18:04, Colm O hEigeartaigh wrote:

> Hi Fabio,
> 
> Thanks for your response. I have another question relating to:
> 
> http://syncope-dev.1063484.n5.nabble.com/Role-membership-attributes-synchronization-td5512256.html
> 
> Let's say we create a User in Syncope and assign a Role to it, which has an attribute that gets mapped to a User Attribute in the resource (e.g. "memberOf"). The question is what the converse behaviour should be in the context of Syncope supporting Role synchronization properly. Let's say the memberOf attribute changes in the backend and a synchronization task takes effect in Syncope. Which of the following behaviours should apply?
> 
> a) The Role attribute gets updated to the new value.

From my point of view the syncope role attribute shouldn't be updated.
I do think that user provisioning shouldn't influence role [provisioning]: things should be kept separately.

> b) The User gets assigned to a new Role that has an attribute that matches the updated resource attribute (if one exists).

Sounds good!
This could be the right behavior. Probably it would be better if configurable (ignore change or change role).
This kind of implementation seems to be a little bit complicated: a lot of things should be modified and a lot of side effects (related to role assign/unassign) must be considered.

I think this implementation has to be considered with SYNCOPE-140 and some role mining functionalities.

Regards,
F.

> Thanks,
> 
> Colm.
> 
> On Tue, Aug 14, 2012 at 7:46 AM, Fabio Martelli <fa...@gmail.com> wrote:
> Hi Colm,
> please, find my comments/answers inline.
> 
> On 13 Aug 2012, at 18:04, Colm O hEigeartaigh wrote:
> 
>> Hi all,
>> 
>> I am trying to get a handle on what is currently supported in Syncope with respect to roles stored in an LDAP resource.
>> 
>> One way of working with roles is given here in a previous thread:
>> 
>> http://syncope-dev.1063484.n5.nabble.com/Role-membership-attributes-synchronization-td5512256.html
>> 
>> So you can map a role attribute to an LDAP memberOf attribute (for example). I have the following questions:
>> 
>>  a) This works for propagation, but does it also work for synchronization? So if the memberOf attribute changes in the backend, will the Role have the updated attribute value? I think this doesn't work, but just want to check.
> 
> No, role attributes won't be synchronized: if the memberOf attribute changes, Syncope won't execute any update on the role attributes.
> However, this shouldn't be the right behavior. We expect to synchronize role and membership attributes also.
> The related issue is https://issues.apache.org/jira/browse/SYNCOPE-26.
> 
>>  b) Must the Role (Group) pointed to already exist in LDAP or is there any way of creating it from Syncope?
> 
> There isn't any way to create a group or role on an external resource. At the moment Syncope provides only user provisioning features.
> Role propagation/synchronization is on the roadmap. See https://issues.apache.org/jira/browse/SYNCOPE-172.
> 
>>  c) Is there any way of importing roles from an LDAP backend via search? So for example, your users do not have a "memberOf" attribute, but instead you have some "ou=groups" with a "member" attribute pointing back to the relevant users in the group. Is there any way of importing this group information into Syncope?
> 
> No, there isn't. This feature is really close to role mining. We expect to have this soon, with the role propagation/synchronization feature (see above).
> At the moment, if you want to import role information from ldap you have to implement a custom solution.
> 
> Best regards,
> F.
> 
>> Thanks,
>> 
>> Colm.
>> 
>> -- 
>> Colm O hEigeartaigh
>> 
>> Talend Community Coder
>> http://coders.talend.com
>> 
> 
> 
> 
> 
> -- 
> Colm O hEigeartaigh
> 
> Talend Community Coder
> http://coders.talend.com
> 


Re: Syncope Role propagation/synchronization

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Fabio,

Thanks for your response. I have another question relating to:

http://syncope-dev.1063484.n5.nabble.com/Role-membership-attributes-synchronization-td5512256.html

Let's say we create a User in Syncope and assign a Role to it, which has an
attribute that gets mapped to a User Attribute in the resource (e.g.
"memberOf"). The question is what the converse behaviour should be in the
context of Syncope supporting Role synchronization properly. Let's say the
memberOf attribute changes in the backend and a synchronization task takes
effect in Syncope. Which of the following behaviours should apply?

a) The Role attribute gets updated to the new value.
b) The User gets assigned to a new Role that has an attribute that matches
the updated resource attribute (if one exists).

Thanks,

Colm.

On Tue, Aug 14, 2012 at 7:46 AM, Fabio Martelli <fa...@gmail.com> wrote:

> Hi Colm,
> please, find my comments/answers inline.
>
> On 13 Aug 2012, at 18:04, Colm O hEigeartaigh wrote:
>
>> Hi all,
>>
>> I am trying to get a handle on what is currently supported in Syncope with
>> respect to roles stored in an LDAP resource.
>>
>> One way of working with roles is given here in a previous thread:
>>
>> http://syncope-dev.1063484.n5.nabble.com/Role-membership-attributes-synchronization-td5512256.html
>>
>> So you can map a role attribute to an LDAP memberOf attribute (for
>> example). I have the following questions:
>>
>>  a) This works for propagation, but does it also work for synchronization?
>> So if the memberOf attribute changes in the backend, will the Role have the
>> updated attribute value? I think this doesn't work, but just want to check.
>
> No, role attributes won't be synchronized: if the memberOf attribute changes,
> Syncope won't execute any update on the role attributes.
> However, this shouldn't be the right behavior. We expect to synchronize
> role and membership attributes also.
> The related issue is https://issues.apache.org/jira/browse/SYNCOPE-26.
>
>>  b) Must the Role (Group) pointed to already exist in LDAP or is there any
>> way of creating it from Syncope?
>
> There isn't any way to create a group or role on an external resource. At the
> moment Syncope provides only user provisioning features.
> Role propagation/synchronization is on the roadmap. See
> https://issues.apache.org/jira/browse/SYNCOPE-172.
>
>>  c) Is there any way of importing roles from an LDAP backend via search?
>> So for example, your users do not have a "memberOf" attribute, but instead
>> you have some "ou=groups" with a "member" attribute pointing back to the
>> relevant users in the group. Is there any way of importing this group
>> information into Syncope?
>
> No, there isn't. This feature is really close to role mining. We expect to
> have this soon, with the role propagation/synchronization feature (see above).
> At the moment, if you want to import role information from ldap you have
> to implement a custom solution.
>
> Best regards,
> F.
>
>> Thanks,
>>
>> Colm.
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Syncope Role propagation/synchronization

Posted by Fabio Martelli <fa...@gmail.com>.
Hi Colm,
please, find my comments/answers inline.

On 13 Aug 2012, at 18:04, Colm O hEigeartaigh wrote:

> Hi all,
> 
> I am trying to get a handle on what is currently supported in Syncope with respect to roles stored in an LDAP resource.
> 
> One way of working with roles is given here in a previous thread:
> 
> http://syncope-dev.1063484.n5.nabble.com/Role-membership-attributes-synchronization-td5512256.html
> 
> So you can map a role attribute to an LDAP memberOf attribute (for example). I have the following questions:
> 
>  a) This works for propagation, but does it also work for synchronization? So if the memberOf attribute changes in the backend, will the Role have the updated attribute value? I think this doesn't work, but just want to check.

No, role attributes won't be synchronized: if the memberOf attribute changes, Syncope won't execute any update on the role attributes.
However, this shouldn't be the right behavior. We expect to synchronize role and membership attributes also.
The related issue is https://issues.apache.org/jira/browse/SYNCOPE-26.

>  b) Must the Role (Group) pointed to already exist in LDAP or is there any way of creating it from Syncope?

There isn't any way to create a group or role on an external resource. At the moment Syncope provides only user provisioning features.
Role propagation/synchronization is on the roadmap. See https://issues.apache.org/jira/browse/SYNCOPE-172.

>  c) Is there any way of importing roles from an LDAP backend via search? So for example, your users do not have a "memberOf" attribute, but instead you have some "ou=groups" with a "member" attribute pointing back to the relevant users in the group. Is there any way of importing this group information into Syncope?

No, there isn't. This feature is really close to role mining. We expect to have this soon, with the role propagation/synchronization feature (see above).
At the moment, if you want to import role information from ldap you have to implement a custom solution.

Best regards,
F.

> Thanks,
> 
> Colm.
> 
> -- 
> Colm O hEigeartaigh
> 
> Talend Community Coder
> http://coders.talend.com
>