Posted to user@syncope.apache.org by Francesco Chicchiriccò <il...@apache.org> on 2019/01/05 11:46:27 UTC

Re: Syncope use case in conjunction with external SSO and python/node.js apps

Hi Suresh,
sorry for the delayed response.

See my replies embedded below.
Regards.

On 2018-12-28 13:14 Suresh Mali wrote:

> I am looking for a good user/org provisioning system along with the ability to
> manage entitlements (permissions). I am trying to see how Syncope can be
> used for provisioning etc.
> 
> Requirements
> 
> 1. The app is in Python and Node.js and requires different roles such as
> user, agent, manager etc.

Ok, so such an app will deal with Syncope Core via its REST interface.
I would recommend not exposing the full set of REST endpoints, but 
restricting them somehow to the ones effectively used by your app (HTTP 
reverse proxy, API gateway, ...).

> 2. Each user is assigned an agent (a different user in the system with the agent 
> role) for a certain duration. An agent may be changed for a given 
> user from time to time. Agent assignment is done by a manager (another 
> user with the manager role). E.g. user1 may have agent1 from time t0 to 
> t1 and agent2 from time t1 to t2 etc.
> 
> 3. Fine-grained permissions (entitlements) are required, e.g. an agent can 
> perform a buy operation for the users he is assigned, but no sell 
> operation for any user. Also he is allowed to read all the transactions 
> of all users irrespective of his assigned users.
> 
> 4. An operation can be backdated, e.g. in the above example, for a given date 
> between t0 and t1 only agent1 should be allowed to perform a buy operation 
> for user1, and when the given date is between t1 and t2 agent2 should be 
> allowed.

I would suggest to model permissions via Privileges [1] (Entitlements 
[2] are used for the internal delegated administration process), that, 
being general-purpose JSON objects, can be used to represent any 
specific domain need; you would also likely need to implement somewhere 
- possibly in Syncope Core - a module which calculates if the calling 
user is entitled to perform the required action on the given object.
Before Syncope 3.0 - which we have just started working on - there are 
no pre-defined features available for access policy definition and 
evaluation.

> 5. An external Keycloak SSO server will be used for authentication (I was 
> able to set up and check this works). However, I need a way to pull all the 
> users of Keycloak into Syncope with a background job.

Pulling Keycloak's users into Syncope is surely an option, but why don't 
you simply use Syncope's internal storage as identity repository for 
Keycloak? Or set up an LDAP server for such a purpose, which is 
alimented by Syncope? You would avoid pulling, with such configurations.

> 6. The apps (Python/Node.js) can make REST calls to Syncope to get 
> effective permissions, i.e. to see whether a given agent has permission for a given 
> user on a given date, etc.

Correct, see above.

> 7. We need the ability to audit and find who was the agent for a given user, 
> and its trails.

You can leverage the auditing features [3] for this.

> How can I make use of Syncope for provisioning, organization creation, 
> and finding the permissions/entitlements of a given agent/manager/user with 
> respect to another user?
> 
> Regards,
> Suresh

[1] http://syncope.apache.org/docs/2.1/reference-guide.html#privileges
[2] http://syncope.apache.org/docs/2.1/reference-guide.html#entitlements
[3] http://syncope.apache.org/docs/2.1/reference-guide.html#audit
-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
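
As an added illustration, not code from this thread or from Syncope itself, of the evaluation module Francesco describes: the JSON spec carried by a Privilege, the manager-maintained assignment table and the half-open date windows are all assumptions constructed for this example, and the evaluator is default-deny so that the backdated case from point 4 (agent2 asking to buy for user1 at a date inside agent1's window) is refused.

```python
import json
from datetime import date

# Constructed sample: what an app could store in the JSON spec of a Syncope
# Privilege granted to the "agent" role. The shape is an assumption of this
# example, mirroring point 3: buy only for assigned users, read for all users.
AGENT_PRIVILEGE_SPEC = json.dumps({
    "allow": [
        {"action": "buy", "scope": "assigned_users"},
        {"action": "read", "scope": "all_users"},
    ],
})

# Constructed sample of agent assignments made by a manager (point 2):
# user1 had agent1 from t0 to t1 and agent2 from t1 to t2.
ASSIGNMENTS = [
    {"user": "user1", "agent": "agent1", "from": "2018-01-01", "to": "2018-07-01"},
    {"user": "user1", "agent": "agent2", "from": "2018-07-01", "to": "2019-01-01"},
]


def agent_for(user, on, assignments=ASSIGNMENTS):
    """Return the agent assigned to `user` on ISO date `on`, or None.

    Windows are half-open [from, to) so that a hand-over date belongs to
    exactly one agent and two agents can never both be "current".
    """
    d = date.fromisoformat(on)
    for a in assignments:
        if a["user"] == user and \
                date.fromisoformat(a["from"]) <= d < date.fromisoformat(a["to"]):
            return a["agent"]
    return None


def is_entitled(caller, action, target_user, on, spec_json,
                assignments=ASSIGNMENTS):
    """Decide whether `caller` may perform `action` on `target_user` as of
    date `on` (which may be in the past, covering backdated operations).

    Default-deny: anything the privilege spec does not explicitly allow,
    including every "sell" request, is refused.
    """
    spec = json.loads(spec_json)
    for rule in spec.get("allow", []):
        if rule["action"] != action:
            continue
        if rule["scope"] == "all_users":
            return True
        if rule["scope"] == "assigned_users" and \
                agent_for(target_user, on, assignments) == caller:
            return True
    return False
```

The module stands in for the "somewhere, possibly in Syncope Core" piece; the app would only need the yes/no answer, so exposing this one decision endpoint rather than the full REST surface fits the reverse proxy advice above.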

Re: Syncope use case in conjunction with external SSO and python/node.js apps

Posted by Suresh Mali <su...@yahoo.com>.
Many thanks Francesco for the detailed inputs, this helps.
-Suresh