Posted to user@syncope.apache.org by Craig Martin <cr...@gmail.com> on 2018/08/22 04:40:14 UTC

Setup Question

Hi,

Apologies for the entry level question but I am new to administering
Syncope.   I am hoping to use Syncope as an identity store (password rules,
data store, user data, and JWT) and access it via the REST interface.
Users will never access Syncope Directly, they will pass through custom
microservices and my webservices will create/delete/update users and
validate/invalidate JWTs.

As I see it I really need three main types of users (are they realms? maybe
groups?)

   - *User Group* - this is the main user group.  They should only have
   access to their own identity information and should be very limited in the
   system
   - *Service Account *- A group (maybe only one) service account user that
   my microservices will use to create/delete users, update passwords.  I
   would like to limit the ability of this user/group to be able to only
   manage users and not Administer the Syncope system
   - *Admin Users* - This is the main users that can create realms, update
   workflows, password requirements

What is the recommended way to set this up?

Thank you in advance.

Craig

Re: Setup Question

Posted by Craig Martin <cr...@gmail.com>.
This is very useful and seems like a logical solution.   Really appreciate
your help.  I will give it a go.

Craig

On Wed, Aug 22, 2018 at 1:03 AM Francesco Chicchiriccò <il...@apache.org>
wrote:

> On 22/08/2018 06:40, Craig Martin wrote:
>
> Hi,
>
> Apologies for the entry level question but I am new to administering
> Syncope.   I am hoping to use Syncope as an identity store (password rules,
> data store, user data, and JWT) and access it via the REST interface.
> Users will never access Syncope Directly, they will pass through custom
> microservices and my webservices will create/delete/update users and
> validate/invalidate JWTs.
>
> As I see it I really need three main types of users (are they realms?
> maybe groups?)
>
>    - *User Group* - this is the main user group.  They should only have
>    access to their own identity information and should be very limited in the
>    system
>    - *Service Account *- A group (maybe only one) service account user
>    that my microservices will use to create/delete users, update passwords.  I
>    would like to limit the ability of this user/group to be able to only
>    manage users and not Administer the Syncope system
>    - *Admin Users* - This is the main users that can create realms,
>    update workflows, password requirements
>
> What is the recommended way to set this up?
>
> Hi Craig,
> there are several ways to configure your needs above with Syncope
> concepts; AFAICT the simplest would be:
>
> 1. Map "User Group" as plain syncope Users. Do not assign any Role to them
> - by which you could be granting Entitlements [1] to them; hence, plain
> users
>
> 2. Create a "Service Account" Role, assign to it the relevant entitlements
> [1] to administer Users and Groups (e.g. USER_* and GROUP_*), and the /
> Realm; once done that, create a "Service Account" user, and give it the
> "Service Account" Role.
> Your microservices will authenticate as such user, and be able to manage
> to the extent of the granted entitlements
>
> 3. If you don't want to use the default admin user - for which you can
> change the default credentials [2], just do as above with an additional
> Role and an additional user, and you're set.
>
> The difficult part - especially for 3, when using the Admin Console - is
> to define the minimum viable set of entitlements to grant - see [3] for
> more information.
>
> HTH
> Regards.
>
> [1]
> http://syncope.apache.org/docs/2.1/reference-guide.html#delegated-administration
> [2]
> http://syncope.apache.org/docs/2.1/reference-guide.html#set-admin-credentials
> [3]
> http://syncope.apache.org/docs/2.1/reference-guide.html#delegated-administration-console
>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Member at The Apache Software Foundation
> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
> http://home.apache.org/~ilgrosso/
>
>

Re: Setup Question

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 22/08/2018 06:40, Craig Martin wrote:
> Hi,
>
> Apologies for the entry level question but I am new to administering 
> Syncope.   I am hoping to use Syncope as an identity store (password 
> rules, data store, user data, and JWT) and access it via the REST 
> interface.  Users will never access Syncope Directly, they will pass 
> through custom microservices and my webservices will 
> create/delete/update users and validate/invalidate JWTs.
>
> As I see it I really need three main types of users (are they realms? 
> maybe groups?)
>
>   * *User Group* - this is the main user group.  They should only have
>     access to their own identity information and should be very
>     limited in the system
>   * *Service Account *- A group (maybe only one) service account user
>     that my microservices will use to create/delete users, update
>     passwords.  I would like to limit the ability of this user/group
>     to be able to only manage users and not Administer the Syncope system
>   * *Admin Users* - This is the main users that can create realms,
>     update workflows, password requirements
>
> What is the recommended way to set this up?

Hi Craig,
there are several ways to configure your needs above with Syncope 
concepts; AFAICT the simplest would be:

1. Map "User Group" as plain syncope Users. Do not assign any Role to 
them - by which you could be granting Entitlements [1] to them; hence, 
plain users

2. Create a "Service Account" Role, assign to it the relevant 
entitlements [1] to administer Users and Groups (e.g. USER_* and 
GROUP_*), and the / Realm; once done that, create a "Service Account" 
user, and give it the "Service Account" Role.
Your microservices will authenticate as such user, and be able to manage 
to the extent of the granted entitlements

3. If you don't want to use the default admin user - for which you can 
change the default credentials [2], just do as above with an additional 
Role and an additional user, and you're set.

The difficult part - especially for 3, when using the Admin Console - is 
to define the minimum viable set of entitlements to grant - see [3] for 
more information.

HTH
Regards.

[1] 
http://syncope.apache.org/docs/2.1/reference-guide.html#delegated-administration
[2] 
http://syncope.apache.org/docs/2.1/reference-guide.html#set-admin-credentials
[3] 
http://syncope.apache.org/docs/2.1/reference-guide.html#delegated-administration-console

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
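A worked version of step 2 above, added here as an illustration and not part of the thread or of the Syncope project: it builds the "Service Account" Role (USER_* and GROUP_* entitlements on the "/" Realm) and the user that carries it, checks the Role against a least-privilege allow-list before anything is sent, and shows how the microservice would later obtain a JWT as that user. The entitlement names, the RoleTO/UserTO JSON shapes (including the "@class" marker), the `/roles`, `/users` and `/accessTokens/login` paths and the `X-Syncope-Token` header are assumptions about the Syncope 2.1 REST API taken from memory; check them against the reference guide linked at [1] before relying on them.

```python
"""Service-account setup for Apache Syncope as described in the thread.

Assumptions (not from the thread): Syncope 2.1 REST paths /roles, /users and
/accessTokens/login; RoleTO / UserTO JSON shapes; StandardEntitlement names.
"""
import base64
import fnmatch
import json
import urllib.request

# Constructed minimal set for "administer Users and Groups"; the post only says
# "USER_* and GROUP_*", the concrete names are assumed from StandardEntitlement.
SERVICE_ACCOUNT_ENTITLEMENTS = [
    "USER_SEARCH", "USER_READ", "USER_CREATE", "USER_UPDATE", "USER_DELETE",
    "GROUP_SEARCH", "GROUP_READ", "GROUP_CREATE", "GROUP_UPDATE", "GROUP_DELETE",
]
# Least-privilege allow-list: anything outside these patterns (REALM_*, ROLE_*,
# CONFIGURATION_*, ...) would let the account administer Syncope itself.
ALLOWED_PATTERNS = ("USER_*", "GROUP_*")


def build_role(key, entitlements, realms=("/",)):
    """RoleTO-shaped dict: the entitlements are scoped to the listed realms."""
    return {
        "key": key,
        "entitlements": sorted(set(entitlements)),
        "realms": list(realms),
        "dynMembershipCond": None,
    }


def build_user(username, password, role_keys, realm="/"):
    """UserTO-shaped dict; '@class' is the assumed polymorphic type marker."""
    return {
        "@class": "org.apache.syncope.common.lib.to.UserTO",
        "username": username,
        "password": password,
        "realm": realm,
        "roles": list(role_keys),
        "plainAttrs": [],
        "memberships": [],
    }


def over_privileged(role, allowed=ALLOWED_PATTERNS):
    """Entitlements on the role that escape the allow-list; empty means least privilege."""
    return sorted(
        e for e in role["entitlements"]
        if not any(fnmatch.fnmatchcase(e, pat) for pat in allowed)
    )


def basic_auth(username, password):
    """HTTP Basic Authorization header value."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def _post_json(url, payload, auth_header):
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    req.add_header("Authorization", auth_header)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.headers.get("Location")


def provision(base_url, admin_user, admin_password, role, user):
    """Create the Role, then the user, as the (re-credentialed) admin.

    Refuses to proceed if the Role grants anything beyond user/group management,
    so a copy-paste mistake cannot silently turn the service account into an admin.
    """
    extra = over_privileged(role)
    if extra:
        raise ValueError(f"role {role['key']!r} grants admin-level entitlements: {extra}")
    auth = basic_auth(admin_user, admin_password)
    created = [_post_json(f"{base_url}/roles", role, auth)]
    created.append(_post_json(f"{base_url}/users", user, auth))
    return created


def login(base_url, username, password):
    """Exchange the service account's credentials for a JWT (assumed endpoint/header)."""
    req = urllib.request.Request(f"{base_url}/accessTokens/login", data=b"", method="POST")
    req.add_header("Authorization", basic_auth(username, password))
    with urllib.request.urlopen(req) as resp:
        return resp.headers.get("X-Syncope-Token")


if __name__ == "__main__":
    role = build_role("Service Account", SERVICE_ACCOUNT_ENTITLEMENTS)
    user = build_user("svc-usermgmt", "<CHANGE-ME>", [role["key"]])
    print(json.dumps(role, indent=2))
    print(json.dumps(user, indent=2))
    # Against a live deployment (assumed base URL and placeholder admin password):
    # provision("http://localhost:9080/syncope/rest", "admin", "<admin-password>", role, user)
    # jwt = login("http://localhost:9080/syncope/rest", "svc-usermgmt", "<CHANGE-ME>")
```

The allow-list check is the part worth keeping even if the payload shapes need adjusting: it encodes the thread's "minimum viable set of entitlements" as something a deployment script can enforce rather than something reviewed by eye in the Admin Console.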