Posted to user@syncope.apache.org by Craig Martin <cr...@gmail.com> on 2018/08/22 04:40:14 UTC
Setup Question
Hi,
Apologies for the entry level question but I am new to administering
Syncope. I am hoping to use Syncope as an identity store (password rules,
data store, user data, and JWT) and access it via the REST interface.
Users will never access Syncope directly, they will pass through custom
microservices and my web services will create/delete/update users and
validate/invalidate JWTs.
As I see it I really need three main types of users (are they realms? maybe
groups?)
- *User Group* - this is the main user group. They should only have
access to their own identity information and should be very limited in the
system
- *Service Account* - A group (maybe only one) service account user that
my microservices will use to create/delete users, update passwords. I
would like to limit the ability of this user/group to be able to only
manage users and not administer the Syncope system
- *Admin Users* - These are the main users that can create realms, update
workflows, password requirements
What is the recommended way to set this up?
Thank you in advance.
Craig
Re: Setup Question
Posted by Craig Martin <cr...@gmail.com>.
This is very useful and seems like a logical solution. Really appreciate
your help. I will give it a go.
Craig
On Wed, Aug 22, 2018 at 1:03 AM Francesco Chicchiriccò <il...@apache.org>
wrote:
Re: Setup Question
Posted by Francesco Chicchiriccò <il...@apache.org>.
On 22/08/2018 06:40, Craig Martin wrote:
Hi Craig,
there are several ways to configure your needs above with Syncope
concepts; AFAICT the simplest would be:
1. Map "User Group" as plain Syncope Users. Do not assign any Role to
them - by which you could be granting Entitlements [1] to them; hence,
plain users
2. Create a "Service Account" Role, assign to it the relevant
entitlements [1] to administer Users and Groups (e.g. USER_* and
GROUP_*), and the / Realm; once done that, create a "Service Account"
user, and give it the "Service Account" Role.
Your microservices will authenticate as such user, and be able to manage
to the extent of the granted entitlements
3. If you don't want to use the default admin user - for which you can
change the default credentials [2], just do as above with an additional
Role and an additional user, and you're set.
The difficult part - especially for 3, when using the Admin Console - is
to define the minimum viable set of entitlements to grant - see [3] for
more information.
HTH
Regards.
[1]
http://syncope.apache.org/docs/2.1/reference-guide.html#delegated-administration
[2]
http://syncope.apache.org/docs/2.1/reference-guide.html#set-admin-credentials
[3]
http://syncope.apache.org/docs/2.1/reference-guide.html#delegated-administration-console
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
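The three steps above, as an added example that is not part of the thread and not code from the Syncope project: it creates the "Service Account" role and user over the Syncope 2.1 REST API as the bootstrap admin, then logs in as that account and confirms it can create a user but is refused (403) an operation it was never granted, and that a plain user with no role can still read its own entry. It assumes a core at http://localhost:9080/syncope/rest in domain Master with the 2.1 default credentials admin/password (change them as [2] says), a user schema with no mandatory attributes, and the illustrative names "Service Account", "svc-idm" and "alice"; the USER_*/GROUP_* entitlement list follows the "e.g." in the reply and is not claimed to be the minimal set. The jwt_claims helper decodes a token's claims without verifying its signature.

```python
"""Bootstrap the three principals from the thread against the Syncope 2.1 REST
API and check the service account's limits. Added example, not thread/project
code. Assumptions (not in the thread): core at SYNCOPE_URL, domain Master,
bootstrap admin/password, no mandatory user attributes; the names
"Service Account", "svc-idm" and "alice" are illustrative."""
import base64
import json
import os
import urllib.error
import urllib.request

SYNCOPE_URL = os.environ.get("SYNCOPE_URL", "http://localhost:9080/syncope/rest")
DOMAIN = "Master"

# USER_* / GROUP_* only, as the reply suggests: enough to manage users and
# groups, nothing from ROLE_*, REALM_*, CONFIGURATION_* etc., so the account
# can neither widen its own grants nor reconfigure Syncope.
SERVICE_ACCOUNT_ENTITLEMENTS = (
    "USER_SEARCH", "USER_READ", "USER_CREATE", "USER_UPDATE", "USER_DELETE",
    "GROUP_SEARCH", "GROUP_READ", "GROUP_CREATE", "GROUP_UPDATE", "GROUP_DELETE",
)


def is_user_group_admin_only(entitlements):
    """Allow-list guard run before the role is created: every entitlement must
    belong to the USER_* or GROUP_* family."""
    return all(e.startswith(("USER_", "GROUP_")) for e in entitlements)


def role_payload(key, entitlements, realms=("/",)):
    """RoleTO JSON: a named bundle of entitlements and the realms they apply in."""
    return {"key": key, "entitlements": sorted(set(entitlements)),
            "realms": list(realms)}


def user_payload(username, password, realm="/", roles=()):
    """UserTO JSON. "@class" is the discriminator Syncope uses to deserialise
    the polymorphic AnyTO hierarchy; roles=() gives a plain user (step 1)."""
    return {"@class": "org.apache.syncope.common.lib.to.UserTO",
            "username": username, "password": password, "realm": realm,
            "roles": list(roles), "plainAttrs": []}


def jwt_claims(token):
    """Read the claims (e.g. "sub", "exp") of a Syncope access token WITHOUT
    verifying it; never make an authorisation decision on this alone."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def _call(method, path, token=None, basic=None, body=None):
    """One REST call; returns (status, headers, body), HTTP errors as status codes."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(SYNCOPE_URL + path, data=data, method=method)
    req.add_header("Accept", "application/json")
    req.add_header("Content-Type", "application/json")
    req.add_header("X-Syncope-Domain", DOMAIN)
    if basic is not None:
        cred = base64.b64encode(("%s:%s" % basic).encode()).decode()
        req.add_header("Authorization", "Basic " + cred)
    elif token is not None:
        req.add_header("Authorization", "Bearer " + token)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers, err.read()


def login(username, password):
    """POST /accessTokens/login with Basic auth; Syncope returns the JWT in the
    X-Syncope-Token response header, used as a Bearer token from then on."""
    status, headers, _ = _call("POST", "/accessTokens/login", basic=(username, password))
    token = headers.get("X-Syncope-Token")
    if token is None:
        raise RuntimeError("login of %s failed: HTTP %d" % (username, status))
    return token


def bootstrap_and_check(svc_password, user_password):
    """Steps 2 and 1 of the reply, then a least-privilege check."""
    admin = login("admin", "password")  # 2.1 bootstrap defaults: change them ([2])
    role = role_payload("Service Account", SERVICE_ACCOUNT_ENTITLEMENTS)
    if not is_user_group_admin_only(role["entitlements"]):
        raise ValueError("service role could administer Syncope itself")
    _call("POST", "/roles", token=admin, body=role)
    _call("POST", "/users", token=admin,
          body=user_payload("svc-idm", svc_password, roles=[role["key"]]))
    # What the microservice does: authenticate as the service account ...
    svc = login("svc-idm", svc_password)
    created, _, _ = _call("POST", "/users", token=svc, body=user_payload("alice", user_password))
    # ... and what it must NOT be able to do: ROLE_LIST was never granted,
    # so Syncope refuses this with 403 Forbidden.
    denied, _, _ = _call("GET", "/roles", token=svc)
    # A plain user (no role) can still read only itself via /users/self.
    own, _, _ = _call("GET", "/users/self", token=login("alice", user_password))
    return {"user_created": created, "roles_list": denied, "self_read": own}


if __name__ == "__main__":
    print(json.dumps(role_payload("Service Account", SERVICE_ACCOUNT_ENTITLEMENTS), indent=2))
    if "SYNCOPE_URL" in os.environ:  # only talk to a real core when pointed at one
        print(bootstrap_and_check(os.environ["SVC_PASSWORD"], os.environ["USER_PASSWORD"]))
```

Run it with no SYNCOPE_URL set to just print the role payload; set SYNCOPE_URL, SVC_PASSWORD and USER_PASSWORD to execute against a live core. The microservices in the design above do exactly the login() step with the service account and send the returned token as Bearer on every call; a user's token can be checked without sharing the core's signing key by calling GET /users/self with it, and invalidating it is POST /accessTokens/logout with that token.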