Posted to user@syncope.apache.org by Timo Hatakka <ti...@helsinki.fi> on 2013/11/15 08:25:41 UTC
Role membership
Hi,
there is a nice feature in Syncope that you can include some extra
parameters to user - role connection. This can be achieved by adding new
attributes to Membership schema. However you can not connect a single user
twice to the same role using two parallel memberships with different
membership arguments. This could be used for example to describe the
situation that a student u1 has a Student role in two faculties F1 and F2:
membership(user: u1, role: Student, OU: F1, start: 1.1.2013, end:
31.12.2013)
membership(user: u1, role: student, OU: F2, start: 1.1.2013, end:
31.12.2014)
Could you change the system to allow this kind of parallel role connections?
Or is there something we can do?
Best regards,
Timo
Re: Role membership
Posted by Francesco Chicchiriccò <il...@apache.org>.
On 15/11/2013 09:41, Timo-V Hatakka wrote:
> Hi,
>
>>> there is a nice feature in Syncope that you can include some extra
>>> parameters to user -- role connection. This can be achieved by
>>> adding new attributes to Membership schema. However you can not
>>> connect a single user twice to the same role using two parallel
>>> memberships with different membership arguments. This could be used
>>> for example to describe the situation that a student u1 has a
>>> Student role in two faculties F1 and F2:
>>>
>>> membership(user: u1, role: Student, OU: F1, start: 1.1.2013, end:
>>> 31.12.2013)
>>> membership(user: u1, role: student, OU: F2, start: 1.1.2013, end:
>>> 31.12.2014)
>>>
>>> Could you change the system to allow this kind of parallel role
>>> connections? Or is there something we can do?
>>>
>>
>> Hi,
>> you are right, membership is unique, for each (user, role) pair.
>>
>> In your scenario, I'd suggest to just model each Faculty as a
>> separate role, possibly with a common parent role.
>
> Actually this is just the way we absolutely want to avoid. The result
> would be cartesian product of roles and OUs
> (https://wiki.evolveum.com/display/midPoint/Role+Explosion) and would
> lead to hundreds or even thousands of roles. Your role design is so
> near to a nice way to do it! Any possibilities to redesign the model?
I am not sure I was clear: if you have N students and M faculties, you
would result with the following number of entries in the internal database:
* N SyncopeUser
* M+1 (for the parent role) SyncopeRole
* ~N Membership (depending on the number of users that are students in
more than one faculty)
* ~N MAttr + ~N MAttrValue for 'start'
* ~N MAttr + ~N MAttrValue for 'end'
Syncope has proven to work flawlessly - with thousands of memberships and
hundreds of thousands of attribute values.
Redesigning the internal model is an option that - if discussed on dev@
ML and accepted - might happen in one of future major releases since it
will likely impact the internal database design.
If you want to continue this thread, I'd suggest anyway to move it to dev@.
Regards.
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
http://people.apache.org/~ilgrosso/
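
An added sketch (not part of the thread and not Syncope code) of the modelling suggested in the reply above: membership is unique per (user, role) pair, each faculty is a child role of a common parent, and start/end are membership attributes. The class, the role names such as Student-F1 and the rule that a child role implies its parent are assumptions made for illustration; the dates are the ones from the example in the thread.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Directory:
    """Toy model (hypothetical names): one membership per (user, role) pair."""
    parents: dict = field(default_factory=dict)      # role -> parent role or None
    memberships: dict = field(default_factory=dict)  # (user, role) -> attributes

    def add_role(self, role, parent=None):
        self.parents[role] = parent

    def add_membership(self, user, role, **attrs):
        if role not in self.parents:
            raise KeyError(f"unknown role {role!r}")
        if (user, role) in self.memberships:
            # The constraint discussed in the thread: no parallel memberships.
            raise ValueError(f"{user} already has a membership in {role}")
        self.memberships[(user, role)] = attrs

    def effective_roles(self, user, on):
        """Roles held on a given day; a child role implies its parent (assumption)."""
        active = set()
        for (u, role), attrs in self.memberships.items():
            if u == user and attrs["start"] <= on <= attrs["end"]:
                while role is not None:  # walk up to the common parent
                    active.add(role)
                    role = self.parents[role]
        return active


def build_example():
    d = Directory()
    d.add_role("Student")                          # common parent role
    for faculty in ("F1", "F2"):                   # M faculties -> M child roles
        d.add_role(f"Student-{faculty}", parent="Student")
    d.add_membership("u1", "Student-F1",
                     start=date(2013, 1, 1), end=date(2013, 12, 31))
    d.add_membership("u1", "Student-F2",
                     start=date(2013, 1, 1), end=date(2014, 12, 31))
    return d
```

With two faculties this yields three roles (M+1) and two memberships for u1, and the F1 membership stops contributing roles once its end date has passed.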
Re: Role membership
Posted by Timo-V Hatakka <ti...@helsinki.fi>.
Hi,
>> there is a nice feature in Syncope that you can include some extra
>> parameters to user -- role connection. This can be achieved by
>> adding new attributes to Membership schema. However you can not
>> connect a single user twice to the same role using two parallel
>> memberships with different membership arguments. This could be used
>> for example to describe the situation that a student u1 has a
>> Student role in two faculties F1 and F2:
>>
>> membership(user: u1, role: Student, OU: F1, start: 1.1.2013, end:
>> 31.12.2013)
>> membership(user: u1, role: student, OU: F2, start: 1.1.2013, end:
>> 31.12.2014)
>>
>> Could you change the system to allow this kind of parallel role
>> connections? Or is there something we can do?
>>
>
> Hi,
> you are right, membership is unique, for each (user, role) pair.
>
> In your scenario, I'd suggest to just model each Faculty as a
> separate role, possibly with a common parent role.
Actually this is just the way we absolutely want to avoid. The result
would be cartesian product of roles and OUs
(https://wiki.evolveum.com/display/midPoint/Role+Explosion) and would
lead to hundreds or even thousands of roles. Your role design is so
near to a nice way to do it! Any possibilities to redesign the model?
Regards,
Timo
Re: Role membership
Posted by Francesco Chicchiriccò <il...@apache.org>.
On 15/11/2013 08:25, Timo Hatakka wrote:
>
> Hi,
>
> there is a nice feature in Syncope that you can include some extra
> parameters to user -- role connection. This can be achieved by adding
> new attributes to Membership schema. However you can not connect a
> single user twice to the same role using two parallel memberships with
> different membership arguments. This could be used for example to
> describe the situation that a student u1 has a Student role in two
> faculties F1 and F2:
>
> membership(user: u1, role: Student, OU: F1, start: 1.1.2013, end:
> 31.12.2013)
> membership(user: u1, role: student, OU: F2, start: 1.1.2013, end:
> 31.12.2014)
>
> Could you change the system to allow this kind of parallel role
> connections? Or is there something we can do?
>
Hi,
you are right, membership is unique, for each (user, role) pair.
In your scenario, I'd suggest to just model each Faculty as a separate
role, possibly with a common parent role.
Regards.
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
http://people.apache.org/~ilgrosso/