You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@syncope.apache.org by "Francesco Chicchiriccò (JIRA)" <ji...@apache.org> on 2013/01/21 12:32:12 UTC

[jira] [Assigned] (SYNCOPE-249) Implement RoleOwnerSchema for role propagation and synchronization

     [ https://issues.apache.org/jira/browse/SYNCOPE-249?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Francesco Chicchiriccò reassigned SYNCOPE-249:
----------------------------------------------

    Assignee: Francesco Chicchiriccò
    
> Implement RoleOwnerSchema for role propagation and synchronization
> ------------------------------------------------------------------
>
>                 Key: SYNCOPE-249
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-249
>             Project: Syncope
>          Issue Type: Improvement
>    Affects Versions: 1.1.0
>            Reporter: Francesco Chicchiriccò
>            Assignee: Francesco Chicchiriccò
>             Fix For: 1.1.0
>
>
> SYNCOPE-225 introduced the concept of role owner, than could be either a user or another role (not both at the same time).
> Test content provides an example of how role owner can be propagated by empowering a derived attribute (ownerDN): this approach is working only for propagation and makes the AccountLink expression duplicated.
> A more complete approach is to define a new type of internal mapping, RoleOwnerSchema.
> During role propagation (in MappingUtil.getIntValues()):
>  * if userOwner != null and the propagating resource has UMapping defined
>  * if roleOwner != null (the propagating resource has RMapping because of the ongoing propagation)
> the AccountLink (or AccountId if no AccountLink is defined) is generated and given as value for the external attribute mapped to RoleOwnerSchema
> During role synchronization (in ConnObjectUtil.getAttributableTOFromConnObject()), if a value is present in the ConnectorObject for the role being synchronized, this value must be used for searching the same connector for either ObjectClass.ACCOUNT and ObjectClass.GROUP; if a unique match is found, the matching ConnectorObject can be used to find the corresponding Syncope entity (user or role); now userOwner or roleOwner of the role being synchronized can be set.
> Especially in case of roleOwner, precedence issues must be taken into account: it might happen, in fact, that the owned role is being synchronized before the owner role synchronization takes place.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira