Posted to dev@syncope.apache.org by "Francesco Chicchiriccò (JIRA)" <ji...@apache.org> on 2013/01/21 12:32:12 UTC
[jira] [Assigned] (SYNCOPE-249) Implement RoleOwnerSchema for role propagation and synchronization
[ https://issues.apache.org/jira/browse/SYNCOPE-249?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Francesco Chicchiriccò reassigned SYNCOPE-249:
----------------------------------------------
Assignee: Francesco Chicchiriccò
> Implement RoleOwnerSchema for role propagation and synchronization
> ------------------------------------------------------------------
>
> Key: SYNCOPE-249
> URL: https://issues.apache.org/jira/browse/SYNCOPE-249
> Project: Syncope
> Issue Type: Improvement
> Affects Versions: 1.1.0
> Reporter: Francesco Chicchiriccò
> Assignee: Francesco Chicchiriccò
> Fix For: 1.1.0
>
>
> SYNCOPE-225 introduced the concept of role owner, that could be either a user or another role (not both at the same time).
> Test content provides an example of how role owner can be propagated by empowering a derived attribute (ownerDN): this approach is working only for propagation and makes the AccountLink expression duplicated.
> A more complete approach is to define a new type of internal mapping, RoleOwnerSchema.
> During role propagation (in MappingUtil.getIntValues()):
> * if userOwner != null and the propagating resource has UMapping defined
> * if roleOwner != null (the propagating resource has RMapping because of the ongoing propagation)
> the AccountLink (or AccountId if no AccountLink is defined) is generated and given as value for the external attribute mapped to RoleOwnerSchema
> During role synchronization (in ConnObjectUtil.getAttributableTOFromConnObject()), if a value is present in the ConnectorObject for the role being synchronized, this value must be used for searching the same connector for either ObjectClass.ACCOUNT or ObjectClass.GROUP; if a unique match is found, the matching ConnectorObject can be used to find the corresponding Syncope entity (user or role); now userOwner or roleOwner of the role being synchronized can be set.
> Especially in case of roleOwner, precedence issues must be taken into account: it might happen, in fact, that the owned role is being synchronized before the owner role synchronization takes place.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
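As an added illustration (not Syncope's own code and not part of the JIRA message above), the following Java sketch models the two steps described in the issue: on propagation, computing the value for the external attribute mapped to RoleOwnerSchema (AccountLink, falling back to AccountId); on synchronization, searching the connector for both ACCOUNT and GROUP, requiring a unique match, and mapping the match back to a user or role. All types (`User`, `Role`, `Resource`, `ConnObject`, `Connector`, `Store`), the `Outcome` enum and the two functions are hypothetical stand-ins, as are the sample DNs. The `DEFERRED` path shows one way to handle the precedence problem the issue raises: an owned role whose owner role has not been synchronized yet is queued and resolved again after the pass.

```java
import java.util.*;
import java.util.stream.Collectors;

// Added example, not Syncope code: models the RoleOwnerSchema logic sketched in SYNCOPE-249.
public class RoleOwnerSchemaExample {

    enum ObjectClass { ACCOUNT, GROUP }

    static final class User {                       // hypothetical stand-in for a Syncope user
        final String accountId, accountLink;        // accountLink may be null
        User(String accountId, String accountLink) { this.accountId = accountId; this.accountLink = accountLink; }
    }

    static final class Role {                       // hypothetical stand-in for a Syncope role
        final String name, accountId, accountLink;  // accountLink may be null
        User userOwner;                             // at most one of userOwner / roleOwner is set
        Role roleOwner;
        Role(String name, String accountId, String accountLink) {
            this.name = name; this.accountId = accountId; this.accountLink = accountLink;
        }
    }

    static final class Resource {                   // RMapping is implied while a role is being propagated
        final boolean hasUMapping;
        Resource(boolean hasUMapping) { this.hasUMapping = hasUMapping; }
    }

    static final class ConnObject {                 // object class, uid and attributes seen on the resource
        final ObjectClass objectClass; final String uid; final Map<String, String> attrs;
        ConnObject(ObjectClass oc, String uid, Map<String, String> attrs) { objectClass = oc; this.uid = uid; this.attrs = attrs; }
    }

    interface Connector { List<ConnObject> search(ObjectClass oc, String value); }

    static final class Store {                      // local index from connector uid back to Syncope entity
        final Map<String, User> usersByUid = new HashMap<>();
        final Map<String, Role> rolesByUid = new HashMap<>();
    }

    enum Outcome { NO_VALUE, NOT_FOUND, AMBIGUOUS, DEFERRED, SET_USER_OWNER, SET_ROLE_OWNER }

    static String linkOrId(String accountLink, String accountId) { return accountLink != null ? accountLink : accountId; }

    // Propagation: the value for the external attribute mapped to RoleOwnerSchema, if any.
    static Optional<String> ownerValueForPropagation(Role role, Resource resource) {
        if (role.userOwner != null && resource.hasUMapping) {
            return Optional.of(linkOrId(role.userOwner.accountLink, role.userOwner.accountId));
        }
        if (role.roleOwner != null) {
            return Optional.of(linkOrId(role.roleOwner.accountLink, role.roleOwner.accountId));
        }
        return Optional.empty();
    }

    // Synchronization: resolve the owner value carried by the synchronized role's ConnectorObject.
    static Outcome resolveOwnerOnSync(Role role, ConnObject synced, String ownerAttr, Connector connector, Store store) {
        String ownerValue = synced.attrs.get(ownerAttr);
        if (ownerValue == null) return Outcome.NO_VALUE;
        List<ConnObject> matches = new ArrayList<>(connector.search(ObjectClass.ACCOUNT, ownerValue));
        matches.addAll(connector.search(ObjectClass.GROUP, ownerValue));
        if (matches.isEmpty()) return Outcome.NOT_FOUND;
        if (matches.size() > 1) return Outcome.AMBIGUOUS;        // a unique match is required; never guess
        ConnObject match = matches.get(0);
        if (match.objectClass == ObjectClass.ACCOUNT) {
            User owner = store.usersByUid.get(match.uid);
            if (owner == null) return Outcome.NOT_FOUND;
            role.userOwner = owner; role.roleOwner = null;
            return Outcome.SET_USER_OWNER;
        }
        Role owner = store.rolesByUid.get(match.uid);
        if (owner == null) return Outcome.DEFERRED;             // owner role not synchronized yet
        role.roleOwner = owner; role.userOwner = null;
        return Outcome.SET_ROLE_OWNER;
    }

    public static void main(String[] args) {
        // Constructed sample: role "helpdesk" owned by role "admins"; DNs are made up.
        Role admins = new Role("admins", "admins", "cn=admins,ou=groups,dc=example,dc=com");
        Role helpdesk = new Role("helpdesk", "helpdesk", null);
        helpdesk.roleOwner = admins;
        System.out.println("propagated owner value: " + ownerValueForPropagation(helpdesk, new Resource(false)).orElse("<none>"));

        // Constructed view of the external resource, searched by owner value (uid match only).
        List<ConnObject> onResource = Arrays.asList(
            new ConnObject(ObjectClass.GROUP, "cn=admins,ou=groups,dc=example,dc=com", Map.of()),
            new ConnObject(ObjectClass.GROUP, "cn=helpdesk,ou=groups,dc=example,dc=com",
                Map.of("owner", "cn=admins,ou=groups,dc=example,dc=com")));
        Connector connector = (oc, value) -> onResource.stream()
            .filter(o -> o.objectClass == oc && o.uid.equals(value)).collect(Collectors.toList());

        // Synchronize the owned role first: its owner is not in the store yet, so it is deferred.
        Store store = new Store();
        Deque<Map.Entry<Role, ConnObject>> deferred = new ArrayDeque<>();
        Role syncedHelpdesk = new Role("helpdesk", "helpdesk", null);
        Outcome first = resolveOwnerOnSync(syncedHelpdesk, onResource.get(1), "owner", connector, store);
        if (first == Outcome.DEFERRED) deferred.add(new AbstractMap.SimpleEntry<>(syncedHelpdesk, onResource.get(1)));
        System.out.println("first pass: " + first);

        Role syncedAdmins = new Role("admins", "admins", onResource.get(0).uid);
        store.rolesByUid.put(onResource.get(0).uid, syncedAdmins);   // owner role now synchronized
        for (Map.Entry<Role, ConnObject> e : deferred) {              // retry deferred roles after the pass
            System.out.println("retry: " + resolveOwnerOnSync(e.getKey(), e.getValue(), "owner", connector, store));
        }
    }
}
```

Run as a single file (`javac RoleOwnerSchemaExample.java && java RoleOwnerSchemaExample`). The retry queue is only one possible answer to the ordering problem; the point it makes is that an unresolved owner must not silently become "no owner", since that would quietly widen who is treated as owning the role.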