Delegate admin for realms

classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Delegate admin for realms

Kwong,Vincent

Hi All,

 

I am new to syncope and going to evaulate the syncope functionality for my coming project.

 

I am trying to setup a organization like this, but I cannot figure out how I can achieve the delegated administration.

 

Sample Structure:

Parent Company (e.g. /) -> Multiple Sub-Group (e.g. /Group1) -> Multiple Teams (e.g. /Group1/Team1)

 

1.       Each team will have a admin to mange the user under that realm

2.       Each sub-group will have another admin to look after all teams

3.       Each admin have the control for their own sub-group / team only

 

I tried to createa role with some user/realm related access under particular realm, but after I tried to login with the account with that role, I can see/update the parent realm or other sub realm.

 

Is it possible for syncope to achieve what I want? Or anyone have simialr experience?

 

Regards,

Vincent

 

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Delegate admin for realms

ilgrosso
Administrator
On 04/05/2017 04:59, Kwong,Vincent wrote:

Hi All,

 

I am new to syncope and going to evaulate the syncope functionality for my coming project.

 

I am trying to setup a organization like this, but I cannot figure out how I can achieve the delegated administration.

 

Sample Structure:

Parent Company (e.g. /) -> Multiple Sub-Group (e.g. /Group1) -> Multiple Teams (e.g. /Group1/Team1)

 

1.       Each team will have a admin to mange the user under that realm

2.       Each sub-group will have another admin to look after all teams

3.       Each admin have the control for their own sub-group / team only

 

I tried to createa role with some user/realm related access under particular realm, but after I tried to login with the account with that role, I can see/update the parent realm or other sub realm.

 

Is it possible for syncope to achieve what I want? Or anyone have simialr experience?ù


Hi Vincent, glad of your interest in Apache Syncope.

To be sure, I have created some sample data in an attempt to replicate your use case.

First, the realms: [1] where g1 and g2 are 'sub-groups' as you name them above (please beware that groups are a different concept in Syncope) and t11 / t12 / t21 / t22 / t23 are 'teams'.

Then I have created some roles: [2], one for each of the realms above, with full entitlements about users, and REALM_LIST which is only required if you are planning to operate via Admin Console (as it seems).

Finally I have created some users in several realms, /g1/t11 [3], /g1/t12 [4] (which are all reported in /g1 [5]) and /g2 [6]: as you can see, there are plain users and admin users, where the username of the latter is given to show which realm they are actually managing, e.g.

* [hidden email] which is granted the role 'Managing g1' and thus is allowed to manage users in /g1 [5]
* [hidden email] which is granted the role 'Managing t11' and thus is allowed to manager users in /g1/t11 [3]
* [hidden email] which is granted the role 'Managing t12' and thus is allowed to manager users in /g1/t12 [4]
* [hidden email] which is granted the role 'Managing g2' and thus is allowed to manage users in /g2 [6]

Given such setup, everything is working as expected and every admin user can only see and manage the users contained by the realms he / she is granted by role.
The only quirk I could find is that the realms view always starts from /, but even in this case the only users shown are the expected.

HTH
Regards.

[1] http://pasteboard.co/29sHsujiu.png
[2] http://pasteboard.co/29sWCF785.png
[3] http://pasteboard.co/29tBRMtxQ.png
[4] http://pasteboard.co/29tMu5CWi.png
[5] http://pasteboard.co/dlwgYicg.png
[6] http://pasteboard.co/29tnvwPlb.png
-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Delegate admin for realms

Kwong,Vincent
In reply to this post by Kwong,Vincent

Hi Francesco,

 

Thanks for your quick and details response, I will try again with your suggestion and evaluate again.

 

Will post again if I have any problem.

 

Regards,

Vincent

 

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

RE: Delegate admin for realms

Kwong,Vincent
In reply to this post by ilgrosso

Hi Francesco,

 

Tried with positive result, thanks a lot.

 

But the display is confusing, the add user button is available in all realms, and only display error when I am at the last step on create user.

 

Here is my comments:

1.       Better to display the realms where the user have access only, in some situation I may not want the non-delegated sub-group visible especially they are individual companies

2.       Some console display should reflect user access to avoid confusion

 

Regards,

Vincent

 

From: Francesco Chicchiriccò [mailto:[hidden email]]
Sent: Thursday, May 04, 2017 4:57 PM
To: [hidden email]
Subject: Re: Delegate admin for realms

 

On 04/05/2017 04:59, Kwong,Vincent wrote:

Hi All,

 

I am new to syncope and going to evaulate the syncope functionality for my coming project.

 

I am trying to setup a organization like this, but I cannot figure out how I can achieve the delegated administration.

 

Sample Structure:

Parent Company (e.g. /) -> Multiple Sub-Group (e.g. /Group1) -> Multiple Teams (e.g. /Group1/Team1)

 

1.       Each team will have a admin to mange the user under that realm

2.       Each sub-group will have another admin to look after all teams

3.       Each admin have the control for their own sub-group / team only

 

I tried to createa role with some user/realm related access under particular realm, but after I tried to login with the account with that role, I can see/update the parent realm or other sub realm.

 

Is it possible for syncope to achieve what I want? Or anyone have simialr experience?ù


Hi Vincent, glad of your interest in Apache Syncope.

To be sure, I have created some sample data in an attempt to replicate your use case.

First, the realms: [1] where g1 and g2 are 'sub-groups' as you name them above (please beware that groups are a different concept in Syncope) and t11 / t12 / t21 / t22 / t23 are 'teams'.

Then I have created some roles: [2], one for each of the realms above, with full entitlements about users, and REALM_LIST which is only required if you are planning to operate via Admin Console (as it seems).

Finally I have created some users in several realms, /g1/t11 [3], /g1/t12 [4] (which are all reported in /g1 [5]) and /g2 [6]: as you can see, there are plain users and admin users, where the username of the latter is given to show which realm they are actually managing, e.g.

* [hidden email] which is granted the role 'Managing g1' and thus is allowed to manage users in /g1 [5]
* [hidden email] which is granted the role 'Managing t11' and thus is allowed to manager users in /g1/t11 [3]
* [hidden email] which is granted the role 'Managing t12' and thus is allowed to manager users in /g1/t12 [4]
* [hidden email] which is granted the role 'Managing g2' and thus is allowed to manage users in /g2 [6]

Given such setup, everything is working as expected and every admin user can only see and manage the users contained by the realms he / she is granted by role.
The only quirk I could find is that the realms view always starts from /, but even in this case the only users shown are the expected.

HTH
Regards.

[1] http://pasteboard.co/29sHsujiu.png
[2] http://pasteboard.co/29sWCF785.png
[3] http://pasteboard.co/29tBRMtxQ.png
[4] http://pasteboard.co/29tMu5CWi.png
[5] http://pasteboard.co/dlwgYicg.png
[6] http://pasteboard.co/29tnvwPlb.png

-- 
Francesco Chicchiriccò
 
Tirasa - Open Source Excellence
http://www.tirasa.net/
 
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Delegate admin for realms

ilgrosso
Administrator
On 05/05/2017 06:06, Kwong,Vincent wrote:

Hi Francesco,

 

Tried with positive result, thanks a lot.


That's good to hear.

But the display is confusing, the add user button is available in all realms, and only display error when I am at the last step on create user.


I have now created

https://issues.apache.org/jira/browse/SYNCOPE-1072
https://issues.apache.org/jira/browse/SYNCOPE-1073

 

Here is my comments:

1.       Better to display the realms where the user have access only, in some situation I may not want the non-delegated sub-group visible especially they are individual companies


I have also created

https://issues.apache.org/jira/browse/SYNCOPE-1074

2.       Some console display should reflect user access to avoid confusion


Please give more details, this is not clear.

Regards.

From: Francesco Chicchiriccò [[hidden email]]

Sent: Thursday, May 04, 2017 4:57 PM
To: [hidden email]
Subject: Re: Delegate admin for realms

 

On 04/05/2017 04:59, Kwong,Vincent wrote:

Hi All,

 

I am new to syncope and going to evaulate the syncope functionality for my coming project.

 

I am trying to setup a organization like this, but I cannot figure out how I can achieve the delegated administration.

 

Sample Structure:

Parent Company (e.g. /) -> Multiple Sub-Group (e.g. /Group1) -> Multiple Teams (e.g. /Group1/Team1)

 

1.       Each team will have a admin to mange the user under that realm

2.       Each sub-group will have another admin to look after all teams

3.       Each admin have the control for their own sub-group / team only

 

I tried to createa role with some user/realm related access under particular realm, but after I tried to login with the account with that role, I can see/update the parent realm or other sub realm.

 

Is it possible for syncope to achieve what I want? Or anyone have simialr experience?ù


Hi Vincent, glad of your interest in Apache Syncope.

To be sure, I have created some sample data in an attempt to replicate your use case.

First, the realms: [1] where g1 and g2 are 'sub-groups' as you name them above (please beware that groups are a different concept in Syncope) and t11 / t12 / t21 / t22 / t23 are 'teams'.

Then I have created some roles: [2], one for each of the realms above, with full entitlements about users, and REALM_LIST which is only required if you are planning to operate via Admin Console (as it seems).

Finally I have created some users in several realms, /g1/t11 [3], /g1/t12 [4] (which are all reported in /g1 [5]) and /g2 [6]: as you can see, there are plain users and admin users, where the username of the latter is given to show which realm they are actually managing, e.g.

* [hidden email] which is granted the role 'Managing g1' and thus is allowed to manage users in /g1 [5]
* [hidden email] which is granted the role 'Managing t11' and thus is allowed to manager users in /g1/t11 [3]
* [hidden email] which is granted the role 'Managing t12' and thus is allowed to manager users in /g1/t12 [4]
* [hidden email] which is granted the role 'Managing g2' and thus is allowed to manage users in /g2 [6]

Given such setup, everything is working as expected and every admin user can only see and manage the users contained by the realms he / she is granted by role.
The only quirk I could find is that the realms view always starts from /, but even in this case the only users shown are the expected.

HTH
Regards.

[1] http://pasteboard.co/29sHsujiu.png
[2] http://pasteboard.co/29sWCF785.png
[3] http://pasteboard.co/29tBRMtxQ.png
[4] http://pasteboard.co/29tMu5CWi.png
[5] http://pasteboard.co/dlwgYicg.png
[6] http://pasteboard.co/29tnvwPlb.png

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

RE: Delegate admin for realms

Kwong,Vincent

The case 1072 covered my point 2. Same as your understanding, those non-relevant button should be hidden or disabled to avoid confusion.

 

Thanks.

 

Regards,

Vincent

 

From: Francesco Chicchiriccò [mailto:[hidden email]]
Sent: Friday, May 05, 2017 2:58 PM
To: [hidden email]
Subject: Re: Delegate admin for realms

 

On 05/05/2017 06:06, Kwong,Vincent wrote:

Hi Francesco,

 

Tried with positive result, thanks a lot.


That's good to hear.


But the display is confusing, the add user button is available in all realms, and only display error when I am at the last step on create user.


I have now created

https://issues.apache.org/jira/browse/SYNCOPE-1072
https://issues.apache.org/jira/browse/SYNCOPE-1073


 

Here is my comments:

1.       Better to display the realms where the user have access only, in some situation I may not want the non-delegated sub-group visible especially they are individual companies


I have also created

https://issues.apache.org/jira/browse/SYNCOPE-1074


2.       Some console display should reflect user access to avoid confusion


Please give more details, this is not clear.

Regards.


From: Francesco Chicchiriccò [[hidden email]]

Sent: Thursday, May 04, 2017 4:57 PM
To: [hidden email]
Subject: Re: Delegate admin for realms

 

On 04/05/2017 04:59, Kwong,Vincent wrote:

Hi All,

 

I am new to syncope and going to evaulate the syncope functionality for my coming project.

 

I am trying to setup a organization like this, but I cannot figure out how I can achieve the delegated administration.

 

Sample Structure:

Parent Company (e.g. /) -> Multiple Sub-Group (e.g. /Group1) -> Multiple Teams (e.g. /Group1/Team1)

 

1.       Each team will have a admin to mange the user under that realm

2.       Each sub-group will have another admin to look after all teams

3.       Each admin have the control for their own sub-group / team only

 

I tried to createa role with some user/realm related access under particular realm, but after I tried to login with the account with that role, I can see/update the parent realm or other sub realm.

 

Is it possible for syncope to achieve what I want? Or anyone have simialr experience?ù


Hi Vincent, glad of your interest in Apache Syncope.

To be sure, I have created some sample data in an attempt to replicate your use case.

First, the realms: [1] where g1 and g2 are 'sub-groups' as you name them above (please beware that groups are a different concept in Syncope) and t11 / t12 / t21 / t22 / t23 are 'teams'.

Then I have created some roles: [2], one for each of the realms above, with full entitlements about users, and REALM_LIST which is only required if you are planning to operate via Admin Console (as it seems).

Finally I have created some users in several realms, /g1/t11 [3], /g1/t12 [4] (which are all reported in /g1 [5]) and /g2 [6]: as you can see, there are plain users and admin users, where the username of the latter is given to show which realm they are actually managing, e.g.

* [hidden email] which is granted the role 'Managing g1' and thus is allowed to manage users in /g1 [5]
* [hidden email] which is granted the role 'Managing t11' and thus is allowed to manager users in /g1/t11 [3]
* [hidden email] which is granted the role 'Managing t12' and thus is allowed to manager users in /g1/t12 [4]
* [hidden email] which is granted the role 'Managing g2' and thus is allowed to manage users in /g2 [6]

Given such setup, everything is working as expected and every admin user can only see and manage the users contained by the realms he / she is granted by role.
The only quirk I could find is that the realms view always starts from /, but even in this case the only users shown are the expected.

HTH
Regards.

[1] http://pasteboard.co/29sHsujiu.png
[2] http://pasteboard.co/29sWCF785.png
[3] http://pasteboard.co/29tBRMtxQ.png
[4] http://pasteboard.co/29tMu5CWi.png
[5] http://pasteboard.co/dlwgYicg.png
[6] http://pasteboard.co/29tnvwPlb.png

-- 
Francesco Chicchiriccò
 
Tirasa - Open Source Excellence
http://www.tirasa.net/
 
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

RE: Delegate admin for realms

Kwong,Vincent

It would be good if extend to those menu items in the console like Reports, Topology, Configuration, etc… as well.

 

Regards,

Vincent

 

From: Kwong,Vincent [mailto:[hidden email]]
Sent: Friday, May 05, 2017 3:10 PM
To: [hidden email]
Subject: RE: Delegate admin for realms

 

The case 1072 covered my point 2. Same as your understanding, those non-relevant button should be hidden or disabled to avoid confusion.

 

Thanks.

 

Regards,

Vincent

 

From: Francesco Chicchiriccò [[hidden email]]
Sent: Friday, May 05, 2017 2:58 PM
To: [hidden email]
Subject: Re: Delegate admin for realms

 

On 05/05/2017 06:06, Kwong,Vincent wrote:

Hi Francesco,

 

Tried with positive result, thanks a lot.


That's good to hear.

But the display is confusing, the add user button is available in all realms, and only display error when I am at the last step on create user.


I have now created

https://issues.apache.org/jira/browse/SYNCOPE-1072
https://issues.apache.org/jira/browse/SYNCOPE-1073

 

Here is my comments:

1.       Better to display the realms where the user have access only, in some situation I may not want the non-delegated sub-group visible especially they are individual companies


I have also created

https://issues.apache.org/jira/browse/SYNCOPE-1074

2.       Some console display should reflect user access to avoid confusion


Please give more details, this is not clear.

Regards.

From: Francesco Chicchiriccò [[hidden email]]

Sent: Thursday, May 04, 2017 4:57 PM
To: [hidden email]
Subject: Re: Delegate admin for realms

 

On 04/05/2017 04:59, Kwong,Vincent wrote:

Hi All,

 

I am new to syncope and going to evaulate the syncope functionality for my coming project.

 

I am trying to setup a organization like this, but I cannot figure out how I can achieve the delegated administration.

 

Sample Structure:

Parent Company (e.g. /) -> Multiple Sub-Group (e.g. /Group1) -> Multiple Teams (e.g. /Group1/Team1)

 

1.       Each team will have a admin to mange the user under that realm

2.       Each sub-group will have another admin to look after all teams

3.       Each admin have the control for their own sub-group / team only

 

I tried to createa role with some user/realm related access under particular realm, but after I tried to login with the account with that role, I can see/update the parent realm or other sub realm.

 

Is it possible for syncope to achieve what I want? Or anyone have simialr experience?ù


Hi Vincent, glad of your interest in Apache Syncope.

To be sure, I have created some sample data in an attempt to replicate your use case.

First, the realms: [1] where g1 and g2 are 'sub-groups' as you name them above (please beware that groups are a different concept in Syncope) and t11 / t12 / t21 / t22 / t23 are 'teams'.

Then I have created some roles: [2], one for each of the realms above, with full entitlements about users, and REALM_LIST which is only required if you are planning to operate via Admin Console (as it seems).

Finally I have created some users in several realms, /g1/t11 [3], /g1/t12 [4] (which are all reported in /g1 [5]) and /g2 [6]: as you can see, there are plain users and admin users, where the username of the latter is given to show which realm they are actually managing, e.g.

* [hidden email] which is granted the role 'Managing g1' and thus is allowed to manage users in /g1 [5]
* [hidden email] which is granted the role 'Managing t11' and thus is allowed to manager users in /g1/t11 [3]
* [hidden email] which is granted the role 'Managing t12' and thus is allowed to manager users in /g1/t12 [4]
* [hidden email] which is granted the role 'Managing g2' and thus is allowed to manage users in /g2 [6]

Given such setup, everything is working as expected and every admin user can only see and manage the users contained by the realms he / she is granted by role.
The only quirk I could find is that the realms view always starts from /, but even in this case the only users shown are the expected.

HTH
Regards.

[1] http://pasteboard.co/29sHsujiu.png
[2] http://pasteboard.co/29sWCF785.png
[3] http://pasteboard.co/29tBRMtxQ.png
[4] http://pasteboard.co/29tMu5CWi.png
[5] http://pasteboard.co/dlwgYicg.png
[6] http://pasteboard.co/29tnvwPlb.png

-- 
Francesco Chicchiriccò
 
Tirasa - Open Source Excellence
http://www.tirasa.net/
 
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Delegate admin for realms

ilgrosso
Administrator
On 05/05/2017 09:13, Kwong,Vincent wrote:

It would be good if extend to those menu items in the console like Reports, Topology, Configuration, etc… as well.


I see: the relevant menu entries are already disabled, but this is not very much visible without attempting to click.

Please comment SYNCOPE-1072.
Regards.

From: Kwong,Vincent [[hidden email]]
Sent: Friday, May 05, 2017 3:10 PM
To: [hidden email]
Subject: RE: Delegate admin for realms

 

The case 1072 covered my point 2. Same as your understanding, those non-relevant button should be hidden or disabled to avoid confusion.

 

Thanks.

 

Regards,

Vincent

 

From: Francesco Chicchiriccò [[hidden email]]
Sent: Friday, May 05, 2017 2:58 PM
To: [hidden email]
Subject: Re: Delegate admin for realms

 

On 05/05/2017 06:06, Kwong,Vincent wrote:

Hi Francesco,

 

Tried with positive result, thanks a lot.


That's good to hear.

But the display is confusing, the add user button is available in all realms, and only display error when I am at the last step on create user.


I have now created

https://issues.apache.org/jira/browse/SYNCOPE-1072
https://issues.apache.org/jira/browse/SYNCOPE-1073

 

Here is my comments:

1.       Better to display the realms where the user have access only, in some situation I may not want the non-delegated sub-group visible especially they are individual companies


I have also created

https://issues.apache.org/jira/browse/SYNCOPE-1074

2.       Some console display should reflect user access to avoid confusion


Please give more details, this is not clear.

Regards.

From: Francesco Chicchiriccò [[hidden email]]

Sent: Thursday, May 04, 2017 4:57 PM
To: [hidden email]
Subject: Re: Delegate admin for realms

 

On 04/05/2017 04:59, Kwong,Vincent wrote:

Hi All,

 

I am new to syncope and going to evaulate the syncope functionality for my coming project.

 

I am trying to setup a organization like this, but I cannot figure out how I can achieve the delegated administration.

 

Sample Structure:

Parent Company (e.g. /) -> Multiple Sub-Group (e.g. /Group1) -> Multiple Teams (e.g. /Group1/Team1)

 

1.       Each team will have a admin to mange the user under that realm

2.       Each sub-group will have another admin to look after all teams

3.       Each admin have the control for their own sub-group / team only

 

I tried to createa role with some user/realm related access under particular realm, but after I tried to login with the account with that role, I can see/update the parent realm or other sub realm.

 

Is it possible for syncope to achieve what I want? Or anyone have simialr experience?ù


Hi Vincent, glad of your interest in Apache Syncope.

To be sure, I have created some sample data in an attempt to replicate your use case.

First, the realms: [1] where g1 and g2 are 'sub-groups' as you name them above (please beware that groups are a different concept in Syncope) and t11 / t12 / t21 / t22 / t23 are 'teams'.

Then I have created some roles: [2], one for each of the realms above, with full entitlements about users, and REALM_LIST which is only required if you are planning to operate via Admin Console (as it seems).

Finally I have created some users in several realms, /g1/t11 [3], /g1/t12 [4] (which are all reported in /g1 [5]) and /g2 [6]: as you can see, there are plain users and admin users, where the username of the latter is given to show which realm they are actually managing, e.g.

* [hidden email] which is granted the role 'Managing g1' and thus is allowed to manage users in /g1 [5]
* [hidden email] which is granted the role 'Managing t11' and thus is allowed to manager users in /g1/t11 [3]
* [hidden email] which is granted the role 'Managing t12' and thus is allowed to manager users in /g1/t12 [4]
* [hidden email] which is granted the role 'Managing g2' and thus is allowed to manage users in /g2 [6]

Given such setup, everything is working as expected and every admin user can only see and manage the users contained by the realms he / she is granted by role.
The only quirk I could find is that the realms view always starts from /, but even in this case the only users shown are the expected.

HTH
Regards.

[1] http://pasteboard.co/29sHsujiu.png
[2] http://pasteboard.co/29sWCF785.png
[3] http://pasteboard.co/29tBRMtxQ.png
[4] http://pasteboard.co/29tMu5CWi.png
[5] http://pasteboard.co/dlwgYicg.png
[6] http://pasteboard.co/29tnvwPlb.png

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Loading...