...

The idea is that any user U assigned to a role R, where R provides entitlements E1...En over realms Re1...Rek, can exercise any Ei on entities (users or roles, depending on the type of Ei) located under any Rej or under one of its sub-realms.

Example

Let's rephrase the example used for the current security model.

Suppose we want to implement the following scenario:
Administrator A can create users under realm R5 but not under realm R7; administrator B can update users under realms R6 and R8; administrator C can update roles under realm R8.

By default, Syncope defines the following entitlements, among others:

  • USER_CREATE
  • USER_UPDATE
  • ROLE_UPDATE

Here is how entitlements should be assigned (via roles) to administrators in order to implement the scenario above:

  • A: USER_CREATE on R5
  • B: USER_UPDATE on R6 and R8
  • C: ROLE_UPDATE on R8

With role ownership, if administrator D is set as owner of a role R under realm R8, the following entitlements will be automatically granted:

  • D: ROLE_READ + ROLE_CREATE + ROLE_UPDATE + ROLE_DELETE only on role R (not the whole realm R8)
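The realm-based entitlement check described above, together with the role-ownership rule, as an added Python example (not Syncope's own code). It assumes realms are modelled as slash-separated paths such as "/R8/dev" (so sub-realm containment is a path-segment check), that an entitlement's grant is a set of realms, and that an owner's ROLE_* entitlements apply to the owned role only; users, roles and realm names below are constructed to match the scenario on this page.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Entitlements an owner automatically holds on the owned role only (as stated on the page).
OWNER_ENTITLEMENTS = {"ROLE_READ", "ROLE_CREATE", "ROLE_UPDATE", "ROLE_DELETE"}


def is_under(realm: str, ancestor: str) -> bool:
    """True if `realm` is `ancestor` itself or one of its sub-realms.

    Assumption: realms are slash-separated paths. The test is on whole path
    segments, so "/R5x" is NOT under "/R5" (a plain prefix check would say it is).
    """
    r = realm.rstrip("/") or "/"
    a = ancestor.rstrip("/") or "/"
    return a == "/" or r == a or r.startswith(a + "/")


@dataclass
class Role:
    name: str
    realm: str                                                   # realm the role lives in
    entitlements: Dict[str, Set[str]] = field(default_factory=dict)  # entitlement -> granted realms
    owner: Optional[str] = None                                  # owning user, if any


@dataclass
class User:
    name: str
    roles: List[str] = field(default_factory=list)


class Authorizer:
    def __init__(self, users: List[User], roles: List[Role]):
        self.users = {u.name: u for u in users}
        self.roles = {r.name: r for r in roles}

    def realms_for(self, user: str, entitlement: str) -> Set[str]:
        """Union, over all of the user's roles, of the realms granted for `entitlement`."""
        granted: Set[str] = set()
        for role_name in self.users[user].roles:
            granted |= self.roles[role_name].entitlements.get(entitlement, set())
        return granted

    def can(self, user: str, entitlement: str, realm: str) -> bool:
        """Realm-based check: Ei may be exercised under any granted Rej or its sub-realms."""
        return any(is_under(realm, g) for g in self.realms_for(user, entitlement))

    def can_on_role(self, user: str, entitlement: str, role_name: str) -> bool:
        """Role-targeted check: ownership grants ROLE_* on that single role,
        otherwise fall back to the realm-based check on the role's realm."""
        target = self.roles[role_name]
        if target.owner == user and entitlement in OWNER_ENTITLEMENTS:
            return True
        return self.can(user, entitlement, target.realm)


def build_scenario() -> Authorizer:
    """Constructed data reproducing the page's scenario (A, B, C, D and role R under R8)."""
    roles = [
        Role("adminA", "/", {"USER_CREATE": {"/R5"}}),
        Role("adminB", "/", {"USER_UPDATE": {"/R6", "/R8"}}),
        Role("adminC", "/", {"ROLE_UPDATE": {"/R8"}}),
        Role("R", "/R8", owner="D"),      # role R under realm R8, owned by D
        Role("S", "/R8"),                 # another role under R8, not owned by D
    ]
    users = [User("A", ["adminA"]), User("B", ["adminB"]), User("C", ["adminC"]), User("D")]
    return Authorizer(users, roles)


if __name__ == "__main__":
    az = build_scenario()
    print("A USER_CREATE /R5/team:", az.can("A", "USER_CREATE", "/R5/team"))   # True (sub-realm)
    print("A USER_CREATE /R7:", az.can("A", "USER_CREATE", "/R7"))             # False
    print("D ROLE_DELETE on R:", az.can_on_role("D", "ROLE_DELETE", "R"))      # True (owner)
    print("D ROLE_DELETE on S:", az.can_on_role("D", "ROLE_DELETE", "S"))      # False
```

The two checks are deliberately separate: `can` answers the realm question for user-typed entitlements, while `can_on_role` is the only path where ownership matters, which keeps the owner's grant scoped to role R rather than leaking to the whole of R8.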