Version Warning: the content below is for Apache Syncope <= 1.2; for later versions the Reference Guide is available.


Introduction

The primary purpose of identity management systems is to manage data belonging to users; it is common practice in such systems to also define entities called roles, which help in defining and enforcing security policies. In addition to this, Syncope explicitly represents the fact that users can be assigned to roles by means of memberships.

...

  • key is a string label (e.g. Surname)
  • values is a (possibly singleton) collection of data (e.g. [Doe], but also [john.doe@syncope.apache.org, jdoe@gmail.com])

The type of values that can be assigned to each attribute is defined via schemas.

...

With virtual attributes, values are not kept in Syncope's internal storage but are linked from an external resource.

For performance optimization, virtual attributes are managed by an internal cache to limit access to external resources.

The typical use of virtual attributes is when an attribute can change on an external resource without notice and the most up-to-date value must be available without relying on synchronization.

Furthermore, for performance reasons, the best practice is to keep the number of plain and derived attributes as low as possible: Apache Syncope should declare plain attributes only for data it must own; the rest should be declared virtual.

A virtual attribute can be mapped on several resources.
The values of a virtual attribute are the distinct union of the values coming from each resource the virtual attribute is mapped on.

Virtual attribute values are always retrieved from an external resource, regardless of whether the mapping purpose is SYNCHRONIZATION, PROPAGATION or BOTH.
The only way to prevent virtual attribute values from being retrieved from a given resource is to remove the SEARCH capability from that resource's connector.

Virtual attribute values are:

  • unaffected by synchronizing the resource they come from (if and only if the values come from one resource only)
  • available for propagation towards external resources

The virtual attribute cache is not configurable and cannot be disabled.

Each cache entry is a key/values pair.
The key is composed of:

  • attributable type (USER or ROLE)
  • attributable id
  • virtual schema name.

Entries expire after one minute; an entry can expire earlier if the referenced virtual attribute is involved in a propagation.
Entry expiration can also be forced by interacting directly with the VirAttrCache bean, using the available Syncope extension points.
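The retrieval and caching rules described above (distinct union of values across mapped resources, retrieval regardless of mapping purpose unless the connector lacks SEARCH, a cache keyed by attributable type, id and virtual schema name with a one-minute expiry, and early eviction on propagation), as an added example that is not Syncope's own code. The class and function names (`Resource`, `VirAttrCache`, `read_virtual_attribute`, `propagate`, `ManualClock`) and the three sample resources are assumptions constructed for illustration; the real VirAttrCache bean is not reproduced here.

```python
"""Illustrative model of Syncope virtual attribute retrieval and caching (not Syncope code)."""
import time
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Set, Tuple


class Purpose(Enum):
    SYNCHRONIZATION = "SYNCHRONIZATION"
    PROPAGATION = "PROPAGATION"
    BOTH = "BOTH"


# Cache key: (attributable type, attributable id, virtual schema name)
CacheKey = Tuple[str, int, str]
CACHE_TTL_SECONDS = 60  # entries expire after one minute


@dataclass
class Resource:
    """Constructed external resource: connector capabilities, virtual mappings and data."""
    name: str
    capabilities: Set[str]                    # connector capabilities, e.g. {"SEARCH"}
    mappings: Dict[str, Purpose]              # virtual schema name -> mapping purpose
    data: Dict[int, Dict[str, List[str]]]     # attributable id -> schema -> values
    reads: int = 0                            # external lookups performed (to observe the cache)

    def search(self, attributable_id: int, schema: str) -> List[str]:
        self.reads += 1
        return list(self.data.get(attributable_id, {}).get(schema, []))


class ManualClock:
    """Deterministic clock so expiry can be demonstrated without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class VirAttrCache:
    """Hypothetical in-memory cache with the semantics described in the text."""
    def __init__(self, ttl: float = CACHE_TTL_SECONDS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.ttl = ttl
        self.clock = clock
        self._entries: Dict[CacheKey, Tuple[float, List[str]]] = {}

    def get(self, key: CacheKey) -> Optional[List[str]]:
        entry = self._entries.get(key)
        if entry is None:
            return None
        stored_at, values = entry
        if self.clock() - stored_at >= self.ttl:   # expired after one minute
            del self._entries[key]
            return None
        return list(values)

    def put(self, key: CacheKey, values: List[str]) -> None:
        self._entries[key] = (self.clock(), list(values))

    def expire(self, key: CacheKey) -> None:
        self._entries.pop(key, None)


def read_virtual_attribute(attr_type: str, attr_id: int, schema: str,
                           resources: List[Resource], cache: VirAttrCache) -> List[str]:
    """Return the virtual attribute values, serving from cache when a fresh entry exists."""
    key = (attr_type, attr_id, schema)
    cached = cache.get(key)
    if cached is not None:
        return cached
    values: List[str] = []
    for res in resources:
        # Mapping purpose is irrelevant: every mapped resource is queried,
        # unless its connector lacks the SEARCH capability.
        if schema not in res.mappings or "SEARCH" not in res.capabilities:
            continue
        for value in res.search(attr_id, schema):
            if value not in values:            # distinct composition across resources
                values.append(value)
    cache.put(key, values)
    return values


def propagate(attr_type: str, attr_id: int, schema: str, cache: VirAttrCache) -> None:
    """A propagation involving the virtual attribute evicts its cache entry early."""
    cache.expire((attr_type, attr_id, schema))


def build_demo_resources() -> List[Resource]:
    """Constructed sample: three resources mapping the 'email' virtual schema for user 42."""
    ldap = Resource("ldap", {"SEARCH", "UPDATE"}, {"email": Purpose.BOTH},
                    {42: {"email": ["john.doe@syncope.apache.org", "jdoe@gmail.com"]}})
    db = Resource("db", {"SEARCH"}, {"email": Purpose.SYNCHRONIZATION},
                  {42: {"email": ["jdoe@gmail.com", "john@example.org"]}})
    nosearch = Resource("nosearch", {"CREATE"}, {"email": Purpose.PROPAGATION},
                        {42: {"email": ["hidden@example.org"]}})
    return [ldap, db, nosearch]


if __name__ == "__main__":
    clock = ManualClock()
    cache = VirAttrCache(clock=clock)
    resources = build_demo_resources()
    print(read_virtual_attribute("USER", 42, "email", resources, cache))
    print([r.reads for r in resources])   # cache miss: ldap and db queried, nosearch skipped
    clock.now += CACHE_TTL_SECONDS + 1
    read_virtual_attribute("USER", 42, "email", resources, cache)
    print([r.reads for r in resources])   # entry expired, resources queried again
```

Running the script shows that the `nosearch` resource is never contacted even though it maps the schema for PROPAGATION, that the second resource's duplicate `jdoe@gmail.com` is collapsed, and that a repeated read within the minute does not touch the external resources at all, while a call to `propagate` or the passing of one minute forces a fresh lookup.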

Read-only

When attribute value(s) from an external resource only need to be read within Syncope, and can only be changed on the resource itself, virtual read-only attributes are the right fit.

...

One of the most important features is the ability to link such attributes to external resources (LDAP server, database, ...) so that propagation and synchronization can take place effectively.


Mapping purposes

Each mapping item can be configured for a specific purpose:

  • SYNCHRONIZATION - the mapping item is considered only during synchronization.
  • PROPAGATION - the mapping item is considered only during propagation.
  • BOTH - the mapping item is always considered.