src/main/asciidoc/reference-guide/concepts/roles.adoc - syncope - Git at Google

 //
 // Licensed to the Apache Software Foundation (ASF) under one
 // or more contributor license agreements.  See the NOTICE file
 // distributed with this work for additional information
 // regarding copyright ownership.  The ASF licenses this file
 // to you under the Apache License, Version 2.0 (the
 // "License"); you may not use this file except in compliance
 // with the License.  You may obtain a copy of the License at
 //
 //   http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing,
 // software distributed under the License is distributed on an
 // "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 // KIND, either express or implied.  See the License for the
 // specific language governing permissions and limitations
 // under the License.
 //
 === Roles

 Roles map a set of <<entitlements,entitlements>> to a set of <<realms,realms>> and / or
 <<dynamic-realms, dynamic realms>>.

 In addition, Roles can be used to assign <<privileges,privileges>> to Users.

 [TIP]
 .Static and Dynamic Memberships
 ====
 Users are _statically_ assigned to roles when assignments are explicitly set.

 However, a condition can be expressed in the role definition so that all matching Users are _dynamic_ members of the
 role.
 ====

 ==== Delegated Administration

 The idea is that any user U assigned to a role R, which provides entitlements E~1~...E~n~ for realms Re~1~...Re~m~, can
 exercise E~i~ on entities (Users, Groups, Any Objects of given types - depending on E~i~ - or Connector Instances and
 External Resources) under any Re~j~ or related sub-realms.

 Moreover, any user U assigned to a role R, which provides entitlements E~1~...E~n~ for dynamic realms DR~1~..DR~n~, can
 exercise E~i~ on entities (Users, Groups, Any Objects of given types, depending on E~i~) matching the conditions defined
 for any DR~k~.

 [WARNING]
 .Dynamic Realms limitations
 ====
 Users to whom administration rights were granted via Dynamic Realms can only *update* Users, Groups and Any Objects,
 not create nor delete. +
 Moreover, the only accepted changes on a given entity are the ones that do not change any Dynamic Realm's matching
 condition for such entity.
 ====

 .Authorization
 ====
 Let's suppose that we want to implement the following scenario:

 ****
 Administrator A can create Users under realm R~5~ but not under realm R~7~, administrator B can update users under
 realm R~6~ and R~8~, administrator C can update Groups under realm R~8~.
 ****

 As by default, Apache Syncope will have defined the following entitlements, among others:

 * `USER_CREATE`
 * `USER_UPDATE`
 * `GROUP_UPDATE`

 Hence, here is how entitlements should be assigned (via roles) to administrators in order to implement the scenario
 above:

 * Administrator A: `USER_CREATE` on R~5~
 * Administrator B: `USER_UPDATE` on R~6~ and R~8~
 * Administrator C: `GROUP_UPDATE` on R~8~
 ====

 [[delegated-administration-console]]
 [TIP]
 .Delegated Administration via Admin Console
 ====
 When administering via <<REST>>, the entitlements to be granted to delegated administrators are straightforward:
 `USER_CREATE` for certain <<Realms>> will allow to create users under such Realms.

 When using the <<Admin Console>>, instead, more entitlements are generally required: this because the underlying
 implementation takes care of simplifying the UX as much as possible. +
 For example, the following entitlements are normally required to be granted for user administration, besides the actual
 `USER_CREATE`, `USER_UPDATE` and `USER_DELETE`:

 . `USER_SEARCH`
 . `ANYTYPECLASS_READ`
 . `ANYTYPE_LIST`
 . `ANYTYPECLASS_LIST`
 . `RELATIONSHIPTYPE_LIST`
 . `USER_READ`
 . `ANYTYPE_READ`
 . `REALM_LIST`
 . `GROUP_SEARCH`
 ====

 ===== Group Ownership

 Groups can designate a User or another Group as _owner_.

 The practical consequence of this setting is that Users owning a Group (either because they are directly set as owners
 or members of the owning Group) is that they are entitled to

 * perform all operations (create, update, delete, ...) on the owned Group
 * perform all operations (create, update, delete, ...) on all User and Any Object members of the owner Group, with
 exception of removing members from the Group itself

 regardless of the Realm.

 The actual Entitlements are assigned through the predefined `GROUP_OWNER` Role:

 . `USER_SEARCH`
 . `USER_READ`
 . `USER_CREATE`
 . `USER_UPDATE`
 . `USER_DELETE`
 . `ANYTYPECLASS_READ`
 . `ANYTYPE_LIST`
 . `ANYTYPECLASS_LIST`
 . `RELATIONSHIPTYPE_LIST`
 . `ANYTYPE_READ`
 . `REALM_LIST`
 . `GROUP_SEARCH`
 . `GROUP_READ`
 . `GROUP_UPDATE`
 . `GROUP_DELETE`

 The `GROUP_OWNER` Role can be updated to adjust the set of assigned Entitlements.

 ==== Delegation

 With Delegation, any user can delegate other users to perform operations on their behalf.

 In order to set up a Delegation, the following information shall be provided:

 * delegating User (mandatory) - administrators granted with `DELEGATION_CREATE` Entitlement can create Delegations for
 all defined Users; otherwise, the only accepted value is the User itself;
 * delegated User (mandatory) - any User defined, distinct from delegating;
 * start (mandatory) - initial timestamp from which the Delegation is considered effective;
 * end (optional) - final timestamp after which the Delegation is not considered effective: when not provided, Delegation
 will remain valid unless deleted;
 * roles (optional) - set of Roles granted by delegating to delegated User: only Roles owned by delegating can be
 granted, when not provided all owned Roles are considered as part of the Delegation.

 [NOTE]
 <<Audit>> entries generated when operating under Delegation will report both delegating and delegated users.
	//
	// Licensed to the Apache Software Foundation (ASF) under one
	// or more contributor license agreements. See the NOTICE file
	// distributed with this work for additional information
	// regarding copyright ownership. The ASF licenses this file
	// to you under the Apache License, Version 2.0 (the
	// "License"); you may not use this file except in compliance
	// with the License. You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing,
	// software distributed under the License is distributed on an
	// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	// KIND, either express or implied. See the License for the
	// specific language governing permissions and limitations
	// under the License.
	//
	=== Roles

	Roles map a set of <<entitlements,entitlements>> to a set of <<realms,realms>> and / or
	<<dynamic-realms, dynamic realms>>.

	In addition, Roles can be used to assign <<privileges,privileges>> to Users.

	[TIP]
	.Static and Dynamic Memberships
	====
	Users are _statically_ assigned to roles when assignments are explicitly set.

	However, a condition can be expressed in the role definition so that all matching Users are _dynamic_ members of the
	role.
	====

	==== Delegated Administration

	The idea is that any user U assigned to a role R, which provides entitlements E~1~...E~n~ for realms Re~1~...Re~m~, can
	exercise E~i~ on entities (Users, Groups, Any Objects of given types - depending on E~i~ - or Connector Instances and
	External Resources) under any Re~j~ or related sub-realms.

	Moreover, any user U assigned to a role R, which provides entitlements E~1~...E~n~ for dynamic realms DR~1~..DR~n~, can
	exercise E~i~ on entities (Users, Groups, Any Objects of given types, depending on E~i~) matching the conditions defined
	for any DR~k~.

	[WARNING]
	.Dynamic Realms limitations
	====
	Users to whom administration rights were granted via Dynamic Realms can only update Users, Groups and Any Objects,
	not create nor delete. +
	Moreover, the only accepted changes on a given entity are the ones that do not change any Dynamic Realm's matching
	condition for such entity.
	====

	.Authorization
	====
	Let's suppose that we want to implement the following scenario:

	****
	Administrator A can create Users under realm R~5~ but not under realm R~7~, administrator B can update users under
	realm R~6~ and R~8~, administrator C can update Groups under realm R~8~.
	****

	As by default, Apache Syncope will have defined the following entitlements, among others:

	* `USER_CREATE`
	* `USER_UPDATE`
	* `GROUP_UPDATE`

	Hence, here is how entitlements should be assigned (via roles) to administrators in order to implement the scenario
	above:

	* Administrator A: `USER_CREATE` on R~5~
	* Administrator B: `USER_UPDATE` on R~6~ and R~8~
	* Administrator C: `GROUP_UPDATE` on R~8~
	====

	[[delegated-administration-console]]
	[TIP]
	.Delegated Administration via Admin Console
	====
	When administering via <<REST>>, the entitlements to be granted to delegated administrators are straightforward:
	`USER_CREATE` for certain <<Realms>> will allow to create users under such Realms.

	When using the <<Admin Console>>, instead, more entitlements are generally required: this because the underlying
	implementation takes care of simplifying the UX as much as possible. +
	For example, the following entitlements are normally required to be granted for user administration, besides the actual
	`USER_CREATE`, `USER_UPDATE` and `USER_DELETE`:

	. `USER_SEARCH`
	. `ANYTYPECLASS_READ`
	. `ANYTYPE_LIST`
	. `ANYTYPECLASS_LIST`
	. `RELATIONSHIPTYPE_LIST`
	. `USER_READ`
	. `ANYTYPE_READ`
	. `REALM_LIST`
	. `GROUP_SEARCH`
	====

	===== Group Ownership

	Groups can designate a User or another Group as _owner_.

	The practical consequence of this setting is that Users owning a Group (either because they are directly set as owners
	or members of the owning Group) is that they are entitled to

	* perform all operations (create, update, delete, ...) on the owned Group
	* perform all operations (create, update, delete, ...) on all User and Any Object members of the owner Group, with
	exception of removing members from the Group itself

	regardless of the Realm.

	The actual Entitlements are assigned through the predefined `GROUP_OWNER` Role:

	. `USER_SEARCH`
	. `USER_READ`
	. `USER_CREATE`
	. `USER_UPDATE`
	. `USER_DELETE`
	. `ANYTYPECLASS_READ`
	. `ANYTYPE_LIST`
	. `ANYTYPECLASS_LIST`
	. `RELATIONSHIPTYPE_LIST`
	. `ANYTYPE_READ`
	. `REALM_LIST`
	. `GROUP_SEARCH`
	. `GROUP_READ`
	. `GROUP_UPDATE`
	. `GROUP_DELETE`

	The `GROUP_OWNER` Role can be updated to adjust the set of assigned Entitlements.

	==== Delegation

	With Delegation, any user can delegate other users to perform operations on their behalf.

	In order to set up a Delegation, the following information shall be provided:

	* delegating User (mandatory) - administrators granted with `DELEGATION_CREATE` Entitlement can create Delegations for
	all defined Users; otherwise, the only accepted value is the User itself;
	* delegated User (mandatory) - any User defined, distinct from delegating;
	* start (mandatory) - initial timestamp from which the Delegation is considered effective;
	* end (optional) - final timestamp after which the Delegation is not considered effective: when not provided, Delegation
	will remain valid unless deleted;
	* roles (optional) - set of Roles granted by delegating to delegated User: only Roles owned by delegating can be
	granted, when not provided all owned Roles are considered as part of the Delegation.

	[NOTE]
	<<Audit>> entries generated when operating under Delegation will report both delegating and delegated users.