[security-dev] IDM Realms and Applications - The Nitty Gritty

Bill Burke bburke at redhat.com
Thu Nov 15 19:33:14 EST 2012

On 11/15/2012 4:55 PM, Shane Bryzak wrote:
> On 11/16/2012 06:25 AM, Bill Burke wrote:
>> I don't think your design incorporates the idea of a distributed
>> application:  a set of services and websites that makes up one
>> application.  In other words the fun SOA buzzword.
> Even the latest design?
>> In my mind, you have a bunch of distributed services.  Each service may
>> or may not have its own roles and role mappings.  A user is allowed to
>> execute on a set of services and those services may call other services.
>> For example: a user may interact solely with Website A, but Website A
>> may need to interact with other services.
>> So, the actors would be Realm, Applications, Services, Users.
> I'd like to see a specific example demonstrating this use case. Would it
> be possible for the services that make up a single application to simply
> share the roles defined by that application? Adding yet another layer to
> the current design is going to really complicate things further.

A user might be "admin" for one service, but not "admin" for a different 
service.  Service "A" might want to invoke on Service "B" on behalf of 
the user.  Doesn't that have to be conveyed in the model somehow?


Bill Burke
JBoss, a division of Red Hat
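The question above (whether per-service role mappings and "Service A invokes Service B on behalf of the user" can be expressed in the model) can be made concrete with a small model. The following is an added illustration written for this page; it is not code from the thread, from PicketLink or from any Red Hat project, and every name in it (Realm, Application, Service, Call, authorize, the "acme" realm, "website-a", "service-b", "alice", "bob") is assumed for the example. It keeps roles scoped to the service they are granted on, records which services may call which, and checks a delegated call against the target service's own mapping rather than the caller's:

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Service:
    """One service inside an application; role mappings live per service."""
    name: str
    role_mappings: dict[str, set[str]] = field(default_factory=dict)  # user -> roles on this service
    callers: set[str] = field(default_factory=set)  # services allowed to invoke this one


@dataclass
class Application:
    """A distributed application: a set of services that together form one app."""
    name: str
    services: dict[str, Service] = field(default_factory=dict)


@dataclass
class Realm:
    """The realm owns the users and the applications (hypothetical model)."""
    name: str
    users: set[str] = field(default_factory=set)
    applications: dict[str, Application] = field(default_factory=dict)

    def find_service(self, service_name: str) -> Optional[Service]:
        for app in self.applications.values():
            svc = app.services.get(service_name)
            if svc is not None:
                return svc
        return None

    def roles_for(self, user: str, service_name: str) -> set[str]:
        """Roles the user holds on exactly this service (empty if unknown user/service)."""
        svc = self.find_service(service_name)
        if svc is None or user not in self.users:
            return set()
        return set(svc.role_mappings.get(user, ()))


@dataclass(frozen=True)
class Call:
    user: str                # end user on whose behalf the call is made
    caller: Optional[str]    # None when the user calls directly; else the calling service
    target: str              # service being invoked
    required_role: str       # role the target requires for this operation


def authorize(realm: Realm, call: Call) -> tuple[bool, str]:
    """Decide a direct or delegated call; returns (allowed, reason)."""
    target = realm.find_service(call.target)
    if target is None:
        return False, f"unknown service {call.target!r}"
    if call.user not in realm.users:
        return False, f"unknown user {call.user!r}"
    # Service-to-service hop: the calling service must itself be known and
    # must be permitted to reach the target, independent of the user's roles.
    if call.caller is not None:
        if realm.find_service(call.caller) is None:
            return False, f"unknown calling service {call.caller!r}"
        if call.caller not in target.callers:
            return False, f"{call.caller!r} may not invoke {call.target!r}"
    # The role check is always against the target service's own mapping,
    # so being "admin" on one service never carries over to another.
    held = realm.roles_for(call.user, call.target)
    if call.required_role not in held:
        return False, f"{call.user!r} lacks {call.required_role!r} on {call.target!r}"
    return True, "ok"


def build_sample_realm() -> Realm:
    """Constructed sample data for the example (not taken from the thread)."""
    website_a = Service("website-a", role_mappings={"alice": {"admin", "user"}})
    service_b = Service("service-b", role_mappings={"alice": {"user"}},
                        callers={"website-a"})
    app = Application("shop", services={s.name: s for s in (website_a, service_b)})
    return Realm("acme", users={"alice", "bob"}, applications={"shop": app})


if __name__ == "__main__":
    realm = build_sample_realm()
    for call in (
        Call("alice", None, "website-a", "admin"),          # direct, admin on A: allowed
        Call("alice", "website-a", "service-b", "admin"),   # delegated, but only "user" on B: denied
        Call("alice", "website-a", "service-b", "user"),    # delegated with a role held on B: allowed
        Call("alice", "service-b", "website-a", "user"),    # B is not permitted to call A: denied
    ):
        print(call, "->", authorize(realm, call))
```

The two checks are deliberately separate: the `callers` set answers "may this service reach that one at all", while `roles_for` answers "what is this user allowed to do there". Conflating them is what lets an "admin" role on a front-end website leak into a back-end service that never granted it.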