[security-dev] how to model services managed by a realm
Pedro Igor Silva
psilva at redhat.com
Tue Jun 11 10:00:52 EDT 2013
----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Pedro Igor Silva" <psilva at redhat.com>
> Cc: security-dev at lists.jboss.org
> Sent: Monday, June 10, 2013 10:45:00 PM
> Subject: Re: [security-dev] how to model services managed by a realm
> On 6/10/2013 8:54 PM, Pedro Igor Silva wrote:
> > Hi Bill,
> > First of all, custom IdentityType implementations are targeted for
> > Beta5 and are related to PLINK-130.
> I see custom relationship tests.
Custom relationships are supported, but IdentityTypes not yet.
> > That said and considering what we have today, I would consider mapping
> > applications as realms. If I understood your use case correctly, each
> > application has its own users, roles, groups and relationships
> > between them, not visible or accessible by others.
> I don't think you understood. Each application does not have its own
> set of users, but does have its own set of roles. So the Realm manages
> a set of users who have access to a set of applications, each of which
> has its own set of roles. Think of a set of distributed applications
> in a company. You don't want to require registering a user for each one
> of these applications, you just want to define one user, then map their
> permissions to each application.
I see. I was thinking about each "application" having only a reference for a single user (same user maps to different accounts in twitter, google and fb, for example). But this is another scenario.
> > A realm will allow you to organize identity data per application,
> > where you can have the same user, role and group (with the same
> > loginName or name) between different realms. Maybe this example
> > application can be useful to demonstrate how to handle different
> > realms in a multi-tenancy architecture (using realms, only).
> > https://github.com/pedroigor/jboss-as-quickstart/tree/master/picketlink-authentication-idm-multi-tennancy
> > Another way to organize identity data is using tiers. Tiers, different
> > than realms, can be used to store only roles and groups. So, if you
> > want to share users you can use a single realm to store them and use
> > a specific tier for each application where its specific roles and
> > groups are located.
> If you store your users in a realm, and each application's roles in a
> tier, how do you create a role mapping between a role in the tier and
> the user in the realm?
Please, take a look at:
> Then another problem with your suggestion is, for a given Realm, how do
> I find out the associated Tiers? I'm not seeing any examples or code
> that allows me to do this.
I think we don't support this kind of query. But you can always get all users, groups or roles for a specific partition.
> Bill Burke
> JBoss, a division of Red Hat
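The layout the thread settles on (one realm for the shared users, one tier per application for that application's roles, and a Grant relationship as the role mapping between them), as an added example written for this page and not code from the thread or from the PicketLink project. It assumes the PicketLink 2.5 basic model (`PartitionManager`, `Realm`, `Tier`, `User`, `Role`, `Grant`, `BasicModel` under `org.picketlink.idm`) and that the caller already holds a configured `PartitionManager`; the realm, tier and role names are constructed for illustration.

```java
// Added example (not from the thread or the PicketLink project): models "users in a
// realm, roles in per-application tiers". Package and class names are assumed to be
// those of the PicketLink 2.5 basic identity model.
import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.PartitionManager;
import org.picketlink.idm.RelationshipManager;
import org.picketlink.idm.model.basic.BasicModel;
import org.picketlink.idm.model.basic.Grant;
import org.picketlink.idm.model.basic.Realm;
import org.picketlink.idm.model.basic.Role;
import org.picketlink.idm.model.basic.Tier;
import org.picketlink.idm.model.basic.User;
import org.picketlink.idm.query.IdentityQuery;

import java.util.List;

public class RealmAndTiersExample {

    // partitionManager is assumed to come from an already configured IdentityConfiguration
    // (for instance an in-memory store); building that configuration is out of scope here.
    public static void setUp(PartitionManager partitionManager) {
        // One realm holds the company's users once ...
        Realm company = new Realm("company");          // constructed name
        partitionManager.add(company);

        // ... and each application gets its own tier that stores only its roles.
        Tier billing = new Tier("billing-app");        // constructed name
        Tier reports = new Tier("reports-app");        // constructed name
        partitionManager.add(billing);
        partitionManager.add(reports);

        IdentityManager realmIdm = partitionManager.createIdentityManager(company);
        User alice = new User("alice");                // constructed user
        realmIdm.add(alice);

        IdentityManager billingIdm = partitionManager.createIdentityManager(billing);
        Role billingAdmin = new Role("admin");
        billingIdm.add(billingAdmin);

        IdentityManager reportsIdm = partitionManager.createIdentityManager(reports);
        Role reportsViewer = new Role("viewer");
        reportsIdm.add(reportsViewer);

        // The role mapping is a Grant relationship. Relationships are managed outside any
        // single partition, so the assignee may live in the realm while the role lives in
        // a tier (assumed behaviour of the 2.5 model).
        RelationshipManager relationshipManager = partitionManager.createRelationshipManager();
        BasicModel.grantRole(relationshipManager, alice, billingAdmin);
        relationshipManager.add(new Grant(alice, reportsViewer)); // same thing, spelled out
    }

    // Application-side authorization check: does this realm user hold the tier's role?
    public static boolean canAdministerBilling(PartitionManager partitionManager, User user) {
        Tier billing = partitionManager.getPartition(Tier.class, "billing-app");
        IdentityManager billingIdm = partitionManager.createIdentityManager(billing);
        Role admin = BasicModel.getRole(billingIdm, "admin");
        if (admin == null) {
            return false; // tier has no such role: deny rather than fail open
        }
        return BasicModel.hasRole(partitionManager.createRelationshipManager(), user, admin);
    }

    // There is no "which tiers belong to this realm" query, as the reply says; what you
    // can do is enumerate everything a given partition stores.
    public static List<Role> rolesInTier(PartitionManager partitionManager, String tierName) {
        Tier tier = partitionManager.getPartition(Tier.class, tierName);
        IdentityManager tierIdm = partitionManager.createIdentityManager(tier);
        IdentityQuery<Role> query = tierIdm.createIdentityQuery(Role.class);
        return query.getResultList();
    }
}
```

The check in `canAdministerBilling` is the part worth copying: resolve the role inside the application's own tier, then ask the relationship store whether the realm user holds it, so a role named `admin` in another application's tier never satisfies this application's check.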