[security-dev] PicketLink IDM Relationships and SASL Authorizations

Darran Lofthouse darran.lofthouse at jboss.com
Fri Jun 21 13:29:18 EDT 2013

Thank you for the test Pedro,

I have been able to see how to perform the single queries but the part I 
am still thinking about is how we deal with the issue that each of the 
two agents could be a member of many groups.

To cross check this could involve many queries.

In a similar way how are the agent to group to role queries handled?  If 
a user is a member of a group and the group is associated with a role 
does the user have that role or does the relationship need to be 
manually queried?

Darran Lofthouse.

On 20/06/13 20:15, Pedro Igor Silva wrote:
> Hi Darran,
>     I wrote a simple test case to try to satisfy your objectives.
>         https://gist.github.com/pedroigor/5825698
>     We can also use custom attributes if you need some kind of metadata for each relationship instance.
> ----- Original Message -----
> From: "Darran Lofthouse" <darran.lofthouse at jboss.com>
> To: security-dev at lists.jboss.org
> Sent: Thursday, June 20, 2013 12:27:08 PM
> Subject: [security-dev] PicketLink IDM Relationships and SASL Authorizations
> Within SASL there is a capability where during the authentication phase
> the agent being authenticated can request that subsequently they want
> the authorization privileged of another agent.
> The loading the identity of the agent being requested is fine but at the
> moment I am looking within PicketLink IDM at how this one agent being
> able to run as another agent can be modeled.
> I can see using a custom relationship how it should be fairly easy to
> model a 1:1 mapping of users that an 'impersonate' each other but I have
> a few additional scenarios that could also be needed so wanted to look
> for ideas on how to support all of these simultaneously.
>    - A single agent can impersonate a single agent.
>    - A single agent can impersonate any user that is a member of a
> specified group.
>    - A member of a specific group can impersonate a single agent.
>    - A member of one group can impersonate an agent of another (or same)
> group.
> As mentioned in IRC over the last couple of days having some form of
> permissions check API in the IDM for the non AS processes feels like it
> would fit this really well - however at the moment I can perform this
> check outside of any permissions API so just looking for ideas how it
> could be achieved.
> Regards,
> Darran Lofthouse.
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev

More information about the security-dev mailing list