On 6/11/2013 11:27 PM, Shane Bryzak wrote:
> Bill,
> I'm currently working on some changes that will allow you to create a
> custom Partition type, so you'll be able to do something like this:
>
> @IdentityPartition(supportedTypes = {Role.class, Group.class})
> public class Application implements Partition {
>     private String id;
>     private String name;
>     // snip getters/setters
> }
Will what you're working on allow you to create partitions on the fly?
Right now, tiers and realms must be pre-known and fixed for the lifetime
of the IdentityManagerFactory. I just finished some work to allow File-
and JPA-based stores to create and find partitions and was about to
submit a pull request.
> The supportedTypes member of the annotation allows you to define which
> identity types can be persisted in your particular partition implementation.
> I'll also be changing the Partition interface to extend AttributedType
> (which has getAttribute/setAttribute methods), so it will support
> setting arbitrary attribute values for partitions, as well as being able
> to declare formal attributes on the partition implementation itself.
>
> I'm a bit unclear about the use case for associating a Realm with Tiers
> - could you please elaborate on this?
There is a company-wide set of users. This is the Realm. A company has
a set of distributed applications, and each of these applications has its
own role set. I want to assign role mappings from the realm to each one
of these applications.
From a management perspective you'll want to be able to manage all
application user-role mappings from a specific Realm, or add/remove
roles from an application. To be able to do this, you need to know
which applications are managed by the Realm.
Also, I want to be able to create a token for an individual
authenticated user that contains role mappings for each application
within the realm.
All this needs to work in a SaaS model, where multiple realms can be
created and managed.
Pedro suggested that I model each Application as a Tier, but I'm having
doubts about this because LDAP doesn't currently support the notion of a
partition. Maybe I could federate this? Store username/credentials in
the company's LDAP store, but store application, roles, and role
mappings within a local store? Is this type of application data even
stored in LDAP in reality?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
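The realm / application / role-mapping model Bill describes above, written out as an added example that is not part of the thread and is not PicketLink code. Every class name here (Realm, Application, CredentialStore) is my own assumption; CredentialStore is an in-memory stand-in for the company LDAP that holds only usernames and password hashes, applications and role mappings live in the realm's own local store (the federated split Bill asks about), and the token is a minimal HMAC-signed JSON blob rather than any PicketLink token format. It shows the two checks a practitioner would want: a realm only maps roles for applications it manages (and only roles the application declares), and a token issued by one realm does not verify in another, since each realm signs with its own key.

```python
# Added illustration of the realm/application/role-mapping model from the
# thread. Not PicketLink code: class names are assumptions, CredentialStore
# stands in for LDAP, and the token format is a simple HMAC-signed JSON blob.
import base64
import hashlib
import hmac
import json
import os
import time


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Application:
    """One distributed application (a 'tier') with its own role set."""

    def __init__(self, name, roles):
        self.name = name
        self.roles = frozenset(roles)


class CredentialStore:
    """Stand-in for the company LDAP: usernames and password hashes only,
    nothing about applications or roles (the federated split)."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    def verify(self, username, password):
        entry = self._users.get(username)
        if entry is None:
            return False
        salt, expected = entry
        return hmac.compare_digest(self._hash(password, salt), expected)


class Realm:
    """Company-wide users plus the applications and role mappings it manages."""

    def __init__(self, name, credentials, signing_key):
        self.name = name
        self.credentials = credentials   # federated: LDAP-like store
        self.signing_key = signing_key   # per-realm key (multi-tenant SaaS)
        self.applications = {}           # local store: app name -> Application
        self.role_mappings = {}          # local store: user -> {app -> set(role)}

    def add_application(self, app):
        self.applications[app.name] = app

    def grant(self, username, app_name, role):
        # Only applications managed by this realm, and only roles they declare.
        app = self.applications.get(app_name)
        if app is None:
            raise KeyError(f"{app_name!r} is not managed by realm {self.name!r}")
        if role not in app.roles:
            raise KeyError(f"{app_name!r} declares no role {role!r}")
        self.role_mappings.setdefault(username, {}).setdefault(app_name, set()).add(role)

    def revoke(self, username, app_name, role):
        self.role_mappings.get(username, {}).get(app_name, set()).discard(role)

    def roles_for(self, username):
        """Role mappings for one user across every application in this realm."""
        return {app: sorted(roles)
                for app, roles in self.role_mappings.get(username, {}).items() if roles}

    def issue_token(self, username, password, ttl=3600, now=None):
        """Authenticate against the credential store, then sign the user's
        per-application role mappings. Returns None on bad credentials."""
        if not self.credentials.verify(username, password):
            return None
        now = time.time() if now is None else now
        payload = {"realm": self.name, "sub": username,
                   "exp": int(now + ttl), "roles": self.roles_for(username)}
        body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
        sig = _b64(hmac.new(self.signing_key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"

    def verify_token(self, token, now=None):
        """Payload if signature, realm and expiry check out, else None."""
        body, _, sig = token.partition(".")
        expected = _b64(hmac.new(self.signing_key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            return None
        payload = json.loads(_unb64(body))
        now = time.time() if now is None else now
        if payload.get("realm") != self.name or payload.get("exp", 0) <= now:
            return None
        return payload
```

The `grant` check is the "which applications are managed by the Realm" requirement in code: the realm refuses to map a role for an application it does not own, so a management UI that lists and edits mappings per realm cannot reach into another tenant's applications. Verification uses `hmac.compare_digest` so a signature comparison does not leak timing, and the expiry is taken from the caller-supplied clock so the behaviour can be tested deterministically.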