[security-dev] IDM: REST API
Bill Burke
bburke at redhat.com
Mon Dec 10 13:37:27 EST 2012
On 12/10/2012 12:56 PM, Anil Saldhana wrote:
> Bill,
> I am unsure if storing an aspect of a user as its attribute is
> hacking. OtherNames used is an attribute of the user.
>
> Each of our identity type constructs has attributes - user, role, group,
> application, tier, partition etc.
>
> Integration projects such as RESTEasy or GateIn or OAuth need to see if
> some of their use cases can be stored as attributes of identity type(s).
> This becomes an integration decision of the project. We do not want IDM
> to be bloated one size fits all, a strategy which has failed in the
> industry.
>
This is why you need a documented vision/requirements for the IDM. A
bloated API will fail, but one that does not meet everybody's
requirements will also fail. You need to step through the documented
requirements to see how it fits (or doesn't fit) into the IDM API and
act accordingly. i.e.
* Granting specific access to somebody so they can act on behalf of you
seems like a pretty compelling cross-cutting use case that should be
supported in the model.
* How the IDM API works in a cloud environment that needs to service
multiple realms/applications should also be thought through.
In the emails that have come out over the past few weeks, there's a
bunch of other use cases expressed by people that should be centralised
in a requirements document.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com