[security-dev] IDM: REST API

Bill Burke bburke at redhat.com
Mon Dec 10 13:37:27 EST 2012


On 12/10/2012 12:56 PM, Anil Saldhana wrote:
> Bill,
>     I am unsure if storing an aspect of a user as its attribute is
> hacking.  OtherNames used is an attribute of the user.
>
> Each of our identity type constructs has attributes - user, role, group,
> application, tier, partition etc.
>
> Integration projects such as RESTEasy or GateIn or OAuth need to see if
> some of their use cases can be stored as attributes of identity type(s).
> This becomes an integration decision of the project.  We do not want IDM
> to be bloated one size fits all, a strategy which has failed in the
> industry.
>

This is why you need a documented vision/requirements for the IDM.  A 
bloated API will fail, but one that does not meet everybody's 
requirements will also fail.  You need to step through the documented 
requirements to see how it fits (or doesn't fit) into the IDM API and 
act accordingly.  i.e.

* Granting specific access to somebody so they can act on behalf of you 
seems like a pretty compelling cross-cutting use case that should be 
supported in the model.
* How the IDM API works in a cloud environment that needs to service 
multiple realms/applications should also be thought through.

In the emails that have come out over the past few weeks, there's a 
bunch of other use cases expressed by people that should be centralised 
in a requirements document.


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

