[security-dev] IDM Realms and Applications - The Nitty Gritty
Bill Burke
bburke at redhat.com
Thu Nov 15 19:33:14 EST 2012
On 11/15/2012 4:55 PM, Shane Bryzak wrote:
> On 11/16/2012 06:25 AM, Bill Burke wrote:
>> I don't think your design incorporates the idea of a distributed
>> application: a set of services and websites that makes up one
>> application. In other words the fun SOA buzzword.
>
> Even the latest design?
>
>>
>> In my mind, you have a bunch of distributed services. Each service may
>> or may not have its own roles and role mappings. A user is allowed to
>> execute on a set of services and those services may call other services.
>> For example: a user may interact solely with Website A, but Website A
>> may need to interact with other services.
>>
>> So, the actors would be Realm, Applications, Services, Users.
>
> I'd like to see a specific example demonstrating this use case. Would it
> be possible for the services that make up a single application to simply
> share the roles defined by that application? Adding yet another layer to
> the current design is going to really complicate things further.
>
A user might be "admin" for one service, but not "admin" for a different
service. Service "A" might want to invoke on Service "B" on behalf of
the user. Doesn't that have to be conveyed in the model somehow?
Bill
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
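The question raised in this message, worked through as an added example (not part of the original thread and not code from the IDM project): roles are scoped per service, and an on-behalf-of call is authorized against the user's roles on the target service. The `Realm` class, the `delegates` table, and the user and service names are all assumptions made for illustration.

```python
"""Constructed model: roles scoped per service, plus on-behalf-of calls."""
from dataclasses import dataclass, field


@dataclass
class Realm:
    # (user, service) -> roles the user holds on that service only
    role_map: dict = field(default_factory=dict)
    # calling service -> services it may invoke on a user's behalf
    delegates: dict = field(default_factory=dict)

    def grant(self, user, service, role):
        self.role_map.setdefault((user, service), set()).add(role)

    def allow_delegation(self, caller, target):
        self.delegates.setdefault(caller, set()).add(target)

    def authorize(self, user, service, role, via=None):
        """Decide a call to `service`; `via` is the service acting for `user`, or None."""
        if via is not None and service not in self.delegates.get(via, set()):
            return False  # the calling service may not act for users here
        # Roles are checked on the target service, never on the caller.
        return role in self.role_map.get((user, service), set())


def shared_role_authorize(app_roles, user, role):
    """Alternative from the thread: every service shares the application's roles."""
    return role in app_roles.get(user, set())


def demo():
    realm = Realm()
    realm.grant("alice", "service-a", "admin")   # admin on A only
    realm.grant("alice", "service-b", "viewer")
    realm.allow_delegation("service-a", "service-b")
    return {
        "direct_admin_on_a": realm.authorize("alice", "service-a", "admin"),
        "a_to_b_as_viewer": realm.authorize("alice", "service-b", "viewer", via="service-a"),
        "a_to_b_as_admin": realm.authorize("alice", "service-b", "admin", via="service-a"),
        "b_to_a_as_admin": realm.authorize("alice", "service-a", "admin", via="service-b"),
        "shared_admin_on_b": shared_role_authorize({"alice": {"admin"}}, "alice", "admin"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

With shared application roles the last check passes, so an "admin" on one service is an "admin" on every service; the per-service model denies the same request when it arrives through Service A.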