[security-dev] IDM Realms and Applications - The Nitty Gritty

Shane Bryzak sbryzak at redhat.com
Thu Nov 15 20:19:33 EST 2012


On 11/16/2012 10:33 AM, Bill Burke wrote:
>
> On 11/15/2012 4:55 PM, Shane Bryzak wrote:
>> On 11/16/2012 06:25 AM, Bill Burke wrote:
>>> I don't think your design incorporates the idea of a distributed
>>> application:  a set of services and websites that makes up one
>>> application.  In other words the fun SOA buzzword.
>> Even the latest design?
>>
>>> In my mind, you have a bunch of distributed services.  Each service may
>>> or may not have its own roles and role mappings.  A user is allowed to
>>> execute on a set of services and those services may call other services.
>>> For example: a user may interact solely with Website A, but Website A
>>> may need to interact with other services.
>>>
>>> So, the actors would be Realm, Applications, Services, Users.
>> I'd like to see a specific example demonstrating this use case. Would it
>> be possible for the services that make up a single application to simply
>> share the roles defined by that application? Adding yet another layer to
>> the current design is going to really complicate things further.
>>
> A user might be "admin" for one service, but not "admin" for a different
> service.  Service "A" might want to invoke on Service "B" on behalf of
> the user.  Doesn't that have to be conveyed in the model somehow?
>
> Bill
>

Maybe what we really need to do is find another name for the abstraction 
that we're currently referring to as Application.  The only reason we 
currently have Applications is to support application-specific roles, 
which is exactly what you're suggesting we do for Services.
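The model the two of them are circling here (a realm of users; services that each define their own roles and their own role mappings; one service invoking another on behalf of a user) is small enough to write down. The block below is an added illustration, not PicketLink IDM code and not anything either poster wrote. The class names, the `authorize` function and the sample realm (users `alice` and `bob`, services `website-a` and `billing`) are assumptions made for the example. The point it demonstrates is the one in Bill's message: a user who is "admin" on one service is not thereby "admin" on another, so a delegated call is checked against the roles the user holds on the target service, not on the service that forwards the call.

```python
"""Toy model of realm-scoped users with service-scoped roles.

Added illustration with an assumed structure (not PicketLink IDM code):
a Realm holds Users and Services; each Service defines its own role names
and its own user->role mappings. A delegated call is authorized against
the roles the user holds on the *target* service, never against the roles
held on the service that forwards the call.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Service:
    name: str
    roles: set[str] = field(default_factory=set)               # roles this service defines
    mappings: dict[str, set[str]] = field(default_factory=dict)  # user -> roles held here


@dataclass
class Realm:
    name: str
    users: set[str] = field(default_factory=set)
    services: dict[str, Service] = field(default_factory=dict)

    def add_service(self, name: str, roles: set[str]) -> Service:
        self.services[name] = Service(name, set(roles))
        return self.services[name]

    def grant(self, service_name: str, user: str, role: str) -> None:
        """Map a realm user to a role defined by one specific service."""
        if user not in self.users:
            raise ValueError(f"{user!r} is not a user of realm {self.name!r}")
        svc = self.services[service_name]
        if role not in svc.roles:
            raise ValueError(f"service {service_name!r} defines no role {role!r}")
        svc.mappings.setdefault(user, set()).add(role)

    def has_role(self, service_name: str, user: str, role: str) -> bool:
        svc = self.services.get(service_name)
        if svc is None:
            return False
        return role in svc.mappings.get(user, set())


@dataclass(frozen=True)
class DelegatedCall:
    """Service `via` invokes service `target` on behalf of `user`."""
    user: str
    via: str
    target: str


def authorize(realm: Realm, call: DelegatedCall, required_role: str) -> tuple[bool, str]:
    """Decide whether `call` may perform an action that needs `required_role`
    on the target service. Returns (allowed, reason)."""
    if call.user not in realm.users:
        return False, f"unknown user {call.user!r} in realm {realm.name!r}"
    if call.via not in realm.services or call.target not in realm.services:
        return False, "caller or target service is not registered in the realm"
    # Roles are service-scoped: being admin on `via` says nothing about `target`.
    if realm.has_role(call.target, call.user, required_role):
        return True, f"{call.user} holds {required_role!r} on {call.target}"
    return False, f"{call.user} lacks {required_role!r} on {call.target}"


def build_sample_realm() -> Realm:
    """Constructed sample data for the demonstration (assumed names)."""
    realm = Realm("acme", users={"alice", "bob"})
    realm.add_service("website-a", roles={"admin", "user"})
    realm.add_service("billing", roles={"admin", "viewer"})
    realm.grant("website-a", "alice", "admin")   # alice administers the website...
    realm.grant("billing", "alice", "viewer")    # ...but may only view billing
    realm.grant("website-a", "bob", "user")      # bob has no billing role at all
    return realm


if __name__ == "__main__":
    realm = build_sample_realm()
    checks = [
        (DelegatedCall("alice", "website-a", "billing"), "viewer"),
        (DelegatedCall("alice", "website-a", "billing"), "admin"),
        (DelegatedCall("bob", "website-a", "billing"), "viewer"),
    ]
    for call, role in checks:
        print(call, role, authorize(realm, call, role))
```

Running the block shows alice's delegated call to `billing` succeeding for `viewer` and failing for `admin`, even though she is `admin` on `website-a`; bob's call fails because `billing` has no mapping for him. Whether the forwarding service itself must be permitted to call the target is a separate question the model above does not decide.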
