Hi 何嘉权,

1. Currently I don't think it is possible to add a tenant, but it should be if you try to use an LDAP library directly. As long as you know the directory structure layout and LDAP schema, that is possible.
2. Ya, currently I'm not using any Group for my current project implementation yet. (I'm using fortress from version 1.0.0-RC39)
3. It should be ok to have many permission records, because later you just need to check using https://directory.apache.org/fortress/gen-docs/latest/apidocs/org/apache/directory/fortress/core/AccessMgr.html at the checkAccess method.

In my opinion, fortress is giving you the framework of how rbac works. In the end, you are the one that needs to define and fit it with your use case.

Currently, I work at blibli (http://www.blibli.com), one of the biggest e-commerce companies in Indonesia. I'm using fortress and Apereo CAS as the authentication and authorization of most back-office management applications for all the microservices and have successfully centralized the access management for all employees.

Hopefully with my testimonial you can try to use it too; it just needs a little creativity to try to fit it with your use case, since fortress is the implementation of Role-Based Access Control ANSI INCITS 359-2004.

Thanks

Regards,

Yudhi Karunia Surtan
--------------------------------------
https://github.com/yudhik

On Sun, Sep 15, 2019 at 1:02 PM 何嘉权 <[email protected]> wrote:

> Hi Yudhi,
>
> Thanks for replying and sorry for my ambiguity.
>
> We're not implementing a second fortress. We're learning to use it
> correctly to avoid going in a wrong direction.
>
> 1. We are wondering if Fortress provides any REST API to add new tenants.
>    Or should we implement one?
> 2. Do you mean you're not using groups?
> 3. Surprised to know about this!
>
> On Sun, Sep 15, 2019 at 1:39 PM Yudhi Karunia Surtan <[email protected]>
> wrote:
>
>> Hi jiaquan,
>>
>> 1. What does ootb mean?
>> 2. Currently I'm not using it.
>> 3. Yes, since it is a whitelist of permissions. Currently, I think I have
>>    more than 2000 perms in my current implementation at my company.
>>
>> Anyway, what do you mean by best practice here? Is it about the
>> correctness of how you implement it? Or how exactly to use fortress?
>>
>> Sorry for my bad English.
>>
>> Regards,
>>
>> Yudhi Karunia Surtan
>>
>> On Sun, Sep 15, 2019, 10:18 何嘉权 <[email protected]> wrote:
>>
>>> Hi mighty Fortress,
>>>
>>> My team is evaluating how Fortress could fit into our product as an
>>> access control system.
>>>
>>> We've gone through the major official documents, set up a demo with the
>>> REST enmasse as well as the Web commander, and played with it a little
>>> bit. But we cannot find any best practice when it comes to our business
>>> requirements.
>>>
>>> We've multiple tenants with organizations of users, and organizations of
>>> resources. According to our understanding of Fortress, we've ideas:
>>>
>>> - Multiple tenants should be well supported as documented.
>>> - User organization could be implemented with Fortress's role
>>>   organization.
>>> - Resource organization could be implemented with Fortress's perm object
>>>   organization.
>>>
>>> But then questions pop up and we fail to get any clue:
>>>
>>> - By adding a new tenant, there's no OOTB RESTful API. [1]
>>> - User role inheritance is pretty powerful, but why do we still need
>>>   Group that doesn't have inheritance support? [2]
>>> - If one tenant has 1,000 resources, and each of them has READ/UPDATE
>>>   permission, is it expected to have 2,000 different permission objects
>>>   in Fortress?
>>>
>>> Thanks for any advice.
>>>
>>> [1] https://github.com/apache/directory-fortress-core/blob/master/README-MULTITENANCY.md
>>> [2] https://directory.apache.org/fortress/gen-docs/latest/apidocs/
