On Tue, Nov 28, 2023 at 7:33 PM Shawn McKinney <[email protected]> wrote:
> > On Nov 27, 2023, at 5:02 PM, Veniamin Gvozdikov <[email protected]> wrote:
> >
> > Hello,
> >
> > I tried to use groups from file
> > src/main/java/org/apache/directory/fortress/core/ant/Addgroup.java
> >
> > * <addgroup>
> > *   <group name="test001" protocol="test" description="Test Group 001" members="guser1,guser2,guser3"
> > *     properties="key1=value1, key2=val 2, key3='VAL 3'" />
> > * </addgroup>
> >
> > But the script with the snippet returns me.
> >
> > BUILD FAILED
> > InitGroups.xml:34: group doesn't support the "members" attribute
> >
> > Total time: 1 second
> >
>
> The attribute name is wrong. Have you tried:
>
> ```
> <addgroup>
>   <group name="test-group-1"
>   …
>   memberswithcsv="user1,user2,user3"
>   …
> </addgroup>
> ```

Thanks, it works now.

> > Could you please explain how groups work? I would like to assign a bunch of
> > roles to the group and add accounts to the group.
>
> Groups may have users (as members) or they may have roles, but not both.
>
> The Group of roles concept allows RBAC sessions to be created with a group
> name as the principal as opposed to a userId. Think trusted scenarios where
> the user was already authenticated elsewhere.
>
> The session may then be used on subsequent RBAC ops.
>
> User groups are not supported in RBAC ops.
>
> Are we missing a key use case?

I actually expected like AWS IAM has:

From AWS documentation:

An IAM group is an identity that specifies a collection of IAM users. You can't use a group to sign-in. You can use groups to specify permissions for multiple users at a time. Groups make permissions easier to manage for large sets of users. For example, you could have a group named IAMPublishers and give that group the types of permissions that publishing workloads typically need.
