(1) Regarding to identity CCoS attributes:
Why and How AM API impact the IdRepo identity
attributes ? If so why amUser and amDiscoveryService
are not impacted ?
Please clarify.
(2) Regarding to the realm retrictions to attribute accessing
I really have some questions on Priviliges
(a) Why Priviliges are definied at realm level instead of
other AM identity container level such as group and role ?
(b) It seems,realm priviliges are setting a all iPlanetAMPolicyService,
specifically, PolicyCrossReferences for sunAMDelegationService
within the realm.
In addition, it sets the PolicyAdmin,RealmReadOnly,DatastoresReadOnly,
AllUserReadableServices,SelfReadAttributes, SelfWriteAttributes
Policies to target Identity subjects
(c) policy management is about to create referral policy
and at realm and sub realm and level.
ou=OrganizationConfig,ou=1.0,ou=iPlanetAMPolicyService,ou=services,
Then my question is what are the decision point to define priviliges instead
of policy at realm level. I mean I can create customer privilige services
as policy does. Please clarify my confusion.
Why Privilige does not requires Referral at root level since Privilige
is about to create policy in nature too.
Why and What should be defined as Privilige instead of Policy ?
Monday, December 12, 2005
Identity Privilige and Policy
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment