Hi Tran,

the addition of metadata for users is not possible in the current implementation of Keyrock. And today we have no immediate plans to add something similar.

However, as the new release is based on OpenStack Keystone, if you are going to deploy your own instance of the component it is so easy to add a new field in the Users API in order to enable this type of parameter. We can give you some pointers in order to achieve that.

I hope this helps,

BR
--
Álvaro

> On 16 Feb 2015, at 14:31, DANGERVILLE Cyril <cyril.dangerville at thalesgroup.com> wrote:
>
> Hello Alvaro,
> I am forwarding you a question from Tran (in CC):
> *Is it possible to define new attributes for a user in the IdM, e.g. application-specific?*
> I don't think it is in the IdM GE specification, but maybe this is possible with KeyRock?
>
> Thanks for your help on this.
>
> Regards,
> Cyril
>
>> -----Original Message-----
>> From: Tran, Thanh Quang [mailto:thanh.quang.tran at fokus.fraunhofer.de]
>> Sent: Friday, 13 February 2015 21:55
>> To: DANGERVILLE Cyril
>> Cc: fiware-tech-help at lists.fi-ware.org; Álvaro Alonso
>> Subject: RE: [Fiware-tech-help] IdM GE - Adding new attributes (e.g. application-specific)
>>
>> Hi Cyril,
>> Thank you very much for your support.
>> They are all patient attributes. Care Provider is the
>> organization/department that takes care of the patient. Emergency is
>> also a sensitive patient attribute that we need for the patient
>> emergency use case.
>> I just want to give an example that possibly different non-standard
>> attributes are required.
>> In the healthcare domain, they are specifying different types of human
>> resources such as Patient, Practitioner, Related Person
>> (http://www.hl7.org/implement/standards/fhir/resourcelist.html)
>>
>> Bests,
>> Tran
>> ________________________________________
>> From: DANGERVILLE Cyril [cyril.dangerville at thalesgroup.com]
>> Sent: Friday, February 13, 2015 7:12 PM
>> To: Tran, Thanh Quang
>> Cc: fiware-tech-help at lists.fi-ware.org; Álvaro Alonso
>> Subject: [Fiware-tech-help] IdM GE - Adding new attributes (e.g. application-specific)
>>
>> Hello Tran,
>> I included the IdM (and PEP Proxy) GE Owner - Alvaro - in the
>> discussion and changed the subject to make it more explicit. I just
>> want to clarify your use case before giving an answer.
>>
>> 1) Can you give value examples for the attribute "care provider"?
>> Is it the role/type of the person taking care of the patient? Doctor,
>> nurse, intern, etc. In which case, "roles" (supported by the IdM) can
>> be used for that.
>>
>> 2) As far as I understand, the "emergency status" is not a user
>> attribute as it is not user-specific, is it? If it is like a "global"
>> status, in XACML jargon, it is considered an Environment attribute.
>> Maybe if the IdM supports adding custom attributes to applications and
>> your healthcare application is registered in the IdM, you could get the
>> attribute value from the IdM. To be checked with the IdM owner.
>> Otherwise, such an attribute is provided by an application/use-case-
>> specific source of attributes, maybe the healthcare application itself.
>>
>> Regards,
>> Cyril
>>
>>
>> From: Tran Quang Thanh [mailto:thanh.quang.tran at fokus.fraunhofer.de]
>> Sent: Thursday, 12 February 2015 14:42
>> To: DANGERVILLE Cyril
>> Cc: fiware-tech-help at lists.fi-ware.org
>> Subject: Re: [Fiware-tech-help] Authorize PDP GE
>>
>> Dear Cyril, all,
>> Thank you very much for your support and information. I am waiting for
>> your configuration file :-)
>>
>> As far as I understand (correct me if I am wrong), in the upcoming
>> access control model, the connection between Authorized PDP and IdM
>> (the Attribute Finder) has been removed. This makes the IdM and PDP
>> somehow more generic and independent, however it might raise a new
>> issue as I mention in the following:
>>
>> As you know, in other domains such as our healthcare domain, one of the
>> reasons that we are interested in the XACML access control model is
>> the flexible capability to create access policies based on many
>> attributes. Such policies will use not only XACML standard attributes
>> (e.g. subject-id, resource-id, time etc.) but also our domain-specific
>> attributes. For example, we have a policy like this:
>> "Doctor can access medical records of patients from their medical
>> center. Other doctors can access patient records in case of emergency".
>> In such a policy, we adopt two user domain-specific attributes: care
>> provider and emergency status.
>>
>> With the new architecture, to be sure, such attributes can still be
>> extracted from the token (if the IdM supports it), but how does the PEP
>> Proxy decide which attributes to include in the XACML request (do we
>> need to include all user attributes in the request?) and, when the
>> request contains such domain-specific attributes, how does the PDP
>> understand such attributes in order to validate the request without
>> communicating with the IdM?
>>
>> The same concern about the support of domain-specific attributes
>> applies to the only FIWARE IdM KeyRock GEri. Does it support a flexible
>> mechanism to deal with this (e.g. through API or some configuration)?
>> As far as I know, the GCP IdM supports such functionality through an
>> API that allows users to create new attributes.
>>
>> If the GE owner or someone in the list can support, please help us to
>> clarify this.
>> Thank you very much,
>>
>> Bests,
>> Tran
>>
>>
>>
>> On 11.02.2015 17:48, DANGERVILLE Cyril wrote:
>>
>> the PEP
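
The policy quoted in the thread ("Doctor can access medical records of patients from their medical center. Other doctors can access patient records in case of emergency"), as an added example that is not part of the original messages and is not FIWARE, KeyRock or Authorization PDP code: a simplified PEP/PDP pair in which the PEP forwards only the attributes the policy references and the PDP decides from the request alone. The `urn:example:` attribute ids, the function names and the sample values are assumptions; placing the emergency flag in the resource category follows Tran's description of it as a patient attribute.

```python
# Added illustration; not FIWARE/KeyRock code. Simplified PEP/PDP pair.
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
CARE_PROVIDER = "urn:example:healthcare:care-provider"  # hypothetical id
EMERGENCY = "urn:example:healthcare:emergency"          # hypothetical id

# Attributes the policy references; the PEP forwards nothing else.
POLICY_ATTRS = {
    (SUBJECT, ROLE), (SUBJECT, CARE_PROVIDER),
    (RESOURCE, CARE_PROVIDER), (RESOURCE, EMERGENCY),
}


def build_request(user_attrs, record_attrs):
    """PEP side: copy only policy-referenced attributes into the request."""
    request = {}
    for category, attrs in ((SUBJECT, user_attrs), (RESOURCE, record_attrs)):
        for attr_id, value in attrs.items():
            if (category, attr_id) in POLICY_ATTRS:
                request[(category, attr_id)] = value
    return request


def decide(request):
    """PDP side: evaluate the policy from the request alone, failing closed."""
    role = request.get((SUBJECT, ROLE))
    if role is None:
        return "Indeterminate"          # required attribute missing
    if role != "doctor":
        return "Deny"
    if request.get((RESOURCE, EMERGENCY)) is True:
        return "Permit"                 # any doctor, emergency case
    own = request.get((SUBJECT, CARE_PROVIDER))
    theirs = request.get((RESOURCE, CARE_PROVIDER))
    if own is None or theirs is None:
        return "Indeterminate"
    return "Permit" if own == theirs else "Deny"


# Constructed sample data: attributes as they might arrive from a token
# and from the patient record store.
DOCTOR = {ROLE: "doctor", CARE_PROVIDER: "center-a", "email": "d@example.org"}
RECORD_A = {CARE_PROVIDER: "center-a", EMERGENCY: False}
RECORD_B = {CARE_PROVIDER: "center-b", EMERGENCY: False}
RECORD_B_EMERGENCY = {CARE_PROVIDER: "center-b", EMERGENCY: True}

if __name__ == "__main__":
    for record in (RECORD_A, RECORD_B, RECORD_B_EMERGENCY):
        print(decide(build_request(DOCTOR, record)))
```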