I'm working on a project that will use CAS for authentication, but iMIS for authorization. I just wrote the ldap_authorization module for the LDAP project. An iMIS authorization module would be very similar in architecture:
- have a site admin define a set of rules for mapping a Drupal user to an iMIS/LDAP user, and then an iMIS/LDAP user to Drupal roles, OG group ids, etc. In LDAP the rules are based on the LDAP user entry attributes. In iMIS the mapping rules might include any number of iMIS attributes, such as the GetParticipations web service.
- when a user authenticates,
  A) derive the Drupal role, OG group, etc. ids (imis_authorization, ldap_authorization modules)
  B) grant them access to them (imis_authorization_drupal_roles, ldap_authorization_drupal_roles modules)
Does anyone else have a need for this or an alternative approach?
Perhaps a Generalized Approach
If done correctly, ldap_authorization_drupal_roles could work out of the box with imis_authorization and be renamed authorization_drupal_roles, authorization_og, etc., or some such. Or, ideally, the Entitlements API will play the consumer end of the authorization.
It would be nice to have a pluggable framework for authorizations, such as the Feeds module has. For authorization, it might be something like:
authorization provider type -> authorization mapper module -> authorization consumer module
imis -> imis authorization (mapper) -> drupal roles consumer
imis -> imis authorization (mapper) -> og consumer
ldap -> ldap authorization (mapper) -> drupal roles consumer
ldap -> ldap authorization (mapper) -> og consumer
where the mapper and consumer modules are swappable. Perhaps Feeds' plugin architecture could do some of this? I'm not too familiar with the new Feeds module.
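As an added illustration of the provider -> mapper -> consumer split sketched above (this is not code from the ldap_authorization module, from iMIS, or from Drupal; it is written in plain Python rather than PHP so the architecture reads without Drupal APIs), the following shows two providers feeding the same rule mapper and two swappable consumers. The provider, rule and consumer classes, the GetParticipations-style participation list, and the sample directory entries are all constructed for the example. It also shows the check a practitioner would want from such a module: on re-authorization, only ids the pipeline itself granted earlier are revoked, so roles a site admin assigned by hand are left alone.

```python
"""Constructed sketch of a pluggable authorization pipeline:
provider (ldap / imis) -> rule mapper -> consumers (drupal roles, og groups)."""
from dataclasses import dataclass, field


@dataclass
class DrupalUser:
    """Minimal stand-in for a Drupal account (constructed, not Drupal's user object)."""
    name: str
    roles: set = field(default_factory=set)
    og_groups: set = field(default_factory=set)
    # Ids granted by this pipeline per consumer type, so later runs revoke only
    # those and never a role a site admin assigned by hand.
    managed: dict = field(default_factory=dict)


class LdapProvider:
    """Provider backed by an in-memory map of LDAP entry attributes (constructed)."""
    def __init__(self, directory):
        self.directory = directory

    def lookup(self, username):
        return self.directory.get(username, {})


class ImisProvider:
    """Provider modelled on a GetParticipations-style lookup (constructed stand-in)."""
    def __init__(self, participations):
        self.participations = participations

    def lookup(self, username):
        return {"participation": self.participations.get(username, [])}


@dataclass(frozen=True)
class Rule:
    """Site-admin mapping rule: attribute has value -> (consumer type, target id)."""
    attribute: str
    value: str
    consumer: str
    target: str


class RuleMapper:
    """Evaluates the admin rules against provider attributes (multi-valued aware)."""
    def __init__(self, rules):
        self.rules = list(rules)

    def map(self, attrs):
        grants = {}
        for rule in self.rules:
            values = attrs.get(rule.attribute, [])
            if isinstance(values, str):
                values = [values]
            if rule.value in values:
                grants.setdefault(rule.consumer, set()).add(rule.target)
        return grants


class SetConsumer:
    """Generic consumer syncing one set-valued attribute on the user.
    One instance handles Drupal roles, another OG groups; both are swappable."""
    def __init__(self, consumer_type, attr):
        self.consumer_type = consumer_type
        self.attr = attr

    def apply(self, user, targets):
        current = getattr(user, self.attr)
        previously = user.managed.get(self.consumer_type, set())
        # Revoke only ids this pipeline granted before and no longer derives.
        current.difference_update(previously - targets)
        current.update(targets)
        user.managed[self.consumer_type] = set(targets)


class AuthorizationPipeline:
    def __init__(self, provider, mapper, consumers):
        self.provider, self.mapper, self.consumers = provider, mapper, consumers

    def authorize(self, user):
        grants = self.mapper.map(self.provider.lookup(user.name))
        for consumer in self.consumers:
            consumer.apply(user, grants.get(consumer.consumer_type, set()))
        return user


# Constructed sample data and rules shared by both provider types.
EDITORS_DN = "cn=editors,ou=groups,dc=example,dc=org"
STAFF_DN = "cn=staff,ou=groups,dc=example,dc=org"
RULES = [
    Rule("memberOf", EDITORS_DN, "drupal_role", "editor"),
    Rule("memberOf", STAFF_DN, "og_group", "staff-intranet"),
    Rule("participation", "COMMITTEE-PUBS", "drupal_role", "editor"),
    Rule("participation", "MEMBER", "og_group", "members-only"),
]
CONSUMERS = [SetConsumer("drupal_role", "roles"), SetConsumer("og_group", "og_groups")]


def run_ldap_example():
    provider = LdapProvider({"alice": {"memberOf": [EDITORS_DN, STAFF_DN]}})
    return AuthorizationPipeline(provider, RuleMapper(RULES), CONSUMERS).authorize(DrupalUser("alice"))


def run_imis_example():
    provider = ImisProvider({"bob": ["COMMITTEE-PUBS", "MEMBER"]})
    return AuthorizationPipeline(provider, RuleMapper(RULES), CONSUMERS).authorize(DrupalUser("bob"))


def run_revocation_example():
    """Alice is removed from the editors group; re-authorizing drops 'editor'
    but keeps the hand-assigned 'administrator' role."""
    directory = {"alice": {"memberOf": [EDITORS_DN, STAFF_DN]}}
    pipeline = AuthorizationPipeline(LdapProvider(directory), RuleMapper(RULES), CONSUMERS)
    alice = pipeline.authorize(DrupalUser("alice", roles={"administrator"}))
    directory["alice"]["memberOf"] = [STAFF_DN]
    return pipeline.authorize(alice)


if __name__ == "__main__":
    for user in (run_ldap_example(), run_imis_example(), run_revocation_example()):
        print(user.name, sorted(user.roles), sorted(user.og_groups))
```

Swapping iMIS for LDAP changes only the provider and the rules' attribute names; the mapper and consumers are untouched, which is the property the generalized authorization_drupal_roles / authorization_og split would need.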