My requirement is I have 2 Roles NA and Pacific and I want a single user(specific user lets say Adam) to handle these 2 role's cases but at the same time other users with Role NA should not see cases of Pacific role and vice versa.
We have owner based sharing in our org where we shared cases on the basis of Roles.
I want a feature where Adam (my user) can switch b/w these users(NA role user and pacific Role user).
Please help I am open to every suggestion.
I try to call Apex from flow to change the role of my user ,but the problem in this approach is -
suppose I am NA role user and currently own a case(case no -123), this case(case no 123) must be shared with NA user role only, but when I switched my role from NA to Pacific by using flow that I had created what happens is the case(case no-123) got shared to Pacific role and unshared with NA role cause we have sharing based on Role and this should not happen.
Many ways to do it, try these 2 and report back if it's not ideal.
Make "Adam" a manager of both teams, give him role above these in role hierarchy and he should see everything his subordinates see. (but his own cases won't be shared down)
or make him in "Pacific" role but create 2nd sharing rule.
Cases - Owner in role: NA - share with - group "Adam and friends" ;)
(make public group and make Adam the only member of that group)
Related
I've been trying to develop an internal staff portal for our company. There are departments, job grades, working areas, roles (user, editor, admin, super admin, etc...) and special groups (executives, etc) for user grouping.
User must have one (only one) department.
User must have one (only one) job grades.
User must work in minimum one area.
User must have one (only one) roles.
User may have one or more special groups.
Job grades and roles are hierarchical (an grade or role may be inherited of another one) but other ones not.
Users will see only allowed menus and access permitted routes.
User will also select which users can view it when posting a new content.
e.g:
Combination 1: (IT or Finance department) and (Job Grade is one of 9,10,11) and (Area is one of 1,5,8) and (Exclusive special group is one of 1,5,8) except user id=1
Combination 2: (HR department) and (Job Grade is 11) and user_id=3,4,5
Combinations can be related as AND/OR among themselves like Combination 1 AND combination 2
So, there will be lots of contents and every content will have different group permissions. I try to create a DB schema but it's very hard to get all contents that is visible to logged in user. Serialized data would be good for saving combination sets in db but it looks like impossible with serialized data. Is there an advantage to using MongoDB for this issue? How can i save combinations of group/user permissions in tables also?
I researched lots of ACL and RBAC examples but can't find the optimal solution. Please help.
Btw, i use Laravel Framework.
Thanks.
You need to look into attribute-based access control (ABAC - Wikipedia) and the eXtensible Access Control Markup Language (XACML). NIST, the National Institute of Science & Technology gives a great intro to ABAC here.
XACML will give you the ability to express fine-grained access control policies that use you attributes. In your question you have:
user attributes
department
job grade
working area
role
group
object (resource) attributes
content type
content location
content classification
With XACML you can write rules such as:
A user with grade==1 can do the action==edit on content of type==post
if content.department==user.department.
You can have as many rules as you like including conflicting rules or environment rules (deny access before 9am).
Have a look at the ALFA plugin for Eclipse to write your own policies (Wikipedia | Download).
HTH,
David
I'm trying to find the best implementation of class diagram and database structure for football court management. The system have three actors:
Super Admin : manage everything with all privileged (web back-office)
Court Owner : can create a Football Club that may have more than one stadium (web back-office)
Player: who can review a club and book an available stadium (mobile)
My problems are :
Since the three actors have the same properties, I don't need the "extend" relation between "user" and "owner", "player", "admin", but also I can't only have the class "user" because not all users can submit a review and only the owner can add a club... so how to manage the privilege of different users who have the same properties ? and do I need the User group table that can help me to know the group of each user ("owner", "admin", "player") ? (I see that Joomla and Wordpress use a user group table)
The Club can have many stadiums (courts) in the majority of cases they are identical so should In my solution bellow is it correct to have two classes "club" and "stadium" and put the common information (city , latitude, longitude) inside the class "club" ?
Take in consideration that player can book a stadium of a club and the club have another available stadiums that can be booked is my solution bellow correct ?
Please I need your guidance and suggestion of the best implementation for a football clubs management where:
There is three actors ("player", "admin", "club owner")
Each actor have different privileged (only owner can create a club, only player can book and review...)
Avery Club can have many stadiums and player can book one of them or many, and we need to keep track of the availability of other stadiums of the same club.
Here is what I have tried:
Edit link : https://creately.com/diagram/iaqn8ddo/T1IfqHRrhGcHYPihjOwMIQSwM%3D
View Link : http://creately.com/diagram/example/iaqn8ddo/Copy%2Bof%2BTakwira
Does not look too bad.
You already have classes for the actors. So that's done.
The "privileges" can be modeled by assigning the specialized classes the according methods. That is: Owner has a createClub() method and Player has book() etc.
You need a Booking class that keeps track of the bookings made by Player
One observation: the composition from Stadium (you have a typo in the name) to SportsClub does not seem to make sense. A club is not composed of stadiums. In best case it's composed of members. Replace it with an association and use ownedStadium as role.
I have different Active Directory groups and one BO universe.
Different active directory groups should have different restricted access on data in the universe.
How can I implement that? (unfortunately I did not found corresponding tutorial or documentation on the net.)
If there are more than one ways to implement data access, what is the best practice?
Thanks.
There are two main ways to implement row-level security in a universe. One is via a Security Profile; the other is via #variable('BOUSER').
If the security is to be applied at a group level (that is, all members of a group should have the same condition applied), then a Security Profile is appropriate. This is covered in Chapter 17 of the IDT User Guide. At a high level, the steps are:
From IDT, launch the Security Editor
Select the universe, and create either a Data Security Profile or a Business Security Profile (read the docs for the differences between the two, but one is that with the DSP, you will write a WHERE condition; with the BSP, you select objects and define a condition)
Once the Security Profile is created, select the group or groups that it should apply to
Repeat the above for each group that should have a restriction applied
The other method for applying row-level security is only applicable when the data source includes a table that has a mapping of BO user IDs to the values that they may have access to. For example, let's say you have a security table in your data source that looks like this:
user_id region
------- ------
U123 NE
U123 SE
U321 W
and your fact table looks like:
pk region value
__ ______ _____
1 NE 3
2 W 4
You can apply security such that user U123 only sees the "NE" row, and user U321 only sees the "W" row. You would join the two tables on region (security.region=fact.region), then create a new mandatory filter on security.user_id=#variable('BOUSER'). This will force the filter to be applied to all queries.
Note that both of the above methods work by adding conditions to the query's WHERE condition. If your users have permission to view and edit the query's SQL, they will be above to override the filtering logic. To ensure security, users should be denied this right.
I am working on one portal where will be few user roles. I have been wondering what is the best way to handle them. I have created separated tables for users and clients, but clients will want the functionality as users and users can become clients easy too.
I also don't want to make many joints, so what I as thinking is this:
I will have 4 different user roles (at least for now) as follow:
user
client
reviewer
admin
I will assing "id" to each role. At the same time I will keep table in mysql with these roles. It will be something like:
1 - admin
2 - reviewer
3 - client
4 - user
This table will be used only upon creation of user, to get the code of user "permissions". So Let's say that there will be a guy who is a user and reviewer. His role would be 24.
login password email role created
----------------------------------------------------------
guy password guy#gmail.com 24 2012-12-08 23:12:30
I think this could work pretty well, but still want to ask if you guys think this is good and effective solution.
Thanks
The other way to do this would be to have a many to many USER_ROLE table where for your example guy would have the following entires.
login role
guy 2
guy 4
I generally prefer this method of tracking roles. A join against this table in a situation like this should be fast and painless, especially if you move to using a user_id instead of a login, and index appropriately.
What you're defining is a Role Based Access Control System (I would suggest looking up resources on this). An RBAC system will have a separate table for users and another table for roles. There will be a many to many relationship between users and roles. Also, you will connect a permissions table to roles in another many to many relationship. The image attached represents how to implement this system:RBAC SYSTEM IN MYSQL
A similar question was asked before: How to design a hierarchical role based access control system
Here is the situation:
I have a "user" , which have many attributes. For example, "name", "email", "password", "phone".
There are some attributes that are open for public, for example, "name", "email".
These information is open for evenbody who visit the site.
But some, only for trust body in the system, for example "phone".
These information is open for the people that the user trust.... (Assume the user have a trust list that can accept other user to the trust list.)
And the private one "password".
This information is only for the user only, other people can't get access to it.
User can change different security level based on their need, for example, the user want to change the "email" for only trusted body, they can do so. It is also allow the user change their "phone" to public.
I use three number to represent three level of right. The first one with 3, second is 2, and the private is 1. So, I design the database in this way:
User
id(PK)
nameId(FK)
emailId(FK)
passwordId(FK)
phoneId(FK)
Name:
id(PK)
name(String)
securityLevel(int)
Email:
id(PK)
email(String)
securityLevel(int)
Phone:
id(PK)
phone(int)
securityLevel(int)
Password:
id(PK)
password(String)
securityLevel(int) //It must be 1
The question is, I can do it but my database will have many table, is there any simple way to do it? Moreover, is there any books about these kind of database design is recommended? thank you.
You don't need different tables for this, because each relation is a 1-1 relation.
Should a user have, say, multiple e-mail adresses, then you indeed should put the email and securitylevels in different tables. But because in this case, each user has exactly 1 email, 1 name, 1 phone, 1 password - just one table with 1 row per user should do.
If I understand this correctly, you could simply put all this information in two tables (user and friends) because as far as I know, it is a lot more efficient to get larger chunks of data with few queries, than smaller chunks of data with many queries. You would have something like this:
Users:
id
name
name_perm // 1, 2 or 3
email
email_perm // 1, 2 or 3
phone
phone_perm // 1, 2 or 3
password // Doesn't need permissions, always 1
Friends:
user_id
friend_id
When a user visits another user's page, first you check the permission level for each field. If level 2 is found, you would then query the friends table and check if current user ID is a friend of the user whose page is being viewed. If found, user is trusted and level 2 security info can be displayed. As for level 1 security, it's really simple - only display this info if both IDs match.
Hope this helps.
Whether or not the private data is segregated into a separate table does not solve the issue of how to prevent unauthorized access. The MySQL 5.1 manual section 5.4.5 discusses request verification/privileges, but if your database is hidden behind a web application with no direct access to your tables, then standard web server security alone might be sufficient. You should probably mention the entire os/server/db/language bundle you're using (LAMP, SAMP, whatever) so someone can suggest the best security scheme for your configuration.