Here is my sample graph
g.addV('user').property('userId','user1').as('u1').
addV('user').property('userId','user2').as('u2').
addV('user').property('userId','user3').as('u3').
addV('group').property('groupId','group1').as('g1').
addV('group').property('groupId','group2').as('g2').
addV('group').property('groupId','group3').as('g3').
addV('folder').property('folderId','folder1').property('inheritance',false).as('f1').
addV('folder').property('folderId','folder2').property('inheritance',true).as('f2').
addV('folder').property('folderId','folder3').property('inheritance',true).as('f3').
addV('file').property('fileId','file1').
addE('in_folder').to('f1').
addE('in_folder').from('f2').to('f1').
addE('in_folder').from('f3').to('f2').
addE('member_of').from('u1').to('g1').
addE('member_of').from('u2').to('g2').
addE('member_of').from('u3').to('g3').
addE('member_of').from('g3').to('g1').
addE('has_permission').from('g1').to('f1').
addE('has_permission').from('u2').to('f1').iterate()
Folder f2 is inheriting from f1 meaning the users and groups who have access to f1 will also have access to f2, same goes for f3.
Access to a folder for an user can come from a group or parent group of the group
How can i write a gremlin query to check permission for 'user1' have permission on f3 ?
Below query can fetch direct access to user or one of its group on the given folder where it doesn't check for parentfolder permissions through inheritance property.
g.V().has('user','userId','user1').emit()
.until(__.not(outE('member_of'))).repeat(out('member_of')).filter(outE('has_permission').has('permission','VS_F').inV().has('folder','folderId','folder1')).hasNext()
Instead of using filter, just continue the traversal:
g.V().has('user', 'userId', 'user1').emit().repeat(out('member_of'))
.out('has_permission').emit().repeat(__.in('in_folder').has('inheritance',true))
.has('folder', 'folderId', 'folder3')
.path().unfold().valueMap()
We first getting all the group membership recursively.
Then getting all the resources the user and his groups has access to.
Then traversing all the inherited resources recursively.
Finally, filtering the required resource.
The last line is only needed if you want to see the relations that permitted the access.
Related
I am building a training platform for work. I have created the requirements for a user to be trained based on a role given to them. If that role is aligned to a document it will sit against the user. I have managed to get most of the way but am struglling on the best way to finish the where statement within mysqli.
tbldocfiles is a list of my files. I am looking at docid (could be multiple files associated to the document)
tbltrainingaccess sets the roles (driver, warehouseman, customer services) and shows which role (by id) is associated to the document in docfiles.
tblusertraining is the list of users and what role they have associated to them. (driver, warehouseman, customer services).
I am listing the documents associated to the user so have thought the following is the best way:
Look at the user and how many roles he/she is allocated
Look at the roles returned in point 1 (where function)
Identify and match the documents that have the same roles as the user (Join function)
create the list, then look at the unique values for docid. (distinct value)
Example User Bri has the driver and warehouseman role.
There are 5 documents in the db, 3 of them are associated to the driver role (docid 1,2,3) and 2 of them are associated to the warehouseman role (docid 2,4) the 5th document is associayted to customerservice.
My query should do this:
List all documents associated to the roles, that are associated to the user Bri
1
2
3
2
4
Now select unique values (using docid) from the above list:
1,2,3,4.
So my answer will be a used as a count function at the end using mysql_fetch_rows
SELECT DISTINCT tbldocfiles.docid FROM tbldocfiles LEFT JOIN tbltrainingaccess ON (tbldocfiles.docid = tbltrainingaccess.docid) where groupid='1' or groupid='9'
The above code works. but i've got myself confused.
The where statement needs to be the result of a query similar to :
select * from tblusertrainingrole where userid='1' (1 will be a variable based on page selection)
the result in this would be 1, 9 which are the groupid results.
Basically any help would be appreciated! I am sure it will be simple but have burnt myself out on this for a while and most answers in here helped with joining but not the where statement (that I could find)
Thank you in advance everyone!
You can do a select statement in the where. Since it is an or statement you can use in for the results. Please replace * with the column name for the value you need. Should look like
where groupid in (select * from tblusertrainingrole where userid = '1')
I have SQL 2014 professional version 12.0.5000.0 with SSRS runing. eI have created a report in report builder 3.0 which works and runs find.
However when I go to create a subscription and run I get the user a1234 (as a example ) don't exist.
I looked there is no user with that name added to SSRS or in our domain.
my user name is ah1234 (as a example )
I looked in the subscription table and the owner is me ? However, the subscription is showing the owner as a1234?
I checked the report I uploaded it says the owner is a1234.
I'm thinking it might be a active directory issue but not sure.
Has anyone has see this before if so how can I fix the owner name of the subscription?
I don't know how SSRS has corrupted the owner name but here is a trick (written on 2008 R2) to correct owner names (I use this when people leave & their Active Directory user id gets deleted leaving orphaned subs that will not run).
Note that it updates the Microsoft-supplied subscriptions table, you may not wish to do that.
First identify the SSRS owner id for the from-person & also that of the to-person (you may need to get the to-person to create a subscription first):
SELECT distinct [OwnerID], u.username
FROM [<ssrs-database>].[dbo].[Subscriptions] s
join [<ssrs-database>].[dbo].[Users] u on s.ownerid = u.userid
Now make a safe copy of the subscriptions list, e.g.:
SELECT * into temp.subscriptionscpy
FROM [<ssrs-database>].[dbo].[Subscriptions] s
Now make the change, e.g. (this one changes the owner of all relevant subs):
update [<ssrs-database>].[dbo].[Subscriptions]
set ownerid = 'DDD87598-8957-42C8-8DBC-A893E7174CB6'
where ownerid = 'EBF0E483-69E6-4458-B171-BA28FFCCDF3F'
Now check the owner is as you want it.
I want to give access to users who have attribute with certain value.
Let's say I have "ou=protected,dc=example,dc=com" directory and I want it to be writable by any user with canAccessProtected attribute set to TRUE.
Something like
access to dn.subtree="ou=protected,dc=example,dc=com"
by users/canAccessProtected="TRUE" write
I've checked documentation and was unable to find a way, although I haven't grasped sets and few other things.
Is it possible to manage user access by attribute value? If yes, then how?
Create a dynamic group like:
dn:cn=protectedGroup,ou=groups,dc=example,dc=com
objectClass:top
objectClass:groupOfURLs
cn:protectedGroup
memberURL: ldap:///ou=users,dc=example,dc=com??sub?(canAccessProtected=TRUE)
Enable dynlist in your slapd.conf like:
overlay dynlist
dynlist-attrset groupOfURLs memberURL member
Grant write access to the members of that group:
access to dn.subtree="ou=protected,dc=example,dc=com"
by set="[cn=protectedGroup,ou=groups,dc=example,dc=com]/member & user" write
Add necessary ACL rules as you see fit.
Using SQLAlchemy through Flask-Admin/Flask-Security.
I have 2 roles: "admin" and "user"
Normal users own certain parts of the data (certain rows of the tables) and should only access their own data.
What is the standard idiom only allowing users to access their data but not other users' data? I created a special UserView and overrode get_query and get_count_query and included a filter in these methods. Is that the standard way?
I am new to SLQAlchemy, and I am having trouble filtering tables that are "distant" from the User table.
For example: User to Project (many-to-one), Project to X (many-to-many), X to Y (many-to-many), all with backrefs.
How would I filter in the Y view for a non-admin user to filter only those rows that are reachable from the current user (through Project)?
Thanks!
I have been reading carefully through the MediaWiki documentation but I have not been able to find out how to create new groups.
When I look at Special:Userrights, I see only 3 groups :
Bots, Sysops, Bureaucrats
I would like to create my own custom groups, so I can use some extensions like the http://www.mediawiki.org/wiki/Extension:Group_Based_Access_Control.
Can someone tell me how it's done, or point me to some documentation?
You can add permissions for new groups to your LocalSettings.php file and they will automatically appear in the Special:UserRights page.
For example, I wanted to disallow editing by regular users but create a "Trusted" group that was allowed to edit. The following code creates a "Trusted" group that is equal to the "user" group, except that "Trusted" users can edit but "user" users cannot.
$wgGroupPermissions['Trusted'] = $wgGroupPermissions['user'];
$wgGroupPermissions['user' ]['edit'] = false;
$wgGroupPermissions['Trusted']['edit'] = true;
$wgGroupPermissions['sysop' ]['edit'] = true;
On the Special:UserRights page, I can now check the "Trusted" box to make users trusted.
You can alter the appearance of the group name by creating the following messages:
(For a group named ninja:)
MediaWiki:Group-ninja (content: Ninjas)
MediaWiki:Group-ninja-member (content: ninja)
MediaWiki:Grouppage-ninja (content: Project:Ninjas)
This will insure that the group will be referred to as "Ninjas" throughout the interface, and a member will be referred to as a "ninja", and overviews will link the groupname to Project:Ninjas.
(source: http://www.mediawiki.org/wiki/Manual:User_rights#Examples)
Here you will find a List of Permissions. http://www.mediawiki.org/wiki/Manual:User_rights
I beleive I have found the answer, I just need to add the UserGroup and the permission to the wgGroupPermissions array in the LocalSettings.php file.
$wgGroupPermissions['TomatoUsers']['read'] = true;
$wgGroupPermissions['TomatoUsers']['edit'] = false;
I don't have the reputation to vote up the first answer (which can also be added to extension initialization files), but for when you get to adding users to your groups you may want to consider directly editing the database (ie. if you need to sync the wiki groups with external information). If you open the database "wikidb" the "PREFIX_user_groups"* table contains the mapping between user IDs (ug_user) and group names (ug_group). This table, combined with the "PREFIX_user"* table's name information (user_name) and ID information (user_id), give you all the information to add and remove large numbers of users from groups.
* Replace "PREFIX" with the database prefix you used for your wiki.