We Keep Coding

JSON data modeling: users who have access to projects

When structuring our data model (JSON in a document database), we have users which are part of a project. I.E. a project has many users and a user can be part of many projects.
Does it make sense to store each project a user has access to in the user:
{
"id": "u1"
"name": "John Doe",
"email": "john.doe#domain.com",
"projects": [
"p1",
"p2",
"p3"
]
}
Or instead store the users in the projects themselve:
{
"id": "p1"
"name": "Project A",
"users": [
"u1"
]
}
{
"id": "p2"
"name": "Project B",
"users": [
"u1"
]
}
{
"id": "p3"
"name": "Project C",
"users": [
"u1"
]
}
We anticipate needing to select all projects for a given user as well as selecting all users for a given project.

According to document of Mongo database (https://docs.mongodb.com/manual/tutorial/model-embedded-one-to-many-relationships-between-documents), two ways above is fine.
I think the business will make decision that which data model should be chosen, for e.g, if there were only one or two projects but many users and you only need to show list of projects of users, the first way is better.
P/S: If you use Mongo, please consider to use mongoose which helps to retrieve data easily.

Get UserId of shared calendar's owner using MS Graph API

I want to get the User's profile that shared a Calendar with me but this call needs the id or userPrincipalName:
GET /users/{id | userPrincipalName}
The shared calendar only returns:
{
"id": "**********************************************=",
"name": "Lala Lalala",
"color": "auto",
"changeKey": "Epg+nQ9k3kuTN16cfoLtwAAAsZgDvA==",
"canShare": false,
"canViewPrivateItems": false,
"canEdit": true,
"owner": {
"name": "Lala Lalala",
"address": "Lalala#outlook.com"
}
}
So how can I get the id or userPrincipalName of the shared calendar's owner?

For Work/School Accounts (Azure AD tenants), the userPrincipalName is the owner's address (i.e. alias#aad.domain.com):
"owner": {
"name": "Lala Lalala",
"address": "Lalala#outlook.com"
}
Assuming they're in the same tenant as your, you can retrieve their profile using GET https://graph.microsoft.com/v1.0/users/{owner.address}.
Important: This does not, however, apply to Personal Accounts (MSA/Outlook.com). I only mention this because your example used Lalala#outlook.com as the address.
Since Outlook.com is effectively a "single user" tenant, the only user you can retrieve is yourself (/me). Just as you cannot access a user's data from another company's AAD, you cannot retrieve another Outlook.com user's profile. If you consider the pricacey implications of my access your personal contact information, it makes sense why this rule is in place.

No directly way to implement what you want. But you can get the id or userPrincipalName by two steps:
Get calendars whose owner is not you, the response like you have posted(official docs):
https://graph.microsoft.com/v1.0/me/calendars
Use the address in the owner to call the following API:
https://graph.microsoft.com/v1.0/users/{address}
The response with id and userPrincipalName:
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
"id": "5eec0ff7-b007-48c4-87ae-7cddb085f234",
"businessPhones": [],
"displayName": "...",
"givenName": "...",
"jobTitle": null,
"mail": "test#test.com",
"mobilePhone": "8612345678",
"officeLocation": "No WorkSpace",
"preferredLanguage": null,
"surname": "s",
"userPrincipalName": "test#test.com"
}

Microsoft Graph API - Can't fetch group members of contact type

I have a group that contains group, user and contact as members. I can fetch all of them in Admin UI and via PowerShell command Get-DistributionGroup -Identity 'myGroup'. Result looks like
[{
"Alias": "xxxxxx",
"Guid": "xxxxxx",
"Identity": "xxxxx",
"PrimarySmtpAddress": "xxxxxx",
"RecipientType": "UserMailbox",
"SamAccountName": "xxxxxxx",
"WindowsLiveID": "xxxxxxx"
},
{
"Alias": "yyyyyyyyy",
"Guid": "yyyyyyyyy",
"Identity": "yyyyyyyyy",
"PrimarySmtpAddress": "yyyyyyyyy",
"RecipientType": "MailUniversalSecurityGroup",
"SamAccountName": "yyyyyyyyy",
"WindowsLiveID": ""
},
{
"Alias": "zzzzzzzzzz",
"Guid": "zzzzzzzzzz",
"Identity": "zzzzzzzzzz",
"PrimarySmtpAddress": "zzzzzzzzzz",
"RecipientType": "MailContact",
"SamAccountName": "",
"WindowsLiveID": ""
}
]
Documentation states that GET /groups/{id}/members should return all group members, including users, contacts, and other groups as members.
I get only user and group tyro members back, not mail contact is returned.
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects",
"value": [{
"#odata.type": "#microsoft.graph.user",
"id": "xxxxxx",
........
},
{
"#odata.type": "#microsoft.graph.group",
"id": "yyyyyyyyy",
........
}
]
}
Is this a bug in API or documentation?

Currently, the /v1.0 endpoint does not support Contacts. Since it isn't aware of Contacts, it isn't capable of returning them via /members.
The /beta endpoint has support for the microsoft.graph.orgContact entity. If you switch to this version, you should start seeing Contact members showing up in the results.
This is documented in the Known Issues but it's a little hidden. It isn't filed under Groups but instead under Contacts: Organization contacts available in only beta.

Fiware IDM-Keyrock: How to check if user has some permission(permission_fiware) using keyrock API

I created some permissions(permission_fiware table) in Horizon regarding urls that can or cant be seen.I created permission(name:Upload images, with resource: "/image_upload") and role(role_fiware) admin that has this permission.
Now i want to check whether some user that is logged in to my application can view that page on url "/image_upload" that i defined in horizons permission.So my guess is i should first check what roles user has, and after that whether those roles that user is assigned have required permission.
So, my question is next:
How can i list what permission one specific user has.
In Keyrocks API:
http://docs.keyrock.apiary.io/#reference/keystone-extensions/role-user-relationships/list-users-role-assignments
i found how i can list all permissions for a specific role
http://keyrock/OS-ROLES/roles/role_id/permissions
but how can i get information about what roles(role_fiware) are assigned to a user?

As stands in the FIWARE-IDM documentation doing a request against the resource user of your IDM host using the access_token, will return the user information, and within that information you will find the roles that user have assigned:
GET
/user?access_token=XXXXXXXXXXXXXXXXXXXX
Response:
{
"organizations": [{
"website": "",
"city": "",
"name": "Franchise1",
"img": "/static/dashboard/img/logos/small/group.png",
"domain_id": "default",
"enabled": true,
"id": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"roles": [{
"name": "Franchise manager",
"id": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
}],
"email": "",
"description": "Test Organization"
}],
"displayName": "user1",
"roles": [{
"name": "End user",
"id": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
}],
"app_id": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"email": "user1#test.com",
"id": "user1"
}

How to identify the user's account type?

I'm trying to query Box API to identify if a user has a free or a paid account. So far I was able to query:
https://api.box.com/2.0/users/me?fields=enterprise
and I checked that if a user have a free account the attribute "enterprise" is null. But the problem is I can't distinguish between a paid account and a developer account because the have the same info on enterprise object:
{
"type": "user",
"id": "123",
"enterprise": {
"type": "enterprise",
"id": "456",
"name": "..."
}
}
Is there a way to identify theses 3 types of account (free, paid and developer)?

Currently you can only check whether or not the user has an enterprise by calling the GET /users/me endpoint.
{
"type": "user",
"id": "123",
"enterprise": {
"type": "enterprise",
"id": "456",
"name": "..."
}
}
and checking to see if the enterprise attribute is null to distinguish between a personal and enterprise user.