How are Documentum ACLs and groups connected to each other?

ACLs are access lists which define who can access a folder, while a group defines a collection of users with similar access.
Can anyone please share how folders, groups and ACLs are connected? Can a group have more than one ACL and vice versa?
I need a little explanation as I am new to Documentum.

ACLs are access lists which define who can access an object (folder, content object, process, etc.).
A group defines a collection of users or groups.
An ACL has two built-in entries (dm_owner, the creator, and dm_world, everyone) and N additional entries for groups or users.
A group cannot have an ACL, but more than one ACL can have the same group (one entry per group/user per ACL).
Please be more specific about your questions. ;)
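A small model of the relationship described in this answer, added here as an example and not taken from the thread or from Documentum itself. It assumes Documentum's basic permit levels (NONE through DELETE) and that the effective permit is the highest level among the matching entries; the group and ACL names are constructed.

```python
# Added example, not from the original post: how an ACL refers to users and
# groups (the ACL holds the entries; the group knows nothing about the ACL).
# Assumptions: permit levels are Documentum's basic permits (1 = NONE .. 7 = DELETE)
# and the effective permit is the highest level among all matching entries.
NONE, BROWSE, READ, RELATE, VERSION, WRITE, DELETE = range(1, 8)

class Group:
    def __init__(self, name, members=()):
        self.name = name
        self.members = set(members)   # user names or names of nested groups

class ACL:
    def __init__(self, name, owner_permit, world_permit):
        self.name = name
        # the two built-in entries every ACL carries
        self.entries = {"dm_owner": owner_permit, "dm_world": world_permit}

    def grant(self, accessor, permit):
        # one entry per user or group per ACL: granting again replaces the level
        self.entries[accessor] = permit

def groups_of(groups, user):
    """Names of every group the user is in, following nested membership."""
    found, pending = set(), [user]
    while pending:
        member = pending.pop()
        for g in groups.values():
            if member in g.members and g.name not in found:
                found.add(g.name)
                pending.append(g.name)
    return found

def effective_permit(acl, user, owner, groups):
    """Highest permit the ACL grants this user on an object owned by `owner`."""
    level = acl.entries["dm_world"]
    if user == owner:
        level = max(level, acl.entries["dm_owner"])
    level = max(level, acl.entries.get(user, NONE))
    for g in groups_of(groups, user):
        level = max(level, acl.entries.get(g, NONE))
    return level

# Constructed sample: the same group is referenced by two different ACLs,
# which is the direction of the relationship the answer describes.
GROUPS = {"finance": Group("finance", ["alice"]),
          "auditors": Group("auditors", ["finance"])}   # finance nested in auditors
INVOICES_ACL = ACL("invoices_acl", owner_permit=DELETE, world_permit=BROWSE)
INVOICES_ACL.grant("finance", WRITE)
REPORTS_ACL = ACL("reports_acl", owner_permit=DELETE, world_permit=NONE)
REPORTS_ACL.grant("auditors", READ)
```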

Related

Azure Policy to restrict role based access control(IAM) to users at Resource group level in Azure

We were trying to implement a policy in Azure to restrict role-based assignment. We referenced the GitHub policy below, but during testing we observed that it is not evaluating the roleDefinitionIds defined in the parameter.
https://github.com/Azure/azure-policy/blob/master/samples/Authorization/allowed-role-definitions/azurepolicy.json
Tested with the below roleIDs parameter:
b24988ac-6180-42a0-ab88-20f7382dd24c (Contributor Role)
acdd72a7-3385-48ef-bd42-f606fba81ae7 (Reader Role)
Ideally, it should whitelist the role IDs defined in the parameter and deny the role assignment for other role IDs. But for some reason, during evaluation the Azure Policy service is not taking into account the role IDs defined in the parameter and is instead restricting role-based assignment for all roles.
I need help troubleshooting this.
I tried with this Role Definition ID and worked for me:
/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c
And if you are assigning the policy from the Azure Portal and want to provide multiple values, you need to put a semicolon (;) between the values.
You may have input an invalid ID. A valid role definition ID looks like:
/subscriptions/%YOUR_SUBSCRIPTION_ID%/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c
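A validation helper for the point made in the two answers, added here as an example and not part of the thread or of the Azure policy sample: a bare GUID is the spelling the question reports as not being matched, while the full resource ID (with or without the /subscriptions/... prefix) is what worked. The semicolon splitting mirrors the portal input format the first answer describes; the all-zero GUID used in the test is constructed.

```python
# Added example, not from the original thread: check the values an operator
# types into the roleDefinitionIds policy parameter before assigning the policy.
import re

GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
PATH_RE = re.compile(
    r"^(?:/subscriptions/(?P<sub>[^/]+))?"
    r"/providers/Microsoft\.Authorization/roleDefinitions/(?P<guid>[^/]+)$", re.I)

def role_guid(value):
    """GUID of a role definition given in any of the three spellings in the thread."""
    value = value.strip()
    if GUID_RE.match(value):
        return value.lower()
    m = PATH_RE.match(value)
    if m and GUID_RE.match(m.group("guid")):
        return m.group("guid").lower()
    raise ValueError(f"not a role definition id: {value!r}")

def is_full_resource_id(value):
    """True only for the /providers/... form the answer reports as working."""
    return PATH_RE.match(value.strip()) is not None

def parse_portal_parameter(param):
    """Portal input: values separated by ';'. Returns (usable ids, rejected values).
    Bare GUIDs are rejected because the policy's string comparison never matches them."""
    ids, rejected = [], []
    for raw in param.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        try:
            role_guid(raw)
        except ValueError:
            rejected.append(raw)
            continue
        (ids if is_full_resource_id(raw) else rejected).append(raw)
    return ids, rejected

def assignment_allowed(assignment_role_definition_id, allowed_ids):
    """Offline check of what the policy should decide: compare by GUID, case-insensitively."""
    allowed = {role_guid(a) for a in allowed_ids}
    return role_guid(assignment_role_definition_id) in allowed
```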

Users, Roles and Permissions where some roles can have a combination of permissions

Take a look at the sketch below. How can I have a "dynamic" role for limited_administrator? I want to be able to assign the role of limited_administrator to different users, but with each of them able to access a different combination of modules.
Example:
user_limited_administrator:
  access Module 1, access Module 2
payments_limited_administrator:
  access Module 1, access Module 4, access Module 5
customer_representative_limited_administrator:
  access Module 3, access Module 4, access Module 5
... and other combinations based on future project needs
Do I need to add to the roles table all the limited_administrator accounts that I need to use and assign that specific limited_administrator role to the user? Is there another way?
P.S.: my "user" role also has to be split into 3 or 4 subtypes, as the limited_administrator would be.
Edit: I found this question and an amazing answer that may solve most of my issues.
Can this approach use an incremental type of user role permissions (building on from the other)? Consider these permissions: search, post, comment, manage users. I want to have: guest (search), user (search, post, comment), admin (search, post, comment, manage users). Can I say this: guest (search), user is guest + (post, comment), admin is user + (manage users)? Would this be a programming mess?
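One way to express the incremental roles from the edit and the module combinations from the sketch in a single structure, added here as an example and not taken from the question or the linked answer. Role and permission names are the ones the question uses; the cycle check is my own addition, since a role that inherits from itself is a configuration bug rather than a valid hierarchy.

```python
# Added example, not from the original question: each role lists only its own
# permissions plus the roles it builds on, so "user is guest + (post, comment)"
# is written once, and each limited_administrator variant is just a different
# set of module permissions.
ROLES = {
    "guest": {"perms": {"search"}, "parents": []},
    "user":  {"perms": {"post", "comment"}, "parents": ["guest"]},
    "admin": {"perms": {"manage_users"}, "parents": ["user"]},
    "user_limited_administrator":
        {"perms": {"module_1", "module_2"}, "parents": []},
    "payments_limited_administrator":
        {"perms": {"module_1", "module_4", "module_5"}, "parents": []},
    "customer_representative_limited_administrator":
        {"perms": {"module_3", "module_4", "module_5"}, "parents": []},
}

def effective_permissions(role, roles=ROLES, path=()):
    """Own permissions plus everything inherited through the parent chain."""
    if role in path:
        raise ValueError("role cycle: " + " -> ".join(path + (role,)))
    perms = set(roles[role]["perms"])
    for parent in roles[role]["parents"]:
        perms |= effective_permissions(parent, roles, path + (role,))
    return perms

def user_permissions(user_roles, roles=ROLES):
    """A user may hold several roles (e.g. a base role plus one limited_administrator variant)."""
    perms = set()
    for r in user_roles:
        perms |= effective_permissions(r, roles)
    return perms

def can(user_roles, permission, roles=ROLES):
    """The single check the application code calls; deny by default."""
    return permission in user_permissions(user_roles, roles)
```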

Activiti engine integration with custom user & group data tables

My company has its own database and it contains user and group tables. I am creating a workflow manager using the Activiti API, and I am also using Activiti-REST. I need to fetch user data and group data from my company's database instead of using ACT_ID_USER and ACT_ID_GROUP. I searched the internet and posted in their forum, but I didn't get any sensible answers.
In the forum they suggest using LDAP, but I don't want to touch LDAP.
I went through the Activiti source. Can I just modify its iBATIS mapping files related to ACT_ID_USER? Will it work, or is there any better approach? Also, the activiti-rest API must work according to our own tables.
Can someone please show some good references regarding this?
You have to implement the interface org.activiti.engine.impl.interceptor.SessionFactory and return the appropriate org.activiti.engine.impl.interceptor.Session type (org.activiti.engine.impl.persistence.entity.UserIdentityManager.class or org.activiti.engine.impl.persistence.entity.GroupIdentityManager.class), then you have to create your own User/Group manager (usually extending org.activiti.engine.impl.persistence.entity.UserEntityManager or org.activiti.engine.impl.persistence.entity.GroupEntityManager).
Finally you have to register your custom session factories on your processEngineConfiguration. More info (a little outdated, because in 5.13 the session types changed) is available in this blog post.

Cake ACLs with Groups and Users added to Projects

I'm currently working on a platform which is planned to coordinate the communication with customers in future. Users can be added to projects and have certain rights. Therefore users are assigned to different user roles (admin/manager/member/viewer). Admins can view all projects and are allowed to add other users to a project. If a user (e.g. role: member) is added to a project, he will have certain rights (depending on the role); if not, he is not allowed to access the project at all.
I'm using Cake's ACL component and everything is working great when I disregard whether a user is added to a project or not. The only solution I can think of is not to grant rights on the group level, but on the user level when an admin adds a user to the project.
Is there an easier way to solve this issue? Otherwise I'm afraid that the code would become totally confusing.
There is another way (I don't really know if it is easier; it depends on your point of view). The ACL component only helps you to create roles, but you need role and project-access management, right?
What I do in these cases:
Create a Project_Permission table in your database (give it a better name, I'm lacking imagination). Depending on your project, create the associations: a user can be related to many projects and a project can have many users accessing it. If you are following the Cake conventions (and your tables are named users and projects) and it doesn't interfere with what you already have, the table should be
```
PROJECTS_USERS
    id
    project_id
    user_id
    created and modified   -- if you want to
```
Create appropriate actions where the admin (or another type of user, that's up to you) can add users to projects and save that many-to-many association in the previously created table.
Since the authorization for the project does not come from the ACL component, you have to create an "authorization" function yourself. I recommend putting this in the beforeFilter() function of the AppController (if you don't have an AppController, you'll have to do it in every controller you want this to work in). In this function, check if the logged-in user is in the existing table and has an association with the project. Something like:
```php
public function beforeFilter() {
    parent::beforeFilter();
    // let's assume you have the project id somewhere, in a global variable like $this->_projectID
    $user = $this->Session->read('Auth.User.id');
    $project = $this->Project->find('first', array(
        'conditions' => array('Project.id' => $this->_projectID, 'User.id' => $user)
    ));
    // find('first') returns false when nothing matches, so test for emptiness
    // rather than count(): count(false) is 1 on older PHP and would grant access
    if (!empty($project)) {
        // the user has permission to see the project
    } else {
        // he doesn't
    }
}
```
It's difficult to give actual code because I'm not sure of your model associations, nor where you want the code, nor if you have the variables needed for this available everywhere, but I hope you get the idea. After that it's just a matter of how you want to handle the restriction of access (normally a flash message and a redirection are involved).
I hope this is clear enough :S

Determine if Outlook Contact has been deleted using EWS 2007

I am able to retrieve lists of contacts for specified mailboxes using Exchange Web Services. My issue is that some of the contacts returned have been deleted by the Outlook user, and I need to determine which ones. How can I do this?
All the examples I've seen online use this method, but never for contacts.
I have tried setting the Traversal property of the ItemView variable to SoftDeleted, but that does not return anything.
Below is the pertinent portion of my code:
```csharp
ItemView itemViewDeleted = new ItemView(100);
itemViewDeleted.Traversal = ItemTraversal.SoftDeleted;
FindItemsResults<Item> deletedItems = svc.FindItems(WellKnownFolderName.Contacts, itemViewDeleted);
```
You need to check the WellKnownFolderName.DeletedItems folder. That is where my contacts go when I delete them.
There are three ways to delete a Contact. See TechNet for the Exchange terminology reference.
1. Delete (moved to the Deleted Items folder: WellKnownFolderName.DeletedItems)
2. Soft Delete (moved to the Recoverable Items folder: WellKnownFolderName.RecoverableItemsDeletions)
3. Hard Delete (purged from the mailbox: WellKnownFolderName.RecoverableItemsPurges)