Is it possible in Rundeck to limit a user group to only see a specific group inside of a project? The project has 5 different groups ("folders") with jobs in them. I can limit run access to the group I want, but I don't want the user group to see any of the other folders under the project. Does that make sense?

    Project
      group1   Hide for a user group
      group2   Access for all
      group3   Hide for a user group
There is.
Just remove read from the job group ACL.
The following ACL only allows users from user_group to run and read jobs under group2. The users cannot read (see) any jobs other than those under group2.

    description: Limited user access for group in a project
    context:
      project: 'project1'
    for:
      job:
        - equals:
            group: 'group2'
          allow: [run,read]
    by:
      group: [user_group]
Note: if you have multiple ACLs, your ACL may be overridden by another ACL file.
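As an added example (not code from the answer above or from the Rundeck project), the following is a deliberately simplified Python model of how several job ACL policies combine, to make the note concrete: any matching `deny` wins, otherwise an action is permitted if any matching rule lists it under `allow`. The policy dicts mirror the YAML keys; `BROAD_READ` and `DENY_OTHERS` are constructed here, and `match` is modelled as a full regex match.

```python
import re

# Constructed policy documents, as dicts so the example runs without a YAML parser.
LIMITED = {"context": {"project": "project1"},          # the policy from the answer
           "for": {"job": [{"equals": {"group": "group2"}, "allow": ["run", "read"]}]},
           "by": {"group": ["user_group"]}}
BROAD_READ = {"context": {"project": "project1"},       # a typical catch-all policy
              "for": {"job": [{"match": {"group": ".*"}, "allow": ["read"]}]},
              "by": {"group": ["user_group"]}}
DENY_OTHERS = {"context": {"project": "project1"},      # explicit deny on the other groups
               "for": {"job": [{"match": {"group": "group[13]"}, "deny": ["read", "run"]}]},
               "by": {"group": ["user_group"]}}
JOB_GROUPS = ["group1", "group2", "group3"]


def rule_matches(rule, job_group):
    """Simplified matcher: `equals` compares the string, `match` is a full regex match."""
    if "equals" in rule:
        return rule["equals"].get("group") == job_group
    if "match" in rule:
        return re.fullmatch(rule["match"].get("group", ""), job_group) is not None
    return False


def decide(policies, project, user_groups, job_group, action):
    """True if a user in `user_groups` may perform `action` on a job in `job_group`."""
    allowed = False
    for policy in policies:
        if policy["context"].get("project") != project:
            continue
        if not set(policy["by"].get("group", [])) & set(user_groups):
            continue  # this policy does not apply to the caller
        for rule in policy["for"].get("job", []):
            if not rule_matches(rule, job_group):
                continue
            if action in rule.get("deny", []):
                return False  # an explicit deny in any file wins
            if action in rule.get("allow", []):
                allowed = True  # allows accumulate across files
    return allowed


def visible_groups(policies, user_groups=("user_group",)):
    """Job groups a member of user_groups can read, i.e. see in the UI."""
    return [g for g in JOB_GROUPS if decide(policies, "project1", user_groups, g, "read")]
```

With only `LIMITED` loaded the user sees group2 alone; adding `BROAD_READ` silently exposes all three groups again, and only an explicit deny restores the restriction.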
I'm creating a Google Data Studio dashboard with the filter by email option. It's easy to do when you want to allow a user to see only one option, for example:
user region
alice A
bob F
charlie Z
But how can I give some user access to all regions from A to Z? Is there a better way to do it than simply creating 26 rows for every user with this admin access?
I'd like to avoid creating this table:
user region
admin A
admin B
admin C
...
admin Z
and instead do something similar to this:
user region
admin *
In the BigQuery connector, you can write a custom query like:

    select *
    FROM table_name
    where
      case when @DS_USER_EMAIL IN (select distinct map_field from table_name)
           then @DS_USER_EMAIL
           else 'all' end = map_field

You will have to create a mapping for 'all' one time. But this works. No need to use the filter by email feature.
I am trying to create nested groups in ejabberd's mod_shared_roster corresponding to the organizational structure of my enterprise, similar to this:
Group1
- Subgroup1-1
- Subgroup1-2
Group2
- Subgroup2-1
- Subgroup2-1-1
- Subgroup2-1-2
- Subgroup2-2
...
Using the web interface I can only make a one-level flat group structure.
Is there a way to do it?
This depends on the client. For example, Tkabber supports nested groups (Preferences -> Roster -> Nested and Nested_delimiter), and I have configured :: as the delimiter.
Then, in the ejabberd webadmin, I create the groups:

    g1
      Name: Group1
    sg11
      Name: Group1::Subgroup1-1
      Members: user1@localhost usergroup1-1@localhost
      Displayed Groups: sg11

When user1 logs in, he gets the usergroup1-1 contact and it is displayed in a nested group Group1->Subgroup1-1.
Here is my sample graph:

    g.addV('user').property('userId','user1').as('u1').
      addV('user').property('userId','user2').as('u2').
      addV('user').property('userId','user3').as('u3').
      addV('group').property('groupId','group1').as('g1').
      addV('group').property('groupId','group2').as('g2').
      addV('group').property('groupId','group3').as('g3').
      addV('folder').property('folderId','folder1').property('inheritance',false).as('f1').
      addV('folder').property('folderId','folder2').property('inheritance',true).as('f2').
      addV('folder').property('folderId','folder3').property('inheritance',true).as('f3').
      addV('file').property('fileId','file1').
      addE('in_folder').to('f1').
      addE('in_folder').from('f2').to('f1').
      addE('in_folder').from('f3').to('f2').
      addE('member_of').from('u1').to('g1').
      addE('member_of').from('u2').to('g2').
      addE('member_of').from('u3').to('g3').
      addE('member_of').from('g3').to('g1').
      addE('has_permission').from('g1').to('f1').
      addE('has_permission').from('u2').to('f1').iterate()

Folder f2 inherits from f1, meaning the users and groups who have access to f1 will also have access to f2; the same goes for f3.
Access to a folder for a user can come from a group or from a parent group of that group.
How can I write a Gremlin query to check whether 'user1' has permission on f3?
The query below can fetch direct access for the user or one of its groups on the given folder, but it doesn't check parent folder permissions through the inheritance property.

    g.V().has('user','userId','user1').emit()
      .until(__.not(outE('member_of'))).repeat(out('member_of'))
      .filter(outE('has_permission').has('permission','VS_F').inV().has('folder','folderId','folder1')).hasNext()
Instead of using filter, just continue the traversal:

    g.V().has('user', 'userId', 'user1').emit().repeat(out('member_of'))
      .out('has_permission').emit().repeat(__.in('in_folder').has('inheritance',true))
      .has('folder', 'folderId', 'folder3')
      .path().unfold().valueMap()

We first get all the group memberships recursively.
Then we get all the resources the user and his groups have access to.
Then we traverse all the inherited resources recursively.
Finally, we filter for the required resource.
The last line is only needed if you want to see the relations that permitted the access.
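The same check as the traversal above, written as an added plain Python example (not the answer's code) over a constructed copy of the sample graph, so the membership closure, the permission hop and the inheritance descent can be run and inspected offline; `inherits` is passed in so the effect of a folder with `inheritance=false` can be tested.

```python
from collections import deque

# Constructed edge list mirroring the sample graph: (source, label, target).
EDGES = [
    ("file1", "in_folder", "folder1"),
    ("folder2", "in_folder", "folder1"),
    ("folder3", "in_folder", "folder2"),
    ("user1", "member_of", "group1"),
    ("user2", "member_of", "group2"),
    ("user3", "member_of", "group3"),
    ("group3", "member_of", "group1"),
    ("group1", "has_permission", "folder1"),
    ("user2", "has_permission", "folder1"),
]
# The 'inheritance' property of each folder vertex in the sample graph.
INHERITS = {"folder1": False, "folder2": True, "folder3": True}


def out_edges(src, label):
    return [t for s, l, t in EDGES if s == src and l == label]


def in_edges(dst, label):
    return [s for s, l, t in EDGES if t == dst and l == label]


def closure(start, step):
    """emit().repeat(step): the start vertex plus everything reachable by repeating step."""
    seen, queue = [], deque([start])
    while queue:
        node = queue.popleft()
        if node in seen:
            continue  # stops on membership or folder cycles, which the raw repeat() would not
        seen.append(node)
        queue.extend(step(node))
    return seen


def permitted_folders(user, inherits=INHERITS):
    """All folders `user` may access directly, via (nested) groups, or via inheritance."""
    principals = closure(user, lambda n: out_edges(n, "member_of"))      # user + its groups
    granted = set()
    for principal in principals:
        for folder in out_edges(principal, "has_permission"):           # direct grants
            # descend into child folders only while they opt in with inheritance=true;
            # file1 also sits in folder1 but has no inheritance flag, so it is skipped
            granted.update(closure(folder, lambda f: [c for c in in_edges(f, "in_folder")
                                                      if inherits.get(c, False)]))
    return granted


def has_access(user, folder, inherits=INHERITS):
    return folder in permitted_folders(user, inherits)
```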
How can I give only the first superAdmin access to a group's permissions (for example, signature permissions), while other admins and superAdmins have no access to them (signature permissions)?
For example, the first SuperAdmin with id = 1 should be the only one to see and access some permissions and be able to change them,
and the other superAdmins cannot see these permissions.
Super admins are defined in the library/config.php file:

    $config['superAdmins'] = '1,2,3';

1, 2 and 3 being three different user IDs.
I need your advice on an LDAP structure and the associated ACL.
Our LDAP will manage 10 organizations (the number may vary) which contain users (a total of 250 users).
I want 1 user per organization to be allowed to manage all the users of his own organization.
Users will also be attached to custom groups.
What is the best LDAP structure for that?
My first idea is the following:
Groups:

    dn: cn=Manager,ou=Roles,ou=Groups
    objectClass: posixGroup
    objectClass: top
    cn: Manager
    gidNumber: 10100
    memberUid: user1
    memberUid: user3

    dn: cn=Structure1,ou=Structures,ou=Groups
    objectClass: posixGroup
    cn: Structure1
    gidNumber: 10000
    description: Structure1
    memberUid: user1
    memberUid: user2

    dn: cn=Structure2,ou=Structures,ou=Groups
    objectClass: posixGroup
    cn: Structure2
    gidNumber: 10001
    description: Structure2
    memberUid: user3
    memberUid: user4

user1 should be allowed to edit user user2 but not user3 or user4.
user3 should be allowed to edit user1 but not user2.
I actually get stuck on the ACL because I don't succeed in using the groups of an entry with the ACL set method.
I would like to do something like this:

    {1}to dn.children="ou=Users" by set="[cn=]+this/groups+[,ou=Structures,ou=Groups]/memberUid & user/uid" write by * read

I am able to use groupOfNames if that is better than posixGroup.
I've already read:
http://www.openldap.org/doc/admin24/access-control.html
http://www.openldap.org/faq/data/cache/1133.html
http://www.openldap.org/faq/data/cache/1134.html
My contribution is one option to solve this situation. I know it's been a while, but I hope this helps someone out there.
- Change to groupOfNames or organizationalRole (the latter supports empty groups); both require a DN as member.
- Enable the memberof overlay, to add the memberOf operational attribute on the user (this adds the list of groups the user is a member of to an attribute in the user entry):

    olcMemberOfGroupOC: organizationalRole
    olcMemberOfMemberAD: roleOccupant
    olcMemberOfMemberOfAD: groups

("groups" is the operational attribute added to the user.)
Once both actions have been performed and you're sure the users have values in the groups operational attribute, according to the original question, here are 2 scenarios:
1st scenario - user1 is allowed to write user3,ou=users as they both belong to cn=Manager,ou=Roles,ou=Groups
2nd scenario - user1 is allowed to write user2,ou=users as they both belong to cn=Structure1,ou=Structures,ou=Groups

    by set="this/groups & user/groups" write

This ACL allows write whenever both users (the modified and the modifier) share a group; in that case the ACL grants write privileges.
user=user1,ou=users
    "user/groups" gets the values of the modifier's groups attribute: cn=Manager,ou=Roles,ou=Groups and cn=Structure1,ou=Structures,ou=Groups.
this=user3,ou=users
    "this/groups" gets the values of the modified object's groups attribute: cn=Manager,ou=Roles,ou=Groups and cn=Structure2,ou=Structures,ou=Groups.
this=user2,ou=users
    "this/groups" gets the values of the modified object's groups attribute: cn=Manager,ou=Roles,ou=Groups and cn=Structure1,ou=Structures,ou=Groups.
I hope this solves the question and is useful to anyone struggling with OpenLDAP ACLs as I was some days ago.
Best regards!!
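As an added example that is not part of the answer above, this Python snippet builds a constructed mini directory with the three organizationalRole entries from the question, derives the `groups` attribute the memberof overlay would populate from `roleOccupant`, and evaluates the answer's `set="this/groups & user/groups"` clause for every modifier/target pair so the full write matrix can be checked rather than only the two scenarios.

```python
# Constructed organizationalRole entries: group DN -> roleOccupant values.
ROLES = {
    "cn=Manager,ou=Roles,ou=Groups": ["uid=user1,ou=Users", "uid=user3,ou=Users"],
    "cn=Structure1,ou=Structures,ou=Groups": ["uid=user1,ou=Users", "uid=user2,ou=Users"],
    "cn=Structure2,ou=Structures,ou=Groups": ["uid=user3,ou=Users", "uid=user4,ou=Users"],
}
USERS = ["uid=user1,ou=Users", "uid=user2,ou=Users", "uid=user3,ou=Users", "uid=user4,ou=Users"]


def groups_attribute(user_dn):
    """The value set that olcMemberOfMemberOfAD: groups would hold on this user entry."""
    return {group_dn for group_dn, occupants in ROLES.items() if user_dn in occupants}


def set_clause_grants_write(modifier_dn, target_dn):
    """Models `by set="this/groups & user/groups" write`:
    `this` is the entry being modified, `user` the bound DN; the clause fires
    when the intersection of the two groups attributes is non-empty."""
    return bool(groups_attribute(target_dn) & groups_attribute(modifier_dn))


def write_matrix():
    """For every modifier, the sorted list of user entries it would be allowed to write."""
    return {m: sorted(t for t in USERS if set_clause_grants_write(m, t)) for m in USERS}
```

Because the clause is symmetric and never checks that the modifier holds the Manager role, user2 (a non-manager) also gets write on user1 through the shared Structure1 role, and user1 and user3 can write each other through Manager; if only managers should write, the modifier side needs an additional restriction.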