How to apply EMC Documentum "Dynamic ACLs" or "Mandatory ACLs (MACL)" with a "Trusted Content Services (TCS)" license - acl

I searched a lot about mandatory access control lists and I did not find useful information about how to apply MACL in Documentum. I need to know the steps and how to configure it.
I already had Documentum CS 7.3 with the TCS license enabled and I tested it by applying an e-signature to a PDF document.
MACL allows you to dynamically apply an ACL to objects depending on specific conditions.
Example 1:
Software developers are assigned read permission on documentation documents
Team Leads are assigned write permission on documentation documents.
Project Managers are assigned delete permission on documentation documents.
Example 2:
While users are located in the US,
users are assigned write permission on documents under the US cabinet and read permission on documents under all other cabinets, e.g. UK, Egypt, UAE.
If users log in from another network location like the UK,
users are assigned write permission on documents from the UK cabinet and read permission on documents under all other cabinets.

I found the answer to my question by using:
the Required Group, and Required Group sets
where you can give some users some permissions and apply them only if they are members of a specific group.
Required Groups
(Users/Groups must be a member of all listed groups to access this item)
Required Groups List
(Users/Groups must be a member of at least one of the listed groups to access this item)
I found an issue with EMC's documentation:
It states that in order to benefit from Trusted Content Services capabilities you must have the TCS license installed. But practically, whether you installed the TCS license or not, you can create dynamic ACLs and benefit from the group membership restriction. (Practically, TCS is not required, "case was tested", and there is misleading information about Dynamic ACLs usage and implementation.) No scenario is provided.

Sorry, but from your question one could assume that there is something called mandatory ACL within the Documentum platform. However, there isn't - AFAIK.
There are several ways in which you can dynamically apply an ACL or, in the terminology of the Documentum platform, a permission set.
Based on repository configurable parameter:
inherit from object type
inherit from user who created object
inherit from parent folder
If this doesn't fit you, you can write TBO (Type Based Object) code which acts as a trigger and runs your custom logic.
There are other ways to achieve what you want but you need to be more specific about your requirement.

If your client is D2, you can utilize the dynamic permission model based on documents attributes. This way you can achieve what you are asking for.

Related

How to get the authorized user's organization detail via LinkedIn API

The document shows that the r_fullprofile member permission is needed to get the user's organizations field.
I can not find in the document way to get the r_fullprofile permission.
I have already created new developer application.
Question:
How to get permission to fetch user's organization data via API call.
As per my understanding, I have only seen basic and lite profile member permissions.
Currently LinkedIn provides only 3 types of products, which are given below
and the scopes are provided based on these products.
For your requirement, you can opt for the marketing developer program, which will give the permission r_organization_admin
and using this permission, you can use following endpoint to get user's organizations along with roles.
We also did similar things in our app, where we list down user's organizations and user can select them to share their posts from our app.

Get drive files stats (views/openings) | Google Drive API

I've been searching the docs but I can't find anything.
The goal is to retrieve different stats from our files. Actually, we can retrieve almost everything we need, except for the document openings and document openings per user.
So here is the question: How can I retrieve document views of a drive document (a G Sheet to be more precise) ? Can I segment it by user ?
Thank you
I understand that your goals are the following:
You want to retrieve document views
Of a particular document (and you know its id)
Associated to a specific user
Please correct me if I get it wrong. If those are your goals, then you can use the Admin SDK as pointed out by Rubén in the comments. Now I am going to detail how you can make such a request easily.
You could use the method activities.list() to get a list with what you want. You only have to populate these four parameters:
| Parameter | Value | Description |
| --- | --- | --- |
| userKey | The user's email | Determine the user |
| applicationName | drive | Identifies the Google service |
| eventName | view | Designate the type of activity |
| filters | doc_id=={MY DOCUMENT ID HERE} | Filters by the document |
That configuration will provide you with your desired data. Leave a comment below if you need help creating that request in your own environment.
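The request described in this answer, as an added example that is not part of the original post: it builds the activities.list URL from the four parameters and tallies view events per user from a response body. The sample response, e-mail addresses and document ID are constructed; `userKey` set to `all` (accepted by the Reports API) is used here to segment by user.

```python
from collections import Counter
from urllib.parse import quote, urlencode

REPORTS_BASE = "https://admin.googleapis.com/admin/reports/v1/activity"


def build_activities_url(user_key, doc_id, event_name="view", application="drive"):
    """Build the activities.list URL from the four parameters in the table."""
    query = urlencode({"eventName": event_name, "filters": f"doc_id=={doc_id}"})
    user = quote(user_key, safe="")
    return f"{REPORTS_BASE}/users/{user}/applications/{application}?{query}"


def views_per_user(response, doc_id, event_name="view"):
    """Count matching events per actor e-mail in an activities.list response."""
    counts = Counter()
    for item in response.get("items", []):
        actor = item.get("actor", {}).get("email", "<unknown>")
        for event in item.get("events", []):
            params = {p.get("name"): p.get("value")
                      for p in event.get("parameters", [])}
            # Re-check name and doc_id locally instead of trusting the filter.
            if event.get("name") == event_name and params.get("doc_id") == doc_id:
                counts[actor] += 1
    return dict(counts)


def _activity(email, name, doc_id):
    """Constructed helper: one audit item in the Reports API response shape."""
    return {"actor": {"email": email},
            "events": [{"name": name,
                        "parameters": [{"name": "doc_id", "value": doc_id}]}]}


# Constructed sample response (not real audit data).
SAMPLE = {"items": [
    _activity("alice@example.com", "view", "DOC-1"),
    _activity("bob@example.com", "edit", "DOC-1"),
    _activity("alice@example.com", "view", "DOC-1"),
    _activity("bob@example.com", "view", "DOC-1"),
    _activity("bob@example.com", "view", "DOC-2"),
]}

if __name__ == "__main__":
    print(build_activities_url("all", "DOC-1"))
    print(views_per_user(SAMPLE, "DOC-1"))
```
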

Export the join date for members in a group

Is it possible to export a member's join date to a google group? When you manually export a .csv from a group it gives information on the join date. However, in google app script, I don't see the option for this in the Groups Service. This is the information that is in the .csv:
Any help or resources would be appreciated!
Short answer:
No, you cannot do that programmatically.
Long answer:
Google Groups functionality is mainly handled by Directory API, in its Groups and Members resources. That's what the Apps Script Groups Service is using behind the scenes, and you could use its methods directly by enabling the Admin SDK Directory Service in your script (the APIs —and, as a result, the advanced services— usually have greater functionalities than the Apps Script built-in classes).
If you look at the properties of any of these resources (Groups and Members), you won't find anything close to a join date property, so it doesn't seem to be part of the open API, and can only be accessed through the UI.
The same can be said of Groups Settings API, which can be used to manage group settings: no join date can be found in its resources.
Because of this, you have no way to programmatically store and retrieve the group member's join dates.
Workaround (of a sort):
If you are adding members to a group programmatically, with the API method Members: insert, you could make your application store the date in which each member was added, and retrieve it later. This is not possible, though, if members are added through the UI.
Filing a Feature Request:
Since this resource does seem to exist already (it can be accessed through the UI), I'd suggest you file a feature request in this Issue Tracker component to make this available to the API. If you do that, please make sure that you explain the usefulness of this functionality (explain how this could help you and, potentially, other users).
Reference:
Directory API: Groups
Directory API: Members
Directory API: Manage Groups

Azure Active Directory Custom Roles and Possible Scopes

I would like to create an Azure Active Directory Custom role with the following parameters:
Who to assign the role to:
Either a user, or group
What access will the role have:
Default role permissions from "User Access Administrator" directory role
Scope:
The custom role would only grant access in the specified AAD Groups
(My idea is to have users with this custom role, be able to fill the roles of a User Access Administrator ONLY in the Scoped AAD Groups)
This would provide application administrators the required rights to assign application roles to the specified "Scope" AAD groups, with least privileged in Active Directory
Is it possible to scope an Azure Active Directory custom role to an AAD Group? Not assign the role to a group, but rather the custom role only grant permissions to manage the AAD Group (Assign / Remove application roles to the group... etc)?
Meaning no rights/permissions exist in AAD, except for User Access Administration of that specified "Scope" AAD Group
If so, what would the scope format be when creating the custom role? Preferably in JSON or PowerShell.
There is no support today for custom roles in Azure Active Directory. Only the predefined Administrator Roles, as described in the documentation, are available for use.
You may, however, take a look at the advanced self-service or delegated group management capabilities and combine them with some existing role (like User Access Administrator or Application Administrator). You may also like to see the difference between Application Administrator and Cloud Application Administrator.
In pursuit of least privilege access, you may find the Least Privilege Role by Task document useful. And also the Microsoft Azure AD Privileged Identity Management to control and audit privileged tasks.
Last, but not least, a preview feature - Administrative Units may be of interest to you.
To summarize it
As of today (2018-12-04), there is no option to create a custom role within Azure AD. Neither to constrain a given role to a specific Group (be it security or office).
I believe this is already available now? https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-custom-overview

sharing a users folder as admin

Trying to figure out if I can do the following via the box-api.
1. authenticate as an enterprise admin
2. lookup a user (in our case a special box user named "group_xxx" where this account will serve as a non-person shared group like "group_math_dept", "group_engineering_dept", etc...).
3. query for the root folder info for a given user-id (perhaps "GET /users//folders/0"; tried that, it doesn't work).
4. View the list of enterprise users with whom the given folder has been shared.
5. Modify the list of enterprise users with whom the given folder has been shared.
What I'd like to do is develop an app to delegate admin of these special group accounts to an appropriate individual in the given group. We can maintain who admins what locally. I can authenticate as one of our Box Admins (i.e. I have working code for steps 1 and 2). However, I don't see support in the API v2.0 doc for steps 3, 4, and 5.
Am I missing anything?
Unfortunately my understanding is the same as what you've found; that account and meta operations like steps 3 through 5 are not currently supported through the API.
UPDATE:
Looking at Box's developers blog, it looks like functionality for steps 4 and 5 was actually just added, but is not yet in the documentation.
http://developers.blog.box.com/2012/09/10/v2-api-updates-keep-rolling/
Box actually has some more enterprise/admin API methods in private beta. Those are made accessible to early testers for a controlled environment, and include methods to perform operations on behalf of other users with administrative privileges.
If you're interested, feel free to email api [at] box [dot] com to discuss the testing of beta methods.