I have a created a custom role MyRole in OpenIDM. I have also created a new user User1 and a simple workflow. If User1 has roles MyRole and any of the in-built roles like Administrator/User/Task Manager then we can login to the OpenIDM console as User1 and able to see the new workflow on the dash board.
But, if the user1 has is associated with only the new role MyRole , then the workflow is not visible on the OpenIDM console for User1 login.
Can someone please explain me why I am not able to see the workflows using a user with only a custom role? How my custom role is different than that of the inbuilt roles? Any config files to be updated for mapping of custom roles and in-built roles?
Thanks.
Related
Is there a way to create RBAC roles in such a way that only provides a user to create a project and be admin for that project?
I cannot create cluster-admin role restricted for a project as we dont know what project it can be.
The usecase is , a user should be able to create a project and be admin to only his project
It's not possible to create an RBAC policy that will let them create a specific project. We handle this by having an onboarding system that permits people to request projects through a github pull request; when we approve the PR, our tooling creates the project and then sets up the requester as a project admin by creating per-project groups and rolebindings.
Have you looked at the self-provisioner role? I think this is what you are looking for.
That allows user to create projects. In that project they will then have local admin rights, except to modify quotas. Note that they actually have to use new-project to do this, they still can't just randomly create namespaces. (This is one of the reasons projects exist.)
Look at the docs for RBAC, including self-provisioner and differences between admin and cluster-admin.
Also see the section of project creation including how you template out the new projects.
I'm new to angular and am now developing a role management dashboard where a super-admin can assign and manage roles(possible roles: 'school admin', 'Teacher', 'Student', 'Parent') and their permissions respectively by clicking the check boxes.
NOTE: Refer the image for role management dashboard.
I found this link "https://jasonwatmore.com/post/2018/11/22/angular-7-role-based-authorization-tutorial-with-example" to be helpful when I tested to assign the permissions to the roles statically.
I also went through this question "Angular 6 Role based Authentication", but again the answer for this only helps with static role assignment.
so when a user clicks on the check box, the user should be assigned access to that particular component. I'm wondering is there a way where am user can manage roles and their permissions dynamically from an UI like Angular?If yes, how do we do it? Or any links that relates this would be of great help !!
I would like to create an Azure Active Directory Custom role with the following perimeters:
Who to assign the role to:
Either a user, or group
What access will the role have:
Default role permissions from "User Access Administrator" directory role
Scope:
The custom role would only grant access in the specified AAD Groups
(My idea is to have users with this custom role, be able to fill the roles of a User Access Administrator ONLY in the Scoped AAD Groups)
This would provide application administrators the required rights to assign application roles to the specified "Scope" AAD groups, with least privileged in Active Directory
Is it possible to scope an Azure Active Directory custom role to an AAD Group? Not assign the role to a group, but rather the custom role only grant permissions to manage the AAD Group (Assign / Remove application roles to the group... etc)?
Meaning no rights/permissions exist in AAD, except for User Access Administration of that specified "Scope" AAD Group
If so, what would the scope format be, when creating the custom role? Preferable in JSON or Powershell
There is no support today for custom roles in Azure Active Directory. Only the predefined Administrator Roles, as described in the documentation, are available for use.
You may, however take a look at the advanced self-service or delegated group management capabilities and combine them with some existing role (like User Access Adminsitrator or Application Administrator). You may also like to see the difference between Application Administrator and Cloud Application Administrator.
In persuade for least privilege access, you may find the Least Privilege Role by Task document useful. And also the Microsoft Azure AD Privileged Identity Management to control and audit privileged tasks.
Last, but not least, a preview feature - Administrative Units may be of interest to you.
To summarize it
As of today (2018-12-04), there is no option to create custom role within Azure AD. Neither to constrain given role to a specific Group (be it security or office)
I believe this is already available now? https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-custom-overview
I am working on a project management application http://kerika.com where I am having following case, where I am not able to downgrade a user's role on a google-drive file from "writer" to "reader":
A project owned by user U1 is shared with user U2 with role "Team Member".
When a new document is attached to the card of the project, it is uploaded to the google-drive account of user U1. Let's call this file as F1. U1 becomes owner for F1 and it is shared with user U2 with "writer" role.
When U1 decides to downgrade user U2's role to visitor for kerika project :
Kerika internally need to update user U2's role for F1 on google-drive to "reader".
Here as a kerika developer it becomes hard to find the Permission object for the user U2 to modify its role as Permission object of GoogleDrive API doesn't provide information about user's email address. It provides information about user's name but not about email address.
I have also looked at the google-drive-sdk video at http://www.youtube.com/watch?v=Z2OIlwju8UM&list=PL0FA2818902D9D123&index=15.
Videos says that google-drive-api is not populating user's email address for security reason.
First thing is that, google-drive web version is showing other user's email address in share dialog box where security is not concerned?
If google developers have decided to not populating the email address then they should have some work-around this issue.
e.g.
When I want to change a user's role from "reader" to "write", I can insert a new permission record with role as "writer" and role is being updated properly.
But the same thing is not working when I update user's role from "writer" to "reader".
Does anyone has same problem and found a work around to solve it?
Thanks in advance for your help,
Chirag Moradiya
You should be using the update() or patch() method to modify an existing user's permissions to the file. Obviously, the difficulty here lies in identifying the correct permissionId for the user to modify.
You could try storing a table of permissionId to email address on your end but that assumes all permission changes are done within your app, not via the native Drive UI.
Your other option would be to have the end user identify which user's rights should be modified, help them choose by showing the name and picture that Drive API does give you.
We're developing a web app using the Zend framework and Mysql.
Currently, accounts are unique by email address. We want to be able to allow the admin of an account to grant access to the admin of another account. This person would then be a "user" of the linked account. The account holder would then log into their admin account and then select which linked account they want to access.
Please note: the access should only be one way. Account 1, who grants access to Account 2, should not be able to access account 2. Only account 2 can access account 1. If Account 1 wanted access to account 2, account 2 would then have to grant access to account 1.
What is the best method of going about this?
I think trying to tie permissions to accounts is your problem, you need to add a second 'layer'. Let's stick with Google Analytics as the example:
Let's say Joe Bloggs wants to use Google Analytics. He first has to create a Google account (assuming he doesn't already have one). He then creates a Google Analytics account for his site. Say Joe then wants to give access to Jane Smith, let's assume she already has a Google account. To give her access all he is doing is giving her Google account access to his site, he's not giving her access to his Google account.
Zend_Acl is role based so let's try and apply ZF concepts to this example. The user management screens in GA allow you to give users either "View reports only" access, or "Account administrator". So you'd define a role in Zend_Acl for each of these access levels:
$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('guest'));
$acl->addRole(new Zend_Acl_Role('admin'), 'guest');
the second parameter on addRole means the role should inherit all permissions from the other role specified. So what I've done above is define two roles: guest and admin; and said admin should inherit all permissions that guest has.
You then have your 'resources', which are the things that can be accessed. So we'll define one for reports, and one for user management:
$acl->add(new Zend_Acl_Resource('reports'));
$acl->add(new Zend_Acl_Resource('users'));
we'll then give 'guest' access to reports, and 'admin' access to users:
$acl->allow('guest', 'reports');
$acl->allow('admin', 'users');
then in the relevant controllers (or plugin, or wherever) you can check permissions:
public function reportsAction()
{
[...]
// assume $role contains the role of the currently logged in user
if (!$acl->isAllowed($role, 'reports')) {
// show a permissions error
}
}
public function usersAction()
{
[...]
if (!$acl->isAllowed($role, 'users')) {
// permissions error
}
}
As far as storing this in MySQL goes, you just need a lookup table that links users, sites (in this example) and roles:
userID | siteID | role
1 1 admin
2 1 guest