In which database table does Liferay store default portlet configuration permissions?

I am using Liferay 6.1.1.
There is a login portlet on a page whose view permissions were removed from the portlet configuration, so there is no way to view the portlet and no one can log in to the portal!
Is there any way to change portlet permissions other than portlet configuration?
In which database table does Liferay store default portlet configuration permissions?

Portlet-level permission is used when you want to restrict access to a particular portlet; you set it through Portlet Configuration.
If you want the same permission for that portlet to apply throughout the Site or Portal (i.e. login portlets on any page of the Site or Portal), you can use a site role or regular role respectively from Control Panel, and under Role > Define Permission set your desired permission for that particular portlet; it will apply to all users in that role.
For more details you can also go through the Liferay Admin Guide to learn more about permissions.
The database table that stores portlet permissions is ResourcePermission.
Hope this helps!

Related

What permissions are needed to publish and edit Carbon workspaces?

What permissions does a user need to manage the promoted workspaces in Carbon? Are these the same permissions required to edit individual workspaces?
Carbon Administration
Carbon administrator permissions are required to publish and promote Carbon workspaces (i.e., choose which workspaces are displayed in the workspace switcher), as well as manage org-wide settings, such as whether or not Carbon is displayed in dark mode.
Carbon administrator permissions are granted via the Carbon Organization Administrator application permission in Control Panel and are organization specific. You may need to reach out to your platform administrator if you require these permissions.
Editing Carbon Workspaces
Permission to edit Carbon workspaces is based on compass permissions of the workspace and is separate from administrator permissions. If a user has edit permissions on the compass resource, they are able to edit it in Carbon. If they have view permissions, they can view it but not edit it.

Enforce two-factor authentication on all controllers / actions

I've built an authenticated .net core (5.0) web application using Identity (2.2) and set up two factor authentication using a smartphone authenticator app. This is all working fine. I'm now trying to configure the application to enforce the two-factor authentication so that in order to reach any controller / action (apart from those needed for the authentication process), a user MUST be two-factor authenticated, by which I mean they must have enabled 2FA, set up the smartphone authenticator app and then gone through the two-factor authentication process. I'm sure there must be an easy way to do this, but I'm unable to find any posts anywhere on how to do it. Can anyone help? Thanks in advance.

Yii2 startup kit rbac role permission

I'm using this startup application for my app: trntv/yii2-starter-kit.
Is there any option to add permissions and assign permissions to a role using the front end? How can I integrate the front end for RBAC? Please help me build the front end for roles and permissions.

IISExpress AppPool identity verification

I needed to run IISExpress under a specific identity. After going through this post how to run iisexpress app pool under a different identity I changed the processModel's username and password attributes in my \Documents\IISExpress\config\applicationhost.config file.
I would like to verify the change in my web application. Is there a way to verify?
Ultimately, what I'm after is that my security works properly using the PrincipalPermission attribute. I believe the Name property on this attribute matches the user under which IISExpress and my application are running.
Thanks in advance for your help.
IISExpress runs with current user identity and changing ProcessModel username/password won't help. Only way to run with particular identity is to launch iisexpress.exe with 'runas'.
I'm probably way too late to help, but have you tried changing your project to run with Local IIS instead of IIS Express?
Here's the way I do it (you could start in Visual Studio, but I find this more straightforward):
Launch IIS Manager with admin privilege (important that you have rights to muck with localhost)
Add a new Application Pool running with the Identity you need for your database (probably your windows account)
Create a new application on IIS
point it to your project folder
assign it to the app pool you just created
In Visual Studio open your project's properties (select the project in solution explorer hit Alt-Enter or use context menu). In the Web Section, select Local IIS instead of IIS Express. No need to create virtual directory (you already did).
Now your app can open the database. As an added bonus, your project is always available to run. No need to start it from Visual Studio.

User rights needed for IIS 7.5 application pool user (domain user, not the AppPoolIdentity)

We have an active directory domain (let's call it foodomain) and a domain user account (foodomain\fooAppPoolUser) used for the IIS application pool identity.
We want to run the app pool under this user account and not under Network Service or the new AppPoolIdentity as we have to access SQL server and have multiple applications on IIS (with own app pools) accessing different databases.
The problem is that I can't find a clear HOW-TO explaining, which user rights have to be set for this user account and how IIS has to be setup so that this will work.
First I got errors (unfortunately I can't remember which ones), then I added fooAppPoolUser to the local admin group (Administrators, I know, was only to test), then it worked. Now I removed the user again, restarted IIS and it still works.
So I'm confused a bit and would like to know, how the configuration/setup has to be to have it working.
Somewhere I read that the account needs to have the "Impersonate a client after authentication" user right. That's the reason I added the account to the Admin group (the user rights assignment is blocked via group policy, but this can for sure be changed if really needed).
I hope I was clear enough what the question is and hope somebody has an answer.
It's frustrating that this information is so hard to find, since some security admins seem to enjoy the cruel and unusual punishment of changing default policy settings to thwart installing apps within IIS.
Here's what I believe you should do to enable an account to work as an ApplicationPool identity:
Run aspnet_regiis -ga DOMAIN\USER to add permissions to access the IIS Metabase. (Exactly what that means, who knows?) aspnet_regiis reference
Add the user to the IIS_IUSRS group. This may be done automatically depending on the IIS configuration setting processmodel.manualGroupMembership but easiest to add it yourself.
If security policy is using windows defaults that's about it. If the security policy is locked down you may need to enable specific user rights for the account. The ones you have by default for ApplicationPoolIdentities (which seems a good place to start but not necessarily all required):
Access this computer from the network
Adjust memory quotas for a process
Allow log on locally
Bypass traverse checking
Generate security audit details
Impersonate a client after authentication - (Often not available by default on locked-down environments)
Log on as a batch job - (Often not available by default on locked-down environments)
Log on as a service - (I'm not sure this is needed)
Replace a process level token
If you're using windows auth and Kerberos (provider=Negotiate) then depending on the URL and if kernel-mode auth is on you might need to set up an SPN. I suggest switching to NTLM if possible. Otherwise, see articles below about SPNs and find a friendly domain admin to add them for you.
Fun reading:
Default permissions and user rights for IIS 7.0, 7.5, 8.0. This is the best reference, see the user rights at the bottom.
User Rights (on Windows Server 2008, but still interesting and helpful as it's a long article you can CTRL+F to find IIS-related comments)
User Rights Assignment on Server 2008 R2+. You have to drill into each right to see what it mentions about IIS.
How To: Create a Service Account for an ASP.NET 2.0 Application - pity there's no more recent version of this article.
SPN Checklist for Kerberos on IIS7/7.5
How to use SPNs - applies to IIS6 or to 7/8 if Kernel-mode authentication is turned off.
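One way to check the user rights listed in the answer above for a given account, as an added PowerShell example that is not part of the original answer: it exports the user rights assignments with secedit and reports whether each right is held directly or through IIS_IUSRS, Authenticated Users or Everyone. The account name is the question's placeholder, IIS_IUSRS membership is assumed, and grants through any other group are not resolved.

```powershell
# Added example (not from the original answer). Run from an elevated prompt.
# FOODOMAIN\fooAppPoolUser is the question's placeholder account name.
param([string]$Account = 'FOODOMAIN\fooAppPoolUser')

# Policy display name -> constant used in secedit exports.
$rights = [ordered]@{
    'Access this computer from the network'     = 'SeNetworkLogonRight'
    'Adjust memory quotas for a process'        = 'SeIncreaseQuotaPrivilege'
    'Allow log on locally'                      = 'SeInteractiveLogonRight'
    'Bypass traverse checking'                  = 'SeChangeNotifyPrivilege'
    'Generate security audits'                  = 'SeAuditPrivilege'
    'Impersonate a client after authentication' = 'SeImpersonatePrivilege'
    'Log on as a batch job'                     = 'SeBatchLogonRight'
    'Log on as a service'                       = 'SeServiceLogonRight'
    'Replace a process level token'             = 'SeAssignPrimaryTokenPrivilege'
}

# SIDs that count as a grant: the account itself, plus groups the account is
# assumed to belong to (IIS_IUSRS only if you added it as the answer suggests).
$nt = New-Object System.Security.Principal.NTAccount($Account)
$accountSid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
$via = [ordered]@{
    $accountSid    = 'direct'
    'S-1-5-32-568' = 'via IIS_IUSRS'
    'S-1-5-11'     = 'via Authenticated Users'
    'S-1-1-0'      = 'via Everyone'
}

# Export the user rights assignments as secedit reports them on this machine.
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content $cfg
Remove-Item $cfg

foreach ($name in $rights.Keys) {
    $const = $rights[$name]
    $line = $policy | Where-Object { $_ -match "^$const\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        # Value is a comma-separated list; SIDs carry a leading '*'.
        $holders = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    }
    $match = $via.Keys | Where-Object { $holders -contains $_ } | Select-Object -First 1
    [pscustomobject]@{
        Right   = $name
        Granted = if ($match) { $via[$match] } else { 'no (check other groups)' }
    }
}
```

Rows reported as 'no (check other groups)' are the ones to raise with whoever controls the group policy, rather than working around them by adding the account to Administrators.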
The reason why your application worked AFTER removing Administrator rights is that your application was compiled to the Framework temp folder using the administrator rights - Your application worked after removing the administrator rights because the application was compiled. If you update your application and it requires recompilation, the app pool account will need trusts again.
First I got errors (unfortunately I can't remember which ones), then
I added fooAppPoolUser to the local admin group (Administrators, I
know, was only to test), then it worked. Now I removed the user again,
restarted IIS and it still works.
I found the following link answered a similar question I had: http://www.iis.net/learn/manage/configuring-security/application-pool-identities
Basically, ApplicationPoolIdentity is a virtual user account that still behaves like NETWORK SERVICE, but without some of the downsides; each app pool has its very own ApplicationPoolIdentity account created with it.
More detailed information can also be found that is also specific to IIS 7.5 Application Pool Identities.