We're developing a web app using the Zend framework and Mysql.
Currently, accounts are unique by email address. We want to be able to allow the admin of an account to grant access to the admin of another account. This person would then be a "user" of the linked account. The account holder would then log into their admin account and then select which linked account they want to access.
Please note: the access should only be one way. Account 1, who grants access to Account 2, should not be able to access account 2. Only account 2 can access account 1. If Account 1 wanted access to account 2, account 2 would then have to grant access to account 1.
What is the best method of going about this?
I think trying to tie permissions to accounts is your problem, you need to add a second 'layer'. Let's stick with Google Analytics as the example:
Let's say Joe Bloggs wants to use Google Analytics. He first has to create a Google account (assuming he doesn't already have one). He then creates a Google Analytics account for his site. Say Joe then wants to give access to Jane Smith, let's assume she already has a Google account. To give her access all he is doing is giving her Google account access to his site, he's not giving her access to his Google account.
Zend_Acl is role based so let's try and apply ZF concepts to this example. The user management screens in GA allow you to give users either "View reports only" access, or "Account administrator". So you'd define a role in Zend_Acl for each of these access levels:
$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('guest'));
$acl->addRole(new Zend_Acl_Role('admin'), 'guest');
the second parameter on addRole means the role should inherit all permissions from the other role specified. So what I've done above is define two roles: guest and admin; and said admin should inherit all permissions that guest has.
You then have your 'resources', which are the things that can be accessed. So we'll define one for reports, and one for user management:
$acl->add(new Zend_Acl_Resource('reports'));
$acl->add(new Zend_Acl_Resource('users'));
we'll then give 'guest' access to reports, and 'admin' access to users:
$acl->allow('guest', 'reports');
$acl->allow('admin', 'users');
then in the relevant controllers (or plugin, or wherever) you can check permissions:
public function reportsAction()
{
[...]
// assume $role contains the role of the currently logged in user
if (!$acl->isAllowed($role, 'reports')) {
// show a permissions error
}
}
public function usersAction()
{
[...]
if (!$acl->isAllowed($role, 'users')) {
// permissions error
}
}
As far as storing this in MySQL goes, you just need a lookup table that links users, sites (in this example) and roles:
userID | siteID | role
1 1 admin
2 1 guest
Related
I would like to have an access to objects on a shared disks created by other users using SA accounts.
I discovered that by making a call to https://www.googleapis.com/drive/v3/files with the following query:
q=mimeType!='application/vnd.google-apps.folder' and 'GOOGLE_DRIVE_FOLDER_ID' in parents and trashed=false&supportsTeamDrives=true&teamDriveId=GOOGLE_TEAM_DRIVE_ID&fields=files(id ,name ,webViewLink ,webContentLink)
I get different results depending on the account. If I am using access token generated for service account we get different result than if I am using access token generated for a user account.
Service account "sees" only files that were create by that particular service account whereas regular users "see" all the files created by other users as well.
Anyone had similar issue and know any solution or workaround?
I get different results depending on the account. If I am using access token generated for service account we get different result than if I am using access token generated for a user account.
What you need to understand is that you can only see the files that you have permission to see. If you are logged in on a normal user account you will only be able to see the files that you own, or have access to. The same goes for a service account, think of a service account as a dummy user. The service account can only see the files it has been granted access to.
Assuming that your shared disks that you are talking about is gsuite then you can have the gsuite admin set up domain wide delegation on the service account and grant it access to the files on the domain.
permissions
If you dont have gsuite or dont want to give the service account full access to the domain you. You might also want to try having the owner of the drive run a permissions.create and add the service account.
I would like to create an Azure Active Directory Custom role with the following perimeters:
Who to assign the role to:
Either a user, or group
What access will the role have:
Default role permissions from "User Access Administrator" directory role
Scope:
The custom role would only grant access in the specified AAD Groups
(My idea is to have users with this custom role, be able to fill the roles of a User Access Administrator ONLY in the Scoped AAD Groups)
This would provide application administrators the required rights to assign application roles to the specified "Scope" AAD groups, with least privileged in Active Directory
Is it possible to scope an Azure Active Directory custom role to an AAD Group? Not assign the role to a group, but rather the custom role only grant permissions to manage the AAD Group (Assign / Remove application roles to the group... etc)?
Meaning no rights/permissions exist in AAD, except for User Access Administration of that specified "Scope" AAD Group
If so, what would the scope format be, when creating the custom role? Preferable in JSON or Powershell
There is no support today for custom roles in Azure Active Directory. Only the predefined Administrator Roles, as described in the documentation, are available for use.
You may, however take a look at the advanced self-service or delegated group management capabilities and combine them with some existing role (like User Access Adminsitrator or Application Administrator). You may also like to see the difference between Application Administrator and Cloud Application Administrator.
In persuade for least privilege access, you may find the Least Privilege Role by Task document useful. And also the Microsoft Azure AD Privileged Identity Management to control and audit privileged tasks.
Last, but not least, a preview feature - Administrative Units may be of interest to you.
To summarize it
As of today (2018-12-04), there is no option to create custom role within Azure AD. Neither to constrain given role to a specific Group (be it security or office)
I believe this is already available now? https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-custom-overview
It seems I'm not allowed to add an Enterprise Admin or Co-Admin to a group via the API. I can add all other types of users to groups, and can create/edit/delete groups just fine, but I'm not allowed to add a user to a group if that user is an Enterprise Admin or Co-Admin.
Is this expected behavior, or is my application user missing some sort of entitlement?
POST /group_memberships
{ "user": { "id": "12345"}, "group": { "id": "12345" } }
{
"type":"error",
"status":403,
"code":"access_denied_insufficient_permissions",
"help_url":"http:\/\/developers.box.com\/docs\/#errors",
"message":"Access denied - insufficient permission",
"request_id":"xxxxxxx"
}
This is the box a limitation/feature. You can not add an Enterprise Admin or Co-Admin to the group of another Administrator.
For example:
User A and B are enterprise admins. Each sing up to box separately.
When user A create a group, he can create a new user and add the created user to the group.
But user A can not add the user B to the group.
Likewise, when user B create a group, he can not add the user A.
Because they are from different organizations.
You will clear when you try to add an Enterprise Admin to the group via https://app.box.com website. If you do so, the pop up will show with the message "The supplied email address already has a Box account that belongs to a different organization."
Is it possible to retrieve the list of users in a Google Apps Domain with a non-admin account?
Non-admin users can call users.list(viewType=domain_public) which offers the same amount of details that the users see in the domain contacts directory.
Depends on what you think an admin account is.
Long ago the user roles were just "regular" and "admin". Now you can choose from a fine-grained set of permissions and define a role name for them. "Superadmin" is now a built-in role that has every permission possible.
So, if you define a role which can retrieve the user list and assign it to a user I wouldn't call it an admin account.
You need to be a true admin to do that, though :)
As a complement to the other (excellent) answer, what I do in our domain is to create a full list of domain users in a spreadsheet with all necessary informations and run a script every night that updates the spreadsheet automatically. When I make a change (add or remove user) I can run the script manually to avoid temporary differences.
This script runs as "me" but any domain user has access to the list (I invite them to this shared doc when I create their account so it shows up in their drive/shared with me folder). With this solution I don't need to give special rights to any users.
I am working on a project management application http://kerika.com where I am having following case, where I am not able to downgrade a user's role on a google-drive file from "writer" to "reader":
A project owned by user U1 is shared with user U2 with role "Team Member".
When a new document is attached to the card of the project, it is uploaded to the google-drive account of user U1. Let's call this file as F1. U1 becomes owner for F1 and it is shared with user U2 with "writer" role.
When U1 decides to downgrade user U2's role to visitor for kerika project :
Kerika internally need to update user U2's role for F1 on google-drive to "reader".
Here as a kerika developer it becomes hard to find the Permission object for the user U2 to modify its role as Permission object of GoogleDrive API doesn't provide information about user's email address. It provides information about user's name but not about email address.
I have also looked at the google-drive-sdk video at http://www.youtube.com/watch?v=Z2OIlwju8UM&list=PL0FA2818902D9D123&index=15.
Videos says that google-drive-api is not populating user's email address for security reason.
First thing is that, google-drive web version is showing other user's email address in share dialog box where security is not concerned?
If google developers have decided to not populating the email address then they should have some work-around this issue.
e.g.
When I want to change a user's role from "reader" to "write", I can insert a new permission record with role as "writer" and role is being updated properly.
But the same thing is not working when I update user's role from "writer" to "reader".
Does anyone has same problem and found a work around to solve it?
Thanks in advance for your help,
Chirag Moradiya
You should be using the update() or patch() method to modify an existing user's permissions to the file. Obviously, the difficulty here lies in identifying the correct permissionId for the user to modify.
You could try storing a table of permissionId to email address on your end but that assumes all permission changes are done within your app, not via the native Drive UI.
Your other option would be to have the end user identify which user's rights should be modified, help them choose by showing the name and picture that Drive API does give you.