SAP Hybris backoffice set permission denied for everyone on an object - sap-commerce-cloud

I want to set in SAP Hybris a "permission denied" for reading, writing, removing and editing for everyone in the Backoffice, except for the members of a very specific "UserGroup". Only "Employees" who are inside a "UserGroup" (let's call it allowededitorusers) should be able to see or make changes to the "UserGroupModel" model, the target object of this permission within the Backoffice, thus avoiding unwanted changes.
That is, "only users who are within the "allowededitorusers" group will be able to see or make changes to the "UserGroupModel" object".

Related

How to allow a user with read access to respond to a Sharepoint 2013 Survey?

How to allow a user with read access to respond to a SharePoint 2013 Survey?
I have tried with read access only, but I'm not able to get the "respond to survey" link. I have also tried the "contribute access" option, and this time I got the "Respond to Survey" button. When I tried to fill in the survey details and click submit, I'm getting an access denied error message.
You cannot add items to a list (usually what is meant when you say "respond to a Sharepoint survey") with only Read permissions. Users will need either Contribute permissions or a custom permission level that includes Add Items. It is also important to distinguish the site or list that you're setting permissions for: when you say that you have "contribute access", you may only have set Contribute permissions for your site. You need to set it for the list that contains the survey results.
Lists usually inherit permissions from their parent sites, but it is often prudent to stop inheriting and set custom permissions on lists (like surveys) that everyone will need to contribute to. That will keep users in other directorates/groups/teams from mucking with the Shared Documents library (and many other things) of whatever directorate/group/team is hosting the survey.
Lists can be set up to handle access requests so that the "access denied error message" you received will include a link to request access. This may be a feature to consider on your survey to simplify the resolution of future permission errors.

Setting dynamic author_id on Safecracker form as non Super Admin group

I have a project where I need a member group called Staff Admin (slightly fewer privileges than Super Admin) to be able to publish entry data on behalf of a site Member via a Safecracker form. Now I am able to successfully set an 'author_id' on the form (using a hidden input) and a user logged in under the Super Admin group can successfully publish the new entry and have the specified author_id set on the entry.
The problem is that even though I have the 'Staff Admin' group settings set to allow editing and changing authors on entries, I'm unable to do it on a Safecracker form: the specified 'author_id' is ignored and I'm getting an error triggered for 'invalid_author' (The selected author is invalid.)
Think the line in the Api_channel_entries.php is around 1246 (under EE 2.4) where it’s looking to authenticate against Super Admin group only as the exception:
if ($data['author_id'] != $this->EE->session->userdata('member_id') && $this->EE->session->userdata('group_id') != 1)
Any ideas how I might circumvent this problem I have?
That error is being triggered because the author ID that you're trying to reassign the entry to is not one of the designated valid authors for the channel. To fix this you'll need to edit the member group (of the user you're trying to assign the entry to) and enable the 'Include Members in PUBLISH page multi-author list?' setting.
You may also need to enable that setting for each individual user via Member Administration > Edit Member > Member Preferences > "Include user in PUBLISH page multi-author list?"

Disallow viewing list items

Suppose there's a top-secret list (inherits its permissions from its parent) that contains records that were created earlier by different users. There are several groups with rights to administer, read, write-constrained.
There is a group of authors of top-secret items. An author can only create a 'secret-item'. But the item shouldn't be viewed by other participants of the group (Authors).
I can't access/change the site programmatically. And I'm curious how I can do this manually.
First, keep in mind that you cannot do "top-secret" in SharePoint. The site collection administrator will always have access to all content.
Manually, there are two features that come close to your request:
under advanced options in the list settings: user can only read/write his/her own items
under the same advanced options: activate approval. Content in draft state will remain hidden (except from approvers and site owners)
In addition to the answers from @Christophe, you can also modify the permissions of individual List Items.
If you were able to make programmatic changes, I would suggest attaching an ItemAdded event receiver to a custom Content Type named "Top Secret." But in this case, the permissions changes can be made as a manual step after adding the item.
The risk, of course, is if the author forgets to change the permissions, changes the permissions incorrectly, or changes the permissions very slowly (allowing others to see it before permissions are changed).
For more information on changing the permissions of a List Item, see Break permission inheritance on a folder, document, or list item.

can users access the SharePoint application page who have read permissions?

We created one page and placed it under the LAYOUTS folder. So can you tell me, can all users access this page by giving their AD credentials?
Some users are not able to log in to this page.
Please give me some suggestions.
The default Application Page setup will require the View Application Pages permission, and all derived permissions. You can manually configure the permissions of the application page by defining the RightsRequired property of the page. This is usually defined OnLoadComplete, but you can specify to occur after OnPreInitComplete by configuring the RightsCheckMode property.
But, without fiddling in these settings, it is still possible that certain users who have the read permissions on the general site may be barred from the Application Page. This can arise whenever you have controls that require different permission levels. For example, if you have a custom application page that has a field control associated with a specific list and item, if that control is in Edit mode then the user needs Edit permissions for that list and item in order to view the application page. It does not actually matter if this field control has anything to do with the list in question! For example, I once had an application page designed for bulk-downloading files which are in two folders. I wanted to re-use this page for a few different document libraries, so I decided to create a custom multi-lookup field control that would take the List query string as if on a New Form, and build the list of items to download that way. But this page was blocked for a subset of users who were not allowed New item permissions in one of the two folders, even though the page technically didn't do anything involving adding new items.
Any other elements on the page which require a separate set of permissions than general site permissions will also interfere, but the general case is with item-level and list-level permissions conflicting with the site-level permission. Simply check all of your controls, especially ones based on SharePoint web controls. As long as the user has permissions necessary to operate all of these, the user should be able to view the application page.
All users who have read permission can access this page.
If this page is trying to do any manipulation which needs higher permission, you may get access denied.
For troubleshooting, comment out all code and try to access this page with read permission.

Site members/visitors get access denied error page because of webpart

I've developed a custom webpart. I can add it to a page and site owners can view the page with no problems.
However, site visitors/users get redirected to the access denied error page. Sure, I must be doing some stuff normal users are not allowed to.
But the thing that bugs me is that when I place a breakpoint in the webpart constructor or even a variable declaration, it won't get hit! (If I try to view the page with limited privileges.) But in my browser, I get the access denied page. However, if I close that webpart, I instantly have access to that page and everything is OK.
What's the catch here? I was hoping I could catch exception with debugger to see which statement is guilty one, but it seems webpart doesn't execute any code and I get that exception.
Edit: Sorry, turns out debugger now hits those breakpoints. Don't know what changed, because symbols were loaded.
What is the trust level at your SharePoint site? You might want to give Full trust temporarily to see if you have any access problems.
If yes, then you might have a Code Access Security (CAS) problem on your hands. My first instinct is that your assembly does not have the necessary privileges to run correctly for normal users.
You can configure it using a custom CAS entry in the manifest.xml for the webpart, e.g. if you are calling external resources then you might have to configure System.Net.WebPermission and define which URL you are allowed to access. You can find more info on this at the U2U site.
Also, what does your webpart do? If you are trying to access resources which normal users don't have access to (e.g. a list in some site) then you have to use the SPSecurity.RunWithElevatedPrivileges method, so that you have the necessary privileges (be careful to create a new Site instance within that method so that the Context populates correctly).
Found the solution.
Turns out that I wanted to determine if a user belongs to a specific group by trying to access that group's users. As this was impossible if a user doesn't have such permissions, it was throwing some kind of internal exception with the message
"Unable to evaluate expression because the code is optimized or a native frame is on top of the call stack."
Anyways, I now learned to loop through SPUser.Groups (SPGroupCollection) and check if we have a matching group rather than enumerating group principals and seeing if he's inside.
You need to give permission (update personal webpart) to the visitor group. However, it is not recommended. If you want, you can create a separate permission level and associate it with the visitors group.
Cheers!!
