I have a SPFx webpart which is a form for users to submit requests which will run the group and teams provisioning code.
The code works fine when the user is logged in as a 'Global Admin', but when a normal user with minimum permission levels uses the form, the provisioning is not allowed and is faced with these errors:
Creating group is not allowed:
Tenant admin has not enabled Unified group creation error
Creating teams is not allowed:
Teams disabled in user license admin error
Is there a way to run the code regardless of the user context? or any ways to elevate the privilege of the webpart or block of code with admin permissions?
https://learn.microsoft.com/en-us/sharepoint/dev/spfx/use-aad-tutorial
You will need to specify that specific api permissions your application needs.
basically starting from here: https://learn.microsoft.com/en-us/sharepoint/dev/spfx/use-aad-tutorial
specifically, the graph api permissions that you will need is at least Group.ReadWrite.All, Directory.ReadWrite.All in order to create a team.
Hopefully this helps a bit.
Is there a way to run the code regardless of the user context?
Yes. You could implement Get access without a user to use Application permission to create the resources. It will allow you to create a group without a user.
You can also check with your admin if the ability of creation Groups for users has been disabled. See Manage who can create Groups.
And it's strongly recommended to check if the Teams license is assigned to the user.
Related
I've created and registered a web application via Azure Active Directory -> App Registrations.
Within my application manifest I've created a role (why there's no UI to do this is beyond me), and for now am planning on adding quite a few more.
However, I'm unable to assign users to the role I created via Azure Active Directory -> Enterprise Applications, as the Add, Edit, and Remove options are greyed out.
According to these docs, I need to be Global Admin to be able to set these. The only way I can do so is to keep pestering my network admin every time I want to assign users/groups to roles. This is obviously not a suitable solution, and as the registered application owner, it should be trivial for me to control the authorization levels of my application.
How is it possible for me to assign users & groups to the roles I create? If it's simply not possible without having to raise the issue with my global admin, what are my options?
Unfortunatelly, as per docs, you already went through, today only administrator can assign roles to an application.
There is a feature request to simplify that and Microsoft is working on a solution. If you give your vote, it will certainly make the request more important.
For time being it is only the Global Admin who can grant permissions to an Application.
I need to give permissions to edit/create/destroy pages in a node to a group of users.
I've created a group and added a test user to that group.
I can't seem to give permission to the Pages application so see if i can see the node.
I also added game this role permissions at the node level too.
Ideally this editor role would be able to create new sub pages, which also means being able to upload media.
Your new user must have editor privilege level (you can edit user in Users application). If you want to provide ability to see content in Pages app you have to grant the user with Browse tree and Read permission (content module). To satisfy your scenario you need to grand user with Modify and Create permissions, too (maybe Design?).
Just FYI: The approach provided by Brenden (cloning the role) is very handy but there a is chance you grant the user with permission you don`t want to provide (inappropriate permissions for original role).
I've found the most efficient method is review the out of the box roles provided by Kentico and clone the one which fits closest to your needs. Then modify your cloned role to add/remove abilities and permissions.
If you're unsure of what each role can and cannot do, create a new test user with one of the roles assigned to them and log in as them. Do the same for all the roles you want to test until you find the one closest to what you're looking for.
I'm building a sitecore 7.2 using asp.net MVC 5.0. The site will have login and each user will be roles.
We need to show/hide the site menu items based on logged in user Roles. The user detail and roles are stored in SAP backend.
Could someone please advise what's the best way to achieve above?
Essentially you will want to map the roles stored in your backend system to Sitecore Roles. Potentially look into creating a custom Role Provider (see in document below)
Once logged in, requests are made to Sitecore are made in context of that logged in user. Therefore if the user, or their role, does not have permission to view an Item, it will not be returned in the request. This effect means that your Menu will not display items they do not have permission to access.
You and Content Editors can control what users and roles can access via the Security Editor and view their access rights via the Access Viewer in the Content Editor.
This documents will have everything you need - http://sdn.sitecore.net/upload/sitecore6/sc61keywords/security_api_cookbook_usletter.pdf
http://sdn.sitecore.net/upload/sitecore6/securityadministratorscookbook-usletter.pdf
Its also worth noting that Sitecore's seucirty manages roles as Ors. So if one of the user's role has permission to see an Item, then the user can see it.
If you require the roles to be Ands; every role must have permission before its displayed to the user, check this post out - http://www.sitecore.net/learn/blogs/technical-blogs/john-west-sitecore-blog/posts/2015/03/require-membership-in-multiple-roles-in-the-sitecore-aspnet-cms.aspx
You need the roles for the current user from SAP? There is an Odata API for that: http://help.sap.com/saphelp_nw73ehp1/helpdata/en/4c/5bde6197817511e10000000a42189b/content.htm
You could query the API in real-time, but it would of course require a login to SAP for the current user.
Or - you could use another API and connect via a service user.
I have a requirement to deactivate a user for a particular organization.In liferay we deactivate the user directly by control panel under users tool.if i deactivate,The user will deactivate in portal level so it is applicable to all organizations not to particular organization.so can i do manual code for this or is there any alternative by default?
User Management in Liferay is global - to the whole portal. You authenticate to the portal, thus a deactivated user can't be authenticated to the portal.
You can make users members of Organizations or site - and this membership (or other organization- or site-level roles) can be used to provide them with permissions.
If you want them to be able to sign in, don't deactivate them. If you don't want them to access a certain organization, make the content of that organization available to members only - and exclude the user from the members of that organization.
OK you could do this in code level ,
User singleUser=UserLocalServiceUtil.getUser(userId)
singleUser.setStatus(WorkflowConstants.STATUS_DENIED);
UserLocalServiceUtil.updateUser(singleUser);
So basically setting User Status to either WorkflowConstants.STATUS_DENIED, WorkflowConstants.STATUS_EXPIRED or WorkflowConstants.STATUS_INACTIVE will do the work of deactivating particular User.
But you need to research on the aftermath effect of these status field.
Im trying to run a command on the AddUserToGroup method via webservices (UserGroup.asmx).
I set up the code as follows.
//set up the user group
userGroup = new UserGroup.UserGroup();
userGroup.Url = vtiBin + "/UserGroup.asmx";
userGroup.Credentials = CredentialCache.DefaultCredentials;
So I have my credentials being passed to the webserive. Now I run the following
userGroup.AddUserToGroup("System Group", preferedName, userLogin, email, "");
this throws an exception, my account does not have permission. however if I run this code under a different user with GOD access it works
What is the minimum required permission??
I have given my account
Full Access to the User Information List (on the sharepoint site)
Manage Analytics, Manage Audiences, Manage User Profiles, Personal Features, Personal Site, Set Permissions (sharedServices Admin, Personalization services permissions )
Couldn't this also have more to do with the permission to manage the group rather than permission to use the web service? I know I've run into similar situations via the UI before, and it turned out that I didn't have permissions to edit the group's membership. I believe there are a few situations in which you have permission to edit a group's membership:
You are the creator of the group
The creator of the group (or a site collection administrator) designated you as an owner of the group
The group was configured to allow all group members to edit its membership, and you are a member of the group
You are a site collection administrator
Is it possible that none of those conditions fit for you?
There is a permission in SharePoint to allow for web service calls. It's called "Use Remote Interfaces". Your user should have this permission to make changes via web services.