Our account department has asked me a question that I didn't know the answer to.
I must first mention that we are in a hybrid environment.
Each month I export our users from Azure and forward the export to the accounting department, which then distributes the license costs to the internal department the user works in.
Our problem is that the department field in AD isn't detailed enough, as some of the departments have sub-departments. These sub-departments aren't mentioned in the field, because we use that field for our e-mail signatures, and we do not want to have these in official communication.
The accounting department is asking if we can enrich the export with a department number.
So is there a way I can use some of the other fields on the user's AD object that get synchronized to Azure and again end up in the export from the Active users list?
If your users are synchronized from on-premises AD to Azure AD, you could use the onPremisesExtensionAttributes property of the user object. There are fifteen extensionAttributes in onPremisesExtensionAttributes; you can store the department number in any one of them.
After storing it, you could refer to this link and this post to sync the attributes to Azure AD and get the attributes.
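As an added example (not from the answer above or from Microsoft), here is how the monthly export could read the department number back out of Microsoft Graph once it has been synced into one of the extension attributes. The `$select` and `@odata.nextLink` paging behaviour are standard Graph; `get_json` stands in for an authenticated HTTP client, and the user records and the choice of `extensionAttribute1` are constructed assumptions.

```python
import csv
import io

GRAPH = "https://graph.microsoft.com/v1.0"
# Ask only for the fields accounting needs; the extension attributes are
# returned as a nested object on each user.
SELECT = "userPrincipalName,displayName,department,onPremisesExtensionAttributes"

def list_users(get_json):
    """Yield every user, following @odata.nextLink until the collection ends."""
    url = f"{GRAPH}/users?$select={SELECT}"
    while url:
        page = get_json(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")

def export_rows(get_json, attr="extensionAttribute1"):
    """Flatten each user into the row the accounting export needs.
    Cloud-only users have no synced value, so the number may be empty."""
    rows = []
    for u in list_users(get_json):
        ext = u.get("onPremisesExtensionAttributes") or {}
        rows.append({"upn": u["userPrincipalName"],
                     "department": u.get("department") or "",
                     "department_number": ext.get(attr) or ""})
    return rows

def missing_numbers(rows):
    """UPNs that still lack a department number; worth checking before sending."""
    return [r["upn"] for r in rows if not r["department_number"]]

def to_csv(rows):
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["upn", "department", "department_number"])
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()

# Constructed two-page response, standing in for real Graph output.
FIRST = f"{GRAPH}/users?$select={SELECT}"
NEXT = f"{GRAPH}/users?$skiptoken=constructed"
PAGES = {
    FIRST: {"value": [{"userPrincipalName": "peter@example.com", "department": "Sales",
                       "onPremisesExtensionAttributes": {"extensionAttribute1": "4010"}}],
            "@odata.nextLink": NEXT},
    NEXT: {"value": [{"userPrincipalName": "sabrina@example.com", "department": "Sales",
                      "onPremisesExtensionAttributes": {"extensionAttribute1": None}}]},
}

def fake_get_json(url):
    return PAGES[url]

if __name__ == "__main__":
    print(to_csv(export_rows(fake_get_json)))
```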
I'm writing an API integration for DocuSign and I wanted to create a second organization for testing, but I can't do it because when I reach the screen to add accounts to the organization, I can't see any accounts listed.
I visit https://admindemo.docusign.com/create-organization
I fill in the Name and Description and press Next.
In the Link Accounts page, I see no accounts. How can I add some accounts to this screen?
I'm not sure I understand the relationship between accounts and users, because I have created some users from the Admin > Users screen, but those are not displayed in the accounts page.
If it isn't asking too much, could I have a short explanation of the difference between these users and what the Organization page asks for, "Accounts"? I remember that when I created these "Users", I had to provide an email account, and for me that relationship between service and email is what I normally consider an account.
How can I add some new Accounts to create a second Organization and test the API?
Or, since I want to create more organizations to test whether DocuSign has an option to make an organization primary: is there such an option? I tried browsing the Organization settings but I could not find this.
Can I make one organization the "Primary" organization for an account? How would this be reflected in the response of the API endpoint?
Thank you very much!
Here is a diagram explaining the relationship between organizations, accounts, members and users. Hope this makes sense.
An account can only belong to a single organization; therefore, you need another account to get another organization (but an organization can have more than one account).
As you can see from my question above, I was wondering if it is possible to retrieve the assigned groups of an Azure Active Directory (AAD) user via the Microsoft Graph API.
My situation is that I have an ASP.NET MVC project with Microsoft Azure enabled. My goal is that an Azure user can log in on my website with their Azure account.
The idea is that an Azure user is an admin or a user (depending on the Azure groups), and depending on this role group, the user can view more or less of my webpage.
For example:
When Peter logs in with his Azure account on my webpage, he should only be able to see:
Add new Document
Edit Document
Remove Document
because he is only assigned as "User" in Azure Active Directory.
But when Sabrina logs in with her Azure account on my webpage, she should be able to do the same as Peter, but she can also see:
Manage Products
Add new customer
etc.
because she has been assigned as an admin in Azure Active Directory.
My problem is that I did not find out how to retrieve the assigned groups of a user with the Microsoft Graph API. The part about which user can see what after I get the roles is not a big deal.
I already tried this API call:
https://graph.microsoft.com/v1.0/me/
But it seems that the response of this call does not include the groups actually assigned to that user.
Do you think it is possible to retrieve the assigned groups of an Azure user? Is this even possible? Or do I have to do something else to retrieve this information?
I hope you understand my point, and I am looking forward to any response. Thanks in advance!
Add /memberOf to the URL to receive the groups a user is a member of.
https://graph.microsoft.com/v1.0/me/memberOf
Here's a link to the specific Graph API - https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_getmembergroups
Take a look at this sample application on GitHub. It does something very similar with a task tracker application, where different users are able to perform different actions based on the group they belong to -
https://github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims/blob/master/README.md
Also, in cases where a user is a member of too many groups, you get back an overage indicator and have to make a separate call to get all groups. Read about “hasgroups” and “groups:src1” claims here - https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-id-and-access-tokens
Depending on your system architecture, if a user has joined too many groups, the API https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_getmembergroups will return too many groups.
But if there are not too many groups with permissions in your system, you can use this API: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_checkmembergroups to check whether the current user is a member of the specified groups.
It is not a good idea to use this API: https://graph.microsoft.com/v1.0/me/memberOf, because it returns only the groups that the user is a direct member of, but a security group can be a member of another security group.
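As an added example (not from either answer above or from the Microsoft sample), here is how the web app could combine the points made in this thread: use the groups embedded in the token when they are there, fall back to checkMemberGroups only when the "hasgroups" / "groups:src1" overage indicator is present, and let the service resolve nested membership so that a security group nested inside the admin group still counts. `post_json` stands in for an authenticated HTTP client; the group ids, `fake_post_json` and the `TRANSITIVE` membership table are constructed assumptions.

```python
GRAPH = "https://graph.microsoft.com/v1.0"
CHECK_LIMIT = 20  # checkMemberGroups accepts at most 20 group ids per request

def groups_from_token(claims):
    """Group ids embedded in the token, or None when the overage indicator
    ('hasgroups' in a JWT, or '_claim_names': {'groups': 'src1'}) says the
    directory left them out because the user is in too many groups."""
    if claims.get("hasgroups") or "groups" in claims.get("_claim_names", {}):
        return None
    return set(claims.get("groups", []))

def check_member_groups(post_json, candidate_ids):
    """POST /me/checkMemberGroups for just the ids the app cares about.
    The service evaluates membership transitively, so nested groups match;
    requests are chunked to stay within the per-call limit."""
    ids = sorted(candidate_ids)
    found = set()
    for i in range(0, len(ids), CHECK_LIMIT):
        body = {"groupIds": ids[i:i + CHECK_LIMIT]}
        found.update(post_json(f"{GRAPH}/me/checkMemberGroups", body)["value"])
    return found

def role_for(claims, post_json, role_groups):
    """Map the signed-in user to the first matching role in `role_groups`
    (ordered from most to least privileged); None means no access."""
    member = groups_from_token(claims)
    if member is None:  # overage: ask Graph instead of trusting an empty list
        member = check_member_groups(post_json, role_groups.values())
    for role, gid in role_groups.items():
        if gid in member:
            return role
    return None

# Constructed data for offline use; the ids are placeholders, not real objects.
ADMIN_GID, USER_GID = "gid-admins", "gid-users"
ROLE_GROUPS = {"admin": ADMIN_GID, "user": USER_GID}
TRANSITIVE = {"sabrina": {ADMIN_GID, USER_GID, "gid-nested-team"},
              "peter": {USER_GID}}

def fake_post_json(who):
    """Stand-in for an authenticated POST that answers like checkMemberGroups."""
    def post(url, body):
        assert url.endswith("/me/checkMemberGroups")
        return {"value": [g for g in body["groupIds"] if g in TRANSITIVE[who]]}
    return post

if __name__ == "__main__":
    print(role_for({"hasgroups": True}, fake_post_json("sabrina"), ROLE_GROUPS))
    print(role_for({"groups": [USER_GID]}, fake_post_json("peter"), ROLE_GROUPS))
```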
We have been using Google for corporate purposes for the last 5 years. Many dozens of Google groups have been created by different site/business division/local administrators. Now we need to know, for each employee, which groups he is a part of. Does Google provide any API to fetch these details?
Yes. The Directory API has a function to retrieve all groups for a domain or the account. Here's a part of the docs that I think is what you are specifically aiming for:
All groups for the account — Use the customer argument with either my_customer or the account's customerId value. As an account administrator, use the string my_customer to represent your account's customerId. If you are a reseller accessing a resold customer's account, use the resold account's customerId. For the customerId value use the account's primary domain name in the Retrieve all users in a domain operation's request. The resulting response has the customerId value.
There are organizations, users, roles and groups in Liferay. But there are many methods in the Liferay API that return a company or need a company id as an argument, e.g. UserLocalServiceUtil.getUserByEmailAddress(long companyId, String emailAddress) or com.liferay.portal.model.User getCompanyId().
For what purpose is the company provided in Liferay? Why do I have to provide a company id to find a user by email address?
The documentation does not say much.
In short, you can have more than one portal instance on the same server (in the same database), and you need "companyId" to avoid DB data conflicts between those instances. A single instance itself is a full portal with users, groups, roles and everything else. Having "companyId", you can save, for example, two users with the same emailAddress for different instances.
We have a Salesforce app where we have some custom objects and want to expose the various custom object records to customers.
We need to ensure that customers can see only the records belonging to their Account. Because of the way these records are set up (owned by various system users at different levels of processing), we cannot use owner-based sharing, and cannot use criteria-based sharing since it's not dynamic (I can't use criteria-based sharing to say "Share this record with all customer portal users who belong to the same Account as the record" at runtime).
So I know I have to use Apex-based sharing. I have read up on the sharing objects and the sharing table. But how would I approach this?
I can write a trigger which, upon insert, will create a share object, get all user ids who belong to the customer portal group and whose account equals the account of the record, and associate them with the share object of the record.
But I feel this is overkill, correct? Let's say there are 5 users from one of our customers and let's say there are 500 records created a day. That means 2500 share objects a day just for 1 customer; for 10 customers this can go up to 25000, and scale in this way.
Am I right here?
Another problem would be if a new person joined that customer team: unless another process updates the sharing on older records, he/she cannot see the older records.
So is there a better/more elegant way to do this? I thought of adding a share object to the group, but there is just one group, "Customer portal group", and how do I associate the group with the account of the users?
I would appreciate any thoughts about this.
You should take a look at high-volume customer portal users. They're much cheaper relative to standard customer portal users and should meet your needs. Unlike regular users they have a totally different sharing concept. In a nutshell, if they own an object they can see it; if not, they can't. You can then extend this based on whether a contact or account lookup on the object matches the logged-in user.
Read up on this documentation:
License Types (scan to High Volume Customer Portal)
Granting High-Volume Portal Users Access to Records (login required)
You can use groups for sharing to avoid creating so many sharing records. You would have one group per account and one sharing record per account. Instead of managing thousands of sharing records you would have to manage hundreds of groups.
I haven't tried this approach with this many groups, but I read some time ago that it should work (someone posted about using a LOT of groups for sharing). If you do try this, please tell us if it worked OK.