I am trying to change widget configuration at runtime based on the user. I would like to populate the collection-browser with different sub types of promotions (this is a custom type for my requirement). For certain users they should only see certain promotion types and be able to add/delete these types.
<widget id="custombackoffice-search-init"
widgetDefinitionId="com.hybris.cockpitng.widgets.common.propextractor"
template="false" slotId="cockpitWidgetChildrenInvisible">
<setting key="expression">'Promotion'</setting>
<setting key="socketDataType_$T" type="String">java.lang.String</setting>
</widget>
<widget-connection sourceWidgetId="custombackoffice-search-init" outputId="genericOutput"
targetWidgetId="custombackoffice-collectionBrowser-fulltextsearch" inputId="type"/>
<widget-connection sourceWidgetId="custombackoffice-collectionBrowser-fulltextsearch" outputId="searchData"
targetWidgetId="custombackoffice-collectionBrowser-advancedsearchengine" inputId="searchData"/>
<widget-connection sourceWidgetId="custombackoffice-collectionBrowser-fulltextsearch" outputId="searchContextChanged"
targetWidgetId="custombackoffice-collectionBrowser-advancedsearchengine" inputId="changeSearchContext"/>
<widget-connection sourceWidgetId="custombackoffice-collectionBrowser-advancedsearchengine" outputId="pageable"
targetWidgetId="custombackoffice-collectionBrowser-browser" inputId="pageable"/>
Is there a way to configure the type 'Promotion' to have a different subtype at runtime or have different configurations configured beforehand for each user. I know I can restrict the data with searchRestrictions but using only search restrictions impacts the *backoffice-listviewactions. These actions are only visible if a user has read/write access on the configured type e.g. 'Promotion'.
I think you want to achieve this . In case you need any more answers about backoffice widgets, here is a good documentation with a lot of questions with answers provided by SAP.
Related
I'm programming a new application with many users, a few roles and specific permissions for those roles. For that I want to create the following tables:
Users (ID,Login, password,..)
Roles(ID,Rolename)
User_Roles(User_ID, Role_ID)
Permissions(ID,PermissionName)
Permission_Roles(Permission_ID, Role_ID)
My idea was to build a function, which allows to check if a user has a specific permission to access a form. I would do that by creating Permissions/Rules like 'canReadFormX', 'canEditFormX' which would allow me to use one main function to check and perfom those specific rules and a function per form to call it.
Is that a way to go (or rather did I understand everything correctly regarding RBAC) or is that just far to complicated? Any advise is very appreciated!
It seems fair to me, and similar to what we have already set, for the first 3 tables.
You then have to solve the 'action' problem, ie to distribute permissions to use your appl's actions. I am not sure that your 'Permissions' proposal will cover all the situations, as you have to deal with 2 major categories of actions:
The 'Open form' actions, that you already have identified: you effectively have to define 2 levels of authorisation for each form: the 'view' right, and the 'update' right.
All other actions, such as form specific buttons or menus, that will allow you to run a specific action other than just opening a form (execute a report, make a specific calculation, automatically import or update data, etc).
One solution/My advice is to maintain 2 tables for this:
A 'Forms' table
An 'Actions' table
And the corresponding link tables:
A 'Form_Role' table
An 'Action_Role' table
With such a configuration, you are fully covered. You can even decide which role has the right to see a specific report on a specific form, as long as the corresponding action is accessed through a specific control or menu on the form.
Both Forms and Actions tables are very interesting as they both participate in your application metamodel...
EDIT: By the way, if you are on a domain, you can use user's domain credentials to control his\her access rights to your system. In this case you do not need to store a password in your RBAC system.
I am building a phone catalog of my organization (an AJAX application which accesses the search.asmx web service).
I'd like to show a list box where the user could select a department (which is stored in managed property Department). To fill the list box with values, I need to somehow select all the distinct values of that property.
Is it possible through search.asmx web service?
What I've found:
an article, which states that it is possible, but it does not use the web service interface
a Microsoft's white paper which states that "If the protocol client specifies at least one property, it MUST also specify the Path property. If it does not, the protocol server MUST return the status code "ERROR_BAD_QUERY"."
The two findings are somewhat inconsistent. (and, yes the search really returns ERROR_BAD_QUERY).
Why bother to check with the web service or complicate it?
Get all the properties into a DataTable.
Then create a DataView & then you can apply the DISTINCT on required column.
Finally use it to bind to your list box.
I've got a custom list with a custom content type. I'm aware that when you create a new item you can see a drop down for the different content types on that list which I assume all have their own NewForm.aspx somewhere. I can specify in the content type definition which columns are shown on the New form and that I can replace the new form with a custom one of my own design.
What I'm trying to achieve is to have multiple New forms but for the same content type listed on the New drop down. I would like each new form to expose different fields of the content type. Additionally I'd like to make particular New forms only visable by users with particular permissions although this isn't critical.
Scenario:
I've got a content type with all the fields I need for a risk assessment. When a new item is created it only exposes fields to enter contact details. Once this is created a workflow with infopath forms then drives the gathering of the rest of the risk assessment information through booking, the inspection itself and approval of the data. I want the ability to have a second option to easily enter all this information on a different new form for an inspection that's already been done and needs logging in the system.
You could customize the NewForm.aspx (e.g. via SharePoint Designer) for the initial submission case. Obviously, all of the required fields will need to be populated in some fashion.
The EditForm.aspx is the out-of-box page for updating existing list items. You may be able to customize this to meet your update an existing risk assessment case. From the post above it's not entirely clear to me whether this distinction between these pages is fully understood.
In both of these cases, you can add code-behind to the .aspx pages. However, it's usually best to start as simply as possible, keep it as simple as possible and only add complexity as necessary.
Hope this makes sense and helps. Good luck!
Dan,
Per your scenario, I have done something similar by creating one content type per actor/stage. Consider using a simple SharePoint Designer workflow to change your content types onChanged (simply by setting the Content Type) column so that the perspective actors only see the columns you want them to see in the edit/newforms. As long as the proper content type is set, your users will only see the fields you want them to see. Furthermore, with creative use of views and audience targetting of pages you can somewhat prevent these users from seeing columns.
Also, you can prevent users from seeing the different content types (under the new button) in the advanced content type page.
I'm trying to figure out a clean way to hide a custom field type from the list of available columns when a user goes to add a new column to a list. I only want this field type to show up when a given feature has been activated (the feature could be site, web, or web app scoped for my purposes).
One theory (haven't had a chance to try implementing this yet) is that I could set all the ShowOnListAuthoringPages (and similar) properties to "false" in the fldtypes_myfield.xml file, then programmatically set this value to true when a given feature is activated.
In XML file, please set
<Field Name="UserCreatable">FALSE</Field>
I't work with me
Are you sure that you are able to see the Publishing Fields Type in the List Create Column Only with Publishing Infrastructure feature activated. I have a MOSS 2007 Server and I Create a Site Collection based on the Team Site (In this Publishing Infrastructure was not active) but still I was able to see the Rich HTML Fields in the Create Site Column Page. I doubt Publishing Infrastructure controls this function. Your option is good one for this, I would say.
Custom Field Types Features are per definition Farm Scoped, since Custom Field Types have to be deployed farm wide.
You cannot "hide" them from users. A field in a list is based on a field type (bool, user etc.). You CAN hide fields, not the base types. So if a user wishes to create an entirely new (site) column, he or she 'll be able to see that field type.
So, it does look like the only way to do really hide the field times is with attributes in the fldtypes_myfield.xml file. There are a series of properties that affect it's visibility described in this MSDN page. In my particular case I ended up just using the UserCreatable property and marking it as false. This pretty much means the field type won't show up in the UI anywhere, so you'll need to make a feature or some kind of list/library template that you deploy that makes use of the type. I guess this is an area we can hope for improvement on in SP 2010 (perhaps along with a scoping mechanism for event receivers so they don't have to be "global" in the farm).
I'm searching for the best way to handle view-level authorization (where you hide markup based on a user's roles).
The typical way to do this is with the Acegi Security authz tag, as follows:
<authz:authorize ifAnyGranted="ROLE_FOO, ROLE_BAR, ROLE_BLAH">
<!-- protected content here -->
</authz:authorize>
The problem with that approach is that it quickly gets messy. For one, you either hard code the user roles as above or you create a constants file that duplicates them all. Second, there's no way with the current scheme to group roles logically. I suppose one solution is to define a separate role for each UI element, but then the declarative method level security on the business methods would need to be updated for each UI element (would that be a good thing?). This would also cause a proliferation of user roles! The use cases for my application actually mandate very few, e.g., Manager, Manager Supervisor, Super User (can do everything), Read Only, etc.
The solution that comes to mind is to treat the authorizable UI elements similar to message resources. That is, define a series of "authorization points" in a properties file similar to a MessageResources file. My initial thoughts are as follows:
com.lingoswap.home.editUserNameButton.ifAnyGranted=ROLE_FOO, ROLE_BAR, ROLE_BLAH
com.lingoswap.home.deleteAccountButton.ifNotGranted=ROLE_NOOB
com.lingoswap.home.deleteAccountButton.ifAnyGranted=ROLE_ADMIN
...
To protect content on the home page, we would then use a different protected tag (one that borrowed heavily from the original authz, possibly a sub class):
<security:protect component="com.lingoswap.home.editUserNameButton">
<!-- edit user name button -->
</security:protect>
<security:protect component="com.lingoswap.deleteAccountButton">
<!-- show the awesome delete account button that's not for nincompoops -->
</security:protect>
The advantages to this approach are the following:
Easy to test - we can write unit tests that verify the user-role-to-ui-element mappings (of course, it still has to be used on JSPs)
Error checking at runtime (and test time) - if a user role is misspelled in the .properties file, we can throw an Exception
Easy to tweak user roles - the requirements team continually refines the user roles; it'd be nice to change them all in one central location
Easy to understand - we can at a glance view the user role permissions for the entire application
Can be done DRYly (using property Spring placeholders to group related roles, e.g., ${readOnlyGroup} can be used in the properties file instead of the actual role names
The disadvantages seem to be:
Moderate complexity
Others??
Thanks for your advice.
Regards,
LES2
I did somethig similar to the second approach. And because I wanted all my security definitions in one place I implemented my own objectDefinitionSource for the FilterSecurityInterceptor.