Multiple Sites and Authentications with one Database - security

This may be a simple question, but it's my first time setting up a website this way and I need some advice please.

The setup:
I have two websites, WS1 and WS2, each with a different domain name. They both point to the same IP using nginx server blocks, and SSL is set up for each domain name. I will be using Express.js with ArangoDB (where I can add additional databases in ArangoDB to split up the two sites in the backend if necessary).

The problem:
Sometimes these two sites will be accessing the same info from the database and I would prefer NOT having to duplicate the data, but they will have different authentications. Each site will have different account authentications and page restrictions for each member of each site.

The question:
How would I set this up to ensure security, so that one account doesn't get access to any other site? Do I need two separate frameworks in each server block? Should I create two databases? Best recommendations please?

This depends on your authorization framework.
Authentication identifies who is accessing your site, and part of that identity is the user, the company/domain, and the role/group they belong to.
Authorization is the description of what that user, company/domain, or role/group is allowed to access.
You probably know about cookies and username/passwords for the user identification. The user is stored in the database and mapped to the company/domain they belong to, and the user is also mapped to the role/group they belong to.
select userID, company from users where username = ?, $username
select group from groups where userID = ?, $userID
Some of the records in the database are probably scoped to a single domain/company and others to a role/group. You add the domain/company or role/group as a column on the database, and use it in your query.
select content from companyPages where company = ?
or
select content from groupPages where group in (select group from groups where userID = ?)
You can have users from multiple companies/domains using the same groups too.
And putting it together:
select content from pages where
group in (select group from groups where userID = ?)
and company = (select company from users where userID = ?);
Basically you have to define your authorization scheme and map it to your data model.
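The scheme the answer describes, written out as an added example in plain JavaScript (this is not code from the question or the answer): constructed in-memory tables for users, groups and pages, the identification step, and the combined query with the company/domain scope taken from the stored account rather than from the request. Table names, sample rows, the ws1.example/ws2.example hosts and the Express-shaped request object are assumptions.

```javascript
// Added example, not code from the original post or answer: the answer's
// authorization scheme (users -> company/domain, users -> groups, content rows
// scoped by both) modelled in plain JavaScript over constructed in-memory
// tables. Table names, sample rows and the ws1/ws2 hosts are assumptions.

// users: authentication record plus the company/domain (site) the account belongs to.
const users = [
  { userID: 1, username: 'alice', company: 'WS1' },
  { userID: 2, username: 'bob',   company: 'WS2' },
  { userID: 3, username: 'carol', company: 'WS1' },
];

// groups: many-to-many mapping of users to roles/groups.
const groups = [
  { userID: 1, group: 'members' },
  { userID: 1, group: 'editors' },
  { userID: 2, group: 'members' },
  { userID: 3, group: 'members' },
];

// pages: every content row carries both scopes the answer describes.
const pages = [
  { id: 'p1', company: 'WS1', group: 'members', content: 'WS1 member news' },
  { id: 'p2', company: 'WS1', group: 'editors', content: 'WS1 editor tools' },
  { id: 'p3', company: 'WS2', group: 'members', content: 'WS2 member news' },
  { id: 'p4', company: 'WS1', group: 'members', content: 'WS1 FAQ' },
];

// Which site a request hit: keyed by the Host header that the nginx server
// block forwards, so the site is decided by the server, not by the client body.
const siteByHost = { 'ws1.example': 'WS1', 'ws2.example': 'WS2' };

// Authentication step: "select userID, company from users where username = ?"
// followed by "select group from groups where userID = ?".
function identify(username) {
  const user = users.find(u => u.username === username);
  if (!user) return null;
  const userGroups = groups.filter(g => g.userID === user.userID).map(g => g.group);
  return { userID: user.userID, company: user.company, groups: userGroups };
}

// Site gate: the company stored with the account must match the site being
// served. A WS1 account presented on the WS2 domain is rejected here, before
// any content query runs.
function requireSite(identity, host) {
  const site = siteByHost[host];
  if (!site) throw new Error(`unknown host ${host}`);
  if (identity.company !== site) {
    throw new Error(`${identity.company} account not valid on ${site}`);
  }
  return site;
}

// The answer's combined query:
//   select content from pages where group in (<user's groups>) and company = <user's company>
function visiblePages(identity, host) {
  const site = requireSite(identity, host);
  return pages
    .filter(p => p.company === site && identity.groups.includes(p.group))
    .map(p => p.id);
}

// Express-shaped handler (no Express dependency): identity from the
// server-side session, site from req.hostname (Express fills it from Host).
function pagesForRequest(req) {
  const identity = identify(req.session && req.session.username);
  if (!identity) return { status: 401, pages: [] };
  try {
    return { status: 200, pages: visiblePages(identity, req.hostname) };
  } catch (e) {
    return { status: 403, pages: [] };
  }
}

// Run with node: alice sees her WS1 pages on ws1.example and is refused on ws2.example.
console.log(pagesForRequest({ hostname: 'ws1.example', session: { username: 'alice' } }));
console.log(pagesForRequest({ hostname: 'ws2.example', session: { username: 'alice' } }));
```

One framework and one database are enough for this: the isolation comes from the `company` column stored with the account and from deriving the site from the server block's hostname, so neither the session cookie of one site nor a crafted request can widen the query to the other site's rows.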

Related

Creating model for groups of users in node js Web Application

I am creating an application that should allow users to create or join a group with other users. Every user in a group will have access to some common information. The users are currently stored in a Postgres database with attributes: name and email. I am trying to create a model for groups that would contain a list of authorized users that can access its material.
One approach I thought of was creating a new table in the database consisting of rows of groups, where each group had a column 'authorized_users' which contained an array. However, I read that this is bad practice in SQL.
Another approach would be to create a new table each time a group is created and store the authorized users in that table.
I was looking for help to see if there is an API for Node that already performs this, or if any of you have suggestions on how to implement this group model.
You need a new table that keeps the users-in-groups info, modelling a many-to-many relationship:
users_groups:
user_id,
group_id,
(optional) can_read, can_write, etc.
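The join table the answer recommends, as an added example in plain JavaScript (not code from the question or the answer): constructed in-memory rows for users, groups and users_groups, with the constraints a database would enforce written out as checks, and the lookups and permission checks a group feature needs. Helper names and sample rows are assumptions.

```javascript
// Added example, not code from the original question or answer: the answer's
// users_groups join table (user_id, group_id, optional can_read/can_write)
// kept as constructed in-memory rows, with the lookups a group feature needs.
// Helper names and sample rows are assumptions.

// Existing users table from the question (name, email), constructed rows.
const users = [
  { id: 1, name: 'Ada',  email: 'ada@example.test' },
  { id: 2, name: 'Bram', email: 'bram@example.test' },
  { id: 3, name: 'Cleo', email: 'cleo@example.test' },
];

const groups = [
  { id: 10, name: 'research' },
  { id: 20, name: 'ops' },
];

// One row per membership. Neither an array column on groups nor a table per
// group is needed: adding a member is inserting a row, removing is deleting it.
const usersGroups = [];

function addMember(userId, groupId, { canRead = true, canWrite = false } = {}) {
  // What foreign keys on user_id and group_id enforce in the database.
  if (!users.some(u => u.id === userId)) throw new Error(`unknown user ${userId}`);
  if (!groups.some(g => g.id === groupId)) throw new Error(`unknown group ${groupId}`);
  // What a unique (user_id, group_id) key enforces: one row per pair.
  const row = usersGroups.find(r => r.user_id === userId && r.group_id === groupId);
  if (row) { row.can_read = canRead; row.can_write = canWrite; return row; }
  const created = { user_id: userId, group_id: groupId, can_read: canRead, can_write: canWrite };
  usersGroups.push(created);
  return created;
}

function removeMember(userId, groupId) {
  const i = usersGroups.findIndex(r => r.user_id === userId && r.group_id === groupId);
  if (i !== -1) usersGroups.splice(i, 1);
  return i !== -1;
}

// select u.name from users u join users_groups ug on ug.user_id = u.id where ug.group_id = ?
function membersOf(groupId) {
  return usersGroups
    .filter(r => r.group_id === groupId)
    .map(r => users.find(u => u.id === r.user_id).name)
    .sort();
}

// select group_id from users_groups where user_id = ?
function groupsOf(userId) {
  return usersGroups.filter(r => r.user_id === userId).map(r => r.group_id).sort((a, b) => a - b);
}

// The checks a route handler runs before returning or changing group material.
// A non-member has no row, so both return false.
function canRead(userId, groupId) {
  const r = usersGroups.find(x => x.user_id === userId && x.group_id === groupId);
  return Boolean(r && r.can_read);
}
function canWrite(userId, groupId) {
  const r = usersGroups.find(x => x.user_id === userId && x.group_id === groupId);
  return Boolean(r && r.can_write);
}

// Constructed memberships: Ada writes in research, Bram reads research and ops, Cleo reads ops.
addMember(1, 10, { canWrite: true });
addMember(2, 10);
addMember(2, 20);
addMember(3, 20);

console.log(membersOf(10), groupsOf(2), canWrite(2, 10)); // [ 'Ada', 'Bram' ] [ 10, 20 ] false
```

In Postgres the same rules are the two foreign keys and a primary key on (user_id, group_id); the per-membership flags keep "who may read" and "who may change" in the one table that the authorization check queries.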

How to implement Dynamic Security in PowerView

I have created a PowerView using a BISM connection in Enterprise Portal of AX. That PowerView report will be used by 100+ users. I want every user to see his/her data in the PowerView instead of viewing the complete data. One option is to create 100+ security roles in SSAS (multidimensional), which is not a viable option. Please guide me how I can achieve dynamic security in PowerView so that every user sees their own view. Thanks.
Power View doesn't offer any kind of security. You will need to do this in SSAS, but you don't need 100+ security roles. You will want to look into dynamic security. To create dynamic security, you will need some way to relate a user to the information they should see. This usually means adding a field to an existing table or creating new tables.
If all users are secured by the same attributes, they can be contained in a single role. If some users are secured based on one attribute and others based upon another attribute, then you may need multiple roles.
Here's how this might work.
Create a table that contains all users that will need access to your cube.
Create a bridge table that ties the users to the attribute on which you are securing their access. For instance, maybe users can only see certain products so you have a table of User IDs and Product IDs.
Add these tables to your DSV.
Create a user dimension.
Create a measure group based upon your security bridge table.
Create a role for this user type and add an MDX statement to the Allowed Member Set. Also, set the Enable visual totals checkbox.
Populate the members for the role, preferably through an AD group rather than individually if you have 100+ users.
Your allowed member set will look something like
Exists(
{[Product].[Product ID].members},
STRTOSET("[Users].[UserName].[UserName].&[" + Username() + "]"),
"Bridge User Product"
)
You can find a good blog post here and a good video about SSAS security here (dynamic security starts around the 35 minute mark).

Liferay database access level (Site Level)?

I have a requirement that I need to restrict the Liferay database at site level.
Let me first explain my scenario.
Admin is the one who will create the site and site admins.
Here the admin user is the owner and sites are different clients.
Now each site will be treated as a different client.
So the site admin has privileges to see only his site-related data in the database but not other sites' data.
How can I handle this situation?
Do I need to use multiple databases for multiple clients/sites?
How do I maintain a different database for each client? Any suggestion please?
Note: I am not using Organizations, we are using only sites.
I hope I understand what you need. Based on my understanding, you can create a separate instance for each client in Liferay and use database sharding. Database sharding will allow you to have a different db for each client.
HTH.
You can use GroupID to split the users into some groups: Group Admin and Group Normal User.
Do not use a different database for different clients, because the 2 groups have some of the same points. You need only one database for all of the things you want to do. But you can customize it following GroupID ^^
Good luck!

security access for groups symfony

Hi, I have a group system and I'd like to add some security to it.
Users can belong to multiple groups and I'd like to know the best way to authorize people to see the groups only if they are in them. If they aren't, I want to redirect them to another page, which is different according to the group.
For now I created a service but I have to use it in every controller...
I've heard of multiple things but I'm not sure if they are appropriate for my situation.
Thanks for your help
There are several different ways to do this depending on the approach/complexity. Here are a few:
1) Use Symfony ACLs. When a user is added to a particular group, you can use the Symfony ACL system to grant them view access to that group, and then later check isGranted() against that group to see if they have view permissions.
2) Create a custom voter
http://symfony.com/doc/current/cookbook/security/voters.html#creating-a-custom-voter
3) If the number of groups is limited in number, you could even use Doctrine query filters to automatically add a where clause to all queries where the group_id is in a list of allowed groups for that user. You can bypass this for all admin users. http://doctrine-orm.readthedocs.org/en/latest/reference/filters.html

How do I retrieve the users of a specific group or data store through OpenAm 11 SOAP (or REST) web-services?

I have the following requirement: Retrieve the users from OpenAm which are members of a specific group. Alternatively, if possible, retrieve users defined in a specific data store. All this through web-services.
We have our own JDBC data store implementation which reads users from and authenticates users against our database. That works fine. The data store is one of two data stores in our sub realm. The other data store points to an LDAP.
Now I need to read the users (and later the user attributes) from users being defined in the LDAP data store, and only users of a specific group, if possible.
Previously we did that with WSO2. There they had a web-service method that allowed you to retrieve users of a specific group only.
Currently I am looking into the IdentityServices web-service of OpenAm, and I am able to list all users of my realm, and get the attributes. But for performance reasons, it would be nice to be able to refine the search. Is that possible? Am I looking at the wrong web-service?
Regards,
Sascha