I'm developing an application, where users are able to store their notes.
The roles hierarchy is the following:
user role could create, read, update and delete their own
notes.
admin role inherits user role and has access to
all users notes.
The issue is, that most of ACL tutorials, are describing generic cases, regarding how to declare permissions for a roles like user, admin, manager etc.
There is a lack of information regarding the cases, when we need to protect specific user notes from changing by other users. How to handle this in the scope of ACL?
Related
I need to create multiple users in same AD and need to isolate the resources created by one user from other user.Is it really possible.since I am new to Azure I am not aware that this is really possible.It would be great if some one render their hands to advice on this.
There is no absolute isolation, there are only certain restrictions.
The users created in the AAD tenant are all the Members by default, they have the default permissions e.g. Read all properties of groups, Read properties of registered and enterprise applications. So if user A created some resources e.g. group, application, the user B will also be able to read the properties of them.
There are some restrictions, like Manage properties, ownership, and membership of groups the user owns, Manage application properties, assignments, and credentials for owned applications. This means some properties of the resources can just be managed by the Owner of them.
For more details about the default user permissions, you could refer to https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions
And if the user is assigned as the admin role in the tenant, he will have more permissions than the default users, see https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles
I'm new in sails and I have a PostgreSQL database. I want to implement a user management. I have some users, each user can be assigned to multiple groups, each group can be assigned to multiple roles and each role can have some permissions! I checked document of sails permissions but I didn't get it well. for example, I want some groups not to be able to add or edit users or I want some roles not to be able to see user management menu. what should I do?
I may be a little late to post answer here, But there is a way available for access control in sails.
Sails has built-in policy based access control system.
Policy
Policies in Sails are designed for controlling binary ("yes or no") access to particular actions. They work great for checking whether a user is logged in or for other simple "yes or no" checks, like whether the logged in user is a "super admin".
But for Dynamic permissions,
Helpers
Link for documentation of helper, access-control-and-permissions
For more complex permission schemes, like those in which a requesting user agent's access rights depend on both who they are and what they're trying to do, you'll want to involve the database. While you can use policies to accomplish this, it's usually more straightforward and maintainable to use a helper.
One can find example here,
Using helper for access control and permission
So you can use postgreSQL for storing roles and their respective permissions and retrive user role and check permission on need in policy/helper.
Sails.js has no ACL managment
You have to use 3rd party middleware like roles or role-acl
Sounds like what's most important is the association of the user to the permission (or role). So you could consider making models for each tier (user, role, group) or you can make a model for each kind of group and/or role (though that sounds like it could get out of hand) and then have the models associated with eachother. Then in the view action you can set what the permissions are (aka what groups or roles are allowed to see that page). Also in the markup you can set who is allowed to even see a button.
For example:
isSales could be a boolean on your group or roles model for a user that is in sales and they are allowed to see the edit button to change the price of something. So in your markup you have:
<div v-if="user.isSales">
<button> Edit price </button>
</div>
Most of the following is done with the parse-dashboard so it's a bit wordy, but I understand the code just not the relationships.
I'm setting Parse.Roles and it seems like each individual Parse.Object needs to have the Role set to have access to a given Parse.Object. For example, an Object ACL needs to contain both "Admin" and "Moderator" (with respective permissions) for Admins or Moderators to have access.
Since parent and child roles are possible, it would make sense to set a Parse.Object's ACL with the "Organization" Role, which is then further modified by the child Role. So, a "Viewer" within an "Organization" cannot Write, but an "Admin" within the "Organization" can Read/Write. I've tried multiple ways of doing this - associating one user to a "Viewer" and one to an "Admin" within an "Organization" but this does not seem to work.
My Current Solution: To manually/programmatically set each Parse.Object ACL with multiple pre-set Roles. E.g. Parse Class "Person" with ACL Roles "Viewer" & "Admin".
Question: If I want to create a different Role in the future for this same Organization, will I need to loop through each Parse.Object and manually set the new Role for each of the past Objects?
It would make sense that these relationships should be managed by the parent Organization so that this doesn't need to be done manually, but this doesn't seem to work.
Any answers, thoughts, or links are appreciated.
As you have mentioned, roles can have roles and inherit the privileges of their parent role.
Hence, if the new role applies to all objects of a class or a group of them, you don't need to loop through all parse objects.
I will give you an example:
Let's say you have a class named Posts.
you have a role name viewer, and you have a role named editor.
when you create a new post object, you add both roles viewer and editor as the ACL of the post object. For instance, the viewer role can only have read access and editor may have both read and write access.
For each organization:
First you create a role name uniqueOrganizationName
Then you add all users belong to that organization to uniqueOrganizationName users (relation).
Now, in the future, if you want to add all users of that organization to for instance editorRole, instead of adding editorRole to all user objects, you can add uniqueOrganizationName to editorRole roles. Now, all users of that organization can modify all posts. If you want some users of the organization to be able to edit the post, the you add those users to editorRole users.
Note: this approach is global. so the organization editors may edit all posts objects. If you want to limit the editors of an organization to only be able to edit posts belong that that organization:
create two unique role for each organization viewUniqueOrganizationRole & editUniqueOrganizationRole.
Now, when you create a new post, depending on what organization that post belongs to, you add viewUniqueOrganizationRole && editUniqueOrganizationRole to the ACL of the post object.
After this, you can add users' to viewUniqueOrganizationRole to be able to view posts belongs to that organization or you can add users to editUniqueOrganizationRole so they can edit your post.
I hope I could answer your question. This is a complex design.
I need to give permissions to edit/create/destroy pages in a node to a group of users.
I've created a group and added a test user to that group.
I can't seem to give permission to the Pages application so see if i can see the node.
I also added game this role permissions at the node level too.
Ideally this editor role would be able to create new sub pages, which also means being able to upload media.
Your new user must have editor privilege level (you can edit user in Users application). If you want to provide ability to see content in Pages app you have to grant the user with Browse tree and Read permission (content module). To satisfy your scenario you need to grand user with Modify and Create permissions, too (maybe Design?).
Just FYI: The approach provided by Brenden (cloning the role) is very handy but there a is chance you grant the user with permission you don`t want to provide (inappropriate permissions for original role).
I've found the most efficient method is review the out of the box roles provided by Kentico and clone the one which fits closest to your needs. Then modify your cloned role to add/remove abilities and permissions.
If you're unsure of what each role can and cannot do, create a new test user with one of the roles assigned to them and log in as them. Do the same for all the roles you want to test until you find the one closest to what you're looking for.
So I am very interested in using Cloudkit but the documentation on anything over the basic features is horrible. I am looking to establish two basic user types: standard user (someone that can read records only) and an Admin user (can create and modify records). I setup security roles to reflect this and changed the access modifiers on each of the record types to include these roles. However, I cannot find anywhere how to change a user from one role to the other. I have implemented an Admin login of sorts in the app. Once they enter in the appropriate credentials, I want to allow that user to start editing records.
Does anyone know how to do this?
Thanks
I think it's still not possible to assign a security role to a user using code. Then this answer is still valid: How do I access security role in cloudkit