I have set up Sonata user bundle with Sonata admin. Now I have user groups that have some roles. I created an "admin" group and assigned ROLE_ADMIN.
Now if I create a user and assign him to this admin group, then log out and try to log in to the admin panel with this user, I get an access denied error.
It seems that I need to set the user role as ROLE_ADMIN. Group roles do not work. What good are user groups if I still have to set a role for each individual user?
Or is there a way to make group roles work?
Seems I found the answer. I have to configure sonata_user:
    sonata_user:
        table:
            user_group: fos_user_user_group
I have User Admin role assigned and just noticed that am not able to delete external users.
The User Admin has the right microsoft.directory/users/delete, and I guess that is not enough.
The Global Admin has the right microsoft.directory/users/allProperties/allTasks:
Create and delete users, and read and update all properties.
Do you know if there is any other role that grants the right to delete external users? Or am I missing something here?
I have User Admin role assigned and just noticed that am not able to delete external users.
You can check the User Admin role's permissions here. As per the document, as shown in the image below, Delete or Restore users is not applicable for this User Admin role.
As per your requirement, the Global Administrator has this delete-user access privilege. Here you can go through the Global Administrator rights.
there is any other role that grants the right to delete external users?
AFAIK the Global Administrator role is the only built-in role in Azure AD that grants the ability to delete external users. But if you do not want to assign the Global Administrator role and still want to be able to delete external users, you can create a custom role and assign the "microsoft.directory/users/delete" permission to it.
In Azure you can create a custom role in different ways, like:
~Using Azure portal.
~Using PowerShell
~Using CLI
To create a custom role using the portal, check whether custom roles are enabled or disabled, as shown in the image below: select your subscription or resource group >> Access control >> +Add >> Add Custom role.
Creating a custom role is a bit complicated. If you are OK with a custom role, follow the detailed steps in the MS document on creating a custom role using the Azure portal.
Create Custom role Using PowerShell
I use Django auth groups. The groups contain permissions (https://docs.djangoproject.com/en/4.1/ref/contrib/auth/#group-model). Now groups are assigned to users based on their actual role. In my test setup one group contains the permission (market.xyz). This group is assigned to the logged-in user.
In the debugger I see that the group permission is assigned (line 88).
But if I call user.has_perm(per1) I get False (line 87).
Same results for calling user.has_perm('market.xyz').
I can not make sense of this result. Is it necessary to activate the auth group mechanism? Do I have to add some additional Middleware?
To be sure I double-checked the documentation about group permissions being available on user level (https://docs.djangoproject.com/en/4.1/topics/auth/default/#groups):
A user in a group automatically has the permissions granted to that group. For example, if the group Site editors has the permission can_edit_home_page, any user in that group will have that permission.
Above I already suspected that some kind of Middleware is missing to activate the auth groups. Pretty close! After some trial and error I discovered that the ModelBackend makes it all work. IMHO the documentation on auth groups could make a remark on this!
    AUTHENTICATION_BACKENDS = [
        "foo.bar.MyOwnAuthBackend",
        "django.contrib.auth.backends.ModelBackend",
    ]
I have a problem.
My scenario is:
Create a new role, let's say "Supporting Administrator Role".
Inside define permission, under Users and Organization, there is no option to create a user.
I know the "Administrator role" has the ability to add users.
The reason I created a new role for the support admin is that I don't want users assigned to this role to be able to see all settings. But this role needs the ability to manually add users, like the super admin can.
Can someone help me, please?
I have created a 'Site User' role which is appropriate for users who will be Viewers on every available portlet. For example, a user with this role should only be allowed to view documents in the Documents and Media portlet, but not allowed to add a new document or edit an existing one.
I have defined the proper permissions in my Site role; however, users with this Site role are still able to create events or add documents etc.
All these users are also assigned the Social Office User role, but as far as I can see no such permission is granted by this role.
I'm wondering if this is normal behavior, or whether the only solution is to modify portlets in a way that they won't allow users without the 'Site Admin' role to perform certain actions.
They're most likely still assigned to the "User" role (portal wide), or get the permission from being a "Site Member". As you can't remove permissions, only add them through roles, check these roles for their bundled permissions.
They're assigned to the Site Member role by default, as Olaf stated. Look at this file:
https://github.com/liferay/liferay-portal/blob/master/portal-impl/src/resource-actions/documentlibrary.xml
As Site Member you have:
    <site-member-defaults>
        <action-key>ADD_DOCUMENT</action-key>
        <action-key>ADD_FOLDER</action-key>
        <action-key>ADD_SHORTCUT</action-key>
        <action-key>SUBSCRIBE</action-key>
        <action-key>VIEW</action-key>
    </site-member-defaults>
as default action permissions.
The inherited roles are the roles which appear as shown in the image:
So my questions are:
What are inherited roles? Please explain.
What are the use-cases in which roles would appear in this section for a User?
Thanks in advance.
You can (for example) be member of a UserGroup which is assigned a role. This would not be editable on the user profile, but an effective role that is good to see if it's there. The other "independent" roles (e.g. through an organization) should also appear there.
Inherited roles can be configured in:
Control Panel > Roles > Select a particular role > Assign Members > Select the Sites tab
Inherited Roles
Inherited roles do not really exist in Liferay, but we can see these roles in the Roles section of the user's My Account page. These roles appear specifically when the user is a member of a user group which is assigned a role.
We can say that if a role is associated with a User Group and the user is a member of that user group, then the role is visible as part of the inherited roles section.
Simply put, the user is not directly associated with the role; instead, the User Group is associated with the role and the user is a member of the User Group, so the role becomes an inherited role for users who belong to the User Group.