The requested operation cannot be completed due to security restrictions - security

I have created a new add-on similar to the survey add-on. The module consists of 3 levels of groups:
Head Manager (admin)
Manager
User
If I am logged in as a manager and print the report, I get the warning below:
"AccessError: ('AccessError', u'The requested operation cannot be completed due to security restrictions.
Please contact your system administrator.\n\n(Document type: res.partner, Operation: read)') "
My rules are:
Manager:
<record model="res.groups" id="base.group_survey_manager">
    <field name="name">Custom Survey Manager</field>
    <field name="implied_ids" eval="[(4, ref('base.group_survey_user'))]"/>
    <field name="users" eval="[(4, ref('base.user_root'))]"/>
</record>
<record id="project_survey_manager_access" model="ir.rule">
    <field name="name">Survey Manager access rights</field>
    <field name="model_id" ref="custom_survey.model_custom_project_survey"/>
    <field name="domain_force">[(1, '=', 1)]</field>
    <field name="groups" eval="[(4, ref('base.group_survey_manager'))]"/>
    <field eval="1" name="perm_unlink"/>
    <field eval="1" name="perm_write"/>
    <field eval="1" name="perm_read"/>
    <field eval="1" name="perm_create"/>
</record>
Partner Form Security:
<record id="partner_list_access" model="ir.rule">
    <field name="name">Access to the manager to list related partners</field>
    <field name="model_id" ref="base.model_res_partner"/>
    <field name="domain_force">[('create_uid', '=', user.id)]</field>
    <field name="groups" eval="[(4, ref('base.group_survey_manager'))]"/>
</record>
If the manager is logged in, I would like to list the partners created by the current manager. That's why I added the partner rule.
How do I solve this issue?

Access to the manager to list related partners
[('create_uid','=',user.id)]
Here, there is no point in applying security access for create; remove it and add a simple domain to filter records.
If you want to restrict the user from creating, then give those rights in the access rights CSV file.
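
How the partner rule in the question plays out, as an added example that is not part of the original posts and is not Odoo code: a simplified Python model of record-rule evaluation (global rules AND'ed, the user's group rules OR'ed), followed by the alternative suggested above, a plain search domain. The model name custom.project.survey, the ids, and the idea that the report reads partners the manager did not create are assumptions.

```python
# Simplified model of Odoo record-rule evaluation; added example, not Odoo code.
from collections import namedtuple

User = namedtuple("User", "id groups")
Rule = namedtuple("Rule", "name model groups domain")  # empty groups = global rule
SUPERUSER_ID = 1  # the superuser bypasses record rules


class AccessError(Exception):
    pass


def matches(record, domain):
    """AND of leaves; only '=' and the always-true leaf (1, '=', 1) are modelled."""
    for left, op, right in domain:
        if op != "=":
            raise NotImplementedError(op)
        value = 1 if left == 1 else record[left]
        if value != right:
            return False
    return True


def can_read(user, model, record, rules):
    if user.id == SUPERUSER_ID:
        return True
    on_model = [r for r in rules if r.model == model]
    global_ok = all(matches(record, r.domain(user)) for r in on_model if not r.groups)
    group_rules = [r for r in on_model if r.groups & user.groups]
    # Group rules are OR'ed together, then AND'ed with the global rules.
    group_ok = not group_rules or any(
        matches(record, r.domain(user)) for r in group_rules)
    return global_ok and group_ok


def read(user, model, records, rules):
    """Like rendering a report: one forbidden record fails the whole call."""
    for rec in records:
        if not can_read(user, model, rec, rules):
            raise AccessError("(Document type: %s, Operation: read)" % model)
    return [rec["id"] for rec in records]


def search(user, model, records, domain, rules):
    """Search filters silently: forbidden records are simply left out."""
    return [r["id"] for r in records
            if matches(r, domain) and can_read(user, model, r, rules)]


# Constructed sample data (ids are made up).
manager = User(id=7, groups=frozenset({"base.group_survey_manager"}))
partners = [
    {"id": 1, "name": "Company", "create_uid": 1},
    {"id": 20, "name": "Manager's own partner", "create_uid": 1},
    {"id": 31, "name": "Customer added by manager", "create_uid": 7},
]
# The two rules from the question; the survey model name is inferred.
rules = [
    Rule("Survey Manager access rights", "custom.project.survey",
         frozenset({"base.group_survey_manager"}), lambda user: [(1, "=", 1)]),
    Rule("Access to the manager to list related partners", "res.partner",
         frozenset({"base.group_survey_manager"}),
         lambda user: [("create_uid", "=", user.id)]),
]
rules_without_partner_rule = rules[:1]
```

With the partner rule in place, `search` returns only partner 31 while `read` over all three partners raises the AccessError from the question; without it, the same filtering is obtained by passing `[("create_uid", "=", manager.id)]` as the search domain.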

Go to Settings -> Manage Access Rights -> select the user -> check the PORTAL option in 'other extra rights' at the bottom. If it is blank, mark it True.

Two security groups with different permissions for the same model - Odoo

I have a model called "banner". I am trying to create a security group "custom_sales" which will only have read access to "banner". However, I want the admin user to have all access rights.
This is what I'm trying:
security/groups.xml:
<record model="res.groups" id="custom_sales">
    <field name="name">Custom Sales Group</field>
    <field name="users" eval="[(4, ref('base.user_admin'))]"/>
</record>
ir.model.access.csv:
access_ftrv_banner,access.ftrv.banner,model_ftrv_banner,custom_sales,1,0,0,0
This does create an access right of read only for custom sales users, but the admin can no longer even view the banner model.
First: modify the security group, because what you wrote will give all users in your custom group the admin role (base.user_admin)
<record model="res.groups" id="custom_sales">
    <field name="name">Custom Sales Group</field>
    <field name="users" eval="[(4, ref('base.group_user'))]"/>
</record>
Second: add all access rights to admin
access_ftrv_banner_admin,access.ftrv.banner.admin,model_ftrv_banner,base.user_admin,1,1,1,1

User with an organization role doesn't get notified nor assigned task

I have the next workflow:
A user fills in some fields configured in Dynamic Data List and clicks submit.
A user with the role Petition analyzer can assign the petition to himself. Then he can do the next three things: resolve it (notifying the creator about this), ask for details (the petition returns to the creator), or forward it to an organization.
The organization, in turn, can resolve the petition or ask for details.
I have created two users, user1 and user2 who belong to the organization and have the role Security role.
Everything works great except the time when the petition analyzer decides to forward the petition to an organization. The task does not appear under "My Workflow tasks" menu for any of the users belonging to the organization.
If I assign the "forwarded to an organization" task to a petition analyzer, the petition analyzer receives the task so, I believe, the workflow is correctly created. Or not ... it's your decision to make.
The role, users, organization creation I'm worried about. I have created a role "Security role" of type "organization", an organization called "Organization A" and the users: user1, user2 are added to the Organization A and assigned the role "Security role". When I log in as user1 I expect to find the task and be notified about it which does not happen.
I am waiting for your suggestions. Thank you.
Here is my workflow:
<workflow-definition
    xmlns="urn:liferay.com:liferay-workflow_6.2.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:liferay.com:liferay-workflow_6.2.0 http://www.liferay.com/dtd/liferay-workflow-definition_6_2_0.xsd">
    <name>Petition workflow</name>
    <description>Petition Workflow</description>
    <version>1</version>
    <state>
        <name>created</name>
        <metadata>
            <![CDATA[{"xy":[36,51]}]]>
        </metadata>
        <initial>true</initial>
        <transitions>
            <transition>
                <name>sent it to be analyzed</name>
                <target>sent it to be analyzed</target>
            </transition>
        </transitions>
    </state>
    <task>
        <name>asking for details</name>
        <metadata>
            <![CDATA[{"transitions":{"resubmit":{"bendpoints":[[303,140]]}},"xy":[328,199]}]]>
        </metadata>
        <actions>
            <action>
                <name>reject</name>
                <script>
                    <![CDATA[
                    Packages.com.liferay.portal.kernel.workflow.WorkflowStatusManagerUtil.updateStatus(Packages.com.liferay.portal.kernel.workflow.WorkflowConstants.toStatus("denied"), workflowContext);
                    Packages.com.liferay.portal.kernel.workflow.WorkflowStatusManagerUtil.updateStatus(Packages.com.liferay.portal.kernel.workflow.WorkflowConstants.toStatus("pending"), workflowContext);
                    ]]>
                </script>
                <script-language>javascript</script-language>
                <execution-type>onAssignment</execution-type>
            </action>
            <notification>
                <name>Notification creator that the petition was modified</name>
                <template>Petition was modified by ${userName}. Please make the needed changes and resubmit.</template>
                <template-language>freemarker</template-language>
                <notification-type>email</notification-type>
                <notification-type>user-notification</notification-type>
                <execution-type>onAssignment</execution-type>
            </notification>
        </actions>
        <assignments>
            <user />
        </assignments>
        <transitions>
            <transition>
                <name>Resubmit</name>
                <target>sent it to be analyzed</target>
            </transition>
        </transitions>
    </task>
    <task>
        <name>sent it to be analyzed</name>
        <metadata>
            <![CDATA[{"xy":[168,36]}]]>
        </metadata>
        <actions>
            <notification>
                <name>Notification petition analyzer that he needs to analyze a petition</name>
                <template>${userName} sent you a ${entryType}.</template>
                <template-language>freemarker</template-language>
                <notification-type>email</notification-type>
                <notification-type>user-notification</notification-type>
                <execution-type>onAssignment</execution-type>
            </notification>
            <notification>
                <name>Notification creator, through email, that the analysis is complete</name>
                <template>
                    The petition has been analyzed and has the following commentaries: ${taskComments}.</template>
                <template-language>freemarker</template-language>
                <notification-type>email</notification-type>
                <recipients>
                    <user />
                </recipients>
                <execution-type>onExit</execution-type>
            </notification>
        </actions>
        <assignments>
            <roles>
                <role>
                    <role-type>regular</role-type>
                    <name>Petition analyzer</name>
                </role>
            </roles>
        </assignments>
        <transitions>
            <transition>
                <name>Resolve petition</name>
                <target>approved</target>
            </transition>
            <transition>
                <name>Ask for details</name>
                <target>asking for details</target>
                <default>false</default>
            </transition>
            <transition>
                <name>Forward to an organization</name>
                <target>forwarded to an organization</target>
            </transition>
        </transitions>
    </task>
    <task>
        <name>forwarded to an organization</name>
        <metadata>
            <![CDATA[{"xy":[168,36]}]]>
        </metadata>
        <actions>
            <notification>
                <name>Notification user belonging to an organization that he received a task</name>
                <template>${userName} sent you a ${entryType}.</template>
                <template-language>freemarker</template-language>
                <notification-type>email</notification-type>
                <notification-type>user-notification</notification-type>
                <execution-type>onAssignment</execution-type>
            </notification>
            <notification>
                <name>Notification creator, through email, when the analysis is completed</name>
                <template>
                    The petition has been sent to be analyzed and has the following commentaries: ${taskComments}.</template>
                <template-language>freemarker</template-language>
                <notification-type>user-notification</notification-type>
                <notification-type>email</notification-type>
                <recipients>
                    <user />
                </recipients>
                <execution-type>onAssignment</execution-type>
            </notification>
        </actions>
        <assignments>
            <roles>
                <role>
                    <role-type>organization</role-type>
                    <name>Security role</name>
                </role>
            </roles>
        </assignments>
        <transitions>
            <transition>
                <name>Resolve petition</name>
                <target>approved</target>
            </transition>
            <transition>
                <name>Ask for details</name>
                <target>asking for details</target>
                <default>false</default>
            </transition>
        </transitions>
    </task>
    <state>
        <name>approved</name>
        <metadata>
            <![CDATA[
            {"xy":[380,51]}
            ]]>
        </metadata>
        <actions>
            <action>
                <name>approve</name>
                <script>
                    <![CDATA[
                    import com.liferay.portal.kernel.workflow.WorkflowStatusManagerUtil;
                    import com.liferay.portal.kernel.workflow.WorkflowConstants;
                    WorkflowStatusManagerUtil.updateStatus(WorkflowConstants.toStatus("approved"), workflowContext);
                    ]]>
                </script>
                <script-language>groovy</script-language>
                <execution-type>onEntry</execution-type>
            </action>
            <notification>
                <name>Notification creator that petition has been approved</name>
                <template>
                    The petition has been approved with the following comentaries: ${taskComments}.</template>
                <template-language>freemarker</template-language>
                <notification-type>user-notification</notification-type>
                <recipients>
                    <user />
                </recipients>
                <execution-type>onEntry</execution-type>
            </notification>
        </actions>
    </state>
</workflow-definition>
I took a while to look at your workflow definition and tested it a bit on my local environment. I managed to reproduce the same effect. Even though all tasks were assigned to the right users, notifications for organization roles seemed not to be working at all.
Here is what I managed to see after some deeper research:
Web Content edited within an organization (or just a site) other than the one connected with the role Security role makes notifications stop working for organization roles.
On the other hand, if you do the following:
Enable your workflow definition for the given organization (the same one which is set to Security role)
Create Web Content within the given organization (the same as above)
All notifications seem to be working!
This is quite strange, since the whole workflow seems to be working no matter what organization it uses, but notifications seem to be closely related to the organization of the processed tasks. This is either a bug or a feature.
Update
Check out this part of the code in the WorkflowTaskManagerImpl class:
if ((role.getType() == RoleConstants.TYPE_SITE) ||
    (role.getType() == RoleConstants.TYPE_ORGANIZATION)) {

    // The lookup is keyed on the group id stored with the task instance token.
    List<UserGroupRole> userGroupRoles =
        UserGroupRoleLocalServiceUtil.
            getUserGroupRolesByGroupAndRole(
                kaleoTaskInstanceToken.getGroupId(),
                kaleoTaskAssignment.getAssigneeClassPK());

    for (UserGroupRole userGroupRole : userGroupRoles) {
        pooledActors.add(userGroupRole.getUserId());
    }
}
kaleoTaskInstanceToken.getGroupId() is based on the groupId which was saved in the kaleotaskinstancetoken entry. This means, as I have mentioned above:
If you create Web Content in a different Organization than the one which is assigned to your organization role, this part of the code won't be able to find such a role. As a consequence, not a single notification will be sent for this task.
This is either a bug that should be fixed by Liferay, or some sort of feature allowing Organization roles to be passed to a workflow definition not connected directly with the organization.

Membership for external users in Sitecore 8

I want to build a user registration store for Sitecore 8 website. The users will go in an external database.
Sitecore.NET 8.0 (rev. 150223)
.NET Framework 4.0.30319.18052
Razor Version=3.0.0.0
MVC 5.2.3.0
Asp.net MVC comes with the membership built in (AccountController, views, etc). I wanted to port this to my Sitecore project. The problem is Sitecore also uses membership internally. I know there is a way for getting membership working for the Sitecore 6.x versions through the switching providers described at Sitecore authenticate users against external membership database.
Is it still the same process for Sitecore 8?
This still applies to Sitecore 8 and the core asp.net membership features and the switching membership provider can still be used. The mongo db side of Sitecore 8 is for xDb, but you still use membership systems to authenticate.
I won't provide any further detail as the post you referenced seems to cover it all. Just in case there's another good post here:
https://himadritechblog.wordpress.com/2014/11/24/sitecore-custom-membership-provider/
Make sure you declare a new domain for your membership system in your domains.config.
I ended up not using the SimpleMembership and just going with Membership. I could not get the adapter that the thecodeking link mentions to work.
This method is not properly documented. I just had to change the config files. I did not have to create a custom class that inherits from MembershipProvider.
Web.config:
In membership section,
change realProviderName to "switcher"
copy "sql" node and change name and connectionStringName to "external"
In switchingProviders section,
add "external" node with domains "external"
web.config:
<membership defaultProvider="sitecore" hashAlgorithmType="SHA1">
    <providers>
        <clear />
        <!-- change realProviderName to "switcher" -->
        <add name="sitecore"
             type="Sitecore.Security.SitecoreMembershipProvider, Sitecore.Kernel"
             realProviderName="switcher"
             providerWildcard="%"
             raiseEvents="true"
        />
        <add name="sql"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="core"
             applicationName="sitecore"
             minRequiredPasswordLength="1"
             minRequiredNonalphanumericCharacters="0"
             requiresQuestionAndAnswer="false"
             requiresUniqueEmail="false"
             maxInvalidPasswordAttempts="256"
        />
        <add name="switcher"
             type="Sitecore.Security.SwitchingMembershipProvider, Sitecore.Kernel"
             applicationName="sitecore"
             mappings="switchingProviders/membership"
        />
        <!-- copy "sql" node and change name and connectionStringName to "external" -->
        <add name="external"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="external"
             applicationName="sitecore"
             minRequiredPasswordLength="1"
             minRequiredNonalphanumericCharacters="0"
             requiresQuestionAndAnswer="false"
             requiresUniqueEmail="false"
             maxInvalidPasswordAttempts="256"
        />
    </providers>
</membership>
<switchingProviders>
    <membership>
        <provider providerName="sql" storeFullNames="true" wildcard="%" domains="*" />
        <!-- add "external" node with domains "external" -->
        <provider providerName="external" storeFullNames="true" wildcard="%" domains="external" />
    </membership>
</switchingProviders>
ConnectionStrings.config:
add connection "external"
config:
<add name="external" connectionString="..." providerName="System.Data.SqlClient"/>
Domains.config:
add domain "external"
config:
<domain name="external" ensureAnonymousUser="false" />
Then use the "external" provider directly which saves user to external db. This is the key point.
// uses "external" provider directly
Membership.Providers["external"].CreateUser(...)
Instead of this which saves to core db.
// uses default provider
Membership.CreateUser(...)
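
A consistency check for the wiring listed in this answer, as an added example that is not Sitecore's or the poster's code: it confirms that the switcher, the mappings, the connection string and the domain line up, and reports the password-policy values the external provider inherits from the copied sql node. The thresholds, the comma-separated domains format and the function name are assumptions.

```python
# Added example, not Sitecore code: checks the switching-provider wiring.
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the web.config in the answer above.
WEB_CONFIG = """
<configuration>
  <membership defaultProvider="sitecore" hashAlgorithmType="SHA1">
    <providers>
      <add name="sitecore" realProviderName="switcher"
           type="Sitecore.Security.SitecoreMembershipProvider, Sitecore.Kernel" />
      <add name="sql" type="System.Web.Security.SqlMembershipProvider"
           connectionStringName="core" minRequiredPasswordLength="1"
           maxInvalidPasswordAttempts="256" />
      <add name="switcher" mappings="switchingProviders/membership"
           type="Sitecore.Security.SwitchingMembershipProvider, Sitecore.Kernel" />
      <add name="external" type="System.Web.Security.SqlMembershipProvider"
           connectionStringName="external" minRequiredPasswordLength="1"
           maxInvalidPasswordAttempts="256" />
    </providers>
  </membership>
  <switchingProviders>
    <membership>
      <provider providerName="sql" domains="*" />
      <provider providerName="external" domains="external" />
    </membership>
  </switchingProviders>
</configuration>
"""

MIN_LENGTH = 8     # assumed policy floor, not a Sitecore or ASP.NET value
MAX_ATTEMPTS = 10  # assumed lockout ceiling, same caveat


def check(config_xml, connection_strings, domains):
    """Return findings; connection_strings and domains are the names declared
    in ConnectionStrings.config and Domains.config."""
    root = ET.fromstring(config_xml)
    providers = {p.get("name"): p for p in root.findall("membership/providers/add")}
    findings = []
    real = providers.get(providers["sitecore"].get("realProviderName"))
    if real is None or "SwitchingMembershipProvider" not in real.get("type", ""):
        findings.append("sitecore.realProviderName does not point at the switcher")
    for mapping in root.findall("switchingProviders/membership/provider"):
        name = mapping.get("providerName")
        if name not in providers:
            findings.append("mapping references undeclared provider '%s'" % name)
        for domain in mapping.get("domains", "").split(","):  # assumed separator
            domain = domain.strip()
            if domain not in ("", "*") and domain not in domains:
                findings.append("domain '%s' missing from Domains.config" % domain)
    for name, p in providers.items():
        if "SqlMembershipProvider" not in p.get("type", ""):
            continue
        if p.get("connectionStringName") not in connection_strings:
            findings.append("provider '%s': connection string not declared" % name)
        # Fallbacks are the ASP.NET SqlMembershipProvider defaults (7 and 5).
        if int(p.get("minRequiredPasswordLength", "7")) < MIN_LENGTH:
            findings.append("provider '%s': minRequiredPasswordLength below %d"
                            % (name, MIN_LENGTH))
        if int(p.get("maxInvalidPasswordAttempts", "5")) > MAX_ATTEMPTS:
            findings.append("provider '%s': maxInvalidPasswordAttempts above %d"
                            % (name, MAX_ATTEMPTS))
    return findings
```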
I personally like to keep the membership logic very simple and away from custom providers. Sitecore has a concept of Virtual User that you can instantiate once you authenticate on the external DB. You can set any custom properties on this virtual user and let sitecore record it in xDB.
Here is a good example.

Unable to authenticate on SharePoint Online using the BizTalk SharePoint adapter

I have the following issue when using BizTalk 2013 ("R1") and SharePoint Online:
I have a static send port configured to add data to one specific list in a list in a SharePoint Online environment.
I have authentication setup using the username and password and I'm 100% sure this is a correct username and password. I'm able to login using the same credentials via a browser without problem.
FYI: the account used is a "Microsoft" only account, so not listed as an organizational (work/school) account as well.
Whenever I try to send something to the list, I get the following error:
A message sent to adapter "Windows SharePoint Services" on send port "SP_SharePointOnline" with URI "wsss://company.sharepoint.com:443/sites/poc/Biztalk-Demo/TR/Lists/List%%201" is suspended.
Error details: [System.ServiceModel.CommunicationObjectFaultedException] The communication object, System.ServiceModel.Channels.ServiceChannel, cannot be used for communication because it is in the Faulted state.
This error was triggered by the Windows SharePoint Services receive location or send port with URI wsss://company.sharepoint.com:443/sites/poc/Biztalk-Demo/TR/Lists/List%%201.
Windows SharePoint Services adapter event ID: 12310
I have enabled WCF and WIF tracing in the BizTalk BTSNTSvc.exe and BTSNTSvc.exe.config as follows:
<system.diagnostics>
    <sources>
        <source name="Microsoft.IdentityModel" switchValue="Verbose">
            <listeners>
                <add name="wif" />
            </listeners>
        </source>
        <source name="System.ServiceModel.MessageLogging" switchValue="Verbose">
            <listeners>
                <add name="wcf" />
            </listeners>
        </source>
    </sources>
    <sharedListeners>
        <add initializeData="C:\logs\WCF64.svclog" type="System.Diagnostics.XmlWriterTraceListener" name="wcf" />
        <add initializeData="C:\logs\WIF64.svclog" type="System.Diagnostics.XmlWriterTraceListener" name="wif" />
    </sharedListeners>
</system.diagnostics>
I get WCF logging, but I don't have any WIF logging (as I would expect).
The WCF logging provided the following as to why the channel faults (extract from WCF Trace Viewer):
<S:Fault>
    <S:Code>
        <S:Value>S:Sender</S:Value>
        <S:Subcode>
            <S:Value>wst:FailedAuthentication</S:Value>
        </S:Subcode>
    </S:Code>
    <S:Reason>
        <S:Text xml:lang="en-US">Authentication Failure</S:Text>
    </S:Reason>
    <S:Detail>
        <psf:error>
            <psf:value>0x80048821</psf:value>
            <psf:internalerror>
                <psf:code>0x80041012</psf:code>
                <psf:text>The entered and stored passwords do not match.
                </psf:text>
            </psf:internalerror>
        </psf:error>
    </S:Detail>
</S:Fault>
As said: I'm 100% sure this is the correct username and password!
I'm stuck here, anyone able to help me out or point me in the right direction?
Why don't I have any WIF logging?
Regards,
I think there is a problem in your URL. What if you try to use in the URL the link to your SharePoint site and the name of your list as "Destination Folder URL"?
You can check this walkthrough.

Cannot change Business Unit

I am working with CRM 2011. I created a new organization ORG with a Service Account SRVACC. I created 2 other users with system admin role. I also created One Business Unit. So now in my System I have one Parent Business & one Child Business unit, 2 System admin users and One SRVACC with system admin role.
For testing purposes, I changed the BU of the SRVACC from parent BU to child BU. The problem is that now I cannot change it back to the parent BU for the SRVACC record.
Can someone please help?
Error:
Unhandled Exception: System.ServiceModel.FaultException`1[[Microsoft.Xrm.Sdk.OrganizationServiceFault, Microsoft.Xrm.Sdk, Version=5.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]: System.Web.HttpUnhandledException: Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #9D70E497
Detail:
<OrganizationServiceFault xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/xrm/2011/Contracts">
    <ErrorCode>-2147220970</ErrorCode>
    <ErrorDetails xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Collections.Generic" />
    <Message>System.Web.HttpUnhandledException: Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #9D70E497</Message>
    <Timestamp>2014-10-06T07:23:41.398256Z</Timestamp>
    <InnerFault>
        <ErrorCode>-2147220943</ErrorCode>
        <ErrorDetails xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.Collections.Generic" />
        <Message>Principal user (Id=f55c3ae0-5748-e411-bb3d-005056a77686, type=8) is missing prvReadAsyncOperation privilege (Id=e84acc8f-0c61-43e3-a716-20964a483bdf)</Message>
        <Timestamp>2014-10-06T07:23:41.398256Z</Timestamp>
        <InnerFault i:nil="true" />
        <TraceText i:nil="true" />
    </InnerFault>
    <TraceText i:nil="true" />
</OrganizationServiceFault>
If you read the Error you will find:
Principal user (Id=f55c3ae0-5748-e411-bb3d-005056a77686, type=8) is
missing prvReadAsyncOperation privilege
(Id=e84acc8f-0c61-43e3-a716-20964a483bdf)
prvReadAsyncOperation privilege is the Read privilege for System Job Entity (Role Customization tab):
