Where security role is used - security

I have created a form for a specific group of users in my CRM 2011 system. I want only them to be able to see this form. I can copy their a security role and set the form for this security role only, but I will have a a problem:
they are currently in a security role with another group of users. If I copy the security role, the will not longer see the specific customization's all over across the system.
I only want one form to be different from the others. Is there any way I can find all the forms that are enabled for the specific security role (in order to give the new role this rights too)?

Assumptions based on your question: You already have default form for the entity that is used by all users (All Users). You want to add an additional form to that entity that is only available to some of the users (Select Users). All Users are currently assigned a security role that gives them the necessary access to the system.
Create a new security role (Form Specific Role). You don't have to give this role any privileges just a name.
Assign the Select Users the Form Specific Role. Do NOT remove their other security role(s).
Add the new form the entity, Restricted Form.
Highlight the new form and click Enable Security Roles. Select the option Display only to these selected security roles and select the Form Specific Role you created in step # 1. Make sure Enabled for fallback is unchecked. Click Ok.
From the forms list Form Order and select Main Form Set (or the appropriate form type if you are working on a Mobile or Quick Create Form.
Use the Up/Down arrows to make the new, Restricted Form, the top choice.
Save and Publish all changes.
Now whenever a user that has been assigned the security role accesses this entity their default form choice will be the Restricted Form. There will be NO impact to any other forms they are accessing or any of their privileges in the rest of the system, as required by your problem statement.

Related

Kentico User and Role Management

I am running Kentico 11. I have a section of the site that requires user login to read and download some hidden content.
Those users are stored in the Configuration -> Users table. I have a custom Role that these users are assigned to so they can login and view the content & download files. We have an external (CRM) system that is integrated with Kentico. This CRM automates the User account creation & Role assignment based on yearly training records. So the user accounts do not get manually created. CRM manages the creation & deactivation. This is working as intended with 1,000s of users.
Business requirements have changed and now requires two levels of access. Will require a 2nd Role be created. First tier will allow basic access to content. A new 2nd tier (additional Role) will allow access to the file downloads.
The first tier will remain managed by the 3rd party integration from CRM (account & 1st role assigned). The 2nd tier will have to be manually controlled. Someone will have to login to Kentico, Configuration -> Users. Search for the user and add the 2nd Role.
To avoid putting the burden on the programmers I need to allow some of my non-technical team (customer support, product management) to be able to manage the Users.
These non-technical do not have Kentico CMS accounts. I do not want to make them Administrator and give them "keys to everything".
My question is specific to Configuration -> Permissions -- can I give my non-technical team the Read permission to "CMS Basic User" and Manage User Roles "Contractor" (and my custom role 1st ) and expect that they will be able to login to Kentico, navigate to Users and maintain my Contractors.
This is expected to allow them to view my contractors, and add them to a new 2nd role "Contractor Download". Take bob.smith#someemail.com for example. Bob is a contractor, the CRM tool added him to the Users Table with the roles Authenticated, Everyone and Contractor. Bob has completed some training and now needs the Contractor Download role.
Is the appropriate best-practice in Kentico to give my non-technical staff the CMS Basic User role & Contractor Role so they can manage our contractors? Is there a risk to this configuration? Will they be able to manage other roles? I do not want them to be able to edit content management, ecommerce or any other configurations.
It can be hard to give permission to manage one role but not the other. Usually in terms of UI permissions, you either have permission to the entire operation or you don't.
While using Kentico's back end UI would be beneficial, and giving them an account with limited administrative roles I think would be fine, what i would do is create a custom User interface and give them access to that UI, and all that UI element would be would be a drop down of available users to assign to the role, and a button that would use Kentico's API to assign them.
You can make the entire thing using the Custom Control webpart and point to your ascx, don't need anything particularly fancy.
the API to assign the role is pretty simple:
UserRoleInfoProvider.AddUserToRole(ValidationHelper.GetInteger(ddlAvailableUsers.SelectedValue, 0), RoleInfoProvider.GetRole("ContractorDownload").RoleID);
Make the drop down a list of (UserID, UserFullName) using the following dataset:
int[] UserIDsInContractorRole = UserRoleInfoProvider.GetUserRoles()
.WhereEquals("RoleID", RoleInfoProvider.GetRole("Contractor").RoleID)
.Select(x => x.UserID).ToArray();
int[] UserIDsAlreadyAssigned = UserRoleInfoProvider.GetUserRoles()
.WhereEquals("RoleID", RoleInfoProvider.GetRole("ContractorDownload").RoleID)
.Select(x => x.UserID).ToArray();
ddlAvailableUsers.DataSource = UserInfoProvider.GetUsers().WhereIn("UserID", UserIDsInContractorRole).WhereNotIn("UserID", UserIDsAlreadyAssigned).Columns("UserID, FullName").OrderBy("FullName").Result;
ddlAvailableUsers.DataValueField = "UserID";
ddlAvailableUsers.DataTextField = "FullName";
ddlAvailableUsers.DataBind();

Sitecore security - combining roles

Is there a way to combine access rights for a Sitecore item?
For example, I have a page that I would like to lock down to users who are a member of two different roles rather than just just one, and a user who has just one of the roles should be denied access.
I know you can have roles within roles but wondering if there was a simpler way to achieve this?
I'm using Sitecore 7.2.
If you are trying to check this in code, you can easily do so using
var user = AuthenticationManager.GetActiveUser();
return user.IsInRole("Role1") && user.IsInRole("Role2") ? "Granted":"Denied";
But if you are trying to achieve this in Sitecore Security on an item, then an AND of those 2 roles will be assigned. Ex: If I allow access to an item in Role1 but deny in Role2, the user with Roles 1 and 2 will have his/her access denied.
The simplest way to approach this is to define a new role with appropriate access rights and assign the relevant users to it, either manually or by script. That keeps your access rights transparent. You could code your way around the issue, but you could end up creating an admin nightmare, where it's near to impossible to see which roles and users have access to which items. E.g. what would you expect to see in the Access Viewer when looking at one of the roles, or at a user with one or both of the roles? There's a big difference between assigning access rights programmatically and evaluating them programmatically.
One way that you could achieve it via the Security Editor is by utilising Sitecore's Roles in Roles functionality.
Essentially you will want to create a New Role in the Role Manager that will contain the two roles, Role A and Role B. Select your New Role in the Role Manager and click Member Of button. In the modal click Add and select the two roles this New Role needs to contain.
In the Security Editor select the New Role and assign the read, write, create etc permissions to the required Items.
Now when users access those Items they must have Role A and Role B before given access - they will not need the New Role assigned to their account.
If you have a large number of roles to manage and combinations of those it will be very time consuming to manually create those combinations.

How to deactivate a liferay user for particular organization?

I have a requirement to deactivate a user for a particular organization.In liferay we deactivate the user directly by control panel under users tool.if i deactivate,The user will deactivate in portal level so it is applicable to all organizations not to particular organization.so can i do manual code for this or is there any alternative by default?
User Management in Liferay is global - to the whole portal. You authenticate to the portal, thus a deactivated user can't be authenticated to the portal.
You can make users members of Organizations or site - and this membership (or other organization- or site-level roles) can be used to provide them with permissions.
If you want them to be able to sign in, don't deactivate them. If you don't want them to access a certain organization, make the content of that organization available to members only - and exclude the user from the members of that organization.
OK you could do this in code level ,
User singleUser=UserLocalServiceUtil.getUser(userId)
singleUser.setStatus(WorkflowConstants.STATUS_DENIED);
UserLocalServiceUtil.updateUser(singleUser);
So basically setting User Status to either WorkflowConstants.STATUS_DENIED, WorkflowConstants.STATUS_EXPIRED or WorkflowConstants.STATUS_INACTIVE will do the work of deactivating particular User.
But you need to research on the aftermath effect of these status field.

How to implement Field Level Security in Microsoft Dynamics CRM 2011

I am getting a problem in implementing Field Level Security in CRM 2011. I am very new to this technology hence not able to resolve this problem.
This is the steps i have done -
1.Created an Entity names Inquiry.
2.On Form Under Entity created a field named 'Password' with EnableSecurity set to 'true'.
3.Then Moved to Administration -> Field Security Profiles -> Created a Profile named 'Inquiry'. Under Users Tab selected a User(Mike) and kept the Field Permissions as it is i.e 'No'.
4.Now on Login for User(Mike) the 'Password' should be seen encrypted. but it does not display as encrypted.
Steps used to Create User -
1.Under Users & groups created new user and assigned 'Service administrator'.
Please tell me if i missed out sum step or if i have done something wrong.
I think user Mike has System Administrator security role.
This security gives always full access to all secured fields, you can find more information here:
How Field Security Can Be Used to Control Access to Field Values in Microsoft Dynamics CRM
section Which Security Roles Allow You to See Secured Fields?
Hey i got the solution to my question.Posting it so that it may help the beginners like me.
All i did was -
Steps used to Create User -
1.Under Users & groups created new user and did not give the user administrator permissions.
2.Then Under Settings->Administration-> Users -> Selected the user and opened the Form.
3.Then choose Manage Roles from Ribbon menus and selected 'System Customizer' as the Security Role.
Rest process same for applying field security.
5.In the end logged in as a System Customizer and was able to see the changes.
Thank you #Guido Preito for the help.

Cognos Planning 10 -- Setting up user security

I am editing user security and am trying to give a user access to an e.List item. I select the user using the [...] button and successfully find that user by searching in our AD domain.
After I select the user and press OK, that user does not come into the CAC, just this error The filter will only accept groups and roles. Users will not be added to the filter. I don't see any filters here at all.
Have you seen this before and is it possible to set up security by users?
Thank you,
WE
Answer from ericlfg on http://www.cognoise.com/community/index.php/board,15.0.html:
Hi William,
The message you are receiving is by design. In order to add a specific user, rather than a group or role, that use needs to be a member of some kind of hierarchy in your security provider.
Ex: If you're using cognos groups and roles with a Role called "Test". You would populate this test role with members from your namespace. In the CAC, you would then select the Test group when you click on the elipsis and then that will allow you to select your individual user (or alternatively the Test role).
The same would be true if you're trying to add members directly from your 3rd party authentication provider. The individual users need to be part of a roll-up role or group in order to add that roll-up role or group to the filter. Once added to the filter you can select the individual users.
Hope this helps.

Resources