I have three custom entities; Project, ProjectStageExternal and ProjectStageInternal,I have added a workflow which will create ProjectStageInternal and ProjectStageExternal records when admin creates a Project record.
Now I have a security roll named customer. Users having this roll only read the Project and ProjectStageExternal records.
The problem is workflow is not working when ownership is changed to users having customer security roll. Its showing this following error: The selected user does not have sufficient privileges to be assigned records of this type.
what am I missing here?
Thanks.
That security role has basically no permissions on those entities, so the users wont be able to do anything with them.
If you want someone to be able to assign (or have a workflow assign on their behalf) you need to grant the assign permission and probably write as well.
If you dont want to grant them those permissions, change the workflow's Scope to organisation and assign it to an admin user. That means the workflow will run with the admins permissions and security roles.
Only providing Read Privileges to the user/team whom the record is to be assigned will work perfectly fine !!
Related
I have a SPFx webpart which is a form for users to submit requests which will run the group and teams provisioning code.
The code works fine when the user is logged in as a 'Global Admin', but when a normal user with minimum permission levels uses the form, the provisioning is not allowed and is faced with these errors:
Creating group is not allowed:
Tenant admin has not enabled Unified group creation error
Creating teams is not allowed:
Teams disabled in user license admin error
Is there a way to run the code regardless of the user context? or any ways to elevate the privilege of the webpart or block of code with admin permissions?
https://learn.microsoft.com/en-us/sharepoint/dev/spfx/use-aad-tutorial
You will need to specify that specific api permissions your application needs.
basically starting from here: https://learn.microsoft.com/en-us/sharepoint/dev/spfx/use-aad-tutorial
specifically, the graph api permissions that you will need is at least Group.ReadWrite.All, Directory.ReadWrite.All in order to create a team.
Hopefully this helps a bit.
Is there a way to run the code regardless of the user context?
Yes. You could implement Get access without a user to use Application permission to create the resources. It will allow you to create a group without a user.
You can also check with your admin if the ability of creation Groups for users has been disabled. See Manage who can create Groups.
And it's strongly recommended to check if the Teams license is assigned to the user.
I need to give permissions to edit/create/destroy pages in a node to a group of users.
I've created a group and added a test user to that group.
I can't seem to give permission to the Pages application so see if i can see the node.
I also added game this role permissions at the node level too.
Ideally this editor role would be able to create new sub pages, which also means being able to upload media.
Your new user must have editor privilege level (you can edit user in Users application). If you want to provide ability to see content in Pages app you have to grant the user with Browse tree and Read permission (content module). To satisfy your scenario you need to grand user with Modify and Create permissions, too (maybe Design?).
Just FYI: The approach provided by Brenden (cloning the role) is very handy but there a is chance you grant the user with permission you don`t want to provide (inappropriate permissions for original role).
I've found the most efficient method is review the out of the box roles provided by Kentico and clone the one which fits closest to your needs. Then modify your cloned role to add/remove abilities and permissions.
If you're unsure of what each role can and cannot do, create a new test user with one of the roles assigned to them and log in as them. Do the same for all the roles you want to test until you find the one closest to what you're looking for.
So I am very interested in using Cloudkit but the documentation on anything over the basic features is horrible. I am looking to establish two basic user types: standard user (someone that can read records only) and an Admin user (can create and modify records). I setup security roles to reflect this and changed the access modifiers on each of the record types to include these roles. However, I cannot find anywhere how to change a user from one role to the other. I have implemented an Admin login of sorts in the app. Once they enter in the appropriate credentials, I want to allow that user to start editing records.
Does anyone know how to do this?
Thanks
I think it's still not possible to assign a security role to a user using code. Then this answer is still valid: How do I access security role in cloudkit
Is there a way to combine access rights for a Sitecore item?
For example, I have a page that I would like to lock down to users who are a member of two different roles rather than just just one, and a user who has just one of the roles should be denied access.
I know you can have roles within roles but wondering if there was a simpler way to achieve this?
I'm using Sitecore 7.2.
If you are trying to check this in code, you can easily do so using
var user = AuthenticationManager.GetActiveUser();
return user.IsInRole("Role1") && user.IsInRole("Role2") ? "Granted":"Denied";
But if you are trying to achieve this in Sitecore Security on an item, then an AND of those 2 roles will be assigned. Ex: If I allow access to an item in Role1 but deny in Role2, the user with Roles 1 and 2 will have his/her access denied.
The simplest way to approach this is to define a new role with appropriate access rights and assign the relevant users to it, either manually or by script. That keeps your access rights transparent. You could code your way around the issue, but you could end up creating an admin nightmare, where it's near to impossible to see which roles and users have access to which items. E.g. what would you expect to see in the Access Viewer when looking at one of the roles, or at a user with one or both of the roles? There's a big difference between assigning access rights programmatically and evaluating them programmatically.
One way that you could achieve it via the Security Editor is by utilising Sitecore's Roles in Roles functionality.
Essentially you will want to create a New Role in the Role Manager that will contain the two roles, Role A and Role B. Select your New Role in the Role Manager and click Member Of button. In the modal click Add and select the two roles this New Role needs to contain.
In the Security Editor select the New Role and assign the read, write, create etc permissions to the required Items.
Now when users access those Items they must have Role A and Role B before given access - they will not need the New Role assigned to their account.
If you have a large number of roles to manage and combinations of those it will be very time consuming to manually create those combinations.
I want to have user rights split into two. Some of the policies at the client's side mention that we should have a seperate user who has only the rights to add users and nothing else, and the Site Administrator should not be able to add users.
As of now, the Site Admin is used to Add users and to manage other configuration. Can we remove the User Addition role from Site Admin?
Is there a way to create a new User Role by writing some code?
I don't think it is possible to remove any permissions from the site administrator. You could do something wild like add security code to your master page, however. That could detect the current user and the current page, and throw an error if the site administrator were in the wrong place.
You can create a custom permission level, provided your permission sets summarise to one of the options offered by the SPBasePermissions enumeration. Unfortunately there is no specific 'add user' permission, only ManagePermissions. For reference anyway, here's a basic code sample.
I think the best approach is that given by strongopinions where a piece of code runs to check who the user is if they visit the Add User page.