The inherited roles are the roles which appear as shown in the image:
So my questions are:
What are inherited roles? Please explain.
What are the use-cases in which roles would appear in this section for a User?
Thanks in advance.
You can (for example) be member of a UserGroup which is assigned a role. This would not be editable on the user profile, but an effective role that is good to see if it's there. The other "independent" roles (e.g. through an organization) should also appear there.
Inherited roles can be configured in:
Control Panel > Roles > Select a particular role > Assign Members > Select the Sites tab
Inherited Roles
Inherited roles really not existed in the liferay but we can see these roles in the user my account page roles section .these roles specially appear when the user can be member of user group which is assigned a role.
We can say if any roles which associates with User Group and the user is member of respective user group then role can be visible as part of inherited roles section.
Simply we can say that user directly not associated with role instead of that User Group will be associated with role and the user will be member of User Group then the roles are become as inherited role to users who are belong to User Group.
Related
I am making an application where users can join multiple azure groups. This works fine. But a user should be able to have a role only within that specific group. So a user can have different roles in different groups.
Does anyone know how I can assign roles that only exist within a group?
and then get the role for a user within a specific group via the graph api?
To Assign the role to a user please "Add directory role member"to assign a particular role in a group.
For different types of roles that you can assign to a user please refer "Azure AD built-in roles"
Hope this helps.
I need to create multiple users in same AD and need to isolate the resources created by one user from other user.Is it really possible.since I am new to Azure I am not aware that this is really possible.It would be great if some one render their hands to advice on this.
There is no absolute isolation, there are only certain restrictions.
The users created in the AAD tenant are all the Members by default, they have the default permissions e.g. Read all properties of groups, Read properties of registered and enterprise applications. So if user A created some resources e.g. group, application, the user B will also be able to read the properties of them.
There are some restrictions, like Manage properties, ownership, and membership of groups the user owns, Manage application properties, assignments, and credentials for owned applications. This means some properties of the resources can just be managed by the Owner of them.
For more details about the default user permissions, you could refer to https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions
And if the user is assigned as the admin role in the tenant, he will have more permissions than the default users, see https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles
Is there a way to combine access rights for a Sitecore item?
For example, I have a page that I would like to lock down to users who are a member of two different roles rather than just just one, and a user who has just one of the roles should be denied access.
I know you can have roles within roles but wondering if there was a simpler way to achieve this?
I'm using Sitecore 7.2.
If you are trying to check this in code, you can easily do so using
var user = AuthenticationManager.GetActiveUser();
return user.IsInRole("Role1") && user.IsInRole("Role2") ? "Granted":"Denied";
But if you are trying to achieve this in Sitecore Security on an item, then an AND of those 2 roles will be assigned. Ex: If I allow access to an item in Role1 but deny in Role2, the user with Roles 1 and 2 will have his/her access denied.
The simplest way to approach this is to define a new role with appropriate access rights and assign the relevant users to it, either manually or by script. That keeps your access rights transparent. You could code your way around the issue, but you could end up creating an admin nightmare, where it's near to impossible to see which roles and users have access to which items. E.g. what would you expect to see in the Access Viewer when looking at one of the roles, or at a user with one or both of the roles? There's a big difference between assigning access rights programmatically and evaluating them programmatically.
One way that you could achieve it via the Security Editor is by utilising Sitecore's Roles in Roles functionality.
Essentially you will want to create a New Role in the Role Manager that will contain the two roles, Role A and Role B. Select your New Role in the Role Manager and click Member Of button. In the modal click Add and select the two roles this New Role needs to contain.
In the Security Editor select the New Role and assign the read, write, create etc permissions to the required Items.
Now when users access those Items they must have Role A and Role B before given access - they will not need the New Role assigned to their account.
If you have a large number of roles to manage and combinations of those it will be very time consuming to manually create those combinations.
I have created a 'Site User' role which is appropriate for users who will be Viewers on every available portlet. For example a user with this role should be only allowed to view documents in Documents and Media portlet but not allowed to add a new document or edit an existed.
I have defined the proper permissions in my Site role, however users with this Site role are still able to create events or add documents etc.
All these users are also assigned with the Social Office User role but as I'm seeing there is no such permission granted from this role.
I'm wondering if this is a normal behavior or the only solution is to modify portlets in a way that they won't allow users without the 'Site Admin' role to perform certain actions.
They're most likely still assigned to the "User" role (portal wide), or gets the permission from being a "Site Member". As you can't remove permissions, only add them through roles, check these roles for their bundled permissions.
They're assigned as default to Site Member role as Olaf stated. Look this file:
https://github.com/liferay/liferay-portal/blob/master/portal-impl/src/resource-actions/documentlibrary.xml
As Site Member you have :
<site-member-defaults>
<action-key>ADD_DOCUMENT</action-key>
<action-key>ADD_FOLDER</action-key>
<action-key>ADD_SHORTCUT</action-key>
<action-key>SUBSCRIBE</action-key>
<action-key>VIEW</action-key>
</site-member-defaults>
as default action permissions.
I'm using AzMan (1.0) for an ASP.Net web app, and I have a question about nested Roles.
Say I have the following roles:
MyApp
MyAppUser
MyAppAdmin
MyAppSupport
For the most part, all users (MyApp) can access the app, but some functions will be specific to the other roles.
I want to declaratively restrict access to the web pages to members of the MyApp role.
[PrincipalPermission(SecurityAction.Demand, Role = "MyApp")]
I will check User.IsInRole or use the AzMan API to check for operation permissions within my code.
The users are assigned to the lower level roles (user, admin, support) and those roles are added to the MyApp role.
The problem is that when I check if the user is a member of the MyApp role, they aren't, even though the role they are in belongs to the MyApp role. Is the only way to check this is to recursively go through all the roles? That'd mean I cant use the declarative security, or to do so I'd have to add all users to the top level group as well (not ideal).
It sounds like you're expecting composite Role Definition (where a Role Definition is defined to include other Role Definitions) to be supported in the call to IsInRole(). I think you'd get the results you want if you used Group inheritance and Role Assignment instead.
In other words, rather than depending on IsInRole to follow the Role Definition for "MyApp" to determine that the Role Definition "MyAppAdmin" is part of that definition, create the inheritance using Groups instead, and then assign one or more groups to your Role Definition using Role Assignment. You could create an "Administrators" group, which might be a member of the "Everyone" group.
I'm really thinking that your role names are really better group names. A role signifies certain capabilities, not a classification of users based on their rights. That's what a group is for.
For example, suppose that most users (not admins or support) have read-only access to your app. I tend to call that role "Viewer" and I assign it the tasks or operations that allows users in that role only the ability to view, not edit, any data. I would assign everyone to that role (whether I do that with just one group or several doesn't really matter). The "Support" role allows users assigned to it to perform certain operations (or tasks grouping operations). Only some people would be assigned to that role (again, maybe they are assigned individually, or I have a group named "Customer Support Reps" -- doesn't matter).
In my app, I could check IsInRole("Viewer") and everyone who is a user will be in that role. But if I check IsInRole("Support"), only the people in the "Customer Support Reps" group assigned to that role would return True.