Bugzilla restrict bug status - linux

We need a solution for one of our deployments in Bugzilla.
An example of our scenario is below:
Groups: Staff, Students
Project/product bugs: projectA, projectB
We need to know whether there is any way to:
1) Restrict a group of users from accessing the project.
Example: Students cannot access or view bugs in projectA.
2) Restrict another group of users from confirming or changing the bug status.
Example: Students cannot change the bug status of projectB from NEW to RESOLVED.
3) A certain set of group members can only file a bug but not close it.
Example: StaffA can only file a bug in ProjectA but cannot close it, whereas StaffB can file the bug and can also close the bug.
From what I have searched/Googled, there is no documentation available which explains this function in Bugzilla. But maybe I have overlooked it somehow.
Our current Bugzilla is version 3.2rc1.
Thanks in advance.

You didn't really say which version of Bugzilla you are using, so the URLs are for the latest release, 4.2. However, the same concepts apply to most recent versions. For instance, we use 3.6 and control whether certain users can change certain things in the same ways that I describe below.
1) Restricting users who are not in a group from seeing bugs is what Bugzilla's group security does:
http://www.bugzilla.org/docs/4.2/en/html/groups.html
One wrinkle in your case is that group security controls positive access rather than negative access. That is, it allows specifying which groups can view bugs in a product rather than groups that cannot. To keep members of students from viewing bugs in projectA, you'll need to have a group that can access projectA and devise a way to keep users in students out of that group.
Alternatively, you could put some custom code into Bugzilla::User::can_see_bug, Bugzilla::User::visible_bugs, or Bugzilla::Bug::check_is_visible to exert firmer control so that users who are in group students can never see bugs in projectA.
2) You can exercise a lot of granularity in allowing changes:
http://www.bugzilla.org/docs/4.2/en/html/cust-change-permissions.html
We do something like this. We have a set of users to whom we want to grant read-only access unless we have explicitly allowed read-write access. To do this, we have a group called allspecialusers to which these users belong based on email address. We have another group called approved_specialusers to which some of those users are added manually.
So, in our Bugzilla::Bug::check_can_change_field, we have code like:
    if ($user->in_group('specialusers') &&
        !$user->in_group('approved_specialusers')) {
        # Deny the change; 3 means only an empowered user may make it.
        $$PrivilegesRequired = 3;
        return 0;
    }
You can do what you want by checking if the bug is in product projectB and the user trying to make the change is in group students.


Kentico Event Calendars in multiple locations

I've been asked if the internal sales site I built can support multiple event calendars. What they would like is a calendar for each group and a global one. So the global calendar will show global events and events from each group. The group calendars would only show their relevant events.
So I added folders to my Event node, and added some test pages. They show in the global event calendar since its path is ./%. Great.
For a group (Compliance), its path is /events/compliance/%. This works, and the Compliance calendar only shows events within the specified folder.
But.
Each event node's URL is based on the global path, so /event/compliance/event-1.aspx. This takes the user out of the group section and breaks the user flow. I'd like the group-specific events to still appear with their URL structure. So like this: /Our-Company/Compliance/Calendar-of-Events/event-1.aspx.
I could have the group-specific events with their node, but then I lose all the events on the global calendar. So is there a way for a single calendar to pull events from multiple locations within the tree?
You have a couple of options:
1. Use linked pages. This would allow you to have a global location and simply have a "copy" in a different location (for navigation purposes really). The nice part is that if you update one of those linked pages, it updates them all, so no worries about outdated content.
2. Categorize your events. A little more effort is involved with this one, but it will work the same.
3. Set the WHERE statement to filter on the NodeAliasPath. You'd do something like this:
    Path = /%
    Where = "NodeAliasPath LIKE '/GlobalEvents/%' OR NodeAliasPath LIKE '/Groups/Compliance/Events/%'"
3 is probably your best bet and if you want to make it more dynamic you can use macros in your where condition.
I agree with Brenden, especially #2. #2 is going to give you the most flexibility and control over querying global items into multiple areas, but also gives you a single management location. We use that method on almost all of our projects, and it is both easy to manage and easy to teach your content contributors how to use it best.
The only other recommendation I would give is to also include some kind of flag field where you can prioritize those items on a calendar list view. We often have a requirement that things do not only show up in date order, but also that certain calendar events take priority in sorting. While you might not use that up front, having that available down the road is some good forward thinking.

How can I provide role based security to notes in MS CRM 2011

I am working on Notes in MS CRM 2011.
I have many roles over many entities.
I want role based security for notes on any entity records.
Let me explain what I want:
Suppose I have an entity named E1.
Roles R1 and R2 have read and write access to E1.
But I want a user having role R2 to only be able to upload and view notes for any record of entity E1.
I hope my requirement is now clear to all of you.
Please suggest how I can achieve this using MS CRM 2011.
I can think of two ways to do this.
1. You can create a plugin on create/update of the annotation (note), check if the note is related to entity E1, check the roles of the user making the change, and see if they only have the R2 role. If that is the case you can throw an InvalidPluginExecutionException with a message like 'You do not have permissions to edit/create these records'.
2. You can try using role based forms or JS to hide the notes area for R1 users.
You probably want to use a combination of #1 & #2. The users can still access the notes via advanced find and thus will be able to edit those notes. The plugin will prevent that fringe case as well.
*Edit
There are a couple more things that you might be able to do to deal with the advanced find records. You can remove the annotation entity from advanced find via the unsupported method described here.
Otherwise there is one more thing you can do if you want to prevent those results showing up at all, and you want to stay supported. You can write a plugin on Post-RetrieveMultiple of the annotation entity to strip out the results directly from the return result. There are a couple of downsides to this though.
- You are executing your plug-in every time the retrieve multiple is called on the entity. So this code will need to be as efficient as possible since that delay will be noticeable by the end user whenever they retrieve these records.
- Things like advanced find will display odd results. For example if your paging is set to 50 records and you strip out 10, they will only see 40 records on their page and the total record count will include the records you are stripping out.
Through roles I don't know a way to do that, because you configure the access to notes generically, so it applies to all entities. You have to access it with JavaScript by navigating the DOM. Check an example:
    document.getElementById("notescontrol").contentWindow.document.getElementById("NotesTable")
You can check this with the help of a developer tool in your browser.

salesforce - report permission issue data missing

Depending on the user, report data is missing when viewed via the dashboard.
- In security settings I gave organization-wide read/write permission.
- The reports are based on two custom data objects with a master/child relationship (which is also set as read/write).
- The report folder is also set as "read/write" and all users have permission.
Anything else that I forgot to check?
Thanks!
What error do you experience? "Insufficient privileges"? Or maybe report loads fine but just shows 0 rows?
When drilling down to the detailed report you need to make sure that:
1. The viewing user has at least Read permission in his Profile on both the master and child object.
2. He must also have read permission to all fields used in the report (columns as well as filters; and if any of them is a formula, check their source fields too).
Does the report use "My Opportunities" in the filters? Or unrealistic date criteria? If the dashboard wasn't refreshed in a while even date filters can cause you grief.
In some cases the Roles hierarchy is saved with the report - if the user sits in a different branch of the role hierarchy than the dashboard's running user, you might have to flip it to your top level Role for example. Run the report, examine the top part for Role names, adapt if needed and save it.
Perhaps the best way to debug it is to log in as this user and try to recreate this report from scratch. If you can't even select the proper report type - this looks like scenario 1. If fields are missing - 2.

Best way to implement RBAC with Access

I'm programming a new application with many users, a few roles and specific permissions for those roles. For that I want to create the following tables:
Users (ID, Login, password, ..)
Roles (ID, Rolename)
User_Roles (User_ID, Role_ID)
Permissions (ID, PermissionName)
Permission_Roles (Permission_ID, Role_ID)
My idea was to build a function which allows checking whether a user has a specific permission to access a form. I would do that by creating Permissions/Rules like 'canReadFormX', 'canEditFormX', which would allow me to use one main function to check and perform those specific rules and a function per form to call it.
Is that a way to go (or rather, did I understand everything correctly regarding RBAC) or is that just far too complicated? Any advice is much appreciated!
It seems fair to me, and similar to what we have already set, for the first 3 tables.
You then have to solve the 'action' problem, i.e. to distribute permissions to use your application's actions. I am not sure that your 'Permissions' proposal will cover all the situations, as you have to deal with 2 major categories of actions:
The 'Open form' actions, that you already have identified: you effectively have to define 2 levels of authorisation for each form: the 'view' right, and the 'update' right.
All other actions, such as form specific buttons or menus, that will allow you to run a specific action other than just opening a form (execute a report, make a specific calculation, automatically import or update data, etc).
One solution/My advice is to maintain 2 tables for this:
A 'Forms' table
An 'Actions' table
And the corresponding link tables:
A 'Form_Role' table
An 'Action_Role' table
With such a configuration, you are fully covered. You can even decide which role has the right to see a specific report on a specific form, as long as the corresponding action is accessed through a specific control or menu on the form.
Both Forms and Actions tables are very interesting as they both participate in your application metamodel...
EDIT: By the way, if you are on a domain, you can use the user's domain credentials to control his/her access rights to your system. In this case you do not need to store a password in your RBAC system.

Override SPList.WriteSecurity behaviour?

As MSDN states, WriteSecurity has 1 of 3 possible states:
1 — All users can modify all items.
2 — Users can modify only items that they create.
4 — Users cannot modify any list item.
But what if I want behaviour no. 2 plus users being able to modify items that are assigned to them? Well, if I grant a user full permissions (put in the owners group) for the list, then those users can edit any item (not good). So why wouldn't it work by setting item level permission "full control" just for the AssignedTo user (good)? I did, but that didn't help - access denied.
I want exactly the functionality as stated in question "Automatically set list item permission, after new item is created", quoting:
Every users (Supervisor and team members) can see any tasks.
Supervisors can edit any tasks
Team members can only edit their own tasks (tasks that were assigned to them, or created by them)
But although the answer has been accepted, the solution does not provide a way for users to edit items assigned to them or items created by the user.
Help is appreciated, thank You!
Your only way to do this is using Item-Based Permissions. E.g. have a Workflow or Event Handler change the permission on each file/object based on your requirements.
The solution you quote from the other task is simply setting 2 for SPList.WriteSecurity which still doesn't give users the possibility to edit something they have not created, but were assigned to - in this case you will need to give these users permission, e.g. by listening on the "Assigned To" field with an Event Handler (OnItemUpdated) and give the respective person the needed permission.
Furthermore the solution talks about just setting higher permissions for the users who should always be able to edit items (managers), which is a solution, but you do not have the granularity you usually want in situations like these.
