I am working on a new Liferay implementation. I have all of my users in an external system, and have used the external environment to authenticate through my own authentication system. I also store roles in this same system. I have been able to successfully pass these to Liferay so that all of my users' roles are available in Liferay.
I would like to create an organization or community that is associated with a role. For example, if I have a role called 'myusers' in my external system, I would like to tie that role to an organization or community in Liferay. Then, when a user logs in to Liferay with that role, they would be able to be part of that organization or community. Is this possible in Liferay? I know it's kind of backwards to the normal flow in Liferay of adding roles to users and then adding users to a community or organization.
You can modify the below code to check if the user belongs to a role and then add him to the appropriate organization.
To add a user to all Organizations:
import java.util.List;
import com.liferay.portal.kernel.dao.orm.QueryUtil;
import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.exception.SystemException;
import com.liferay.portal.model.Organization;
import com.liferay.portal.service.OrganizationLocalServiceUtil;
import com.liferay.portal.service.UserLocalServiceUtil;

public static final void addAllOrganizationsToUser(long userId) throws SystemException, PortalException {
    // gets all organizations (QueryUtil.ALL_POS means no start/end bound on the result list)
    List<Organization> organizations = OrganizationLocalServiceUtil.getOrganizations(QueryUtil.ALL_POS, QueryUtil.ALL_POS);
    long[] users = new long[] {userId};
    // register the user with every organization
    for (Organization organization : organizations) {
        UserLocalServiceUtil.addOrganizationUsers(organization.getOrganizationId(), users);
    }
}
What I ended up doing was using the expando functionality built into Liferay. Doing this I allow for entering a list of roles that should map to that organization. This allows me to look at the roles of my users when they log in and determine what organizations they should be a member of. I then programmatically add/remove the users from the organizations based upon the roles defined in the expando attribute and the roles assigned to the user.
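The two approaches above (check the user's roles before adding them to an organization, and drive the mapping from an expando attribute on the organization) combined into one reconciliation routine, as an added example that is not code from the original answers or from Liferay itself. It assumes a Liferay 6.1/6.2 API, a custom field (expando attribute) on Organization named mappedRoles holding a comma-separated list of role names, and that the externally managed roles already exist in Liferay under those names; the class and attribute names are this example's own. The security-relevant detail is the else branch: a user whose role was revoked in the external system is removed from the mapped organization at the next login rather than keeping the membership indefinitely.

```java
import java.io.Serializable;
import java.util.List;

import com.liferay.portal.kernel.dao.orm.QueryUtil;
import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.exception.SystemException;
import com.liferay.portal.kernel.util.StringUtil;
import com.liferay.portal.model.Organization;
import com.liferay.portal.model.Role;
import com.liferay.portal.model.User;
import com.liferay.portal.service.OrganizationLocalServiceUtil;
import com.liferay.portal.service.RoleLocalServiceUtil;
import com.liferay.portal.service.UserLocalServiceUtil;

/**
 * Reconciles a user's organization memberships with the roles the user holds.
 * Each Organization may carry a custom field listing the role names that
 * entitle a user to membership; organizations without that value are left
 * untouched, so manually managed organizations are not affected.
 */
public final class RoleOrganizationSync {

    // Assumption of this example: a text custom field named "mappedRoles"
    // exists on Organization and holds e.g. "myusers,finance".
    public static final String MAPPED_ROLES_ATTRIBUTE = "mappedRoles";

    private RoleOrganizationSync() {
    }

    /** Returns true if the user currently holds at least one of the named roles. */
    static boolean holdsAnyRole(long userId, long companyId, String[] roleNames)
        throws PortalException, SystemException {

        for (String roleName : roleNames) {
            String name = roleName.trim();
            if (name.isEmpty()) {
                continue;
            }
            // fetchRole returns null instead of throwing when the role was never
            // created in Liferay (e.g. a typo in the custom field), so a bad
            // mapping simply grants nothing.
            Role role = RoleLocalServiceUtil.fetchRole(companyId, name);
            if (role != null && RoleLocalServiceUtil.hasUserRole(userId, role.getRoleId())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Adds the user to every mapped organization whose roles they hold and
     * removes them from mapped organizations whose roles they no longer hold.
     */
    public static void syncOrganizationsForUser(long userId)
        throws PortalException, SystemException {

        User user = UserLocalServiceUtil.getUser(userId);
        long companyId = user.getCompanyId();
        long[] userIds = new long[] {userId};

        List<Organization> organizations = OrganizationLocalServiceUtil.getOrganizations(
            QueryUtil.ALL_POS, QueryUtil.ALL_POS);

        for (Organization organization : organizations) {
            Serializable raw = organization.getExpandoBridge().getAttribute(MAPPED_ROLES_ATTRIBUTE);
            if (raw == null || raw.toString().trim().isEmpty()) {
                continue; // not a role-mapped organization
            }

            long organizationId = organization.getOrganizationId();
            boolean entitled = holdsAnyRole(userId, companyId, StringUtil.split(raw.toString()));
            boolean member = OrganizationLocalServiceUtil.hasUserOrganization(userId, organizationId);

            if (entitled && !member) {
                UserLocalServiceUtil.addOrganizationUsers(organizationId, userIds);
            }
            else if (!entitled && member) {
                // role revoked upstream: drop the membership instead of letting it linger
                UserLocalServiceUtil.unsetOrganizationUsers(organizationId, userIds);
            }
        }
    }
}
```

To run this at login, call syncOrganizationsForUser(PortalUtil.getUserId(request)) from a com.liferay.portal.kernel.events.Action registered under login.events.post in a hook's portal.properties, after your external authentication has already pushed the user's roles into Liferay.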
I need to create multiple users in the same AD and need to isolate the resources created by one user from other users. Is it really possible? Since I am new to Azure, I am not aware whether this is really possible. It would be great if someone could advise on this.
There is no absolute isolation, there are only certain restrictions.
The users created in the AAD tenant are all the Members by default, they have the default permissions e.g. Read all properties of groups, Read properties of registered and enterprise applications. So if user A created some resources e.g. group, application, the user B will also be able to read the properties of them.
There are some restrictions, like Manage properties, ownership, and membership of groups the user owns, Manage application properties, assignments, and credentials for owned applications. This means some properties of the resources can just be managed by the Owner of them.
For more details about the default user permissions, you could refer to https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions
And if the user is assigned as the admin role in the tenant, he will have more permissions than the default users, see https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles
I'm developing an application, where users are able to store their notes.
The roles hierarchy is the following:
user role: can create, read, update and delete their own notes.
admin role: inherits the user role and has access to all users' notes.
The issue is that most ACL tutorials describe generic cases of how to declare permissions for roles like user, admin, manager etc.
There is a lack of information about cases where we need to protect a specific user's notes from being changed by other users. How should this be handled in the scope of ACL?
I have a requirement to deactivate a user for a particular organization. In Liferay we deactivate the user directly in the Control Panel under the Users tool. If I deactivate there, the user is deactivated at portal level, so it applies to all organizations, not to a particular organization. So can I write custom code for this, or is there an alternative by default?
User Management in Liferay is global - to the whole portal. You authenticate to the portal, thus a deactivated user can't be authenticated to the portal.
You can make users members of organizations or sites, and this membership (or other organization- or site-level roles) can be used to provide them with permissions.
If you want them to be able to sign in, don't deactivate them. If you don't want them to access a certain organization, make the content of that organization available to members only - and exclude the user from the members of that organization.
OK, you could do this at code level:
import com.liferay.portal.kernel.workflow.WorkflowConstants;
import com.liferay.portal.model.User;
import com.liferay.portal.service.UserLocalServiceUtil;

User singleUser = UserLocalServiceUtil.getUser(userId);
singleUser.setStatus(WorkflowConstants.STATUS_DENIED); // any non-approved status blocks login
UserLocalServiceUtil.updateUser(singleUser);
So basically setting the user's status to either WorkflowConstants.STATUS_DENIED, WorkflowConstants.STATUS_EXPIRED or WorkflowConstants.STATUS_INACTIVE will do the work of deactivating a particular user.
But you need to research the side effects of these status values.
How do I auto-assign a user to an organization when they register to a liferay portal?
You can automatically assign new users to sites, roles and user groups, but not organizations.
Anyway, there are surely many ways to achieve what you want with just a few lines of code.
For example, you can develop a hook plugin which overrides the addUserWithWorkflow method of the UserLocalService service, so you can add a new organization ID to the organizationIds parameter before calling super.addUserWithWorkflow(...).
Hope it helps!
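The hook plugin approach from the answer above, worked out as an added example that is not code from the original answer or from Liferay: a UserLocalServiceWrapper that appends one organization to the organizationIds passed to addUserWithWorkflow. It assumes the Liferay 6.1/6.2 signature of addUserWithWorkflow and reads the target organization id from a hypothetical portal-ext.properties key; the class name and property key are this example's own. The helper refuses to act on an unset or zero id and never adds a duplicate, so a missing configuration cannot silently enrol every new account somewhere unintended.

```java
import java.util.Locale;

import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.exception.SystemException;
import com.liferay.portal.kernel.util.ArrayUtil;
import com.liferay.portal.kernel.util.GetterUtil;
import com.liferay.portal.kernel.util.PropsUtil;
import com.liferay.portal.model.User;
import com.liferay.portal.service.ServiceContext;
import com.liferay.portal.service.UserLocalService;
import com.liferay.portal.service.UserLocalServiceWrapper;

/**
 * Service wrapper registered from a hook's liferay-hook.xml:
 *   <service>
 *     <service-type>com.liferay.portal.service.UserLocalService</service-type>
 *     <service-impl>com.example.hook.AutoOrganizationUserLocalService</service-impl>
 *   </service>
 * Every user created through addUserWithWorkflow (the self-registration path)
 * is also made a member of one configured organization.
 */
public class AutoOrganizationUserLocalService extends UserLocalServiceWrapper {

    // Assumption of this example: the organization id comes from a
    // portal-ext.properties entry such as "example.auto.organization.id=10425".
    // An unset key yields 0, which disables the behaviour (0 is never a valid id).
    private static final long AUTO_ORGANIZATION_ID =
        GetterUtil.getLong(PropsUtil.get("example.auto.organization.id"));

    public AutoOrganizationUserLocalService(UserLocalService userLocalService) {
        super(userLocalService);
    }

    /** Returns organizationIds with autoOrganizationId present exactly once. */
    static long[] withAutoOrganization(long[] organizationIds, long autoOrganizationId) {
        if (autoOrganizationId <= 0) {
            return organizationIds; // feature disabled or misconfigured: change nothing
        }
        if (organizationIds == null) {
            return new long[] {autoOrganizationId};
        }
        if (ArrayUtil.contains(organizationIds, autoOrganizationId)) {
            return organizationIds;
        }
        return ArrayUtil.append(organizationIds, autoOrganizationId);
    }

    @Override
    public User addUserWithWorkflow(
            long creatorUserId, long companyId, boolean autoPassword,
            String password1, String password2, boolean autoScreenName,
            String screenName, String emailAddress, long facebookId,
            String openId, Locale locale, String firstName, String middleName,
            String lastName, int prefixId, int suffixId, boolean male,
            int birthdayMonth, int birthdayDay, int birthdayYear,
            String jobTitle, long[] groupIds, long[] organizationIds,
            long[] roleIds, long[] userGroupIds, boolean sendEmail,
            ServiceContext serviceContext)
        throws PortalException, SystemException {

        // Only the organizationIds argument is altered; everything else passes through.
        return super.addUserWithWorkflow(
            creatorUserId, companyId, autoPassword, password1, password2,
            autoScreenName, screenName, emailAddress, facebookId, openId,
            locale, firstName, middleName, lastName, prefixId, suffixId, male,
            birthdayMonth, birthdayDay, birthdayYear, jobTitle, groupIds,
            withAutoOrganization(organizationIds, AUTO_ORGANIZATION_ID),
            roleIds, userGroupIds, sendEmail, serviceContext);
    }
}
```

Note that the wrapper affects every caller of addUserWithWorkflow, including administrators creating users from the Control Panel, not only self-registration; if that matters, inspect creatorUserId or the ServiceContext before deciding to append the organization.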
I learned that the Silverlight Business Application template allows you to create users.
But you can also create users with the Web Site Administration Tool.
What I see is that the Administration Tool allows you to create roles and assign users to those roles, whereas the pre-built interface that the template offers only allows you to create users, which assigns them to the "Registered Users" role automatically.
I guess that if I want to offer the ability of creating roles and managing the relationship "roles-users" from the application, I should program the interface in the application. is that so?
I see that the pre-built interface the business template offers is very limited.
The built-in interface of the SL business application aims to allow a new user to create an account and log on/off. It doesn't concern itself with actual user rights. You have to implement this separately.
I usually implement this by adding a "Settings" view in the SL app where I put a datagrid and populate (from the aspnetdb.mdf) the registered users as rows and the role names as columns.
Then for each row I put a checkbox to allow a "PowerUser" to assign each new user to roles.
To do this you have to first create (through SL or Web Site Administration Tool) at least one user ("PowerUser") and 2 roles: "NormalUserRole", "PowerUserRole".
Then you assign PowerUser to the PowerUserRole and grant him access to the Settings Page.
So:
Anyone (no assigned role) -> can create a new user account and log on/off. No other rights
UserRole -> can work on site
PowerUserRole -> can assign roles to users