Programmatically assign a role to a scope in Microsoft AzMan? - windows-server-2003

I'm using AzMan on Windows Server 2003, and I've written a management application that completely hides AzMan and the MMC from the security team.
However, I'm having a hard time implementing one of the features in the MMC.
I have a role called User, and a role called Branch User which contains nothing but the User role. I want to assign the User role at the all data (Role Assignments) level, and the Branch User role at the scope level.
However, I can't find a way to programmatically assign the Branch User role to a scope without it losing its definition. I can assign the role (by calling CreateRole on the scope) but it seems to just create a new blank role. When I right click it in the MMC, click on properties, and then Show Definition, it doesn't have anything.
Also, if I try to then call AddTask on that IAzRole object to add User to it, it doesn't quite work as expected. It will add all the tasks in the User role to my Branch User role, but not the role itself.
Is there a way to do this?

Yes, on WIN2k3 that is the correct way. Unfortunately in AzMan versions before Vista/Win2k8, a role definition is a Task with the task.IsRoleDefinition set to 1. It has its own well-named class in newer versions.
Basically CreateRole() is creating a Role Assignment, not a Role Definition (this doesn't necessarily need to have the name Branch User, it could be anything). A Role Assignment contains the links between definitions of roles/tasks/operations and members/users.
You are then adding the Role Branch User to the Role Assignment using app.AddTask().
To do this only for a particular Scope you need to call app.OpenScope (or app.CreateScope, if new) which returns an IAzScope object. You can then do all the above on scope.CreateTask or scope.CreateRole.
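The sequence the answer describes, written out against the Windows Server 2003 AzMan COM interop (AZROLESLib). This is an added example, not code from the question or answer; the store path, application and scope names, operation name, SIDs, and the integer value used for IsRoleDefinition are assumptions.

```csharp
using System;
using AZROLESLib; // COM interop for azroles.dll (AzMan 1.0 on Windows Server 2003)
// Added example, not code from the question or answer. Store path, names, operation
// and SIDs are placeholders; the IsRoleDefinition value follows the Win2k3 interop (assumed).
class BranchUserSetup
{
    static void Main()
    {
        var store = new AzAuthorizationStoreClass();
        store.Initialize(0, @"msxml://C:\AzStore\policy.xml", null); // 0 = open existing store
        IAzApplication app = store.OpenApplication("MyApp", null);

        IAzOperation read = app.CreateOperation("ReadData", null);
        read.OperationID = 1;
        read.Submit(0, null);

        // 1. Role definitions live at application level. On Win2k3 each one is a task
        //    with IsRoleDefinition set; "Branch User" contains "User" by task name.
        IAzTask user = app.CreateTask("User", null);
        user.IsRoleDefinition = 1;
        user.AddOperation("ReadData", null);
        user.Submit(0, null);
        IAzTask branchUser = app.CreateTask("Branch User", null);
        branchUser.IsRoleDefinition = 1;
        branchUser.AddTask("User", null);
        branchUser.Submit(0, null);

        // 2. Role assignment at the application ("all data") level for "User".
        IAzRole userAssignment = app.CreateRole("User", null);
        userAssignment.AddTask("User", null);                  // link the definition
        userAssignment.AddMember("S-1-5-21-0-0-0-1104", null); // placeholder SID
        userAssignment.Submit(0, null);

        // 3. Role assignment inside one scope for "Branch User". CreateRole alone yields
        //    the blank assignment seen in the question; AddTask is what attaches the
        //    definition so "Show Definition" in the MMC is no longer empty.
        IAzScope scope = app.OpenScope("Branch42", null); // CreateScope if it is new
        IAzRole branchAssignment = scope.CreateRole("Branch User", null);
        branchAssignment.AddTask("Branch User", null);
        branchAssignment.AddMember("S-1-5-21-0-0-0-1105", null); // placeholder SID
        branchAssignment.Submit(0, null);
        Console.WriteLine("Branch User assigned in scope Branch42.");
    }
}
```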

Related

Role Based Provisioning in OIM

I have a project in Identity management for which I am hoping someone can point me in the right direction. It's role-based provisioning, basically I need to know how to provision a specific application based on certain user attributes (e.g. job title, dept) and then to automatically raise a provisioning request for that application. The application is a disconnected application and will be provisioned manually.
What we are trying to achieve is that once a user has been created in OIM and if he or she meets those criteria, the OIM will generate the request for the application so they can be provisioned for them. Is there a way to implement this within OIM?
You can just use the scheme where a role in OIM has a membership rule to automatically grant a user the role if some of the user's attributes match a specific condition.
Then you can create an Access Policy to provision a disconnected resource and attach it to this created role. Usually disconnected resource provisioning will create a SOA workflow where there is a human task to complete the provisioning operation.
All you need is a Role with the desired membership rule and an Access Policy attached to it. The role and membership rule can be created with the OIM Role creation wizard. You can create a policy from the admin console and associate your role and resource with it. Do provide default required parent form fields (at least IT Resource).
In case you want to add default entitlements edit the child form and add those.

Sitecore security - combining roles

Is there a way to combine access rights for a Sitecore item?
For example, I have a page that I would like to lock down to users who are a member of two different roles rather than just one, and a user who has just one of the roles should be denied access.
I know you can have roles within roles but wondering if there was a simpler way to achieve this?
I'm using Sitecore 7.2.
If you are trying to check this in code, you can easily do so using
var user = AuthenticationManager.GetActiveUser();
return user.IsInRole("Role1") && user.IsInRole("Role2") ? "Granted":"Denied";
But if you are trying to achieve this in Sitecore Security on an item, then an AND of those 2 roles will be assigned. Ex: If I allow access to an item in Role1 but deny in Role2, the user with Roles 1 and 2 will have his/her access denied.
The simplest way to approach this is to define a new role with appropriate access rights and assign the relevant users to it, either manually or by script. That keeps your access rights transparent. You could code your way around the issue, but you could end up creating an admin nightmare, where it's near to impossible to see which roles and users have access to which items. E.g. what would you expect to see in the Access Viewer when looking at one of the roles, or at a user with one or both of the roles? There's a big difference between assigning access rights programmatically and evaluating them programmatically.
One way that you could achieve it via the Security Editor is by utilising Sitecore's Roles in Roles functionality.
Essentially you will want to create a New Role in the Role Manager that will contain the two roles, Role A and Role B. Select your New Role in the Role Manager and click Member Of button. In the modal click Add and select the two roles this New Role needs to contain.
In the Security Editor select the New Role and assign the read, write, create etc permissions to the required Items.
Now when users access those Items they must have Role A and Role B before being given access - they will not need the New Role assigned to their account.
If you have a large number of roles to manage and combinations of those it will be very time consuming to manually create those combinations.

Error: user does not have sufficient privileges to be assigned

I have three custom entities: Project, ProjectStageExternal and ProjectStageInternal. I have added a workflow which will create ProjectStageInternal and ProjectStageExternal records when an admin creates a Project record.
Now I have a security role named customer. Users having this role can only read the Project and ProjectStageExternal records.
The problem is that the workflow is not working when ownership is changed to users having the customer security role. It's showing the following error: The selected user does not have sufficient privileges to be assigned records of this type.
What am I missing here?
Thanks.
That security role has basically no permissions on those entities, so the users won't be able to do anything with them.
If you want someone to be able to assign (or have a workflow assign on their behalf) you need to grant the assign permission and probably write as well.
If you don't want to grant them those permissions, change the workflow's Scope to organisation and assign it to an admin user. That means the workflow will run with the admin's permissions and security roles.
Only providing Read Privileges to the user/team whom the record is to be assigned will work perfectly fine!!

AzMan Nested Roles not finding user in role

I'm using AzMan (1.0) for an ASP.Net web app, and I have a question about nested Roles.
Say I have the following roles:
MyApp
MyAppUser
MyAppAdmin
MyAppSupport
For the most part, all users (MyApp) can access the app, but some functions will be specific to the other roles.
I want to declaratively restrict access to the web pages to members of the MyApp role.
[PrincipalPermission(SecurityAction.Demand, Role = "MyApp")]
I will check User.IsInRole or use the AzMan API to check for operation permissions within my code.
The users are assigned to the lower level roles (user, admin, support) and those roles are added to the MyApp role.
The problem is that when I check if the user is a member of the MyApp role, they aren't, even though the role they are in belongs to the MyApp role. Is the only way to check this to recursively go through all the roles? That'd mean I can't use the declarative security, or to do so I'd have to add all users to the top level group as well (not ideal).
It sounds like you're expecting composite Role Definition (where a Role Definition is defined to include other Role Definitions) to be supported in the call to IsInRole(). I think you'd get the results you want if you used Group inheritance and Role Assignment instead.
In other words, rather than depending on IsInRole to follow the Role Definition for "MyApp" to determine that the Role Definition "MyAppAdmin" is part of that definition, create the inheritance using Groups instead, and then assign one or more groups to your Role Definition using Role Assignment. You could create an "Administrators" group, which might be a member of the "Everyone" group.
I'm really thinking that your role names are really better group names. A role signifies certain capabilities, not a classification of users based on their rights. That's what a group is for.
For example, suppose that most users (not admins or support) have read-only access to your app. I tend to call that role "Viewer" and I assign it the tasks or operations that allows users in that role only the ability to view, not edit, any data. I would assign everyone to that role (whether I do that with just one group or several doesn't really matter). The "Support" role allows users assigned to it to perform certain operations (or tasks grouping operations). Only some people would be assigned to that role (again, maybe they are assigned individually, or I have a group named "Customer Support Reps" -- doesn't matter).
In my app, I could check IsInRole("Viewer") and everyone who is a user will be in that role. But if I check IsInRole("Support"), only the people in the "Customer Support Reps" group assigned to that role would return True.
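The group-inheritance layout the answer recommends, built through the AzMan 1.0 COM interop and then queried through a client context so the nesting is resolved by AzMan rather than by walking role definitions yourself. This is an added example, not code from the question or answers; the store path, application name, group and role names, SID, user name and domain, and the integer constants for IsRoleDefinition and group Type are assumptions.

```csharp
using System;
using AZROLESLib; // COM interop for azroles.dll (AzMan 1.0 on Windows Server 2003)
// Added example, not code from the question or answers. Store path, names and SIDs
// are placeholders; IsRoleDefinition/Type values follow the Win2k3 interop (assumed).
class GroupBasedRoles
{
    static IAzTask DefineRole(IAzApplication app, string name)
    {
        IAzTask def = app.CreateTask(name, null);
        def.IsRoleDefinition = 1;   // a role definition is a task flagged this way on Win2k3
        def.Submit(0, null);
        return def;
    }

    static void Main()
    {
        var store = new AzAuthorizationStoreClass();
        store.Initialize(0, @"msxml://C:\AzStore\policy.xml", null); // 0 = open existing store
        IAzApplication app = store.OpenApplication("MyApp", null);
        // Groups classify people. Nesting Administrators inside Everyone is the
        // inheritance the answer recommends; AzMan resolves it transitively.
        IAzApplicationGroup everyone = app.CreateApplicationGroup("Everyone", null);
        everyone.Type = 1;           // AZ_GROUPTYPE_BASIC (assumed constant value)
        IAzApplicationGroup admins = app.CreateApplicationGroup("Administrators", null);
        admins.Type = 1;
        admins.AddMember("S-1-5-21-0-0-0-1105", null); // placeholder SID of one admin
        admins.Submit(0, null);
        everyone.AddAppMember("Administrators", null);
        everyone.Submit(0, null);

        // Roles describe capabilities; role assignments bind groups to definitions.
        DefineRole(app, "Viewer");
        DefineRole(app, "Support");
        IAzRole viewer = app.CreateRole("Viewer", null);
        viewer.AddTask("Viewer", null);
        viewer.AddAppMember("Everyone", null);
        viewer.Submit(0, null);
        IAzRole support = app.CreateRole("Support", null);
        support.AddTask("Support", null);
        support.AddAppMember("Administrators", null);
        support.Submit(0, null);

        // Runtime: the client context walks the group nesting, so the admin above
        // comes back in both Viewer and Support without being added to Viewer directly.
        IAzClientContext ctx = app.InitializeClientContextFromName("jdoe", "CONTOSO", null);
        foreach (object role in (Array)ctx.GetRoles(""))   // "" = application scope (assumed)
            Console.WriteLine("member of role: " + role);
    }
}
```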

How do you rename a Role using Membership in .NET?

I'm using ASP.NET Membership and noticed there isn't a method in the Roles class to modify a role (its name for instance), only to create and delete them.
Is it possible or it's not supported?
EDIT: #CheGueVerra: Yes, nice workaround.
Do you know (for extra credit :) ) why it's not possible?
There is no direct way to change a role name in the Membership provider.
I would get the list of users that are in the role you want to rename, then remove them from the list, delete the role, create the role with the new name and then Add the users found earlier to the role with the new name.
// Requires System.Web.Security (the ASP.NET Roles API).
public void RenameRoleAndUsers(string OldRoleName, string NewRoleName)
{
    // Membership has no rename, so copy the membership across and drop the old role.
    string[] users = Roles.GetUsersInRole(OldRoleName);
    Roles.CreateRole(NewRoleName);
    // Add to the new role before removing from the old one so nobody is left without either.
    Roles.AddUsersToRole(users, NewRoleName);
    Roles.RemoveUsersFromRole(users, OldRoleName);
    Roles.DeleteRole(OldRoleName);
}
That will change the name of the role for all users in the role.
Follow-up: Roles are used to ensure a user plays only his part in the system, thus User.IsInRole(ROLE_NAME) will help you enforce the BR securities that apply, for a user and the roles he is in. If you can change the role names on the fly, how are you going to validate that the user is really in that role? Well, that's what I understood, when I asked about it.
rtpHarry edit: Converted pseudocode sample to compilable c# method
Renaming a Role in the ASP.NET Membership model programmatically would be a Bad Thing™, because the Role names are used in the configuration file to define permissions. If there were a programmatic way to change the Role name (which persisted the change to the database), you would immediately break any Role-based security configurations in web.config for any web apps using the database, and there'd be no way to guarantee that a single web app could alter the configuration of every web app using that Membership DB.
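The same rename-by-copy workaround with the edge cases a practitioner hits in practice: a new name that already exists, a role with no members (the Roles API rejects an empty username array), and a delete that refuses to run if the move did not complete. This is an added example, not the answer's code; the class and method names are my own, and it does not touch any web.config authorization rules that still name the old role.

```csharp
using System;
using System.Web.Security;

// Added example, not the answer's code. Same copy-then-delete approach, with guards
// for an existing target name, an empty role, and a partially completed move.
// web.config <authorization> rules that reference the old role name are NOT updated.
public static class RoleRenamer
{
    // Returns the users that were moved so the caller can log or verify them.
    public static string[] RenameRole(string oldRoleName, string newRoleName)
    {
        if (string.IsNullOrEmpty(oldRoleName) || string.IsNullOrEmpty(newRoleName))
            throw new ArgumentException("Role names must be non-empty.");
        if (!Roles.RoleExists(oldRoleName))
            throw new InvalidOperationException("Role does not exist: " + oldRoleName);
        if (Roles.RoleExists(newRoleName))
            throw new InvalidOperationException("Role already exists: " + newRoleName);

        string[] users = Roles.GetUsersInRole(oldRoleName);

        // Create and populate the new role first so nobody loses membership mid-way.
        Roles.CreateRole(newRoleName);
        if (users.Length > 0) // AddUsersToRole/RemoveUsersFromRole throw on an empty array
        {
            Roles.AddUsersToRole(users, newRoleName);
            Roles.RemoveUsersFromRole(users, oldRoleName);
        }

        // throwOnPopulatedRole = true: refuse to delete if anyone is still in the old role,
        // which catches a move that did not finish.
        Roles.DeleteRole(oldRoleName, true);
        return users;
    }
}
```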
