Is it possible in Microsoft Intune to set up this policy that every time a user wants to download, copy, or delete something, the admin has to get the notification?
Is it possible to prevent the user from installing any app or software unless the admin grants permission? If the user wants to install something, the admin must grant permission.
If anyone has knowledge on these two types of policies, please send the required settings. It will be so helpful for me.
I tried using the AppLocker but it is blocking ever app installation so I need customized restriction
Is it possible in Microsoft Intune to set up this policy that every time a user wants to download, copy, or delete something, the admin has to get the notification?
On mobile devices, you can block downloads or copies by application protection policy (same for W10). Or if you have a license for DLP, you can use the technology to audit events. Don't forget the cloud apps.
Is it possible to prevent the user from installing any app or software unless the admin grants permission? If the user wants to install something, the admin must grant permission.
We don't use this option but in device configuration, there is some restriction option that can block these features
Related
Is anyone aware of any Google API with the user scope (NOT the Admin API in the Directory SDK) that allows you to retrieve the custom employee attributes?
The G+ API seems to skip these
https://developers.google.com/+/web/api/rest/latest/people#resource
Our issue is that we don't want to grant access to the developer console, but rather do this PER-USER. I.E. a user logs into our app and we display to her the custom attributes for her G Suite account, but we do this as her (not as an approved API scope via the dev console).
Leaving this answer for anyone like me who finds this question.
The Directory API allows a user to query the custom attributes for their account even without any admin permissions at all.
https://developers.google.com/admin-sdk/directory/v1/reference/users/get
You need to ensure that projection is set to full and viewType is set to domain_public.
You may need to check the permissions for reading the custom attributes to ensure that a user is allowed to see theirs. We do this in the Google Cloud Directory Sync.
I have to sync account information across 3 different platforms. I wrote a password script that will update a users account information in LDAP, our Student Information System, and in gmail (for edu). I had no issues with older migration api, but that is going away in the coming months.
I wrote a new library to use oauth2 and the adminSDK to manage my user accounts. Im using a service account and specifying a superadmin account to preform account creations and password updates. This works perfectly fine with normal accounts. However, it seems that I cannot reset my own password (Im an admin).
So far the things that my library can do are: search, create, update, and delete NON-ADMIN accounts. Things that do not work: promote an account to admin, undelete an account, change admin account information (password for example).
Changing admin account info results in: "Not Authorized to access this resource/api" error.
Is there any way to get around this issue? If not, this severely cripples my ability to use the new API to manage my users. well, the admin users anyway. I need it to work for all users, even the hand full of administrators. I simply don'y see the point of a service account impersonating an admin, and then does not have all the proper rights to change account info on all accounts, especially when the previous API allowed it.
please advise.
I can also provide my library for anyone interested in using it.
-Jerry
I figured out my issue.
When I started this project, I created a google account for this project and assigned it superadmin role.
I was revisiting my project today and I was getting the same errors when trying to update admin accounts. I signed into the project's admin gmail account.... and accepted the terms...
now my library works perfectly. yay.
I'm building a lightweight web interface to SSRS where web app users are mapped to web app roles, which in turn are mapped to SSRS users.
The reason for this convoluted scheme is not up for debate: In short, AD groups can't be used, the site uses Forms auth and there are a fixed number of roles.
Web Role | SSRS User
Admin | AdminUser
Supervisor | SuperUser
User | BasicUser
Guest | GuestUser
The goal is to enumerate all reports a user has permission to view, and allow the user to view the report with the ReportViewer control.
More importantly, it's to simplify the UX for users, both admins and the rest: preventing admins from having to use the Report Manager website (ie, selecting checkboxes rather than hand-typing which web-role-users have access to which reports), and providing a simple UI from which users can see and execute all their reports.
Everything works OK when the user is the AdminUser.
However, I'm having difficulty calling the web service when the user isn't included in a Policy on the Home/Root folder with at least the Browser SSRS role. (The permissions granted to user 'computer\username' are insufficient for performing this operation.)
This is problematic for a couple reasons:
If every user must be a Browser to connect to the web service and enumerate reports they have access to view/execute, then all users will have access to all new reports/folders by default. (Children automatically inherit new permissions)
If a report exists in a nested folder that does not inherit permissions and the user is not a browser of, but the user is a Browser on the nested report, ListChildren() will not return that report.
It seems this leaves me with 2 less than ideal options:
Don't call the web service with the different users. Instead, enumerate reports with ListChildren() using only the admin user. Then, for each report, call GetPolicies(), and from that collection of policies, determine what reports the user is able to view.
Make the call with different users. Live with the pitfalls of newly-published reports being accessible to everyone by default, until permissions are changed. Also live with the pitfalls of nested reports not showing unless the user has access to that path. If an admin wants a nested report within a folder with explicit permissions to be available to a user who can't see that folder, the policies on all ancestor folders and their children must be modified.
#1 is obviously very unwieldy and inefficient. But #2 has significant drawbacks and becomes just as onerous & inefficient when setting permissions in certain situations.
Is there a better way? Have I missed something obvious?
[edit]
A 3rd option is to query the ReportServer database directly using a query like this. This has the benefit of returning everything the user has access to, regardless of whether or not it exists in a subfolder the user cannot access (aka, cannot use the web service's ListChildren method to retrieve). However, if using AD groups, I would have to know which groups the user is a member of, whereas the web service would do this for me. This option feels like a bit of a hack to me, but it could work.
As it turns out, we ran an end-route around this issue by dropping the requirement to restrict report access by web role, and made the path we query in the web service a web.config setting that can change, thus allowing report authors to 'hide' reports in a parent folder if the need arises in the future.
The best solution would have been to query the ReportServer database directly.
However, the client changed their mind & didn't want to restrict reports based on web user role in the end, so problem solved!
I have a user who's been assigned the sitecore/Analytics Reporting role (member of Sitecore Client Users), and when I log in with that user I can see Marketing Center, Engagement Analytics and Executive Dashboard. I now want to give this user read access to a content item, but I can't make it work.
First of all, the sitecore/Analytics Reporting role already has read access to the content editor etc (inherited from the Everyone role), so why can't I see it? I created another role with explicit read access to the content item and assigned it to the same user, but I still can't see it. Does anyone know what I need to do for the user to see the content item?
I seen this a few times before with older Sitecore versions. Doing a Sitecore cache clear or IIS reset resolved it at that time.
After checking with Sitecore support they told me you have to add Sitecore Client Designer to your role (even though the Access Viewer shows you have read access you still won't be able to see it until you've added this role).
I am wondering if you have a users permission to publish_stream and you want to publish_action from now on does publish_stream cover both or do we need to re-request the users permission?
If so whats the easiest way of detecting wether they have this permission granted etc.
User journey suggestions welcome.
The login system I have in place is users can use with facebook or their account credentials.
But some users sign up without facebook and then connect later. I don't create the session every time they login as I only need the publish_stream permission which works without needing a live user session with facebook to post when the user does specific actions. There is one column in the table which specifies wether the user is connected or not.
Suggestions welcome.
Thanks!
-Stefan
As of now, publish_stream includes publish_actions permissions.
see https://developers.facebook.com/docs/publishing/#publish_stream
The publish_stream permission is a superset of publish_actions allowing everything that publish_actions allows plus more.
publish_stream and publish_actions are two separate permissions. publish_stream does not include publish_actions.
To publish actions to the open graph, you will need to get this new permission for new users and for existing users.
You can check the permissions a user has granted your app by GETing /me/permissions from the Graph API.
In the latest version of the permissions dialog, users will have the option to NOT grant publish_stream - its always an optional permission. If the app requests publish_actions, this permission is considered required.
Once Timeline has launched beyond Developer Beta, you should not need to ask for publish_stream. If you want to publish a feed story, use the Feed Dialog.
Publish_stream is Deprecated Permissions from v2.2, that's why u can not use, just only publish_action u can still use,
https://developers.facebook.com/docs/facebook-login/permissions
regards
djavalatte.com
You must request publish_stream as a new permission because the prompt is much different. It is more around "Add to timeline" and a straight up permission.
To know if you have the permission, you can do many things. The easiest is to try and publish and see if it succeeds. but that will skew your metrics in insights. Better is to use the access token info endpoint and check the scopes you have there.
I have successfully published actions to the timeline with only the publish_stream permission. I cannot say if this is will be the case when it is fully launched or if it's only working because of the developer's beta. We can know for sure once we're 48 hours away from the official launch by checking out the beta tier. http://developers.facebook.com/support/beta-tier/