Power Platform Security Roles Details - admin

I would like to know the exact details and impact of the specific security roles that can be assigned in the Power Platform. I am not able to find such documentation. Does anyone know where to find it?
Also, I am especially interested in this one called "Solution", located under "Customizations".

Actually, there is no official doc covering these details (each privilege listed under Customizations).
Any user who wants to run a Power Apps app (canvas app or model-driven app) must hold the minimum privilege of the environment resource. You can find more details at the following link:
Minimum privilege to run an app
BR
Kris

Related

Resource Hierarchy and Networking for a Google Cloud Organization with a single developer

I have several projects in GCP which are publicly accessible and will become commercial services. Since I found myself with many projects, I thought that I would try out the Google Cloud organization feature. However, I cannot complete the creation due to odd requirements.
Google puts forward a "Checklist" to set up Google Cloud for the organization. If I go under IAM & Admin -> Identity & Organization, the only option there is to go to the checklist to complete it. However, the checklist includes mandatory steps like creating VPCs and a certain Resource hierarchy, which are things that I don't need/want. I am the only developer and don't want to pay more for services that I don't use. I cannot remove these options. As such, the organization seems to be "unconfigured" from the point of view of Google.
At the same time, I'm wondering if it really changes anything and if there is any benefit for me to use an organization.
Edit: I am not following any documentation per se, as there is a quite detailed interactive "tutorial" which takes you through all the configuration steps directly on GCP. The problem is precisely that I cannot choose an option not in the tutorial for some steps. To give you an idea, see this blog post, specifically Step 5.

Is there a way to get GCP service cost by access email ID?

I'm looking to get help on GCP billing. I know we can get cost info based on the service and project; however, is it possible to get info based on the access email ID? I'm planning to give access to my colleagues, and I want to know how much each one's access costs and against which service.
Something like: Date, Email ID, Service, Cost
With respect to another project, how should we know which access cost us so much?
We are running ~30 sandbox projects internally, each allocated to a specific person that can test and run his/her stuff on GCP.
I strongly suggest you create isolated workspaces (projects) for your colleagues so they don't accidentally delete/update services of other people. You will get a separate billing report for each project as well.
I am also setting up a billing alert for all my colleagues so they get an early notification if they left something running on their testbench.
There are three ways I think you could do that kind of cost segregation; I will number them in order of complexity.
1. Cloud Export Billing. For this one, the best practice is to segregate your resources and users by "labels". As administrator, you may ask the users to use them and assign them to any resource they create, e.g. if they create a new VM instance; then you will be able to filter the exported table by that field and create the reports you want. (Your GCP billing dashboard will also show these "label" segregations.)
2. Use the Billing API to curl directly the information you need; you can include in the request the information you need, like SKU, user, date and description.
3. Usage Reports. This solution is more in GSuite's scope, and I can't vouch that it will work as the documentation says, but you can take a look at it. There is an option to get "usage reports"; these usage reports can be made from GSuite for any resource below it, GCP included, if you already have an organization.

Google Cloud CDN - Can I choose distributions?

AWS allows users to choose CDN (CloudFront) distributions, and I did find documentation about it on their site.
However, on Google Cloud Platform (GCP), I did not find anything saying that users can choose which distributions they like.
I currently don't have a GCP account, so I cannot test it myself due to some registration issue. So can anyone please tell me, is it possible to choose distributions? I'd like to exclude certain areas while using it.
I believe there is no geoblocking option in GCP. But there is price differentiation based on destination.

Sitecore - Standard roles for users [closed]

I'm creating users for a practice project and came up with three - author, reviewer, publisher.
author - should be able to create, edit and delete items.
reviewer - should only be able to read and approve items.
publisher - should only be able to read all items and publish those that have been approved.
I read in an article that these roles would suffice for a content author - Sitecore Client Authoring & Sitecore Client Users, and so assigned the same to author.
When logged in as author, the insert option is greyed out! So, I logged in as admin again and tried giving access to the Home item (read, write etc.) for author, but it says access denied.
Please clarify for me the following:
1. The users I thought of, are they correct, and would they work well in a real scenario?
2. Why am I not able to give access for author to the Home item.
3. Is creating a custom role necessary. Should there not be a sitecore standard role(s) already for these users which are common for every project.
4. Kindly suggest the roles that I should assign for my author, reviewer and publisher
This question doesn't really fit the guidelines for SO, but to answer your questions:
1. It's uncommon to have a dedicated publisher. More common is to have a workflow that automatically publishes once content is approved, I would expect. You can likely get away with just 2 roles.
2. Those roles should be enough, but check the doco. Please clarify whether your admin user is getting the 'access denied' message or your author. Admin users should not be denied anything; likely your security setup is causing the problem (item permissions, not roles).
3. Standard roles are granular to allow you to tune your setup. There are a number of sample sites you can get (like launchsitecore.net) that can show you how to use these roles, plus there's documentation. You can also post to community.sitecore.net.
4. There's a combination of roles and privileges required to achieve this, too detailed for SO. Refer to documentation, various blogs, or a sample site to see how to use the security features in a real-world application.
You can set it using the Workflow feature and altering security rights on the workflow level. The simplest workflow structure should be like:
Initial step 1
    Submit command (moves item to step 2)
Awaiting Approval step 2
    Approve command (moves item to step 3)
    Reject command (moves item to step 1)
Awaiting Publishing step 3
    Publish command (moves item to step 4)
    Reject command (moves items to step 2)
Published final step 4
    Auto Publish action (standard action that will publish item automatically as soon as item appears in the final state)
All 3 roles should be a member of at least the Sitecore\Author role. It allows basic access to item editing features. Do not forget to explicitly allow Write etc. access using the Security Editor application. If it doesn’t work for some reason, check current rights using the Access Viewer application; once you select some particular security account and item, you should be able to inspect allowed and denied rights with an explanation on the right side.
Then you need to set access on the workflow level (for instance, a reviewer can execute the Approve and Reject commands in the “Awaiting Approval” state, and can’t - in other states. Same for author and publisher).
Useful docs (valid for Sitecore 8.x as well):
https://sdn.sitecore.net/Reference/Sitecore%207/Security%20Reference.aspx
https://sdn.sitecore.net/Reference/Sitecore%207/Workflow%20Reference.aspx

How can I get the list of user accounts that Windows presents on the Log-On screen?

I'm using NetQueryDisplayInformation (I've already tried the NetUserEnum function) to get the set of user accounts on the local machine. I can get all the accounts this way - but I only want the accounts associated with actual human beings, and not, for example, hidden accounts used for software updates.
After reading the MSDN documentation on the relevant structures and similar Stack questions, I see nothing that can allow me to filter to just the accounts that I need.
Ideally, someone will have a simple and reliable solution that:
Doesn't involve using undocumented registry entries
Doesn't rely on enumerating user folders on disk
I'm not going to try to build an exhaustive list of non-real-user accounts
For technical reasons, WMI is not an option
Any ideas?
[Much later]
Got the answer, but not here - just enumerate the groups for each user. "Real human" accounts will be a member of one or more of Administrator, Power User, User, Guest.
You may be able to use the NetUserEnum function. It should return a list of all the user accounts on the system. I've not had to use this function personally so I can't provide any spectacular code examples, but the MSDN information sounds like what you are looking for.
You can use the NetQueryDisplayInformation API, combined with a bitwise check on the user info flags.
I have exactly the same requirements, so I cooked up sample code (modified from the MSDN GROUP query).
The user flags I used are:
UF_NORMAL_ACCOUNT
UF_ACCOUNTDISABLE
UF_PASSWD_NOTREQD ---> this ensures we get a human account; a human account always requires a password.
Working code at: http://www.cceye.com/list-system-normal-user-account-only/
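
The two heuristics in this thread (group membership from the asker's update, account flags from the last answer) can disagree on the same account. The following is an added example, not code from the thread or the linked page, that applies both to constructed records; the `struct account` layout, the sample accounts and the function names are assumptions, and the group names are the built-in local groups Administrators, Power Users, Users and Guests.

```c
/* Added example: both heuristics from this thread, run on constructed records. */
#include <stdio.h>
#include <string.h>

#ifndef UF_NORMAL_ACCOUNT            /* values as defined in lmaccess.h */
#define UF_ACCOUNTDISABLE 0x0002
#define UF_PASSWD_NOTREQD 0x0020
#define UF_NORMAL_ACCOUNT 0x0200
#endif

/* Hypothetical record: name and flags as an enumeration call reports them,
   plus the account's local group names (NULL-terminated, at most 4). */
struct account { const char *name; unsigned long flags; const char *groups[4]; };

/* Flag heuristic: normal account, not disabled, password required. */
int passes_flag_check(unsigned long flags) {
    return (flags & UF_NORMAL_ACCOUNT)
        && !(flags & (UF_ACCOUNTDISABLE | UF_PASSWD_NOTREQD));
}

/* Group heuristic: member of at least one built-in local user group. */
int in_builtin_group(const struct account *a) {
    static const char *const builtin[] =
        { "Administrators", "Power Users", "Users", "Guests" };
    for (size_t g = 0; g < 4 && a->groups[g]; g++)
        for (size_t b = 0; b < 4; b++)
            if (strcmp(a->groups[g], builtin[b]) == 0) return 1;
    return 0;
}

/* Bit 0 set: flag check passed. Bit 1 set: group check passed. */
int classify(const struct account *a) {
    return passes_flag_check(a->flags) | (in_builtin_group(a) << 1);
}

/* Constructed sample data, not taken from a real machine. */
const struct account SAMPLE[] = {
    { "alice",      UF_NORMAL_ACCOUNT,                                         { "Users" } },
    { "Guest",      UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_PASSWD_NOTREQD, { "Guests" } },
    { "svc_update", UF_NORMAL_ACCOUNT,                                         { NULL } },
    { "kiosk",      UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD,                     { "Users" } },
};

int main(void) {
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++)
        printf("%-10s result=%d\n", SAMPLE[i].name, classify(&SAMPLE[i]));
    return 0;
}
```

A result of 3 means both checks accept the account; 1 or 2 marks an account on which the flag check and the group check disagree and which needs a manual decision.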