I am looking for advice on a not so particular situation.
I currently have roughly 20000 stores.
All stores have admins, managers and user roles.
An admin can create/manage any roles
A manager can create/manage only user role
A user can login and access custom functionality.
Any persona can be assigned to 1 or multiple store and can have 1 or multiple roles for that particular store.
Ie:
StoreA has userA as Admin and userB as Manager
StoreB has userA as User and userB as Admin
At first, I converted my stores to be groups. But since roles are binded to the group, I would have still have 3 roles for each group (20000 groups and 60000 roles - Group StoreA, Roles: StoreA_Admin, StoreA_Manager, StoreA_User, etc...). Not sure if it is the right decision, And I am not sure about the performance.
Then, I kept the stores as groups, but instead of creating roles, I created custom multivalued attributes that saves the group uid. That worked in carbon, as well as the API, but the console doesn't like the multivalued fields. And if another role is introduced, I would have to create another field.
Any thought on how to approach this situation ?
We can map your story to IS groups and roles as follows.
Please note that groups and roles are treated as two separate resources since IS-5.11.0.
Refer to:
https://is.docs.wso2.com/en/5.11.0/setup/migrating-what-has-changed/#group-and-role-separation
https://medium.com/p/93d42fe2f135
That separation is not clearly visible in the management console. So you can use the console application to create groups and roles.
Group used to represent a collection of users in the user store. One user can belong to zero or more groups.
Role is a collection of permissions. A role can have zero or more permissions.
We can assign a role either to a group/ a user.
Due to this statement:
A user can log in and access custom functionality.
We don't need to assign any role to normal business users specifically.No specific role is required to login into the business application via identity server basic authentication. In case your business application has a role-based access control need to assign a role to business users as well. Otherwise, every user will get login permissions upon successful authentication, it should be enough to do business operations in the application.
In your case, if any store's admin has the same set of permissions and any manager has the same set of permissions, you can't just evaluate the permissions and authorize the requests.
For eg: If user B is the manager of store A and admin of store B, he has inherited both admin and manager roles related permissions. But user B performs a request on store B, you have to authorize the request based on only the roles related to store B.
Related
I am new to AWS...
We have a home grown user authentication and authorization.
We define authorizations(roles) in company terms, role1 allows you to do tasks1 and tasks2. Role2 allows one to perform tasks3 only.
I can see how I can use Cognito for my user/password management.
Unclear if I use cognito for roles verification, i.e authorization.
Thoughts?
In a Cognito User Pool one can define both Users and Groups, which can be leveraged to drive fine-grained RBAC permissioning. You can define a custom attribute in the User model (e.g., "department" or "role") and map this attribute to Groups.
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html
Each group can optionally be associated with an IAM role, so it's possible to restrict access to AWS resources (e.g., certain DynamoDB tables) by group -- as an additional layer of security.
However, if you don't need/want to map users to different IAM roles, maybe just handle authentication completely from within your application.
Our organization has set up WSO2 API Manager 2.1, with a secondary user store binding to our organization's LDAP. We need all users from our organization to have a subscriber role by default.
We would prefer for there to be no need for users to use "Self Sign Up"-- and additionally, "Self Sign Up" appears to create new accounts, however all of our accounts are already in the secondary user store.
How can we configure the system to grant the subscriber role by default?
Is there any common ldap user group for the users? For example users who need to log in to the store belongs to X group. If so, you could assign subscriber related permissions for that group from API manager instead of assigning permissions to the 'everyone' role. (If you have configured the groups related ldap queries correctly you should be able to view them in the API manager carbon console. refer https://docs.wso2.com/display/IS550/Configuring+a+Read-write+LDAP+User+Store)
I'm trying to build a web app that can be accessed by any user that signs up with facebook.
I want to use AWS Cognito to speed up the development for users management.
It has to have 3 type of users:
Normal users - any user that logs in with facebook
Editors - users that have a different access level (IAM role?), they can call a specific AWS Lambda function, that normal users can't call.
Administrators - users that can modify the status of normal users to make them editors or admins
Can someone please point me in the right direction? I've set up AWS Cognito Identity Pool but I'm not sure if I have to set up a User Pool or how do I assign a different role or policy to a user to make him an admin or editor (different access levels for other AWS resources), if I can get in my web app the users list from Cognito (only for an authenticated admin) and how do I allow him to modify other users roles.
Some tutorial, documentation or at least a short description of how can I do this would help me a lot.
Optional: let users to not only sign up with facebook but also with email/pass, and have the same functionality.
You should be able to use 'Role Based Access Control' feature of Cognito federated identities. This is the relevant part of the doc:
http://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html
If you are only using Facebook, you can use Facebook sub to assign appropriate role.
If you are using username and password based sign-in with user pool, you can use group support and create editors group and assign appropriate permissions.
Instead of managing Administrators with federated identities or user pool, probably directly using IAM user will be a better idea. This IAM user will have full permission to modify/add identity pool rules or user pool groups.
I'm attempting to develop an application architecture almost exclusively on top of AWS services.
This application has both User and Organization "entities". As one might except, a User may be an admin, role-x or role-y of one or more organizations. (role-x and role-y are just placeholders for some role with some set of specific permissions. A User may also be standalone (that is, not have a role on any Organization).
Our current thinking is to use DynamoDB to store organization and user specific data. For users this may include some basic information (address, phone number, whatever), and for organizations it may include fields like "mission statement", "business address" and so on.
An admin of an organization would be able to edit all organization fields, whereas a role-x might only be able to update "mission statement" while reading all other fields.
Since I mentioned that a single user may have roles on many different organizations, that might look something like:
user1:
organizations:
123: 'admin'
456: 'role-x'
789: 'admin'
It's also worth noting that these role assignments are modifiable. New or existing users may be invited to take on a specific role for an organization, and an organization may remove a user from a role.
This is a fairly straightforward type of layout, but I wanted to be very clear about the many-to-many nature of the user, org and roles.
I've been reading IAM and Cognito documentation, as well as how it relates to fine-grained control over DynamoDB items or S3 buckets - but many of the examples focus on a single user accessing their own data rather than a many-to-many role style layout.
How might one go about implementing this type of permission system on AWS?
(If policy definitions need to be updated with specific Identities (say, for an Organization), can that reliably be done in a programatic way - or is it ill-advised to modify policies on the fly like that?)
The above answer is outdated.
AWS has added Cognito-Groups recently. That provides more flexibility
You can use technique described in the article to achieve that:
https://aws.amazon.com/blogs/aws/new-amazon-cognito-groups-and-fine-grained-role-based-access-control-2/
Unfortunately the kind of permission system you are trying to implement is not possible with Cognito at the moment. With Cognito you can currently create unique identities for your users in an identity pool. Users can authenticate using any external provider such as Facebook, Amazon, Google, Twitter/Digits or any OpenId Connect Provider. Users can also authenticate through your own backend authentication process. After the user authenticates, Cognito creates a unique identity for that user. There’s a concept of an identity, but there’s no concept of groups. All users/identities within a one identity pool can get credentials from roles associated with that identity pool. Currently you can specify two roles: One role for authenticated identity and one role for unauthenticated identity. There’s no such feature at the moment where you can specify multiple groups for each identity and specify role on that group.
For more information on Cognito, you can refer to
https://aws.amazon.com/cognito/faqs/
http://docs.aws.amazon.com/cognito/devguide/getting-started/
We are using Sitecore 8 update 3 with Active Directory integration. I am trying to copy a Role and the respective users tied to it from our Dev environment over to Prod
example:
role: Sitecore/IHaveAccess
users: ad/dk123, ad/dk234, ad/dk345...
I tried two different methods:
Method 1: Generate package:
By creating a package that described on the page 19: https://sdn.sitecore.net/upload/sitecore6/65/package_designer_admin_guide-a4.pdf
When I installed the package on the new environment, the role was added but none of the users was under the Role.
Method 2: Serialization:
I serialize the item, but when viewing in Notepad++ is does not contain any users. When I serialize a user who was in the group, I do see the group.
Any thoughts why we have the issue?
Unfortunately, the membership information is stored against the user and not the role (the same for roles within roles). In this instance, the membership information is stored against the AD user. You are storing that a user is a member of role x and not that role x contains member y.
This means that you would need to package up both the role, and the corresponding users. I'm not sure of how this would work using AD though, since you are essentially trying to sync back user related data via Sitecore. I would ensure at your AD provider is not set as readonly in the connection string or it's setup. Since you only have a one-way sync, there's no way to store that information back in AD and have it persist.
Personally, I would set up my roles differently to allow the management to be easier, but it depends on your exact requirements obviously:
Create a Sitecore role, assign all your permissions and security against this roles (sitecore\IHaveAccess)
Create a matching AD role (ad\IHaveAccess) and add this as a member of your Sitecore role
Add your AD users to your AD Group. They will gain the correct permissions through Role In Role. If you already have AD Groups set up, you simply add existing Groups to the new Group even.
Using this, at most you have to add your AD roles back into your Sitecore roles (this shouldn't be the case you added the AD roles as a member of the Sitecore role so the membership is stored in Sitecore). It also has the advtantage that your users/roles/membership is centrally located within one system.