I am very upset with this oracle apex, their is no proper practical example or demonstration on Oracle Apex
I have built one application where I have 4 pages -> Home , My account , Calculate gross
If my Role : Admin and Name : Raj … I should have access to all my above pages
If my Role : user and Name : Bob … I should have access only to page : Home and Calculate gross and remaining pages should be hide
Following is my table details : employee
Name , Age , Role
Raj , 24 , Admin
Bob , 26 , User
Note : I am using SSO login
You should create authorization schemes - it is done within "Shared components" section. For example, you can create the one whose name is "full_access", its type is "PL/SQL function returning Boolean".
Code depends on what "role" and "name" actually represent; I presume that they are stored into some table. In that case, and if you created Apex users whose username matches name you mentioned (e.g. Raj and Bob), that would be
declare
l_role t_users.role%type;
begin
select t.role
into l_role
from t_users
where name = :APP_USER; --> APP_USER is username of currently logged user
return l_role = 'Admin'; --> if role is "Admin", function would return TRUE
end;
(Feel free to improve it.)
Then go to the page itself, check its (page's) properties - scroll down to the "Security" section and set the "Authorization scheme" property to "full access".
Doing so, any APP_USER whose role isn't "Admin", won't have access to that page.
Related
I've finally gotten Azure Single Sign-On (SSO) connected to Apache Superset running via docker-compose, following the Flask docs. Users in my company's Azure group can create and access Superset accounts by logging in with Azure and they are assigned roles based on their identity. This is good.
The usernames they get assigned, however, are long Azure ID strings. These are undesirable in displays. Here's what my account looks like on the List Users screen and on my profile:
How can I modify either my Azure application SSO setup or my Superset config to have Superset populate usernames like SFirke for the account usernames, instead of values like 3ee660ff-a274 ... ?
The security part of my config.py looks like this, almost identical to the Flask template:
OAUTH_PROVIDERS = [
{
"name": "azure",
"icon": "fa-windows",
"token_key": "access_token",
"remote_app": {
"client_id": "CLIENT_ID",
"client_secret": "CLIENT_SECRET",
"api_base_url": "https://login.microsoftonline.com/TENANT_ID/oauth2",
"client_kwargs": {
"scope": "User.read name preferred_username email profile upn groups",
"resource": "RESOURCE_ID",
},
"request_token_url": None,
"access_token_url": "https://login.microsoftonline.com/TENANT_ID/oauth2/token",
"authorize_url": "https://login.microsoftonline.com/TENANT_ID/oauth2/authorize",
},
},
]
EDIT: Looks like the way to go is writing a custom userinfo retrieval method, there's a template on the Flask page linked above and an example used for Superset in this Github comment. I think I would use a line like "id": me["preferred_username"] or "id": me["upn"], based on the field names in the Microsoft docs.
But Microsoft notes that this value can change over time and should not be used for authorization changes. Since the oid value is immutable, and it is hardly visible to the typical user, I plan to just stick to it.
I would like to set or to modify display names of members subscribed to groups I'm managing (see attached picture).
I need to do that by Groups Migration API or GAM. But members object don't include that information!
I try to execute following command:
gam update group test-group add member user "Pippo Paperino" pippo.paperino#email.-it
this don't work. :-(
Does anybody knows how to do that?
{
"kind": "admin#directory#member",
"etag": "\"enlFCt4L0xxxzRNl5h_fsrc/PLoDCCsd1WkZFMzGD8Xvw7uzSCQ\"",
"id": "109503944206647999229",
"email": "pippo.paperino#email.it",
"role": "MEMBER",
"type": "USER",
"status": "ACTIVE",
"delivery_settings": "ALL_MAIL"
}
enter image description here
A member of a Group can be a user or another group.
If the member of the group is a user, the display name corresponds to the name the user has in the Google Account (the fullName, which is formed by concatenating the givenName and the familyName): check User resource . You cannot update the display name in Groups directly. If you want that display name to change, you would have to call Users.update in Admin SDK > Directory API, and provide a new user's familyName and givenName. But bear in mind that this will change the user's name everywhere, not just the display name in that group.
If the member of the group is another group, the display name corresponds to the name property in the Group resource. If you want to update that display name, you would have to call Groups.update and provide your desired display name. Of course, this will change the display name not just in that group, but everywhere.
Reference:
Members
Groups
Users
I hope this is of any help.
I tried to create a new Google Cloud project from the command line with:
$ gcloud projects create PROJECT_ID --folder=FOLDER_ID
But I got the error:
ERROR: (gcloud.projects.create)
INVALID_ARGUMENT: field [parent] has issue [Parent id must be numeric.]
- '#type': type.googleapis.com/google.rpc.BadRequest
fieldViolations:
- description: Parent id must be numeric.
field: parent
- '#type': type.googleapis.com/google.rpc.Help
links:
- url: https://cloud.google.com/resource-manager/reference/rest/v1/projects
Looking at gcloud project create --help, it says:
--folder=FOLDER_ID
ID for the folder to use as a parent
How do I get the folder ID?
Unlike the PROJECT_ID (which must must start with a lowercase letter and can have lowercase ASCII letters, digits or hyphens), a FOLDER_ID is not the name of the folder -- instead, it's a number (hence the "Parent id must be numeric") error.
You can find the ID of your folder by searching for it by name in the Google Cloud console, it'll be in a box with a "Folder ID" label.
I have User and Buyer participants on the network. Generally, the buyers cannot READ the user's data but I want to make GrantAccess and RevokeAccess transactions so the Users to have the option to grant and revoke the READ access from Buyers
I haven't been able to find anything on how to do this, would appreciate any help.
You would run a 'tx_GrantAccess' transaction that firstly, updates a particular BUYER's record (eg. id buyer123 - a participant modeled with a field called access, which is set to true by this transaction).
I can use a condition match (as a boolean) on the target BUYER records (resources) and if the BUYER, say buyer123 (ie that's accessing the business network) has access=true then he can READ the USER records.
Transaction rule (needed by User to access the transaction classes)
rule rule_1 {
description: "grant access to User, for the 2 x Transactions themselves"
participant: "org.acme.example.User"
operation: CREATE
resource: "org.acme.example.tx_*"
action: ALLOW
}
User Access rule:
rule rule_2 {
description: "if granted access, allow READ of User by buyer"
participant(m): "org.acme.example.Buyer"
operation: READ
resource(v): "org.acme.example.User"
condition: (m.access)
action: ALLOW
}
where Buyer has a field (eg.
participant Buyer identified by id {
o String id
o Boolean access default=false
}
and your transaction tx_GrantAccess has a function that will set access to true on a particular Buyer's record and tx_RevokeAccess will set it to false etc.
how do I restrict dynamoddb user access to its own data owned by them.
I came access Using IAM Policy Conditions for Fine-Grained Access Control
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": [
"${www.amazon.com:user_id}"
],
"dynamodb:Attributes": [
"UserId",
"GameTitle",
"Wins",
"Losses",
"TopScore",
"TopScoreDateTime"
]
}
}
problem with above condition is that my partition key is not the userId.
its something else.
here is what my DB looks like like
Hash : "Sales" # its just plain text Sales
Range Date # its date
attributes : Sale : [ # array of maps
{
name : abc,
userId : idabc,
some-other : stuff
},
{
name : xyz,
userId : idxyz,
some-other : stuff
}
]
any idea how to restrict access based on sale[x].userId ?
or any better design how to handle this kind of design ?
I use Date range to query 90% of the data.
other option is to use different table for each and every logical table.
like sales,expense,payroll etc but I don't want to create different tables
and it defeats the purpose or NoSQL I guess.
FYI I am using javascript sdk to access dynamodb from browser.
app has 3 different user types
customer (access to its own data)
merchants (its own data and access to its customer data)
admin (access to all the data)
I think for this I have to create 3 different userPools, correct me if I am wrong.
but cant restrict access to own data, if I use partition key as userId
then querying for merchants becomes difficult.
any suggestion on how do I handle this db design?
thanx