Could anyone help me on how to filter a view’s node list based on the user role? For example, consider we have manager and developer roles and there are 3 node items in a view that are node1, node2, node3. The manager has access to node1, node2 and the developer has access to node3. Now, the view should show only node1, node2 when the manager logs in and sees the view. And when the developer logs in, he should be able to see only node3. Thanks in advance.
I achieved RBAC using the node_check_access hook by creating a new custom module
I have an AWS Amplify application that has a structure with multi-organizations:
Organization A -> Content of Organization A
Organization B -> Content of Organization B
Let's say we have the user Alice, Alice belongs to both organizations, however, she has different roles in each one, on organization A Alice is an administrator and has more privileges (i.e: can delete content or modify other's content), while on Organization B she is a regular user.
For this reason I cannot simply set regular groups on Amplify (Cognito), because some users, like Alice, can belong to different groups on different organizations.
One solution that I thought was having a group for each combination of organization and role.
i.e: OrganizationA__ADMIN, OrganizationB__USER, etc
So I could restrict the access on the schema using a group auth directive on the Content model:
{allow: group, groupsField: "group", operations: [update]},
The content would have a group field with a value: OrganizationA__ADMIN
Then I could add the user to the group using the Admin Queries API
However, it doesn't seem to be possible to add a user to a group dynamically, I'd have to manually create each group every time a new organization is created, which pretty much kills my idea.
Any other idea on how I can achieve the result I'm aiming for?
I know that I can add the restriction in code, but this is less safe, and I'd rather have this constraint on the database layer.
Look into generating additional claims in your pre-token-generation handler.
Basically you can create an attribute that includes organization role mapping
e.g.
{
// ...
"custom:orgmapping": "OrgA:User,OrgB:Admin"
}
then transform them in your pre-token-generation handler into "pseudo" groups that don't actually exist in the pool.
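The transformation suggested in the answer above, sketched as a pre-token-generation Lambda; this is an added example, not code from the original post. It assumes the `OrgA__ADMIN` naming from the question, a fixed role set, alphanumeric organization ids, and that `custom:orgmapping` is writable only through admin APIs and not by the app client, since a user who can edit the attribute can edit their own roles.

```javascript
// Added example, not from the original answer. Cognito pre-token-generation
// trigger (V1 event shape) that turns "custom:orgmapping" into pseudo-groups.
const ALLOWED_ROLES = new Set(["ADMIN", "USER"]); // assumption: the full role set
const ORG_ID = /^[A-Za-z0-9]{1,64}$/; // assumption: org ids are alphanumeric

// "OrgA:User,OrgB:Admin" -> ["OrgA__USER", "OrgB__ADMIN"]
// Entries that are malformed or name an unknown role are dropped, so a bad
// attribute value can never mint an unexpected group name.
function mappingToGroups(mapping) {
  const groups = new Set();
  for (const entry of String(mapping || "").split(",")) {
    const parts = entry.split(":").map((p) => p.trim());
    if (parts.length !== 2) continue;
    const [org, role] = [parts[0], parts[1].toUpperCase()];
    if (!ORG_ID.test(org) || !ALLOWED_ROLES.has(role)) continue;
    groups.add(`${org}__${role}`);
  }
  return [...groups].sort();
}

// Merge the pseudo-groups with the user's real pool groups and write them to
// the cognito:groups claim through groupOverrideDetails.
function applyPseudoGroups(event) {
  const request = event.request || {};
  const attrs = request.userAttributes || {};
  const real = (request.groupConfiguration || {}).groupsToOverride || [];
  const pseudo = mappingToGroups(attrs["custom:orgmapping"]);
  event.response = event.response || {};
  event.response.claimsOverrideDetails = {
    groupOverrideDetails: { groupsToOverride: [...new Set([...real, ...pseudo])] },
  };
  return event;
}

const handler = async (event) => applyPseudoGroups(event);
if (typeof module !== "undefined") module.exports = { handler };

// Constructed sample event: one real pool group plus the mapping attribute.
const sampleEvent = {
  request: {
    userAttributes: { "custom:orgmapping": "OrgA:User,OrgB:Admin,OrgC:Root" },
    groupConfiguration: { groupsToOverride: ["Everyone"] },
  },
  response: {},
};
console.log(applyPseudoGroups(sampleEvent).response.claimsOverrideDetails);
```

The resulting `cognito:groups` values can then be matched by the `groupsField` rule from the question without the groups existing in the user pool.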
Can anyone explain why an aws glue Workflow would have empty default run properties and no graph, when accessed from an sdk? When I view the same workflow on the aws console I can see the ui representation of the graph and the run properties.
Yet when I access the same workflow via SDKs (tried Java and boto3) the Workflow object shows empty default run properties and no graph. The accessor methods for these attributes return empty objects or null. For example
with the java sdk
myWorkflow.getGraph() returns null
I know the workflow has several nodes and I have run and modified the workflow many times via the console.
I've tried to research if this is a permissions issue but I can't find anything to back that up and I don't get an error. Any insights would be appreciated.
So there is an "IncludeGraph" parameter in the getWorkflow request. The default of which is False. So to get the graph returned with your workflow you must set the parameter to true.
in Java:
......yourWorkflowRequest.withIncludeGraph(true)
in boto3:
import boto3
boto3.client('glue').get_workflow(Name='the_workflow', IncludeGraph=True)
I have setup the cluster for WSO2-IS (2 instances on different machines) based on the information provided here - https://docs.wso2.com/display/CLUSTER44x/WSO2+Clustering+and+Deployment+Guide
Setup DB with a user store, shared registry, 2 local registries
Copied the DB driver jar to component lib
Updated the master-datasource.xml
Updated the registry.xml (made sure the master is read-only false and worker is read-only true)
Updated the AXIS2.xml and used WKA for membership scheme
Performed other changes as suggested in the link
Started the master with -Dsetup option and the worker without -Dsetup option.
Verified that the governance folder is shown as a symlink
I can see the interaction between both the nodes, there are Hazelcast messages related to node joining when the worker is started.
A user created in 1 is able to log in to the other instance, service providers are also automatically available when viewed through the UI.
The problem is that when I create a secondary user store (JDBC) in the first node and go to the list in the second node - the secondary user store is not present and I cannot view the users in the user list too.
Am I missing something or is it the way the cluster is supposed to perform i.e. secondary user stores have to be shared in some other way?
Thanks,
Vikas
Secondary user store configurations are not synced between two nodes by default. Once you create a secondary user store from the UI, it will create a file in the following location.
[WSO2_IS]/repository/deployment/server/userstores/
These configuration files need to be copied manually, or you have to use some synchronization mechanism to copy the files to the other node. Since this is not a frequent task, it is better to copy this file.
For more information:
https://docs.wso2.com/display/IS500/Configuring+Secondary+User+Stores
In my Sitecore workbox, there are several workflow states being displayed. (Draft, Awaiting, Approved)
How can I restrict access only to one/few (Draft) workflow states for a particular role (e.g. Junior Manager) in Sitecore?
(I'm using v6.5)
Yes, you can. To be able to see the various workflow states you'll need read access to that workflow state as well as write access to the item you want to approve/reject.
From the Workflow Cookbook (chapter 3.1 and 3.2):
3.1 The Content Editor and Workbox only displays workflow commands for non-Administrator users when:
The user has write access to the associated item, and
The user has write access to the command’s parent workflow state, and
The user has read access to the workflow command itself.
3.2 Users who have read access to a workflow state can see that state in their workbox as long as the state includes workflow commands for which they have command execute access rights. If business requirements state that a particular workflow state should be hidden from a given set of users, you can restrict access to that state for those users by:
Hiding all the workflow commands in the state from the users in question, or
Explicitly hiding the workflow state itself from the users in question.
To explicitly hide a workflow state:
Turn off the inheritance access right for the workflow state item and do not grant read access to the workflow state to the user and all the roles assigned to the user, or
Deny the user or one of the roles that the user is assigned read access to the workflow state item.
I am trying to create a role within Sitecore which can publish content, but only within a specific area(s) of the site. I've added the standard Sitecore\Client Publishing role to my role, but I can't see how to prevent the role from being able to publish all areas of the site. I've looked at the Security editor and the Access viewer, but setting the write access of the sections only seems to affect the ability to edit those sections and has no effect on the ability to publish on those sections.
Workflow is the typical way this is handled. Giving roles access to approve (this could be called 'publish') content of certain sections of the content tree will be the best way to achieve what you are describing. Combine this with an auto-publish action to make it more user friendly.
One thing to keep in mind though using this method is referenced items (images from media library the content may be using for example). Take a look at the 'Publishing Spider' module on the shared source library http://trac.sitecore.net/PublishingSpider
EDIT: Update
I recently discovered this setting in the web.config: "Publishing.CheckSecurity". If set to true, this setting will only publish items if the user has read + write on the item and will only remove items from the web DB if the user has delete permissions.
I had a similar situation once and I created roles per section which only had read and write to that section and nowhere else (let's say 'editor section 1') and another role which only had publishing permission for that section (let's say 'publisher section 1'). Then added the 'editor section 1' role to the 'publisher section 1' role, which gives you the role for publishing only a specific section.
You do not need multiple workflows; the same workflow with multiple roles can also achieve this goal.
Answer to this is to set Publishing.CheckSecurity to true
You need to find this code inside web
<!-- PUBLISHING SECURITY
Check security rights when publishing?
When CheckSecurity=true, Read rights are required for all source items. When it is
determined that an item should be updated or created in the target database,
Write right is required on the source item. If it is determined that the item
should be deleted from target database, Delete right is required on the target item.
In summary, only the Read, Write and Delete rights are used. All other rights are ignored.
Default value: false
-->
<setting name="Publishing.CheckSecurity" value="false" />
Set the value="true"
But again you have to govern the security tightly, and assign user roles properly. If you fail to do so, you will experience buggy publishing.
Hope that will help