i have a model of messages and i want all users to access this model, both read and write,
but i want users to access only the instances that were created by themselves
and users of the same role. For instances created by themselves, the ACL can be
applied with the "$owner" principalId, but i want also users of the owner's role.
Is this possible in any way?
Also, this model has two "belongsTo" relations with the User model, one for the sender
of the message as the owner and another for the receiver as the owner, so a user can
get from the API both his outgoing and incoming messages.
Thanks in advance,
George.
I think the easiest way to achieve that is to create and register dynamic role resolver as it is shown in the documentation:
https://loopback.io/doc/en/lb3/Defining-and-using-roles.html#dynamic-roles
then you will have access to the user model and you can add your custom logic
Related
I am looking for advice on a not so particular situation.
I currently have roughly 20000 stores.
All stores have admins, managers and user roles.
An admin can create/manage any roles
A manager can create/manage only user role
A user can login and access custom functionality.
Any persona can be assigned to 1 or multiple store and can have 1 or multiple roles for that particular store.
Ie:
StoreA has userA as Admin and userB as Manager
StoreB has userA as User and userB as Admin
At first, I converted my stores to be groups. But since roles are binded to the group, I would have still have 3 roles for each group (20000 groups and 60000 roles - Group StoreA, Roles: StoreA_Admin, StoreA_Manager, StoreA_User, etc...). Not sure if it is the right decision, And I am not sure about the performance.
Then, I kept the stores as groups, but instead of creating roles, I created custom multivalued attributes that saves the group uid. That worked in carbon, as well as the API, but the console doesn't like the multivalued fields. And if another role is introduced, I would have to create another field.
Any thought on how to approach this situation ?
We can map your story to IS groups and roles as follows.
Please note that groups and roles are treated as two separate resources since IS-5.11.0.
Refer to:
https://is.docs.wso2.com/en/5.11.0/setup/migrating-what-has-changed/#group-and-role-separation
https://medium.com/p/93d42fe2f135
That separation is not clearly visible in the management console. So you can use the console application to create groups and roles.
Group used to represent a collection of users in the user store. One user can belong to zero or more groups.
Role is a collection of permissions. A role can have zero or more permissions.
We can assign a role either to a group/ a user.
Due to this statement:
A user can log in and access custom functionality.
We don't need to assign any role to normal business users specifically.No specific role is required to login into the business application via identity server basic authentication. In case your business application has a role-based access control need to assign a role to business users as well. Otherwise, every user will get login permissions upon successful authentication, it should be enough to do business operations in the application.
In your case, if any store's admin has the same set of permissions and any manager has the same set of permissions, you can't just evaluate the permissions and authorize the requests.
For eg: If user B is the manager of store A and admin of store B, he has inherited both admin and manager roles related permissions. But user B performs a request on store B, you have to authorize the request based on only the roles related to store B.
I read some questions and answers about my issue, but I still don't know the answer.
Can I use the userSub in AWS Cognito as primary key?
AWS Cognito: Difference between Cognito ID and sub, what should I use as primary key?
First, I will try to describe my case.
I want to create an application with spring boot as a resource server that uses oauth2. Then to save me some time with user management, I was hoping to use AWS Cognito since it allows me to create users as admin. I can set it up that it won't let other people sign up for themselves, which is crucial for me since my app will have restricted access; the admin will manage that.
Now to my question, which field of AWS Cognito can I use as the primary key for keeping user-specific data in my DB? I read that neither usernamenor sub is correct.
username can be changed, for example, and sub is globally unique, so it can't be restored. Is there any way to create a custom field where AWS Cognito will autogenerate UUID that I can use, and if I had to restore the user pool, I would have an option to set this field?
You can still go with username. If it is ever changed, just update your database to reflect this change.
You can also create a custom attributes in user pool. You can use that to store a self generated id. As for automatically generating this, you can have a post confirmation lambda trigger that will use adminUpdateUserAttributes to assign a unique id.
I'm pretty new in all the AWS Tools BTW. Anyhow, I already created the Cognito User Pool and I can create and login new users but I also need those fields in my RDS database.
Yesterday I was reading docs and tutorials about the problem but looks like there is a lot of ways to synchronise two data sources. I don't know if something like AppSync has the options to do that or I need to write a two steps lambda, so I'm looking for advice for more experienced users like you guys.
You can have only the basic required attributes for authentication in the cognito user pool such as username, name, email and phone number and the rest of the meta data in some other database such as RDS or DynamoDB.
Within dynamo or RDS you can create a one to one mapping of the username in cognito and the rest of the metadata. Like for example:
*username* -> pk
employee_id
address
user_type
first_name
last_name
marital_status
gender
From implementation point of view:
Expose lambda to create and update a user. Create a user in cognito using only the required attributes earlier defined using the cognito APIs, next insert the meta data for that user in the database of your choice. Same goes for your PUT API with a slight change that you will have to update user pool and user meta data in the database.
Short answer:
You can replicate Cognito User Pool data to a SQL table by listening to Cognito events (using AWS Lambda, for example).
Long answer:
I think you can have Cognito User Pools as authentication/user data Bounded Context, in other words a single source of truth for authentication and user data.
And other BC's in need of user data (for example Sales context) can use some kind of data replication architecture to sync user data as read only, for internal complex queries, or just decoupling from Cognito.
One example of data replication in this case could be listening to Cognito events (AWS Lambda can help with that) to replicate user data to a Bounded Context (just the part of the data you need for that context).
But remember that the replicated data is read only, the original Cognito data should be the single source of truth.
You can use AWS AppSync Lambda resolvers coupled with Cognito User Pools as the AuthZ choice for an AppSync API to satisfy your use case. Essentially when the user completes auth with cognito you will have the '$context.identity.claims' which contains the user attributes, and inside your lambda resolver you can write to your RDS DB.
Some reference docs:
Lambda Resolvers: https://docs.aws.amazon.com/appsync/latest/devguide/tutorial-lambda-resolvers.html
AppSync Auth with User Pools: https://docs.aws.amazon.com/appsync/latest/devguide/security-authorization-use-cases.html
Our organization has set up WSO2 API Manager 2.1, with a secondary user store binding to our organization's LDAP. We need all users from our organization to have a subscriber role by default.
We would prefer for there to be no need for users to use "Self Sign Up"-- and additionally, "Self Sign Up" appears to create new accounts, however all of our accounts are already in the secondary user store.
How can we configure the system to grant the subscriber role by default?
Is there any common ldap user group for the users? For example users who need to log in to the store belongs to X group. If so, you could assign subscriber related permissions for that group from API manager instead of assigning permissions to the 'everyone' role. (If you have configured the groups related ldap queries correctly you should be able to view them in the API manager carbon console. refer https://docs.wso2.com/display/IS550/Configuring+a+Read-write+LDAP+User+Store)
We are using RemoteUserStoreManagerService admin service to add subscribers (end application users) to WSO2 system. Web service automatically assign "Internal/everyone" role to such an user. Even if we provide a list of desired roles for user into WS function.
Can we change such behavior? Can we turn off auto-assignment or we need to use some different API for creating subscribers?
Main problem is, that "Internal/everyone" role for default has maximum system priorities, we want manually assign desired roles for subscriber.
It's the expected behavior that 'Internal/everyone' role get assigned to each and every user. The purpose of having this role is to assign the permissions for newly registered users (If you want the newly registered users to be capable of login and change their password etc.).
If you do not want such functionality, you remove all the permissions from this role.
Hope this helps.