I am currently trying to retrieve user events that grant admin or delegated admin privileges to accounts under our domain. I guessed that event names such as GRANT_ADMIN_PRIVILEGE and GRANT_DELEGATED_ADMIN_PRIVILEGES are the ones:
https://developers.google.com/admin-sdk/reports/v1/reference/activity-ref-appendix-a/admin-user-events?authuser=1
So, I filled in the form at https://developers.google.com/admin-sdk/reports/v1/guides/manage-audit-admin?authuser=1#get_account_events to generate a request like GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/admin&eventName=GRANT_ADMIN_PRIVILEGE or GRANT_DELEGATED_ADMIN_PRIVILEGES.
The result is 200 OK, but without any data in it (of course, I actually granted the privilege to a coworker in the last 2 months).
So, is it right to think GRANT_ADMIN_PRIVILEGE or GRANT_DELEGATED_ADMIN_PRIVILEGES is the event name I am looking for to audit granting activities? Or is there something I am missing?
You may want to visit Reports API: Admin Activity – Delegated Admin Event Names which details the admin activity report DELEGATED_ADMIN_SETTINGS type's eventName parameters and properties. For more information, see also the Activities: list method.
Can anyone provide me with a working example of how to show analytics (Visits, Page views, Page views per visit, etc.) for logged-in users? As I understand it, there is no OOB solution, so I've tried to implement flexible dimensions, but didn't find any good examples and failed.
First of all, you have to identify your logged-in contact by calling the Sitecore.Analytics.Tracker.Current.Session.IdentifyAs() method; see more details here. When the contact logs in, you can use their username to identify them upon successful login.
Note that identification and authentication are separate, unrelated events. Contacts are identified against the xDB and authenticated against the authentication mechanism used by the website.
When the contact identifies, it is saved to xConnect with a known identifier based on the information passed into the IdentifyAs() method: Identifier, Source and IdentifierType will be set to ContactIdentifierType.Known (it is set to ContactIdentifierType.Anonymous for anonymous contacts). Then you can use the IsKnown property on Sitecore.XConnect.Contact, which returns true if a contact has any known identifiers.
If you want to track some custom events for logged-in users and then use them for reporting, you can add user interactions by calling the client.AddInteraction() extension method. I have given an example here.
If you want to extend the contact with your own custom data, you can create custom contact facets; read more here.
In order to implement your custom report with flexible filtering by logged-in and non-logged-in users, you will of course need to define your custom dimensions and metrics; read more here.
I'm trying to get reports for all the suspended accounts with a field "SuspensionTime" like the "creationTime". I'm unable to fetch the "SuspensionTime" of an account through the API.
I'm using the following documentation from Google.
https://developers.google.com/admin-sdk/reports/v1/guides/manage-audit-admin
You can use the activities.list method from the Reports API. The thing with this is that it requires the userKey parameter, which means that you depend on knowing which admin performed the action. It is easier if you have only a couple of admin accounts doing user suspensions.
You would need to send "SUSPEND_USER" in the event name field, and "admin" in the applicationName field, to get all the user suspensions performed by that admin, and you will get the date and time in the "time" field of the response.
Apart from the Activities API: https://developers.google.com/admin-sdk/reports/reference/rest/v1/activities/list?apix_params=%7B%22userKey%22%3A%22all%22%2C%22applicationName%22%3A%22admin%22%2C%22eventName%22%3A%22SUSPEND_USER%22%7D
If the suspension comes from Google you can inspect the Users Usage Reports: https://developers.google.com/admin-sdk/reports/v1/appendix/usage/user/accounts
The field disabled_reason usually contains the date of the suspension.
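Both the question about GRANT_ADMIN_PRIVILEGE above and this one about SUSPEND_USER come down to the same two steps: send a correctly formed activities.list request for the "admin" application (the filters are query parameters after a "?", not appended to the path with "&"), and pick the events you care about out of the JSON that comes back. The following is an added example, not code from either post or from Google; SAMPLE_RESPONSE is constructed to follow the documented response shape (items[].id.time, items[].actor.email, items[].events[].type/name/parameters) with invented addresses, role names and timestamps, and the function names are this example's own.

```python
"""Added example: build an Admin SDK Reports API activities.list URL and
flatten the events in a response page. SAMPLE_RESPONSE is constructed for
this example; its shape follows the activities.list reference but every
value in it is invented."""
from urllib.parse import urlencode

REPORTS_BASE = "https://www.googleapis.com/admin/reports/v1/activity/users"


def build_activities_url(user_key="all", application_name="admin",
                         event_name=None, start_time=None, end_time=None,
                         page_token=None):
    """Return the activities.list URL. The path ends at the application
    name; eventName, startTime, endTime and pageToken are query parameters
    introduced by '?', so they are URL-encoded here with urlencode()."""
    path = f"{REPORTS_BASE}/{user_key}/applications/{application_name}"
    params = {}
    if event_name:
        params["eventName"] = event_name
    if start_time:
        params["startTime"] = start_time
    if end_time:
        params["endTime"] = end_time
    if page_token:
        params["pageToken"] = page_token
    return f"{path}?{urlencode(params)}" if params else path


def extract_events(response, wanted_names=None):
    """Flatten one activities.list response page into one dict per event.

    The eventName request parameter matches a single name, so to watch
    several names at once either issue one request per name or omit the
    parameter and filter client-side with wanted_names, as done here."""
    rows = []
    for item in response.get("items", []):
        when = item.get("id", {}).get("time")
        actor = item.get("actor", {}).get("email")
        for event in item.get("events", []):
            name = event.get("name")
            if wanted_names is not None and name not in wanted_names:
                continue
            # parameters is a list of {"name": ..., "value": ...} objects
            params = {p["name"]: p.get("value")
                      for p in event.get("parameters", []) if "name" in p}
            rows.append({"time": when, "actor": actor,
                         "type": event.get("type"), "name": name,
                         "parameters": params})
    return rows


# Constructed sample page: one suspension, one delegated-admin role
# assignment and one unsuspension, all by the same (invented) admin.
SAMPLE_RESPONSE = {
    "kind": "admin#reports#activities",
    "items": [
        {
            "id": {"time": "2021-03-04T10:15:00.000Z", "applicationName": "admin"},
            "actor": {"email": "admin@example.com"},
            "events": [
                {"type": "USER_SETTINGS", "name": "SUSPEND_USER",
                 "parameters": [{"name": "USER_EMAIL", "value": "leaver@example.com"}]},
            ],
        },
        {
            "id": {"time": "2021-03-05T08:00:00.000Z", "applicationName": "admin"},
            "actor": {"email": "admin@example.com"},
            "events": [
                {"type": "DELEGATED_ADMIN_SETTINGS", "name": "ASSIGN_ROLE",
                 "parameters": [{"name": "ROLE_NAME", "value": "Help Desk Admin"},
                                {"name": "USER_EMAIL", "value": "coworker@example.com"}]},
                {"type": "USER_SETTINGS", "name": "UNSUSPEND_USER",
                 "parameters": [{"name": "USER_EMAIL", "value": "leaver@example.com"}]},
            ],
        },
    ],
}


if __name__ == "__main__":
    print(build_activities_url(event_name="SUSPEND_USER",
                               start_time="2021-03-01T00:00:00Z"))
    for row in extract_events(SAMPLE_RESPONSE, {"SUSPEND_USER", "ASSIGN_ROLE"}):
        print(row["time"], row["actor"], row["name"], row["parameters"])
```

The "time" value the suspension answer refers to is items[].id.time, which is what extract_events() carries into each row; a real run would also loop on nextPageToken, which build_activities_url() accepts as page_token.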
I have a requirement regarding authorizations such that if the user is Admin/Editor, the user can read/write the page.
If the user is a visitor, he can only read the same page.
I created an authorization scheme IS_ADMIN with an Exists SQL Query:
select 1 from users where role_id in(select role_id from roles where name ='Admin')
Now I applied this authorization scheme on the page.
In Read Only, I selected Function Body (PL/SQL) and wrote:
-- read only unless the user passes the IS_ADMIN scheme
IF apex_authorization.is_authorized('IS_ADMIN') THEN
  RETURN FALSE;
ELSE
  RETURN TRUE;
END IF;
I applied this assuming this would make the page read only for the user which is not admin.
But because of the authorization scheme and the error message that I set, I simply get an error when I log in with the visitor role: the same error message that I gave for the authorization scheme.
What is the best way to apply multiple authorization schemes in this case?
APEX: 20.2
One way to solve this is to create a security model that is based on roles and responsibilities (as done in ERP systems). A role is granted to a user (eg ADMIN, VISITOR, etc) and a responsibility is linked to application functionality (eg VIEW_EMP, EDIT_EMP). Responsibilities are then granted to roles or to other responsibilities. The authorization schemes are created on the responsibilities (the app is unaware of the roles).
Example for an EMP form: requirement is that VISITOR can see data and ADMIN can edit data
Create responsibilities: VIEW_EMP and EDIT_EMP and matching authorization schemes.
Role VISITOR has responsibility VIEW_EMP.
Responsibility EDIT_EMP has responsibility VIEW_EMP (so that whoever has EDIT_EMP automatically gets VIEW_EMP).
Role ADMIN has responsibility EDIT_EMP.
In the form you set the auth scheme of the page to VIEW_EMP and the auth scheme of CREATE/SAVE/DELETE button and DML Page process to EDIT_EMP.
So when a user with VISITOR comes to the form he gets the data but the buttons are hidden. When an ADMIN comes to the screen he sees all.
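The role and responsibility model above is a small graph problem: a user's effective responsibilities are everything reachable from their roles through responsibility-to-responsibility grants, and each authorization scheme is a membership test on that set. The following is an added example, not code from the answer or from APEX; it models the EMP form described above in Python with constructed users, roles and responsibilities, and the function names (effective_responsibilities, is_authorized, page_access) are this example's own rather than APEX APIs.

```python
"""Added example: the role -> responsibility -> responsibility scheme from the
answer above, with the three checks the EMP form makes (page authorization
on VIEW_EMP, edit buttons and DML process on EDIT_EMP, read-only condition
when EDIT_EMP is absent). All table contents are constructed."""

# Constructed tables. In APEX these would be three small tables queried by
# the authorization schemes; the app itself never looks at roles.
USER_ROLES = {
    "alice": {"ADMIN"},
    "bob": {"VISITOR"},
    "carol": set(),          # authenticated but holds no role at all
}
ROLE_RESPONSIBILITIES = {
    "VISITOR": {"VIEW_EMP"},
    "ADMIN": {"EDIT_EMP"},   # ADMIN is not granted VIEW_EMP directly
}
RESPONSIBILITY_INCLUDES = {
    "EDIT_EMP": {"VIEW_EMP"},   # whoever has EDIT_EMP automatically gets VIEW_EMP
}


def effective_responsibilities(username):
    """Every responsibility reachable from the user's roles, following
    responsibility -> responsibility grants transitively. The visited set
    makes this safe even if someone creates a cycle in the grants."""
    granted = set()
    stack = []
    for role in USER_ROLES.get(username, set()):
        stack.extend(ROLE_RESPONSIBILITIES.get(role, set()))
    while stack:
        resp = stack.pop()
        if resp in granted:
            continue
        granted.add(resp)
        stack.extend(RESPONSIBILITY_INCLUDES.get(resp, set()))
    return granted


def is_authorized(username, responsibility):
    """Equivalent of an authorization scheme named after the responsibility."""
    return responsibility in effective_responsibilities(username)


def page_access(username):
    """What the EMP form does for this user. Returns None when the page's
    own scheme (VIEW_EMP) fails, otherwise whether the page is read-only
    and whether the CREATE/SAVE/DELETE buttons are rendered."""
    if not is_authorized(username, "VIEW_EMP"):
        return None
    can_edit = is_authorized(username, "EDIT_EMP")
    return {"read_only": not can_edit, "show_edit_buttons": can_edit}


if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, sorted(effective_responsibilities(user)), page_access(user))
```

Note that the visitor is never refused the page: the page scheme is VIEW_EMP, which VISITOR holds, and only the EDIT_EMP checks fail for them, which is exactly the split the question's single IS_ADMIN scheme could not express.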
It sounds like you want the authorization scheme to be IS_ADMIN_OR_VISITOR, which would return true if the user was either an admin or a visitor. That allows both admins and visitors to access the page. Your read-only logic would then mean that visitors would see the page as read-only and admins would see the page as editable.
I want to use the Teiid data roles functionality. This works, as I can enable write access etc. for an admin user only, for example. Accessing the data via the OData API nicely shows a login dialog and all works. Now I want other users (anonymous users, users "not logged in") to be able to read certain tables. So I also created a data role "visitor" with read access to all tables, but this doesn't seem to work, as I get the error message:
TEIID30492 User <anonymous> is not entitled to action <CREATE> for 1 or more of the groups/elements/procedures.'
Also enabling "apply this role to all users" and defining an anonymous user doesn't seem to work.
So it looks like I have to assign permissions to some kind of "anonymous user" to get this working. Any ideas? Thanks.
Creating two different VDBs with different permissions could also be a solution, but can be more maintenance etc.
I'm building a lightweight web interface to SSRS where web app users are mapped to web app roles, which in turn are mapped to SSRS users.
The reason for this convoluted scheme is not up for debate: In short, AD groups can't be used, the site uses Forms auth and there are a fixed number of roles.
Web Role | SSRS User
Admin | AdminUser
Supervisor | SuperUser
User | BasicUser
Guest | GuestUser
The goal is to enumerate all reports a user has permission to view, and allow the user to view the report with the ReportViewer control.
More importantly, it's to simplify the UX for users, both admins and the rest: preventing admins from having to use the Report Manager website (ie, selecting checkboxes rather than hand-typing which web-role-users have access to which reports), and providing a simple UI from which users can see and execute all their reports.
Everything works OK when the user is the AdminUser.
However, I'm having difficulty calling the web service when the user isn't included in a Policy on the Home/Root folder with at least the Browser SSRS role. (The permissions granted to user 'computer\username' are insufficient for performing this operation.)
This is problematic for a couple of reasons:
If every user must be a Browser to connect to the web service and enumerate the reports they have access to view/execute, then all users will have access to all new reports/folders by default. (Children automatically inherit new permissions.)
If a report exists in a nested folder that does not inherit permissions and on which the user is not a Browser, but the user is a Browser on the nested report, ListChildren() will not return that report.
It seems this leaves me with 2 less than ideal options:
1. Don't call the web service with the different users. Instead, enumerate reports with ListChildren() using only the admin user. Then, for each report, call GetPolicies(), and from that collection of policies, determine what reports the user is able to view.
2. Make the call with different users. Live with the pitfalls of newly-published reports being accessible to everyone by default, until permissions are changed. Also live with the pitfalls of nested reports not showing unless the user has access to that path. If an admin wants a nested report within a folder with explicit permissions to be available to a user who can't see that folder, the policies on all ancestor folders and their children must be modified.
#1 is obviously very unwieldy and inefficient. But #2 has significant drawbacks and becomes just as onerous and inefficient when setting permissions in certain situations.
Is there a better way? Have I missed something obvious?
[edit]
A 3rd option is to query the ReportServer database directly using a query like this. This has the benefit of returning everything the user has access to, regardless of whether or not it exists in a subfolder the user cannot access (aka, cannot use the web service's ListChildren method to retrieve). However, if using AD groups, I would have to know which groups the user is a member of, whereas the web service would do this for me. This option feels like a bit of a hack to me, but it could work.
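The two pitfalls in the question (new items inheriting the root policy, and nested reports hidden behind a folder the user cannot browse) both come from how SSRS resolves an item's policy: an item either carries its own policies or inherits its parent's, nothing else. The following is an added example, not code from the question or from SSRS; it models option 1 (enumerate as the admin, evaluate GetPolicies() per item for the mapped user) next to what a recursive ListChildren() made with the user's own credentials would return. CATALOG, its paths and its policy contents are constructed; the user names are the ones in the question's table and "Browser" and "Content Manager" are the built-in SSRS roles.

```python
"""Added example: evaluate SSRS item policies for a mapped web-role user
(option 1 above) and contrast it with ListChildren() run as that user
(option 2). CATALOG is constructed for this example; a policies value of
None means the item inherits its parent's policies, which is the only
other state an SSRS catalog item can be in."""

# Built-in SSRS item roles that allow running a report.
VIEW_ROLES = {"Browser", "Content Manager"}

# Constructed catalog: BasicUser is a Browser from the root down, /HR breaks
# inheritance and grants only AdminUser, but /HR/Headcount explicitly grants
# BasicUser again. /HR/Salaries inherits from /HR.
CATALOG = {
    "/":              {"type": "Folder", "parent": None,
                       "policies": {"AdminUser": {"Content Manager"},
                                    "BasicUser": {"Browser"}}},
    "/Sales":         {"type": "Folder", "parent": "/", "policies": None},
    "/Sales/Monthly": {"type": "Report", "parent": "/Sales", "policies": None},
    "/HR":            {"type": "Folder", "parent": "/",
                       "policies": {"AdminUser": {"Content Manager"}}},
    "/HR/Headcount":  {"type": "Report", "parent": "/HR",
                       "policies": {"AdminUser": {"Content Manager"},
                                    "BasicUser": {"Browser"}}},
    "/HR/Salaries":   {"type": "Report", "parent": "/HR", "policies": None},
}


def effective_policies(catalog, path):
    """What GetPolicies() reports for an item: its own policies, or the
    nearest ancestor's when the item inherits."""
    while catalog[path]["policies"] is None:
        path = catalog[path]["parent"]
    return catalog[path]["policies"]


def can_view(catalog, path, user):
    """True when the effective policy grants the user a viewing role."""
    roles = effective_policies(catalog, path).get(user, set())
    return bool(roles & VIEW_ROLES)


def visible_reports(catalog, user):
    """Option 1: enumerate every item as the admin, then keep the reports
    whose effective policy lets this user view them, wherever they live."""
    return sorted(path for path, item in catalog.items()
                  if item["type"] == "Report" and can_view(catalog, path, user))


def list_children_as_user(catalog, user, path="/"):
    """Option 2 approximated: a recursive ListChildren() made with the
    user's own credentials only descends into folders the user may browse,
    so a report inside a folder hidden from the user is never returned.
    An empty result at the root is the 'permissions are insufficient' case."""
    if not can_view(catalog, path, user):
        return []
    found = []
    for child, item in catalog.items():
        if item["parent"] != path:
            continue
        if item["type"] == "Folder":
            found.extend(list_children_as_user(catalog, user, child))
        elif can_view(catalog, child, user):
            found.append(child)
    return sorted(found)


if __name__ == "__main__":
    for user in ("AdminUser", "BasicUser", "GuestUser"):
        print(user, "policy walk:", visible_reports(CATALOG, user),
              "ListChildren as user:", list_children_as_user(CATALOG, user))
```

With this data BasicUser can run /HR/Headcount, and only the policy walk finds it; GuestUser, absent from the root policy, gets nothing from ListChildren() at all, which is the error quoted in the question.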
As it turns out, we did an end run around this issue by dropping the requirement to restrict report access by web role, and made the path we query in the web service a web.config setting that can change, thus allowing report authors to 'hide' reports in a parent folder if the need arises in the future.
The best solution would have been to query the ReportServer database directly.
However, the client changed their mind & didn't want to restrict reports based on web user role in the end, so problem solved!