I've created an application as "admin". Now, I create a "demo" user, and give him all roles and all permissions for this app. When I connect with "demo" I can't even see the application created by "admin".
Is this a feature? Or just a misconfiguration? (But I don't see what config is left.)
Yes, that's the default behavior. If you want to share applications/subscriptions among users, you have to enable the sharing feature. See Sharing Applications and Subscriptions docs for that.
Shared apps will be listed like this.
EDIT to make this the validated answer:
This whole paragraph from the documentation has to be written differently because it's wrong and very confusing. There is no "default" strategy of grouping; you have to alter the default configuration to activate it:
By default, the API Manager considers the organization name that you give at the time you sign up to the API Store as the group ID. It extracts the claim http://wso2.org/claims/organization of a user and uses the value specified in it as the group ID. This way, all users who specify the same organization name belong to the same group and therefore can view each other's subscriptions and applications. The API Manager also provides flexibility to change this default authentication implementation.
I have an iOS app using AWS AppSync through GraphQL, setup through Amplify, using DataStore for the local/offline cache and DynamoDB in the backend.
The use case is that the user creates an "entity" and in that entity they can have multiple groups such as "admins", "authors", "readers", etc. Each of those groups has different permissions that exist within the realm of the "entity".
Each User could create multiple "entities" and therefore there are multiple groups that may have the same name but are separately related to "entities" and are only permissions for that entity.
To put it another way. A user creates a blog. That user is the Owner of that blog. That user then invites a friend to be an "Admin" of that blog. That friend is now a part of the "Admin" group for that blog. That "Admin" group is only pertinent to that blog. Other users may create blogs of their own and add their friends to be "Admins" of their blogs. But each of these "Admins" are actually in different groups (even if the group names are all called "admin").
So I don't think Cognito User Pool groups will work since there is a limit of 500 groups I believe? (Assume we can make more than 500 blogs and therefore more than 500 groups would be needed).
Preferably there would be the option for the Blog owner to create groups and give them any kind of name. But if needed the groups could be all named the same (admin, author, readers, etc). But as such, I see one of three options but don’t know how to proceed.
A table within my schema that handles the groups. I actually have this concept ready but am uncertain how to implement it with the #auth tag in the GraphQL schema.
Some way to link the “entity” with the Cognito group. So that user is related to group and group is related to entity and there is a check for all three using #auth in the GraphQL schema.
Some sort of custom code for authorization. I thought using lambda as the authentication method would work but #auth(rules: [{allow: custom}]) is not supported by DataStore. Therefore am I looking at having to write custom VTL code? (Which I'm completely unfamiliar with.)
I'm hoping there's a solution through standard auth means and working within the GraphQL schema. If not, sample code on how to achieve this would be much appreciated.
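One way to express per-blog roles without a Cognito group per blog, as an added example (not code from the question or from Amplify's docs): the Amplify GraphQL transformer accepts several `owner` rules on one type, each reading a different list field of the record, so the "admin" and "reader" lists live on the Blog row itself. Assumptions: the v1 transformer syntax, the default `cognito:username` identity claim, and the field names `admins`/`readers` are mine.

```graphql
# Added example: per-entity roles via multiple owner rules (not the poster's schema).
# Each rule reads a list of Cognito usernames stored on the Blog record, so
# "admins" of blog A and "admins" of blog B are unrelated lists, not groups.
type Blog
  @model
  @auth(rules: [
    # The creator: full create/read/update/delete on the record.
    { allow: owner },
    # Constructed role list "admins": members may read and update the blog.
    { allow: owner, ownerField: "admins", operations: [read, update] },
    # Constructed role list "readers": members may only read.
    { allow: owner, ownerField: "readers", operations: [read] }
  ]) {
  id: ID!
  name: String!
  # Filled from the caller's username on create; the creator manages the lists.
  owner: String
  admins: [String]
  readers: [String]
}
```

Caveat: an entry in `admins` has update rights on the whole record, including the `admins` and `readers` lists themselves, so an admin can promote others; if only the creator should manage membership, restrict those two fields with field-level auth or move membership into a separate model that only the owner can write.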
I want to give GSAs direct access to modify Google users. I can't find current docs on this so assuming it's not possible right now?
It looks like this is only possible for working with groups:
https://workspaceupdates.googleblog.com/2020/08/new-api-cloud-identity-groups-google.html
I need to give a GSA access to read group membership and also modify user attributes.
Right now I:
create an admin G Suite user
create a GSA with domain-wide auth with these scopes:
https://www.googleapis.com/auth/admin.directory.group
https://www.googleapis.com/auth/admin.directory.user
Impersonate the G Suite user with the GSA and modify user attributes like this:
service = create_directory_service("G SUITE USER")
service.users().update(userKey=uKey, body=myAttributes).execute()
Do I still need domain wide delegation to modify user attributes? Or is it supported now as well?
You can follow this guide to create a Service Account, turning on the Admin SDK API (which allows the service account to provision/manage the users), and authorizing it.
The Service Account created can be used then to provision/manage the G-Suite users, here is a guide on how to manage user accounts using the Directory API, which is part of the Admin SDK.
In short, yes it is possible to manage users too, by using Service Accounts, not just groups.
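The delegated-credentials flow the answer points at, written out as an added example (not the poster's code and not the linked guide's): a service account with domain-wide delegation impersonates a Workspace admin and then calls the Directory API for both group membership and user updates. Assumptions: google-auth and google-api-python-client are installed, the key-file path and admin address are placeholders, and the scope-selection helper is mine; it prefers the `.readonly` group scope when the job only reads membership, which is the least privilege for the poster's stated need.

```python
"""Added example: Admin SDK Directory API via a service account with
domain-wide delegation. Not the poster's code. Assumes google-auth and
google-api-python-client; the constants below are placeholders."""

SA_KEY_FILE = "/path/to/service-account.json"   # assumption: JSON key on disk
ADMIN_TO_IMPERSONATE = "admin@example.com"      # assumption: a Workspace super admin

# Real Admin SDK scope URLs; the readonly variants exist for both resources.
SCOPES = {
    "read_groups": "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "write_groups": "https://www.googleapis.com/auth/admin.directory.group",
    "read_users": "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "write_users": "https://www.googleapis.com/auth/admin.directory.user",
}


def least_privilege_scopes(read_groups=False, write_groups=False,
                           read_users=False, write_users=False):
    """Pick the narrowest scope set for a job; a write scope subsumes its read scope.
    The set chosen here must match what was authorised for the service
    account's client ID in the Admin console, or the token request fails."""
    chosen = []
    if write_groups:
        chosen.append(SCOPES["write_groups"])
    elif read_groups:
        chosen.append(SCOPES["read_groups"])
    if write_users:
        chosen.append(SCOPES["write_users"])
    elif read_users:
        chosen.append(SCOPES["read_users"])
    return chosen


def create_directory_service(subject, scopes, key_file=SA_KEY_FILE):
    """Build a Directory API client acting as `subject` (the impersonated admin).
    Without `subject` the service account has no Workspace identity, which is
    why the Directory API calls still go through domain-wide delegation."""
    from google.oauth2 import service_account          # imported lazily
    from googleapiclient.discovery import build
    creds = service_account.Credentials.from_service_account_file(
        key_file, scopes=scopes, subject=subject)
    return build("admin", "directory_v1", credentials=creds, cache_discovery=False)


def list_group_members(service, group_key):
    """Read membership (group.readonly scope suffices), following pagination."""
    members, token = [], None
    while True:
        resp = service.members().list(groupKey=group_key, pageToken=token).execute()
        members.extend(resp.get("members", []))
        token = resp.get("nextPageToken")
        if not token:
            return members


def update_user(service, user_key, attributes):
    """Modify user attributes (user scope); `attributes` is a partial User resource."""
    return service.users().update(userKey=user_key, body=attributes).execute()


if __name__ == "__main__":
    scopes = least_privilege_scopes(read_groups=True, write_users=True)
    svc = create_directory_service(ADMIN_TO_IMPERSONATE, scopes)
    for m in list_group_members(svc, "ops@example.com"):   # placeholder group
        print(m.get("email"), m.get("role"))
    update_user(svc, "jane@example.com", {"suspended": False})  # placeholder user
```

Because the token is minted for the impersonated admin, every call is as powerful as that admin; keep the key file out of source control and restrict the authorised scopes to the list above rather than a wildcard.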
I have two different objects in my API, we can call them users and tasks. I want to shape the API so users can only access tasks associated with them, but admin can access all tasks. How would I check to make sure what they are requesting matches their username? I have login working as per http://code.tutsplus.com/tutorials/building-rest-apis-using-eve--cms-22961 but I'd like to be able to create a more encompassing API.
You might resort to User Restricted Resource Access
When this feature is enabled, each stored document is associated with the account that created it. This allows the API to transparently serve only account-created documents on all kinds of requests: read, edit, delete and of course create. User authentication needs to be enabled for this to work properly.
See the relevant documentation at the link above.
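How User-Restricted Resource Access fits together with an admin bypass, as an added example (not the answer's code and not from the linked tutorial): Eve only adds the `auth_field` filter to a request's lookups when `set_request_auth_value` has been called for that request, so the auth class sets it for ordinary users and leaves it unset for admins. Assumptions: the account table, the `owner` field name and the role names are constructed; the fallback base class only lets the module import where Eve is not installed.

```python
"""Added example: Eve BasicAuth subclass giving ordinary users only their own
tasks while admins see everything. Not from the Eve tutorial. Account data
below is constructed."""
import hashlib
import hmac

try:
    from eve.auth import BasicAuth
except ImportError:  # fallback so the module imports without Eve installed
    class BasicAuth:
        def set_request_auth_value(self, value):
            self._request_auth_value = value


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = b"constructed-salt"  # use a random per-user salt in a real deployment
# Constructed accounts: username -> salt, password hash, roles
ACCOUNTS = {
    "alice": {"salt": _SALT, "hash": _hash("alice-pw", _SALT), "roles": ["user"]},
    "root": {"salt": _SALT, "hash": _hash("root-pw", _SALT), "roles": ["admin"]},
}


def authorize(username, password, allowed_roles):
    """Return (ok, restrict_to): restrict_to is the auth value Eve should filter
    on, or None for an admin who must see every document."""
    account = ACCOUNTS.get(username)
    if account is None:
        # Hash anyway so a missing user costs the same time as a bad password.
        _hash(password, _SALT)
        return False, None
    if not hmac.compare_digest(account["hash"], _hash(password, account["salt"])):
        return False, None
    if allowed_roles and not set(account["roles"]) & set(allowed_roles):
        return False, None
    if "admin" in account["roles"]:
        return True, None
    return True, username


class TaskAuth(BasicAuth):
    def check_auth(self, username, password, allowed_roles, resource, method):
        ok, restrict_to = authorize(username, password, allowed_roles)
        if ok and restrict_to is not None:
            # Eve now adds {"owner": restrict_to} to every lookup and stamps it
            # on documents this user creates; admins skip this, so no filter.
            self.set_request_auth_value(restrict_to)
        return ok


SETTINGS = {
    "DOMAIN": {
        "tasks": {
            "auth_field": "owner",  # set by Eve from the request auth value
            "schema": {"title": {"type": "string", "required": True}},
        },
        "users": {
            "allowed_roles": ["admin"],  # only admins may touch the users resource
            "schema": {"username": {"type": "string", "required": True}},
        },
    },
    "RESOURCE_METHODS": ["GET", "POST"],
    "ITEM_METHODS": ["GET", "PATCH", "DELETE"],
}


def create_app():
    from eve import Eve  # imported lazily so the pure logic above runs anywhere
    return Eve(settings=SETTINGS, auth=TaskAuth)


if __name__ == "__main__":
    create_app().run()
```

The filter is applied by Eve on reads, edits and deletes alike, so a user who guesses another user's task id still gets a 404 rather than the document; the `users` resource is locked to the admin role separately through `allowed_roles`.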
I'm building a lightweight web interface to SSRS where web app users are mapped to web app roles, which in turn are mapped to SSRS users.
The reason for this convoluted scheme is not up for debate: In short, AD groups can't be used, the site uses Forms auth and there are a fixed number of roles.
Web Role | SSRS User
Admin | AdminUser
Supervisor | SuperUser
User | BasicUser
Guest | GuestUser
The goal is to enumerate all reports a user has permission to view, and allow the user to view the report with the ReportViewer control.
More importantly, it's to simplify the UX for users, both admins and the rest: preventing admins from having to use the Report Manager website (i.e., selecting checkboxes rather than hand-typing which web-role-users have access to which reports), and providing a simple UI from which users can see and execute all their reports.
Everything works OK when the user is the AdminUser.
However, I'm having difficulty calling the web service when the user isn't included in a Policy on the Home/Root folder with at least the Browser SSRS role. (The permissions granted to user 'computer\username' are insufficient for performing this operation.)
This is problematic for a couple reasons:
If every user must be a Browser to connect to the web service and enumerate reports they have access to view/execute, then all users will have access to all new reports/folders by default. (Children automatically inherit new permissions)
If a report exists in a nested folder that does not inherit permissions and of which the user is not a Browser, but the user is a Browser on the nested report, ListChildren() will not return that report.
It seems this leaves me with 2 less than ideal options:
Don't call the web service with the different users. Instead, enumerate reports with ListChildren() using only the admin user. Then, for each report, call GetPolicies(), and from that collection of policies, determine what reports the user is able to view.
Make the call with different users. Live with the pitfalls of newly-published reports being accessible to everyone by default, until permissions are changed. Also live with the pitfalls of nested reports not showing unless the user has access to that path. If an admin wants a nested report within a folder with explicit permissions to be available to a user who can't see that folder, the policies on all ancestor folders and their children must be modified.
#1 is obviously very unwieldy and inefficient. But #2 has significant drawbacks and becomes just as onerous & inefficient when setting permissions in certain situations.
Is there a better way? Have I missed something obvious?
[edit]
A 3rd option is to query the ReportServer database directly using a query like this. This has the benefit of returning everything the user has access to, regardless of whether or not it exists in a subfolder the user cannot access (aka, cannot use the web service's ListChildren method to retrieve). However, if using AD groups, I would have to know which groups the user is a member of, whereas the web service would do this for me. This option feels like a bit of a hack to me, but it could work.
As it turns out, we ran an end-route around this issue by dropping the requirement to restrict report access by web role, and made the path we query in the web service a web.config setting that can change, thus allowing report authors to 'hide' reports in a parent folder if the need arises in the future.
The best solution would have been to query the ReportServer database directly.
However, the client changed their mind & didn't want to restrict reports based on web user role in the end, so problem solved!
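The catalog query that the third option describes, as an added example (not the poster's query): it joins an item's policy to the users and roles granted on it, so a report in a folder the user cannot browse is still returned as long as the report's own policy names the user. Assumptions: the ReportServer catalog tables (`Catalog`, `PolicyUserRole`, `Users`, `Roles`) are internal and undocumented, so their layout can change between SSRS versions; the user name and role list are placeholders.

```sql
-- Added example (not the poster's query): reports on which a given SSRS user
-- holds a Browser or Content Manager policy, explicit or inherited.
-- Assumption: internal ReportServer schema; verify against your version.
DECLARE @SsrsUser nvarchar(260) = N'DOMAIN\BasicUser';  -- constructed value

SELECT c.Path, c.Name, r.RoleName
FROM dbo.Catalog AS c
JOIN dbo.PolicyUserRole AS pur ON pur.PolicyID = c.PolicyID  -- inherited items share the parent's PolicyID
JOIN dbo.Users AS u ON u.UserID = pur.UserID
JOIN dbo.Roles AS r ON r.RoleID = pur.RoleID
WHERE c.Type = 2                           -- 2 = report (1 = folder, 4 = linked report)
  AND u.UserName = @SsrsUser               -- direct grants only; AD group membership is not expanded
  AND r.RoleName IN (N'Browser', N'Content Manager')
ORDER BY c.Path;
```

Two caveats for anyone taking this route: give the web app a read-only login to the ReportServer database, since this query bypasses the report server's own authorisation layer, and keep the actual rendering behind the ReportViewer control with the mapped SSRS user so the server still enforces access on execution.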
Django-Social in its feature list claims that it supports associating multiple authentication providers to a single user account.
I can't seem to figure out how to use that feature.
When I try to login using a new authentication provider it automatically seems to be creating a new account for each provider.
Any ideas?
Sarvi
Take a look at django-social-auth; it's simpler and easier to set up than Django-Socialauth.
Multiple account association is supported but limited to logged in users to avoid the decision of which user instance must be removed.
it supports associating multiple authentication providers to a single user account
By looking at the code for models.py here, socialauth has a UserProfile for each provider, associating them to the User object which you use for basic authentication. So indeed, what it claims is true.
It can be done manually through admin once you have logged in with multiple accounts. Then the Socialauth models for the accounts can be adjusted to point at the User they are required to, and multiple accounts can point to the same user.
But I have not had a good enough look to work out how to let users do this automatically for themselves. It does not work out of the box if you sign in to another account while already signed into an existing account.