teiid data roles / anonymous user/role - teiid

I want to use the teiid data roles functionality. This works as I can enable write access etc. for an admin user only for example. Accessing the data by the oData API nicely shows a login dialog and all works. Now I want other users (anonymous users, users "not logged in") to be able to read certain tables. So I also created a data role "visitor" with read access to all tables, but this doesn't seem to work as I get the error message:
TEIID30492 User <anonymous> is not entitled to action <CREATE> for 1 or more of the groups/elements/procedures.'
Also enabling "apply this role to all users" and defining an anonymous user doesn't seem to work.
So it looks like I have to assign permissions to some kind of "anonymous user" to get this working. Any ideas? Thanks.
Creating two different vdb's with different permissions could also be a solution, but can be more maintenance etc.

Related

What permissions does an ordinary user need in kibana

I am trying to set up elasticsearch/kibana in AWS and we've successfully created enough so we can access it using the 'elasticmaster' role. We can log in and input data with this user.
However, we have users who will be creating reports, visualisations etc but we definitely do not want them creating data.
The permission set in kibana seems very odd and unintuitive. Can someone please let me know what permissions this "reporting" user would need. They'll want access to pretty much all the indexes, just read only, but they will need permissions to create index patterns, visualisations etc.
We're using ES 7.10.

Oracle Apex multiple authorizations on same page

I have a requirement regarding authorizations such that if the user is Admin/Editor, the user can read/write the page.
If the user is a visitor, he can only read the same page.
I created an authorization scheme IS_ADMIN with an exists SQL query:
select 1 from users where role_id in(select role_id from roles where name ='Admin')
Now I applied this authorization scheme on the page.
In Read Only, I selected PL/SQL function body and wrote:
IF apex_authorization.is_authorized('IS_ADMIN') THEN
RETURN FALSE; -- admin: page stays editable
ELSE
RETURN TRUE; -- anyone else: page is read only
END IF;
I applied this assuming this would make the page read only for a user who is not admin.
But because of the authorization scheme and the error message that I set, I am simply getting an error when I log in with the visitor role. It is the same error message that I gave for the authorization scheme.
What is the best way to apply multi authorization scheme in this case?
Apex: 20.2
One way to solve this is to create a security model that is based on roles and responsibilities (as done in ERP systems). A role is granted to a user (eg ADMIN, VISITOR, etc) and a responsibility is linked to application functionality (eg VIEW_EMP, EDIT_EMP). Responsibilities are then granted to roles or to other responsibilities. The authorization schemes are created on the responsibilities (the app is unaware of the roles).
Example for an EMP form: requirement is that VISITOR can see data and ADMIN can edit data
Create responsibilities: VIEW_EMP and EDIT_EMP and matching authorization schemes.
Role VISITOR has responsibility VIEW_EMP.
Responsibility EDIT_EMP has responsibility VIEW_EMP (so that whoever has EDIT_EMP automatically gets VIEW_EMP).
Role ADMIN has responsibility EDIT_EMP.
In the form you set the auth scheme of the page to VIEW_EMP and the auth scheme of CREATE/SAVE/DELETE button and DML Page process to EDIT_EMP.
So when a user with VISITOR comes to the form he gets the data but the buttons are hidden. When an ADMIN comes to the screen he sees all.
It sounds like you want the authorization scheme to be IS_ADMIN_OR_VISTOR which would return true if the user was either an admin or a visitor. That allows both admins and visitors to access the page. Your read-only logic would then mean that visitors would see the page as read only and admins would see the page as editable.
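The roles-and-responsibilities model from the first answer above, as an added Python example (not APEX code and not written by either answerer). The role and responsibility names are the answer's; the users, the dictionary layout and the function names are assumptions made for illustration.

```python
# Added example: role/responsibility names are from the answer above;
# the users, table layout and function names are assumptions.
USER_ROLES = {"alice": {"ADMIN"}, "bob": {"VISITOR"}}        # constructed users
ROLE_RESPS = {"VISITOR": {"VIEW_EMP"}, "ADMIN": {"EDIT_EMP"}}
RESP_RESPS = {"EDIT_EMP": {"VIEW_EMP"}}                      # EDIT_EMP implies VIEW_EMP


def effective_responsibilities(user):
    """Expand a user's roles into every responsibility granted, transitively."""
    pending = [r for role in USER_ROLES.get(user, ())
               for r in ROLE_RESPS.get(role, ())]
    granted = set()
    while pending:
        resp = pending.pop()
        if resp in granted:
            continue                      # already expanded; also stops grant cycles
        granted.add(resp)
        pending.extend(RESP_RESPS.get(resp, ()))
    return granted


def is_authorized(user, responsibility):
    """Authorization scheme: true only if the responsibility is granted."""
    return responsibility in effective_responsibilities(user)


def render_emp_form(user):
    """Page scheme is VIEW_EMP; the buttons use EDIT_EMP."""
    if not is_authorized(user, "VIEW_EMP"):
        return None                       # unknown or unprivileged user: no page
    buttons = ["CREATE", "SAVE", "DELETE"] if is_authorized(user, "EDIT_EMP") else []
    return {"read_only": not buttons, "buttons": buttons}


def save_emp(user, row):
    """DML process: enforce EDIT_EMP again, since hidden buttons do not
    stop a request that is submitted directly."""
    if not is_authorized(user, "EDIT_EMP"):
        raise PermissionError(f"{user} lacks EDIT_EMP")
    return {"saved": row}
```

A user with no role at all gets an empty responsibility set, so the default is deny.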

Reports API to retrieve Admin Privilege Granting

I am currently trying to retrieve user events that grant admin or delegate privileges to accounts under our domain. I guessed that the event names GRANT_ADMIN_PRIVILEGE and GRANT_DELEGATED_ADMIN_PRIVILEGES are the ones:
https://developers.google.com/admin-sdk/reports/v1/reference/activity-ref-appendix-a/admin-user-events?authuser=1
So, I filled the form in https://developers.google.com/admin-sdk/reports/v1/guides/manage-audit-admin?authuser=1#get_account_events to generate a request like GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/admin&eventName=GRANT_ADMIN_PRIVILEGE or GRANT_DELEGATED_ADMIN_PRIVILEGES.
The result is 200 OK, but without any data in it (Of course, I actually granted Privilege to my coworker in last 2 months).
So, is it right to think GRANT_ADMIN_PRIVILEGE or GRANT_DELEGATED_ADMIN_PRIVILEGES is the event name I am looking for to audit granting activities? Or is there something I am missing?
You may want to visit Reports API: Admin Activity – Delegated Admin Event Names which details the admin activity report DELEGATED_ADMIN_SETTINGS type's eventName parameters and properties. For more information, see also the Activities: list method.
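For auditing these grants, an added Python example (not from the question or the answer) that builds one Activities: list request per event name, with `eventName` carried in the query string, and then extracts grant events from a response. The sample response is constructed; its event type and the `USER_EMAIL` parameter name are assumptions about the payload, and the function names are hypothetical.

```python
from urllib.parse import urlencode

# Endpoint and event names as quoted in the question above.
BASE = ("https://www.googleapis.com/admin/reports/v1/"
        "activity/users/all/applications/admin")
GRANT_EVENTS = ("GRANT_ADMIN_PRIVILEGE", "GRANT_DELEGATED_ADMIN_PRIVILEGES")


def build_urls(start_time=None):
    """One request URL per event name; eventName takes a single value."""
    urls = []
    for name in GRANT_EVENTS:
        params = {"eventName": name}
        if start_time:
            params["startTime"] = start_time      # RFC 3339 timestamp
        urls.append(BASE + "?" + urlencode(params))
    return urls


# Constructed sample response (assumed shape, not real audit data).
SAMPLE_RESPONSE = {
    "kind": "admin#reports#activities",
    "items": [
        {"id": {"time": "2021-03-02T09:15:00.000Z", "applicationName": "admin"},
         "actor": {"email": "admin@example.com"},
         "events": [{"type": "USER_SETTINGS", "name": "GRANT_ADMIN_PRIVILEGE",
                     "parameters": [{"name": "USER_EMAIL",
                                     "value": "coworker@example.com"}]}]},
        {"id": {"time": "2021-03-02T09:20:00.000Z", "applicationName": "admin"},
         "actor": {"email": "admin@example.com"},
         "events": [{"type": "USER_SETTINGS", "name": "CHANGE_PASSWORD",
                     "parameters": [{"name": "USER_EMAIL",
                                     "value": "coworker@example.com"}]}]},
    ],
}


def privilege_grants(response):
    """Return (time, actor, event, target) for each grant event found.
    A 200 response with no matching activity has no "items" key at all."""
    found = []
    for item in response.get("items", []):
        when = item.get("id", {}).get("time")
        actor = item.get("actor", {}).get("email", "unknown")
        for event in item.get("events", []):
            if event.get("name") in GRANT_EVENTS:
                params = {p["name"]: p.get("value")
                          for p in event.get("parameters", [])}
                found.append((when, actor, event["name"], params.get("USER_EMAIL")))
    return found
```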

How do I enable editing features in Sitecore page editor?

I'm using Sitecore 7.2 and trying to allow a user to set things like datasources and some custom parameters on sublayouts in page editor mode. The user is a member of sitecore\Designer and sitecore\Author, but when that user tries to edit the component properties, the fields appear grayed out/disabled.
I am able to enable these options by setting a user as an admin, but don't want to grant quite that much power to this particular user.
Here is how I tried it, and it works on Sitecore 7.2:
Create a new user called cbarnes (and in your case if there are other content editors)
Create a new Role - call it say SP Content Editor Authoring
Make that role a member of sitecore\Author and sitecore\Designer. This way it inherits everything from those two roles.
Make the user cbarnes one of the members of that role.
Lastly go to the security editor and give Write permission on the item after selecting the SP Content Editor Authoring Role under Roles and Users section.
Log in as the cbarnes user and check if it works!
Let us know if this works for you. Happy Sitecoring!
I actually ran into this same issue today on a 7.2 project. While my user had both the sitecore\Designer and sitecore\Author roles as a part of a client-specific author role I created, they were not able to edit rendering parameters.
By default, users in these roles have read-only access to the Sitecore\Templates folder. Within this folder I had an additional folder named "Rendering Parameters" where I stored all my rendering parameters templates. I added Write access to the client-specific role for my "Rendering Parameters" template folder and users in that role can now edit and save rendering parameters without elevated permissions.
Use "Access Viewer" tool from Sitecore start menu to define why your user does not have required rights.
By default both roles sitecore\Designer and sitecore\Author have field read and field write access to Layout template section fields. But, it seems that roles have only read access to item that you are trying to edit. You can add write access to that item.
For more details look at Security Administrator's Cookbook.

ssrs web service: basic permissions required for web service access?

I'm building a lightweight web interface to SSRS where web app users are mapped to web app roles, which in turn are mapped to SSRS users.
The reason for this convoluted scheme is not up for debate: In short, AD groups can't be used, the site uses Forms auth and there are a fixed number of roles.
Web Role | SSRS User
Admin | AdminUser
Supervisor | SuperUser
User | BasicUser
Guest | GuestUser
The goal is to enumerate all reports a user has permission to view, and allow the user to view the report with the ReportViewer control.
More importantly, it's to simplify the UX for users, both admins and the rest: preventing admins from having to use the Report Manager website (ie, selecting checkboxes rather than hand-typing which web-role-users have access to which reports), and providing a simple UI from which users can see and execute all their reports.
Everything works OK when the user is the AdminUser.
However, I'm having difficulty calling the web service when the user isn't included in a Policy on the Home/Root folder with at least the Browser SSRS role. (The permissions granted to user 'computer\username' are insufficient for performing this operation.)
This is problematic for a couple reasons:
If every user must be a Browser to connect to the web service and enumerate reports they have access to view/execute, then all users will have access to all new reports/folders by default. (Children automatically inherit new permissions)
If a report exists in a nested folder that does not inherit permissions and the user is not a browser of, but the user is a Browser on the nested report, ListChildren() will not return that report.
It seems this leaves me with 2 less than ideal options:
1. Don't call the web service with the different users. Instead, enumerate reports with ListChildren() using only the admin user. Then, for each report, call GetPolicies(), and from that collection of policies, determine what reports the user is able to view.
2. Make the call with different users. Live with the pitfalls of newly-published reports being accessible to everyone by default, until permissions are changed. Also live with the pitfalls of nested reports not showing unless the user has access to that path. If an admin wants a nested report within a folder with explicit permissions to be available to a user who can't see that folder, the policies on all ancestor folders and their children must be modified.
#1 is obviously very unwieldy and inefficient. But #2 has significant drawbacks and becomes just as onerous & inefficient when setting permissions in certain situations.
Is there a better way? Have I missed something obvious?
[edit]
A 3rd option is to query the ReportServer database directly using a query like this. This has the benefit of returning everything the user has access to, regardless of whether or not it exists in a subfolder the user cannot access (aka, cannot use the web service's ListChildren method to retrieve). However, if using AD groups, I would have to know which groups the user is a member of, whereas the web service would do this for me. This option feels like a bit of a hack to me, but it could work.
As it turns out, we ran an end-route around this issue by dropping the requirement to restrict report access by web role, and made the path we query in the web service a web.config setting that can change, thus allowing report authors to 'hide' reports in a parent folder if the need arises in the future.
The best solution would have been to query the ReportServer database directly.
However, the client changed their mind & didn't want to restrict reports based on web user role in the end, so problem solved!