I need a list of all Roles.
I have seen that I can get all Roles by Domain or all Roles by a User.
I thought that I could get all Domains, and then do a loop to get all Roles for each Domain.
But it seems you can get a Domain by name only, and I cant hardcode them because there will be new ones from time to time.
So, any idea how I can get all Security Roles? The names as a string would be enough.
Thanks.
You can use :
Roles.GetAllRoles()
from the namespace Sitecore.Security.Accounts
If you want to get all users from a Role you can use:
IEnumerable<User> _roleUsers = Sitecore.Security.Accounts.RolesInRolesManager.GetUsersInRole(Role.FromName("Your role name"), true);
The accepted answer isn't quite right. The GetAllRoles() method is in the RolesInRolesManager class. It can be called as follows:
using Sitecore.Security.Accounts;
...
IEnumerable<Role> roleList = RolesInRolesManager.GetAllRoles();
Related
I have an AWS Amplify application that has a structure with multi-organizations:
Organization A -> Content of Organization A
Organization B -> Content of Organization B
Let's say we have the user Alice, Alice belongs to both organizations, however, she has different roles in each one, on organization A Alice is an administrator and has more privileges (i.e: can delete content or modify other's content), while on Organization B she is a regular user.
For this reason I cannot simply set regular groups on Amplify (Cognito), because some users, like Alice, can belong to different groups on different organizations.
One solution that I thought was having a group for each combination of organization and role.
i.e: OrganizationA__ADMIN, OrganizationB__USER, etc
So I could restrict the access on the schema using a group auth directive on the Content model:
{allow: group, groupsField: "group", operations: [update]},
The content would have a group field with a value: OrganizationA__ADMIN
Then I could add the user to the group using the Admin Queries API
However, it doesn't seem to be possible to add a user to a group dynamically, I'd have to manually create each group every time a new organization is created, which pretty much kills my idea.
Any other idea on how I can achieve the result I'm aiming for?
I know that I can add the restriction on code, but this is less safe, and I'd rather to have this constraint on the database layer.
Look into generating additional claims in you pre-token-generation handler
Basically you can create an attribute that includes organization role mapping
e.g.
{
// ...
"custom:orgmapping": "OrgA:User,OrgB:Admin"
}
then transform them in your pre-token-generation handler into "pseudo" groups that don't actually exist in the pool.
I tried to create new AWS key pairs and the option to create disappeared
Does anyone know why?
It would be worth checking the IAM permissions associated with the User who is trying to create the key pair. Contact the Administrator (presumably you?) and investigate. I would suggest creating a Group with Permissions and adding them to that.
I performed an experiment and added aDeny policy to my IAM User that prevented me from being able to create a keypair.
I then tried to launch an instance and the option to create a keypair (in the dialog box you show above) was still available. So, the display does not vary according to permissions.
Therefore, something else is causing your situation. I would recommend trying it in a different browser. Also, check the underlying HTML to see whether the option is coded on the web page. Something is causing it to disappear.
I just try with AWS cognito for authentication my web application.
I am using Warrant library https://github.com/capless/warrant
I have many users which belong to my group (Ex: G1, G2, G3)
However, I cannot find the way to get list of users for specific group.
Can anyone tell me how to get list users in specific group?
Thank in advance.
I've just passed by the same situation as you, because I'm using warrant to. The problem is that warrant is an high level library, so it doesn't have capacity to manipulate all features that cognito can provide.
So, if you can try to solve this problem without using warrant, my solution is to use boto3 identity provider api, an low level feature that works with various usefull features of cognito.
Check these low level functions in AWS API documentation
So, using these functionalities, I made the code bellow to list all users at some group:
import boto3
cognito_cl = boto3.client('cognito-idp')
res = cognito_cl.list_users_in_group(
UserPoolId=<some_pool_id>,
GroupName=<some_group_name>
)
group_users = res.get('Users', 'empty')
Then, if you access group_users variable, you can see the list of all users in this group, just like all of their attributes.
Hope that I have helped you even after so long.
Is it possible to create a policy with multiple statements when using a CloudFront custom policy for signed cookies (not signed URLs)?
I have read the documentation, and although all the examples just have one statement, I cannot see an explicit rule regarding the number of statements allowed.
If it's not possible to have multiple policy statements, it will be difficult to give a particular user signed-cookie access to say, five random files using only the CloudFront security. Any tips on how to do that would be appreciated.
This question is cross-posted here: https://forums.aws.amazon.com/thread.jspa?threadID=223440&tstart=0
FYI
I have faced with the same problem, and contacted with the official AWS support team.
Hello, thanks for offering us a great service.
I am an software engineer from Japan.
Can we have multiple custom policies, like below syntax?
{
"Statement": [
{ ... },
{ ... },
{ ... },
]
}
I have searched on the web, and found ones who are trying to
do the same thing and forums/Q&A as well.
However we found no answer from AWS official support teams
nor documents saying about that.
JSON syntax is array, so it seems to work with
multiple statements but do not work.
So, if it does not work, would you add a sentence
about that on the official document?
And then, I got the answer yesterday:
I just heard back this morning.
You're correct, adding more than one statement
to a custom policy is not supported.
I'm updating the documentation now.
So, I think in few days the documentation will be updated that you can not set multiple policy statements for CF Custom Policy for Pre-Signed Cookies.
It's upsetting there is nothing in the docs that says you can only have one item in the Statement array, but that's AWS docs for ya!
Anyways, a way around this limitation, is to set multiple cookies at different path levels. You'll need to generate a signed cookie for each path you want and set each cookie in whatever app you are using. You can imagine an endpoint in your api that generates all of the necessary cookies, sets them all in the header, and your front end then sets all of those cookies.
More specifically you'll want to create one CloudFront-Key-Pair-Id cookie with your cloudfront access key id, and scope that cookie path to the highest level that you're policies will be set to.
Use the AWS CloudFront SDK to sign a cookie for each Resource. Create a pair of CloudFront-Policy and CloudFront-Signature cookie for each path that corresponds to the Resource path.
Say I have the following two Resources and want to give access to both of them:
https://cfsub.cloudfront.net/animals/dogs/* https://cfsub.cloudfront.net/animals/cats/*
I'd create:
1 CloudFront-Key-Pair-Id cookie with a path of /animals
1 CloudFront-Policy cookie with the base64 policy generated from running the dogs custom policy through the cloudfront signer. This cookie should have a path of /animals/dogs.
1 CloudFront-Policy same thing for cats
1 CloudFront-Signature cookie with the signature generated from running the dogs custom policy through the cloudfront signer. This cookie should have a path of /animals/cats
1 CloudFront-Signature same thing for cats
All of these cookies should have a domain set to your cloudfront domain cfsub.cloudfront.net
Send all those up to your web app or mobile app.
I can't give definite information on this subject, it is an explicit question which someone at Amazon can give relevant information on.
That said, I believe CloudFront policies may include multiple statements. Their schema is similar to IAM policies but I don't think it'll work exactly how you're expecting.
With IAM policies, you're able to attach multiple statements to one policy but they are OR'd across the statements:
Generally, each statement in a policy includes information about a single permission. If your policy includes multiple statements, a logical OR is applied across the statements at evaluation time. Similarly, if multiple policies are applicable to a request, a logical OR is applied across the policies at evaluation time... IAM Policy Documentation
In the documentation you linked to, the Statement key's value is an array which you can include multiple statements in but they'll be OR'd across them. There is further information on how the policies are evaluated which will help in limiting access to the files you're working on.
Giving access to five random files will be a challenge which I do not believe is accomplishable with CloudFront access policies alone. The conditions available aren't designed with this use case in mind.
As Rodrigo M pointed out, using the AWS API from a script can accomplish what you're attempting to do. Unfortunately that is the only route I can imagine which will accomplish what you're attempting.
If you find a way to accomplish this task using only CloudFront policies (without other AWS services), I'll be quite interested in the solution. It'd be a creative policy and quite useful.
I have similar requirement and tested AWS CloudFront with canned policy include multiple resources to restrict access to different urls.
The policy is a valid json object, it looks like below:
{
"Statement":[
{
"Resource":"https://qssnkgp0nnr9vo.cloudfront.net/foo/*",
"Condition":{
"DateLessThan":{
"AWS:EpochTime":1492666203
}
}
},
{
"Resource":"https://qssnkgp0nnr9vo.cloudfront.net/bar/*",
"Condition":{
"DateLessThan":{
"AWS:EpochTime":1492666203
}
}
}
]
}
After I signed policy and send request to CloudFront it turned out AWS CloudFront does not support it. It got a 403 response said it was a Malformed Policy.
HTTP/1.1 403 Forbidden
<?xml version="1.0" encoding="UTF-8"?><Error><Code>MalformedPolicy</Code><Message>Malformed Policy</Message></Error>
AWS officially supports only one statement in one singed policy. However, There is a workaround if you need 4 or less statements. For each statement you can create a separate pair of a CloudFront-Policy cookie and a CloudFront-Signature with its own path. The size of this pair of cookies would be around 600-900 bytes. Since the Cookie header has a limit of around 4Kb, you definitely can't use more than 5 pairs. Using 5 pairs has a high change to reach the header limit.
The department I'm in recently changed it's name. However, in Sitecore, I have some groups whose name contains the old department name. I'm having trouble finding any way to rename these groups to use the new department name. There is no edit or rename option in the Role Manager.
Is there any way to rename a group after it has been created? Or is the only option to recreate that group, and All its permissions (quite the task)?
Sitecore stores permissions for items in clear text and they are not linked to the role with anything but the name so if you rename a role that you have used it on items then when you rename it authors will no longer have any right.
If you haven't used the role then you can go and change it in the aspnet_Roles table as #Bryan advises.
There is one more way. You can create a new role and give it the name you want and add the original role to it. This way authors will get the same permissions but have the new role.
The question and the answer in the post above deals with Sitecore 6 I believe.
For people who might stumble on this post:
We have successfully renamed Roles in Sitecore 7.2 by updating database without any issues.
Following are the tables need updated with new RoleName:
- aspnet_roles: update the new RoleName
- RolesInRoles: update MemberRoleName and TargetRoleName
Hope this helps someone!
If you are using the out-of-the-box Role provider, that's just standard ASP.NET Roles. There is some discussion about this here.
If you want to get adventurous, you could just edit the role name in your Core DB, table name is aspnet_Roles. Not sure what repercussions this wold have though. But hey, I like adventure. Let us know how it works. :)