Is it possible to manage which group is allowed to create and assign users in defined groups? An example scenario: the currently logged-in user can create new users, but he can assign group membership only to groups that were created by him. If there is a group created by another user, the current user shouldn't be able to access that group. Also, this user should be able to see just the users in his own group.
How do I find a list of all groups that I am a member of for an organization in GCP? I am able to go to the IAM > Groups page and see a list of member users for an individual selected group, but I have not been able to find a list of all of the groups that I am a part of.
I found the View a user's group memberships article that walks through the steps of seeing a user's group memberships, but this requires an admin account. I am not an admin and only want to see my own group memberships. How can I do this?
For general Google Workspace groups, there is this page that shows an overview for the currently logged-in account:
https://groups.google.com/my-groups
I am looking for advice on a not so particular situation.
I currently have roughly 20000 stores.
All stores have admins, managers and user roles.
An admin can create/manage any role
A manager can create/manage only user role
A user can login and access custom functionality.
Any persona can be assigned to 1 or multiple stores and can have 1 or multiple roles for that particular store.
Ie:
StoreA has userA as Admin and userB as Manager
StoreB has userA as User and userB as Admin
At first, I converted my stores to be groups. But since roles are bound to the group, I would still have 3 roles for each group (20000 groups and 60000 roles: Group StoreA, Roles: StoreA_Admin, StoreA_Manager, StoreA_User, etc.). I'm not sure if it is the right decision, and I am not sure about the performance.
Then I kept the stores as groups, but instead of creating roles, I created custom multivalued attributes that save the group UID. That worked in Carbon, as well as in the API, but the console doesn't like the multivalued fields. And if another role is introduced, I would have to create another field.
Any thoughts on how to approach this situation?
We can map your story to IS groups and roles as follows.
Please note that groups and roles are treated as two separate resources since IS-5.11.0.
Refer to:
https://is.docs.wso2.com/en/5.11.0/setup/migrating-what-has-changed/#group-and-role-separation
https://medium.com/p/93d42fe2f135
That separation is not clearly visible in the management console. So you can use the console application to create groups and roles.
A group is used to represent a collection of users in the user store. One user can belong to zero or more groups.
A role is a collection of permissions. A role can have zero or more permissions.
We can assign a role either to a group or to a user.
Due to this statement:
A user can log in and access custom functionality.
We don't need to assign any role to normal business users specifically. No specific role is required to log in to the business application via Identity Server basic authentication. In case your business application has role-based access control, you need to assign a role to business users as well. Otherwise, every user will get login permissions upon successful authentication, which should be enough to do business operations in the application.
In your case, if every store's admin has the same set of permissions and every manager has the same set of permissions, you can't just evaluate the permissions and authorize the requests.
For example: if user B is the manager of store A and the admin of store B, he has inherited the permissions related to both the admin and manager roles. But when user B performs a request on store B, you have to authorize the request based only on the roles related to store B.
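The last point of the answer is the one that bites in practice: if the authorization layer only sees the flattened union of a user's roles, a manager of store A who is also an admin of store B silently becomes an admin of store A. The following is an added illustration (not WSO2 Identity Server code, and not the poster's implementation) of a store-scoped RBAC lookup in plain Python. The role names, the permission strings and the `Directory` class are assumptions chosen to match the scenario in the question; the memberships mirror the StoreA/StoreB example above. `authorize_unscoped` is included only to show the privilege leak that the scoped check avoids.

```python
from dataclasses import dataclass, field

# Hypothetical role -> permission mapping. Admin and Manager carry the same
# permissions in every store, which is exactly why the store must be part
# of the authorization decision.
ROLE_PERMISSIONS = {
    "Admin":   {"app:use", "user:create", "user:manage",
                "manager:create", "manager:manage",
                "admin:create", "admin:manage"},
    "Manager": {"app:use", "user:create", "user:manage"},
    "User":    {"app:use"},
}


@dataclass
class Directory:
    # user -> store -> set of roles held in that particular store
    memberships: dict = field(default_factory=dict)

    def assign(self, user, store, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.memberships.setdefault(user, {}).setdefault(store, set()).add(role)

    def roles_in_store(self, user, store):
        # Roles bound to this store only; a user with no binding here gets none.
        return set(self.memberships.get(user, {}).get(store, set()))

    def all_roles(self, user):
        # The flattened view an IdP would hand out if roles were not scoped.
        roles = set()
        for store_roles in self.memberships.get(user, {}).values():
            roles |= store_roles
        return roles

    def permissions_in_store(self, user, store):
        perms = set()
        for role in self.roles_in_store(user, store):
            perms |= ROLE_PERMISSIONS[role]
        return perms

    def authorize(self, user, store, action):
        # Correct check: only roles bound to the target store are considered.
        return action in self.permissions_in_store(user, store)

    def authorize_unscoped(self, user, action):
        # Flawed check for comparison: any role in any store grants the action.
        perms = set()
        for role in self.all_roles(user):
            perms |= ROLE_PERMISSIONS[role]
        return action in perms


def build_example():
    # Constructed data reproducing the StoreA / StoreB scenario from the post.
    d = Directory()
    d.assign("userA", "StoreA", "Admin")
    d.assign("userB", "StoreA", "Manager")
    d.assign("userA", "StoreB", "User")
    d.assign("userB", "StoreB", "Admin")
    return d


if __name__ == "__main__":
    d = build_example()
    print("userB admin:manage on StoreB:", d.authorize("userB", "StoreB", "admin:manage"))
    print("userB admin:manage on StoreA:", d.authorize("userB", "StoreA", "admin:manage"))
    print("leak via unscoped check:", d.authorize_unscoped("userB", "admin:manage"))
```

Whatever the identity server returns (groups, roles or a custom attribute holding the store UID), the application side has to keep the store as a key in its lookup, as `roles_in_store` does here; the moment the store is dropped from the key, `authorize_unscoped` is what you have actually implemented.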
I am doing an assignment on AWS and one of the requirements is to list the group names to which he/she belongs.
I am using Cognito and I have one group named admin_list and added three users to it. Now I want that whenever any of the users from the list logs in, there should be a message displaying a list of groups in which he/she is present.
I'm creating a group for the organization from IAM & Admin. There is a "Group email address" input box, but I don't know what kind of email address they are asking for. Should I put a group email address that is already being used? Or is this for a new email address that GCP will create? If so, when and how can I use this new email address?
Let me summarize our discussion in the comment section. Let's start with the IAM Overview, where in the section Google group you can see:
A Google group is a named collection of Google Accounts and service accounts. Every Google group has a unique email address that's associated with the group. You can find the email address that's associated with a Google group by clicking About on the homepage of any Google group. For more information about Google Groups, see the Google Groups homepage.
Google Groups are a convenient way to apply an access policy to a collection of users. You can grant and change access controls for a whole group at once instead of granting or changing access controls one at a time for individual users or service accounts. You can also easily add members to and remove members from a Google group instead of updating an IAM policy to add or remove users.
More information can be found on the documentation page Managing groups in the Cloud Console, for example instructions on how to create, edit or delete a group.
A group email address is a unique identifier in the form of an email address; you can see a similar concept for a service account, such as sa-name@project-id.iam.gserviceaccount.com.
I am using django admin back end for creating user groups. I created a group called admin and assigned several permissions to it.
But when I assign this group admin to a user the permissions of that group are not automatically assigned to the user.
The django docs say that:
A user in a group automatically has the permissions granted to that group.
For example, if the group Site editors has the permission can_edit_home_page,
any user in that group will have that permission.
Can someone please tell me if I understood it correctly or not? Or do I need to write some code myself to assign the permissions of a group to a user?
I am using Django REST framework, South, and Postgres as the database.
Also, I checked using the Django shell that when I assign a user specific permissions manually, they get assigned. Also, when I assign a group specific permissions, they also get assigned to that group.
But when I assign a group to a user, the group gets assigned but the group's permissions are not.
The group permissions do not get copied to the user as user permissions, but the user still has all the group's permissions.
Example:
User Anton
- can add X
Group Admin
- can change X
- can delete X
Anton can only add X as long as he is not in the Admin group. When he is a member of the group, he will be able to change/delete X. If you view the user permissions in django-admin, they will still look the same, though.
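The distinction the answer draws is between what is stored on the user (`user_permissions`) and what is effective for the user (direct permissions unioned with every group's permissions). The block below is an added, stand-alone illustration of that resolution rule in plain Python; it is not Django's code and does not need a Django project to run. The `Group` and `User` classes, the `shop` app label and the Anton/Admin data are constructed to mirror the example in the answer; method names follow Django's `get_group_permissions`, `get_all_permissions` and `has_perm`, and the inactive/superuser handling mirrors the behaviour of Django's ModelBackend.

```python
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    permissions: set = field(default_factory=set)


@dataclass
class User:
    username: str
    # Direct permissions: this is the set the django-admin user page shows.
    user_permissions: set = field(default_factory=set)
    groups: list = field(default_factory=list)
    is_active: bool = True
    is_superuser: bool = False

    def get_group_permissions(self):
        # Permissions inherited through group membership; never copied onto the user.
        perms = set()
        for group in self.groups:
            perms |= group.permissions
        return perms

    def get_all_permissions(self):
        # Effective permissions = direct permissions + group permissions.
        return self.user_permissions | self.get_group_permissions()

    def has_perm(self, perm):
        # Inactive users have no permissions; superusers have every permission
        # without any database lookup (as in Django's ModelBackend).
        if not self.is_active:
            return False
        if self.is_superuser:
            return True
        return perm in self.get_all_permissions()


def build_example():
    # Constructed data reproducing the answer: Anton can add X directly,
    # the Admin group can change and delete X.
    admin = Group("Admin", {"shop.change_x", "shop.delete_x"})
    anton = User("Anton", {"shop.add_x"})
    return anton, admin


def join_group(user, group):
    # Membership change only; user_permissions is untouched.
    if group not in user.groups:
        user.groups.append(group)
    return user


def leave_group(user, group):
    # Removing the membership revokes the inherited permissions immediately.
    user.groups = [g for g in user.groups if g is not group]
    return user


if __name__ == "__main__":
    anton, admin = build_example()
    print("before:", sorted(anton.get_all_permissions()))
    join_group(anton, admin)
    print("after joining Admin:", sorted(anton.get_all_permissions()))
    print("stored on the user:", sorted(anton.user_permissions))
```

In a real Django shell the equivalent checks are `user.has_perm("shop.change_x")` and `user.get_all_permissions()`, and `user.user_permissions.all()` will keep showing only the directly assigned permissions, exactly as the answer describes. One caveat when verifying this interactively: ModelBackend caches permissions on the user instance after the first `has_perm` call, so after changing group membership re-fetch the user (`User.objects.get(pk=...)`) before checking again, or a stale result will look like the group permissions were never applied.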