I'm newbie on apex, and made an application that demands the app admin to insert users - in customized groups, on apex workspace - Manage Users and Groups. My application uses Authorization Schemes based on these customised groups, instead of create an Access Control List. I guess this is more useful, because It's could be possible to make more and different groups, and more flexible access control of pages, reports, buttons etc. But this kind of implementation could bring some security issues on my office. I wonder if is possible to create a page that refers, and also mantains (CRUD) to this workspace users, at workspace groups?
Related
I am building a web app where different companies will upload their own audio files with some additional information. I am building it using Django, Postgres and hosting it on AWS. Users belong to different companies will only be able to access their data when they log into the website.
The website allows those users to upload content, search content and access content.
My question is, what's the best practice to handle those uploaded content? Is it better to create different schema for each company or putting all the content together and allow users to access different content based on the company id that each entry associates with?
putting all the content together and allow users to access different content based on the company id that each entry associates with?
Personally, I would do this, for several reasons:
It's easier to maintain. Adding new companies probably just means a new ID, rather than a new schema and some tables.
You can add security with application code or with database views.
You can have other company specific functionality that uses the same design.
I would also suggest enforcing the data security on the database side, by only allowing the application to query from certain views, where the views are limited by company ID. This means that you won't accidentally SELECT from a base table and forget the company filter, causing the user to see data that isn't theirs.
This is just my opinion - happy to be proven otherwise.
I'm building a lightweight web interface to SSRS where web app users are mapped to web app roles, which in turn are mapped to SSRS users.
The reason for this convoluted scheme is not up for debate: In short, AD groups can't be used, the site uses Forms auth and there are a fixed number of roles.
Web Role | SSRS User
Admin | AdminUser
Supervisor | SuperUser
User | BasicUser
Guest | GuestUser
The goal is to enumerate all reports a user has permission to view, and allow the user to view the report with the ReportViewer control.
More importantly, it's to simplify the UX for users, both admins and the rest: preventing admins from having to use the Report Manager website (ie, selecting checkboxes rather than hand-typing which web-role-users have access to which reports), and providing a simple UI from which users can see and execute all their reports.
Everything works OK when the user is the AdminUser.
However, I'm having difficulty calling the web service when the user isn't included in a Policy on the Home/Root folder with at least the Browser SSRS role. (The permissions granted to user 'computer\username' are insufficient for performing this operation.)
This is problematic for a couple reasons:
If every user must be a Browser to connect to the web service and enumerate reports they have access to view/execute, then all users will have access to all new reports/folders by default. (Children automatically inherit new permissions)
If a report exists in a nested folder that does not inherit permissions and the user is not a browser of, but the user is a Browser on the nested report, ListChildren() will not return that report.
It seems this leaves me with 2 less than ideal options:
Don't call the web service with the different users. Instead, enumerate reports with ListChildren() using only the admin user. Then, for each report, call GetPolicies(), and from that collection of policies, determine what reports the user is able to view.
Make the call with different users. Live with the pitfalls of newly-published reports being accessible to everyone by default, until permissions are changed. Also live with the pitfalls of nested reports not showing unless the user has access to that path. If an admin wants a nested report within a folder with explicit permissions to be available to a user who can't see that folder, the policies on all ancestor folders and their children must be modified.
#1 is obviously very unwieldy and inefficient. But #2 has significant drawbacks and becomes just as onerous & inefficient when setting permissions in certain situations.
Is there a better way? Have I missed something obvious?
[edit]
A 3rd option is to query the ReportServer database directly using a query like this. This has the benefit of returning everything the user has access to, regardless of whether or not it exists in a subfolder the user cannot access (aka, cannot use the web service's ListChildren method to retrieve). However, if using AD groups, I would have to know which groups the user is a member of, whereas the web service would do this for me. This option feels like a bit of a hack to me, but it could work.
As it turns out, we ran an end-route around this issue by dropping the requirement to restrict report access by web role, and made the path we query in the web service a web.config setting that can change, thus allowing report authors to 'hide' reports in a parent folder if the need arises in the future.
The best solution would have been to query the ReportServer database directly.
However, the client changed their mind & didn't want to restrict reports based on web user role in the end, so problem solved!
I need to hide the "web" database being displayed in the toolbar(databases) in Sitecore desktop for certain user roles(We don't need these people to give access to web database). How can I do this?
What I did was go into the Core database and hide the Database selector completely (in our case there's no need for them to change databases - we only have Core, Master, Web).
In the Core database, you can go to /sitecore/content/Applications/Desktop/Tray/Database and remove read rights there. I believe what I did was create a new role which removes inheritance there, so if you do have users that need it they can get a different role which explicitly allows it.
We have 50 apex applications which currently any user can access any of the 50 applications by using the website links on our intranet page.
How can you determine which users can access certain apex forms - I'm assuming lots of different apex groups will need to be made and people will need assigned to each group?
This is ok but i can see it getting out of hand trying to manage all the groups. I thought there must be a better way though of preventing users from accessing applications?
Any ideas on how to prevent users credentials working on some applications?
You can use authorization schemes, which can be applied at any level (e.g. the whole application, individual pages, regions, items, etc.).
http://docs.oracle.com/cd/E23903_01/doc/doc.41/e21674/sec_authorization.htm
Basically I am looking for the following:
Groups can be created by users of the site.
Users can apply to join a group.
Every group has a group administrator which can approve or reject applications to join a group. Also, they can remove members from a group.
Content can be created which is associated with the group. Only group members can create content. Users who are not group members can view this content but not create/modify the content.
Are there any Django applications which can help implement these requirements?
The only one that I'm aware of is part of the Pinax project. It doesn't meet all of these out of the box, but can be expanded pretty easily to get these features.