I am using django admin back end for creating user groups. I created a group called admin and assigned several permissions to it.
But when I assign this group admin to a user the permissions of that group are not automatically assigned to the user.
The django docs say that:
A user in a group automatically has the permissions granted to that group.
For example, if the group Site editors has the permission can_edit_home_page,
any user in that group will have that permission.
Can someone please tell me if I understood it correctly or not? Or do I need to write some code myself to assign permissions of a group to a user?
I am using django rest framework and south and postgres as database.
Also I checked using the django shell that,
when I assign a user specific permissions manually they get assigned. Also when I assign a group specific permissions they also get assigned to that group.
But when I assign a group to a user, the group gets assigned but the group's permissions are not.
The group permissions do not get copied to the user as user permissions, but the user should still have all the group's permissions.
Example:
User Anton
- can add X
Group Admin
- can change X
- can delete X
Anton can only add X as long as he is not in the Admin group. When he is a member of the group he will be able to change/delete X. If you view the user permissions in django-admin they will still look the same though.
I am looking for advice on a not so particular situation.
I currently have roughly 20000 stores.
All stores have admins, managers and user roles.
An admin can create/manage any roles
A manager can create/manage only user role
A user can login and access custom functionality.
Any persona can be assigned to 1 or multiple store and can have 1 or multiple roles for that particular store.
Ie:
StoreA has userA as Admin and userB as Manager
StoreB has userA as User and userB as Admin
At first, I converted my stores to be groups. But since roles are bound to the group, I would still have 3 roles for each group (20000 groups and 60000 roles - Group StoreA, Roles: StoreA_Admin, StoreA_Manager, StoreA_User, etc...). Not sure if it is the right decision, and I am not sure about the performance.
Then, I kept the stores as groups, but instead of creating roles, I created custom multivalued attributes that saves the group uid. That worked in carbon, as well as the API, but the console doesn't like the multivalued fields. And if another role is introduced, I would have to create another field.
Any thoughts on how to approach this situation?
We can map your story to IS groups and roles as follows.
Please note that groups and roles are treated as two separate resources since IS-5.11.0.
Refer to:
https://is.docs.wso2.com/en/5.11.0/setup/migrating-what-has-changed/#group-and-role-separation
https://medium.com/p/93d42fe2f135
That separation is not clearly visible in the management console. So you can use the console application to create groups and roles.
A group is used to represent a collection of users in the user store. One user can belong to zero or more groups.
Role is a collection of permissions. A role can have zero or more permissions.
We can assign a role either to a group or to a user.
Due to this statement:
A user can log in and access custom functionality.
We don't need to assign any role to normal business users specifically. No specific role is required to log in to the business application via identity server basic authentication. In case your business application has role-based access control, you need to assign a role to business users as well. Otherwise, every user will get login permissions upon successful authentication, which should be enough to do business operations in the application.
In your case, if any store's admin has the same set of permissions and any manager has the same set of permissions, you can't just evaluate the permissions and authorize the requests.
For example: if user B is the manager of store A and admin of store B, he has inherited the permissions related to both the admin and manager roles. But when user B performs a request on store B, you have to authorize the request based on only the roles related to store B.
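The store-scoped authorization the answer describes, as an added example that is not part of the original post and not WSO2 Identity Server code. It keeps role assignments keyed by (user, store) and evaluates a request only against the roles held in the store being acted on; the role names, permission names and the `StoreAuthorizer` class are constructed for illustration, and `flat_permissions` exists only to show the over-grant you get when the store scope is ignored.

```python
from collections import defaultdict

# Constructed role definitions following the three personas in the question.
ROLE_PERMISSIONS = {
    "admin": {"create_role", "manage_role", "create_user", "manage_user", "login"},
    "manager": {"create_user", "manage_user", "login"},
    "user": {"login"},
}


class StoreAuthorizer:
    """Evaluates role assignments that are scoped to a store, not global to the user."""

    def __init__(self):
        # assignments[username][store] -> set of role names held in that store
        self.assignments = defaultdict(lambda: defaultdict(set))

    def assign(self, username, store, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        self.assignments[username][store].add(role)

    def store_permissions(self, username, store):
        """Permissions derived only from the roles the user holds in this store."""
        perms = set()
        for role in self.assignments.get(username, {}).get(store, set()):
            perms |= ROLE_PERMISSIONS[role]
        return perms

    def flat_permissions(self, username):
        """The over-grant produced by taking the union across every store; kept for contrast only."""
        perms = set()
        for roles_by_store in self.assignments.get(username, {}).values():
            for role in roles_by_store:
                perms |= ROLE_PERMISSIONS[role]
        return perms

    def is_authorized(self, username, store, action):
        """Authorize a request on one store using that store's roles alone."""
        return action in self.store_permissions(username, store)


if __name__ == "__main__":
    auth = StoreAuthorizer()
    # Constructed assignments matching the "Ie:" lines in the question.
    auth.assign("userA", "StoreA", "admin")
    auth.assign("userB", "StoreA", "manager")
    auth.assign("userA", "StoreB", "user")
    auth.assign("userB", "StoreB", "admin")
    print(auth.is_authorized("userB", "StoreB", "create_role"))  # admin in StoreB
    print(auth.is_authorized("userB", "StoreA", "create_role"))  # only a manager in StoreA
    print("create_role" in auth.flat_permissions("userB"))       # what a flat union would wrongly grant
```

Whether the (user, store, role) triples live in a custom claim, a naming convention on roles, or an external policy store, the check that matters is the one in `is_authorized`: the store in the request selects which roles are consulted.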
I am an Azure customer researching GCP. I have only previously used GCP to manage "Sign in with Google".
Today I set up a new Google Identity and then ran partway through the Identity & Organisation "wizard" steps before stopping when it wanted me to make virtual cloud networks(!?) -- seemed excessive, I'm just trying to kick the tyres.
Anyway, the wizard made me set up several groups. Now, under IAM & Admin > IAM, View by [Principals], I can see a table and two of my groups are listed with their roles.
When I visit Groups on the left, I see another table with 7 groups listed, 2 that were system created and 2 that were also listed on the IAM page.
Why would IAM hide the other 3? There doesn't seem to be a way to add them or edit their roles, and there are no paging controls and no filters applied.
Assuming you're viewing IAM at the project level, only users or groups that have been created/managed at the project level will be shown on your IAM page.
The Groups page will also show groups from other projects under the selected organization. Only group owners can modify/manage group accounts.
Viewing and editing group details
To view and edit the details of a group, including the group name, description, and membership, follow these steps:
In the Cloud Console, go to the Groups page.
Find the group whose details you want to view, click the More button in that row, and then click View group details.
To edit the group name or description, type your new name or description in the Group name or Group description field and click Save.
To edit the group's membership, do the following:
To add members: Click Add members at the top of the page. Enter the names of the members you want to add, choose their Google Groups roles, then click Add to add them to the group.
Note: When you add a member to a Google group, they inherit all IAM roles granted to that group, regardless of their Google Groups role.
To remove members: Select the checkboxes next to the names of the members you want to remove, then click Remove members at the top of the page.
For more docs and guides, you can refer to the links below:
Manage access to projects, folders, and organizations
Managing groups in the Cloud Console
Understanding roles
You need to add the groups manually. Although you might expect all the groups to be listed so that you can manage their roles, they are not; it doesn't work like that.
Click ADD at the top of the IAM page and enter the email address of the group - do not expect auto-complete here, Google have not added that basic feature either.
Select a role (add any more roles) and click SAVE.
Is it possible to manage which group is allowed to create and assign users in defined groups? An example scenario is that the currently logged-in user can create new users, but he can assign group membership only to groups that were created by him. If there is a group created by another user, the current user shouldn't be able to access that group. Also this user should be able to see just the users in his own group.
We are using Sitecore 8 update 3 with Active Directory integration. I am trying to copy a Role and the respective users tied to it from our Dev environment over to Prod.
example:
role: Sitecore/IHaveAccess
users: ad/dk123, ad/dk234, ad/dk345...
I tried two different methods:
Method 1: Generate package:
By creating a package as described on page 19: https://sdn.sitecore.net/upload/sitecore6/65/package_designer_admin_guide-a4.pdf
When I installed the package on the new environment, the role was added but none of the users was under the Role.
Method 2: Serialization:
I serialize the item, but when viewing it in Notepad++ it does not contain any users. When I serialize a user who was in the group, I do see the group.
Any thoughts why we have the issue?
Unfortunately, the membership information is stored against the user and not the role (the same for roles within roles). In this instance, the membership information is stored against the AD user. You are storing that a user is a member of role x and not that role x contains member y.
This means that you would need to package up both the role and the corresponding users. I'm not sure how this would work using AD though, since you are essentially trying to sync back user-related data via Sitecore. I would ensure that your AD provider is not set as read-only in the connection string or its setup. Since you only have a one-way sync, there's no way to store that information back in AD and have it persist.
Personally, I would set up my roles differently to allow the management to be easier, but it depends on your exact requirements obviously:
Create a Sitecore role and assign all your permissions and security against this role (sitecore\IHaveAccess)
Create a matching AD role (ad\IHaveAccess) and add this as a member of your Sitecore role
Add your AD users to your AD Group. They will gain the correct permissions through Role In Role. If you already have AD Groups set up, you simply add existing Groups to the new Group even.
Using this, at most you have to add your AD roles back into your Sitecore roles (this shouldn't be the case if you added the AD roles as a member of the Sitecore role, so the membership is stored in Sitecore). It also has the advantage that your users/roles/membership are centrally located within one system.
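The storage model the answer describes (membership recorded on the member, not on the role) and the Role-In-Role resolution it recommends, as an added example that is not part of the original post and not Sitecore's code. The `Directory` class and its method names are constructed for illustration; the account names follow the question's sitecore\IHaveAccess, ad\IHaveAccess and ad\dk123 examples.

```python
class Directory:
    """Membership is stored on the member object only, the way the answer describes."""

    def __init__(self):
        # member name -> set of role names that member belongs to
        self.memberships = {}

    def add_member(self, member, role):
        """Record 'member is in role'; the role object itself learns nothing."""
        self.memberships.setdefault(member, set()).add(role)

    def direct_roles(self, member):
        return set(self.memberships.get(member, set()))

    def effective_roles(self, member):
        """Roles reachable through Role-In-Role, walking upward with cycle protection."""
        seen = set()
        stack = list(self.direct_roles(member))
        while stack:
            role = stack.pop()
            if role in seen:
                continue
            seen.add(role)
            stack.extend(self.direct_roles(role))
        return seen

    def members_of(self, role):
        """The only way to list a role's members is to scan every stored membership."""
        return {m for m, roles in self.memberships.items() if role in roles}

    def export_role(self, role):
        """Mimics packaging or serializing just the role item: no membership travels with it."""
        return {"name": role, "members": []}

    def export_member(self, member):
        """Serializing a member does carry its roles, matching what the question observed."""
        return {"name": member, "roles": sorted(self.direct_roles(member))}


if __name__ == "__main__":
    d = Directory()
    # Constructed membership chain following the answer's recommendation:
    # AD users -> AD group -> Sitecore role that carries the permissions.
    d.add_member("ad\\IHaveAccess", "sitecore\\IHaveAccess")
    d.add_member("ad\\dk123", "ad\\IHaveAccess")
    d.add_member("ad\\dk234", "ad\\IHaveAccess")
    print(sorted(d.effective_roles("ad\\dk123")))
    print(d.export_role("sitecore\\IHaveAccess"))   # membership is absent, as in Method 1 and 2
    print(d.export_member("ad\\dk123"))             # membership is present on the user
```

Because `members_of` has to scan every member, only one membership edge (AD group into Sitecore role) needs to live in Sitecore under the recommended layout; the per-user edges stay in AD, which is the system that owns them.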
I know that Users can have their own permissions and permissions inherited from their groups. I want to be able to remove a permission from a User that was granted to them by their group, but maintain their association to the group. Is there an idiomatic way of doing this?
Example: User Bob is in the Voter group. I want to revoke Bob's voting permission, but keep him in the Voter group.
If this behavior is important for you, you could extend authentication backend to support checking a blacklist of user permissions, or assign Bob a higher-priority permission 'no voting' and check it whenever voting permission is required...
But normally, splitting the Voter group into Voter and another group such as ForbiddenVoter, and assigning Bob that group, could be more logically correct and easier to achieve.
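An added example, not part of any post on this page and not Django's own code, covering both Django threads here: the first (why Anton's group permissions never appear on the user's own permission list yet still apply) and this one (the "blacklist of user permissions" backend idea for Bob). It is a plain-Python stand-in for the resolution order in django.contrib.auth.backends.ModelBackend, with sets standing in for the auth_user_user_permissions and auth_group_permissions tables; `denied_permissions` and `has_perm_with_denylist` are assumptions that model the custom backend, and Django has no such field.

```python
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    permissions: set = field(default_factory=set)  # codenames such as "app.change_x"


@dataclass
class User:
    username: str
    user_permissions: set = field(default_factory=set)  # direct grants only
    groups: list = field(default_factory=list)
    is_active: bool = True
    is_superuser: bool = False
    # Hypothetical per-user denylist for the custom backend idea; not a Django field.
    denied_permissions: set = field(default_factory=set)


def group_permissions(user):
    """Union over every group the user belongs to (cf. ModelBackend._get_group_permissions)."""
    perms = set()
    for group in user.groups:
        perms |= group.permissions
    return perms


def all_permissions(user):
    """Direct grants plus group grants (cf. ModelBackend.get_all_permissions).
    Nothing is written back to user_permissions, which is why the admin UI
    still shows only the direct grants after a group is assigned."""
    if not user.is_active:
        return set()
    return set(user.user_permissions) | group_permissions(user)


def has_perm(user, perm):
    """Active superusers pass every check; everyone else is resolved through their grants."""
    if user.is_active and user.is_superuser:
        return True
    return perm in all_permissions(user)


def has_perm_with_denylist(user, perm):
    """The custom-backend idea from the answer: a per-user denial beats a group grant,
    while the user stays a member of the group."""
    if perm in user.denied_permissions:
        return False
    return has_perm(user, perm)


if __name__ == "__main__":
    # Constructed data following the Anton / Admin example in the first thread.
    admin = Group("Admin", {"app.change_x", "app.delete_x"})
    anton = User("Anton", user_permissions={"app.add_x"}, groups=[admin])
    print(sorted(all_permissions(anton)))   # direct and group grants together
    print(sorted(anton.user_permissions))   # still only the direct grant

    # Constructed data following the Bob / Voter example in this thread.
    voters = Group("Voter", {"polls.vote"})
    bob = User("Bob", groups=[voters], denied_permissions={"polls.vote"})
    print(has_perm(bob, "polls.vote"), has_perm_with_denylist(bob, "polls.vote"))
```

In a real project the denylist check would live in a backend class listed in AUTHENTICATION_BACKENDS and would have to run before ModelBackend, since Django returns True as soon as any backend grants the permission; that ordering is the part most easily got wrong, and it is why the answer's second suggestion (a separate ForbiddenVoter group with no grant) is the simpler design.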