I need to hide the "web" database being displayed in the toolbar (databases) in Sitecore desktop for certain user roles (we don't need to give these people access to the web database). How can I do this?
What I did was go into the Core database and hide the Database selector completely (in our case there's no need for them to change databases - we only have Core, Master, Web).
In the Core database, you can go to /sitecore/content/Applications/Desktop/Tray/Database and remove read rights there. I believe what I did was create a new role which removes inheritance there, so if you do have users that need it they can get a different role which explicitly allows it.
My company has decided to use FreeIPA in order to make the Single Sign On feature available for our employees. I am not familiar at all with Kerberos/LDAP and similar because I have never used those technologies before.
We have 70 users - they have Windows OS machines and SSO should be used for several Python (Django) web apps, WordPress web sites and possibly for Roundcube web email and OpenVPN access. They don't have access to web servers at all so SSH accounts are not important for this story.
Our Python web app has a database table with users' data which is related to some other tables, and it is very important for us to have every single user added to those tables (via our web app interface) because otherwise our app will not work properly.
Having that in mind, I would like to know if there is a way to somehow reference a user from FreeIPA's database to our web app's and WordPress's databases, example below:
Not every user has access to every web app and not every user has the same privileges in those apps.
We have already defined user privileges in every web app separately and everything works perfectly, so the main aim is just to make SSO available for our users. I don't want to bother with user groups and privileges in the FreeIPA system; will I be able to avoid that?
When a user gets a Kerberos ticket I want those web apps to recognize his/her account, which is referenced to the corresponding user account in the FreeIPA database, and so has certain privileges in those apps.
In this scenario it is obvious that I will have to add every new user two times - in the FreeIPA database and in the web app's database, but that's not a problem, I just want to connect/reference those user accounts somehow.
EDIT to Michael Ströder's answer:
As I see, I would have to add every existing user manually to FreeIPA with the "--uid" option because FreeIPA gives those attributes to every user automatically. I agree, I would not use user names for UID but only integers. So, I have imagined making it like this - I would have to link every user's uid number to the application's DB user table ID column. Let's say, if John has UID #7 he should also have ID #7 in the WordPress wp_users table, and that looks fine to me. I think I could easily manage this in my custom Python app, but I'm unsure how to manage this in WordPress; is there some plugin that could be used for such things? I've found AuthLDAP but I'm not sure if that is the right way to do it? Thanks in advance
The usual way is to have unique and persistent user names (String), usually stored in attribute uid in FreeIPA (or other LDAP servers) and use this as key in your application's DB table.
Note that uid does not contain the POSIX-UID (Integer) which is actually stored in attribute uidNumber.
I'd strongly recommend not to derive user names stored in uid from personal names because these often change. Also you should never reuse user names.
FreeIPA also has the attribute nsUniqueId which contains a UUID generated during creation of the entry. It will not be modified during the lifetime of the entry. If you want to use that you have to take care that entries are not deleted/re-created by external identity management systems all the time.
(Other LDAP servers are using standard attribute entryUUID).
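The lookup the answer describes, as an added example in Python (not code from the answer or from FreeIPA): a Kerberos principal is reduced to the LDAP uid, which is the key stored in the application's own user table, and a later change of the personal name leaves that link intact. The realm, directory entries and app rows are constructed sample data.

```python
# Added example, not code from the answer above: resolving a Kerberos-authenticated
# user to the application's own account through the stable LDAP 'uid' attribute.
# Directory and app rows are constructed sample data shaped like FreeIPA entries.
REALM = "EXAMPLE.COM"  # assumed Kerberos realm (placeholder)

# uid is the login name (string), uidNumber the POSIX id, nsUniqueId the UUID
# assigned at creation; cn is the personal name and may change.
DIRECTORY = [
    {"uid": "jdoe", "uidNumber": 1007, "cn": "John Doe",
     "nsUniqueId": "00000000-0000-0000-0000-000000000007"},
    {"uid": "asmith", "uidNumber": 1008, "cn": "Anna Smith",
     "nsUniqueId": "00000000-0000-0000-0000-000000000008"},
]
# App user table (think auth_user or wp_users); 'ipa_uid' holds the link key.
APP_USERS = [
    {"id": 7, "ipa_uid": "jdoe", "role": "editor"},
    {"id": 42, "ipa_uid": "asmith", "role": "viewer"},
]

def principal_to_uid(principal, realm=REALM):
    """'jdoe@EXAMPLE.COM' (as seen in REMOTE_USER) -> 'jdoe'; None if the
    principal belongs to another realm or carries no realm at all."""
    name, sep, principal_realm = principal.rpartition("@")
    if not sep or not name or principal_realm.upper() != realm.upper():
        return None
    return name

def resolve_app_user(principal, app_users=APP_USERS, directory=DIRECTORY):
    """Map an authenticated principal to the app's user row. The link key is
    uid (string), not uidNumber and not the personal name. Returns None when
    the user is authenticated but not provisioned in the app (deny access)."""
    uid = principal_to_uid(principal)
    if uid is None or sum(e["uid"] == uid for e in directory) != 1:
        return None  # unknown to the directory, or uid not unique: refuse
    return next((row for row in app_users if row["ipa_uid"] == uid), None)

def rename_user(directory, uid, new_cn):
    """An admin changes the personal name; uid and nsUniqueId are untouched,
    so the app link keyed on uid survives."""
    for entry in directory:
        if entry["uid"] == uid:
            entry["cn"] = new_cn
            return entry
    raise LookupError(uid)
```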
I'm a newbie on APEX, and made an application that demands the app admin to insert users - in customized groups, on the APEX workspace - Manage Users and Groups. My application uses Authorization Schemes based on these customised groups, instead of creating an Access Control List. I guess this is more useful, because it could be possible to make more and different groups, and more flexible access control of pages, reports, buttons etc. But this kind of implementation could bring some security issues in my office. I wonder if it is possible to create a page that refers to, and also maintains (CRUD), these workspace users and workspace groups?
Making Faster Navigation Between APEX Site-Designer Pages
I am having a few difficulties here as this may be a setting that I took for granted in other previous versions of Oracle APEX as before it may have been a default setting, but now the default has changed. Can anyone help me figure it out? I also explain why it was useful for me before...
How do you enable the Oracle APEX instance to permit logging in to the site-designer pages for a single workspace (Application Builder, SQL Workshop, Team Development modules, etc.) using the same user id through more than one browser window?
Note, I do this to save time from navigating between each section of the site-designer (even quick load times can slow down developing an application page or region because of constant shuttling back and forth to make small changes originally missing).
Example Use Case:
Oracle APEX Release: Application Express 4.2.6.00.03
Database Platform: Oracle 11g R2
Client-Agent(Browser): Firefox Release 33
Note, this was a fresh install from a lower version that was upgraded several times up to the current APEX release.
1. LOG IN to Site-Designer with an account that has DEVELOPER or ADMIN level user privileges.
2. USE your own values for WORKSPACE, USER, PASSWORD.
3. CREATE a new PAGE level OBJECT (REGION, FORM, REPORT, etc.) and stop in the middle of the set-up wizard.
4. RIGHT-CLICK on a TOP LEVEL Menu item such as SQL WORKSHOP. Open it in a NEW WINDOW.
5. CREATE an object like a TABLE which can be used by the DESIGN WIZARD open in step 3.
The reason for trying to keep different browser sessions open for the same USER account allows users to go back to another section of the design tool to build other objects or app/page elements that were overlooked before initiating a design wizard process.
Observed Behavior:
The new session will allow the user to make a new database object, but when clicking back on the previous window with the session that is running the original wizard, the server prompts for a new log in because that session has been closed.
Thanks!
The solution I found when facing a similar situation was opening APEX in a couple of different web browsers in parallel, so I have Safari for the SQL Workshop, and Chrome for the page designer.
So instead of Ctrl-Tab I use Cmd-Tab (or Alt-Tab on a PC).
Our IT said it has something to do with session state.
I'm building a lightweight web interface to SSRS where web app users are mapped to web app roles, which in turn are mapped to SSRS users.
The reason for this convoluted scheme is not up for debate: In short, AD groups can't be used, the site uses Forms auth and there are a fixed number of roles.
Web Role | SSRS User
Admin | AdminUser
Supervisor | SuperUser
User | BasicUser
Guest | GuestUser
The goal is to enumerate all reports a user has permission to view, and allow the user to view the report with the ReportViewer control.
More importantly, it's to simplify the UX for users, both admins and the rest: preventing admins from having to use the Report Manager website (ie, selecting checkboxes rather than hand-typing which web-role-users have access to which reports), and providing a simple UI from which users can see and execute all their reports.
Everything works OK when the user is the AdminUser.
However, I'm having difficulty calling the web service when the user isn't included in a Policy on the Home/Root folder with at least the Browser SSRS role. (The permissions granted to user 'computer\username' are insufficient for performing this operation.)
This is problematic for a couple reasons:
If every user must be a Browser to connect to the web service and enumerate reports they have access to view/execute, then all users will have access to all new reports/folders by default. (Children automatically inherit new permissions)
If a report exists in a nested folder that does not inherit permissions and that the user is not a Browser of, but the user is a Browser on the nested report, ListChildren() will not return that report.
It seems this leaves me with two less-than-ideal options:
Don't call the web service with the different users. Instead, enumerate reports with ListChildren() using only the admin user. Then, for each report, call GetPolicies(), and from that collection of policies, determine what reports the user is able to view.
Make the call with different users. Live with the pitfalls of newly-published reports being accessible to everyone by default, until permissions are changed. Also live with the pitfalls of nested reports not showing unless the user has access to that path. If an admin wants a nested report within a folder with explicit permissions to be available to a user who can't see that folder, the policies on all ancestor folders and their children must be modified.
#1 is obviously very unwieldy and inefficient. But #2 has significant drawbacks and becomes just as onerous & inefficient when setting permissions in certain situations.
Is there a better way? Have I missed something obvious?
[edit]
A 3rd option is to query the ReportServer database directly using a query like this. This has the benefit of returning everything the user has access to, regardless of whether or not it exists in a subfolder the user cannot access (aka, cannot use the web service's ListChildren method to retrieve). However, if using AD groups, I would have to know which groups the user is a member of, whereas the web service would do this for me. This option feels like a bit of a hack to me, but it could work.
As it turns out, we ran an end-route around this issue by dropping the requirement to restrict report access by web role, and made the path we query in the web service a web.config setting that can change, thus allowing report authors to 'hide' reports in a parent folder if the need arises in the future.
The best solution would have been to query the ReportServer database directly.
However, the client changed their mind & didn't want to restrict reports based on web user role in the end, so problem solved!
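Option #1 from the question, the policy walk over a catalog listed as the admin, as an added example in Python (not code from the question and not the SSRS web service API): the catalog, web-role mapping and policies are constructed sample data standing in for ListChildren()/GetPolicies() output. It also models option #2, a recursive listing run as the mapped user, so both pitfalls the question raises (inherited access to new reports, and nested reports hidden behind an unbrowsable folder) show up in the results.

```python
# Added example (not from the original question and not the SSRS API itself):
# effective SSRS item policies for the SSRS user a web role maps to; constructed data.
WEB_ROLE_TO_SSRS_USER = {"Admin": "AdminUser", "Supervisor": "SuperUser",
                         "User": "BasicUser", "Guest": "GuestUser"}
VIEWING_ROLES = {"Browser", "Content Manager"}  # default roles with "View reports"

# path -> (item type, own policies, or None when inheriting from the parent);
# a policy maps an SSRS user to the roles granted on that item. Root never inherits.
CATALOG = {
    "/": ("Folder", {"AdminUser": {"Content Manager"}, "BasicUser": {"Browser"}}),
    "/Sales": ("Folder", None),
    "/Sales/Pipeline": ("Report", None),
    "/Sales/NewReport": ("Report", None),  # newly published: inherits from "/"
    "/HR": ("Folder", {"AdminUser": {"Content Manager"}}),  # explicit, no browsers
    "/HR/Payroll": ("Report", {"AdminUser": {"Content Manager"}, "SuperUser": {"Browser"}}),
}

def parent(path):
    return "/" if path.count("/") == 1 else path.rsplit("/", 1)[0]

def effective_policies(path, catalog=CATALOG):
    """Walk up the tree to the nearest item that carries its own policies."""
    while catalog[path][1] is None:
        path = parent(path)
    return catalog[path][1]

def can_view(ssrs_user, path, catalog=CATALOG):
    return bool(effective_policies(path, catalog).get(ssrs_user, set()) & VIEWING_ROLES)

def reports_by_policy(web_role, catalog=CATALOG):
    """Option #1: list the whole catalog as the admin, then keep the reports
    whose effective policy lets the mapped SSRS user view them."""
    user = WEB_ROLE_TO_SSRS_USER[web_role]
    return sorted(p for p, (kind, _) in catalog.items()
                  if kind == "Report" and can_view(user, p, catalog))

def reports_by_listing(web_role, catalog=CATALOG, folder="/"):
    """Option #2: recurse like ListChildren() run as that user; the walk stops
    at any folder the user cannot view, hiding the reports beneath it."""
    user = WEB_ROLE_TO_SSRS_USER[web_role]
    if not can_view(user, folder, catalog):
        return []
    found = []
    for p, (kind, _) in catalog.items():
        if p != "/" and parent(p) == folder:
            if kind == "Folder":
                found += reports_by_listing(web_role, catalog, p)
            elif can_view(user, p, catalog):
                found.append(p)
    return sorted(found)
```

With this data the Supervisor's SuperUser is a Browser on /HR/Payroll but not on / or /HR, so the policy walk returns that report while the listing as SuperUser returns nothing, which matches the insufficient-permissions error the question quotes.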
I have some Extranet users. Each user has a dedicated page/item that is maintained by the Admins. The Admins should manually be able to "connect"/reference the current item to a single extranet user. I am thinking of something like using a valuelookup type or similar on the template.
But how could I accomplish this, as the users are stored in ASP.NET membership, and not directly in Sitecore, as they were in previous versions of Sitecore?
I think you've got the right idea. Either store the user's full name (Domain\UserName) in the item, or store the item ID in the user's profile. If you go the Profile route, be sure to update Sitecore's User template in the Core DB so that you can see the value in the user manager.
There's also a Sitecore table you could use called IDTable which is normally used for mapping Sitecore item IDs to external data. That might be your best solution since user Profiles can be annoying... and it will also be the most efficient in terms of finding/indexing this data. Look at the Sitecore examples of importing data to get an example using this API.