I know that Users can have their own permissions and permissions inherited from their groups. I want to be able to remove a permission from a User that was granted to them by their group, but maintain their association to the group. Is there an idiomatic way of doing this?
Example: User Bob is in the Voter group. I want to revoke Bob's voting permission, but keep him in the Voter group.
If this behavior is important for you, you could extend authentication backend to support checking a blacklist of user permissions, or assign Bob a higher-priority permission 'no voting' and check it whenever voting permission is required...
But normally, splitting Voter group to Voter and another group such as ForbiddenVoter, and assigning Bod that group, could be more logically correct and easier to achieve.
Related
I am looking for advice on a not so particular situation.
I currently have roughly 20000 stores.
All stores have admins, managers and user roles.
An admin can create/manage any roles
A manager can create/manage only user role
A user can login and access custom functionality.
Any persona can be assigned to 1 or multiple store and can have 1 or multiple roles for that particular store.
Ie:
StoreA has userA as Admin and userB as Manager
StoreB has userA as User and userB as Admin
At first, I converted my stores to be groups. But since roles are binded to the group, I would have still have 3 roles for each group (20000 groups and 60000 roles - Group StoreA, Roles: StoreA_Admin, StoreA_Manager, StoreA_User, etc...). Not sure if it is the right decision, And I am not sure about the performance.
Then, I kept the stores as groups, but instead of creating roles, I created custom multivalued attributes that saves the group uid. That worked in carbon, as well as the API, but the console doesn't like the multivalued fields. And if another role is introduced, I would have to create another field.
Any thought on how to approach this situation ?
We can map your story to IS groups and roles as follows.
Please note that groups and roles are treated as two separate resources since IS-5.11.0.
Refer to:
https://is.docs.wso2.com/en/5.11.0/setup/migrating-what-has-changed/#group-and-role-separation
https://medium.com/p/93d42fe2f135
That separation is not clearly visible in the management console. So you can use the console application to create groups and roles.
Group used to represent a collection of users in the user store. One user can belong to zero or more groups.
Role is a collection of permissions. A role can have zero or more permissions.
We can assign a role either to a group/ a user.
Due to this statement:
A user can log in and access custom functionality.
We don't need to assign any role to normal business users specifically.No specific role is required to login into the business application via identity server basic authentication. In case your business application has a role-based access control need to assign a role to business users as well. Otherwise, every user will get login permissions upon successful authentication, it should be enough to do business operations in the application.
In your case, if any store's admin has the same set of permissions and any manager has the same set of permissions, you can't just evaluate the permissions and authorize the requests.
For eg: If user B is the manager of store A and admin of store B, he has inherited both admin and manager roles related permissions. But user B performs a request on store B, you have to authorize the request based on only the roles related to store B.
So, I was trying to build IAM service like Amazon IAM, but simpler. Company has users, groups, and policies. As you can imagine users, groups, and policies has many-to-many relation between each other.
Actions:
Policies can be added to groups
User can be added to groups or policies
Now the issue is, if User try to login then I have to make 3 request:
Get group and policies from user partition
Get all policies form group in that list
Get all policies
Then I have to do 3 roundtrip for every login. Is there a better way to do this? or design the relations differently.
I would denormalize this.
The effective policy of the user should be an attribute in the user document.
The effective policy should be recalculated async after the user is added or removed from a group or a policy is attached/detached to/from the user.
I have one group in AWS as Incident-Security-operation, this group has only read-only permission to all the AWS account. But I want to give full permission or administrator to one account and read-only permission and to the rest of the accounts. Can you please help me to write permission with the condition for the particular account. I tried ArnLike and ArnEqual but didn't work for me. We integrated with AD for SSO
Regard IAM users and group, best practice for this use case is to implement two IAM groups eg Incident-Security-operation and Incident-Security-operation-admin, and give permissions to each as needed. Then you assign users to each group as needed.
This approach fosters much better security posture than conditioning permissions in a single policy.
From an operational standpoint, its much easier, and more transparent, to move users between the appropriate IAM groups, than to manage conditional logic in the policy syntax. Using IAM groups also means user membership in each group is easily auditable.
Is it possible to manage which group is allowed to create and assign users in defined groups? Example of scenario is that currently logged user can create new users, but he can assign group membership only to groups that are created by him. If there is a group created by other user, current user shouldnt be able to access that group. Also this user should be able to see just users in his own group.
I am using django admin back end for creating user groups. I created a group called admin and assigned several permissions to it.
But when I assign this group admin to a user the permissions of that group are not automatically assigned to the user.
The django docs say that:
A user in a group automatically has the permissions granted to that group.
For example, if the group Site editors has the permission can_edit_home_page,
any user in that group will have that permission.
Can someone please tell me if I understood it correctly or not? Or do I need to write some code myself to assign permissions of a group to a user.
I am using django rest framework and south and postgres as database.
Also I checked using the django shell that,
when I assign a user specific permissions manually they get assigned. Also when I assign a group specific permissions they also get assigned to that group.
But when I assign a group to a user, the group gets assigned but the the groups permissions are not.
The group permissions do not get copied to the user as user permissions, but the user should still have all the groups permissions.
Example:
User Anton
- can add X
Group Admin
- can change X
- can delete X
Anton can only add X as long as he is not in the Admin Group. When he is member of the Group he will be able to change/delete X. If you view the user permissions in django-admin they will still look the same though.