I want to set permission for viewing contracts based on groups
For Example I have organization with 5 User.(A,B,C,D,E)
Here
A is in group 'Division Head'
B is in group 'Manager'
and C,D & E all are in group 'My Employees' .
What I need to is
If A is logged into application he can see the contracts of all employees of his division(A to E)
If B is logged into application he can see the contracts of the employees who are all reporting to him that is C,D and E.
If any of employee logged into application they can See only his / her contract alone.
You can see this type of permissions in sale contracts.You can see three types of group for sales.
1.Manager
2.User
3.User -see all leads
Provide the first group, manager for the user A, then the third group, see all leads for the user B and second group for the users C,D and E.
It sounds like record rules are supposed to handle that type of thing, but I haven't used them. You might have to add some related fields or functional fields if the table doesn't already have enough information to test the relationships you want to test.
Related
This is a basic customer card:
As you can see there is a "Salesperson" linked to the customer, but in many situations customers can have multiple salespersons.
In this field I can only select one salesperson.
The problem created by this situation in the company is that sales people can't find customers that are not linked to them.
How can I assign multiple salesperson to customers?
If your salespeople are in fixed groups e.g. person A and B handle the same group of customers and C and D handle another group of customers, you could use the Responsibility Center feature.
Create a Responsibility Center for each group of customers and assign it to those customers. Then set the Sales Resp. Ctr. Filter on the User Setup for each Salesperson.
Using this field, obviously, you can't. You need to use some other field like department or customer group I don't know. Or if I remember correctly the was a table like ’My Customers’ where every user can build a list of customers he's interested in.
I am building a project using AppSync and GraphQL to enable Restaurants to track orders. There are four DynamoDB tables (one for each of the following entities): Restaurants, Staff, Tables and Orders. Each Restaurant can have many members of Staff, who are each allocated to one or more Tables. Each Table can have many orders, but an order can only belong to one table (see the System Design diagram for a visualisation of these relationships).
Problem
My issue is that I need very fine-grained hierarchical access control, with 3 main concerns:
Staff belonging to one Restaurant must not be able to Create, Read, Update or Delete any entities belonging to other Restaurants.
All staff in a Restaurant can view all tables in the Restaurant. However, they can only view orders belonging to a table if they are allocated to that table (e.g. a StaffTableJoin object which connects that particular Staff member to that table exists.) OR they are a Restaurant admin (see part 3)
A member of Staff who is a Restaurant Admin can view all orders belonging to any table in the restaurant.
A cognito user is created for each member of staff, and their permissions should be assigned based on the relationships between entities in my DynamoDB table.
Solutions Considered
I have visited the Authorization and Authentication page in the AWS docs to explore options for restricting permissions. So far, I have considered using COGNITO_USER_POOLS and AWS_LAMDBA authorization.
For the approach using COGNITO_USER_POOLS, I would create a Cognito User Group for each Restaurant. When new members of staff register, they are assigned to their restaurant's user group. I would then add an groupsCanAccess field to each entity in each database. My resolvers would check that the requesting user belongs to a group which is allowed to access each resource. However this would only address concern 1, as all staff in a restaurant would then have the same permissions to access their restaurant's resources.
For the approach using AWS_LAMBDA, I am not too sure how this would work, but I considered creating an Authorization lambda which checks which restaurant the requesting user belongs to. For instance, if the User was requesting an Order, I would need to check which table the order belongs to, then check if a StaffUserJoin exists (connecting the requesting User to the table). This approach seems very difficult (maybe impossible).
Any advice that could be offered is much appreciated, as I have been struggling with this for a long time. It seems like a common use case, where permissions are needed based on an object hierachy. Thanks in advance :)
I am using the newest version of superset and it has the row-level security option in the UI. Can anyone help me and let me know or give a little walk through that how can I implement it in the UI and use it. There is hardly much documentation there.
Row level security essentially works like a WHERE clause. Let's assume that we build a dashboard using table called tbl_org that look likes:
manager_name department agent
Jim Sales Agent 1
Jim Sales Agent 2
Jack HR Agent 3
Jack HR Agent 4
Say, we need to show Jim only the rows/records where he is a manager on the dashboard when he logs in. The same for Jack. This is when RLS is useful.
The Superset UI provides three fields that need to be filled.
Table: The table on which we want to apply RLS. In this case would be tbl_org
Roles: The role or roles to which you want this rule to apply to. Let's say we use the Gamma role.
Clause: The SQL condition. The condition provided here gets applied to the where clause when the query is executed to fetch data for the dashboard. So for example, if you use the condition manager_name = Jim this will result in the query: SELECT * from tbl_org where manager_name = Jim
If you want dynamically filter the table based on the user who logs in you can use a jinja template:
manager_name = '{{current_username()}}'
For this, the usernames created in Superset need to match the manager_name column in tbl_org
if you want [manager_name = '{{current_username()}}'] make sense,
you have to add ["ENABLE_TEMPLATE_PROCESSING": True] in the config.py.
Row Level Security (RLS) allows an admin to force a WHERE predicate into the query SQL statement that is sent to the DB on the user's behalf.
This can be used to limit the query results to rows that explicitly meet or do not meet specific criteria, and as such, cause the list or rows returned to the user to be filtered. The criteria can be applied based on the target table(s) and user role(s).
I hope you are all safe and not too crazy yet :)
Here is my use case:
Company A signs up and creates an account and can add 5 additional users / employees to be able to login and see all that companies info and no other. Now Company B signs up and can add 15 additional user / employees as they have a higher tier plan and same thing they can't see the other company. Since this is not highly sensitive data, I'll just use a low level isolation ie. "SELECT * FROM 'table' WHERE tenant_uuid = 1"
This is the first time looking at the whole multi-tenant thing, and I sorta get that but I am struggling to see how I can have multiple users tied to the one account.
The only thing I can think of is an abstract user that has a FK to the company. The company would be created with the owner user attached to the company, a custom model manager will accomplish this and then the owner can go in and add his employees.
Is this my solution or has anyone seen or used something different? any help in the matter would be greatly appreciated.
I am trying to do user and group specific database entries in my Django-REST-Framework backend. I am conceptually lost. Here's the idea I have so far:
On the database objects I want to retrieve, add a group attribute as well as a creator attribute. When I query the database, depending on the situation, I will filter by creator=request.user or group=request.user.groups.all().
However I do know that the above group part doesn't work. And I imagine I could loop through every group the user belongs to and check the group against each one. However this (to me) seems like a conceptually terrible idea. Lets say the user belongs to 20 groups and the database has 100000 entries - that's up to 2 million checks for one retrieval. That can't be okay. So my question is - how should I do this type of by group retrieval?