Read only user in Alfresco - alfresco-enterprise

We are on Enterprise - 6.1.0 and want to create a read only user. I've come across documentation that states we should be able to assign a Consumer role to this user, however there are no Consumer groups out of the box.
Let me know how this can be created.
Thanks in advance!

Related

What role do I need to assign to my user to read and write to my CosmosDB container?

When I connect to my database and try to read some data from a container, I get a 403 error that says my principal doesn't have Microsoft.DocumentDB/databaseAccounts/readMetadata permission.
I have gone through all the roles available in the Azure portal, but none of them do the trick.
For some absolutely wild reason, the roles available in the UI are not enough to start reading data from Cosmos. Instead, you need to assign a special, hidden role that exists in the system to read or write data.
See here:
https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac#metadata-requests
Specifically, it's the roles 00000000-0000-0000-0000-000000000001 for read and 00000000-0000-0000-0000-000000000002 for read+write. The same article has an explanation of how to add these from Azure PowerShell:
https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac#using-azure-powershell-1
I nearly lost my mind trying to figure out why I couldn't read my own data, given I had given several role kinds to my user, none of which worked. I have no idea why the Azure team decided to hide the required roles from the UI. Hopefully they see this answer and shed some light.
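
The role assignment described in the answer above, as an added example that is not part of the original answer. It uses the Az.CosmosDB cmdlets and assigns the read role at container scope rather than account scope; every value in angle brackets is a placeholder.

```powershell
# Added example, not from the original answer.
# Assumes the Az.CosmosDB module is installed and Connect-AzAccount has been run.
# All values in angle brackets are placeholders.
$resourceGroupName = '<resource-group>'
$accountName       = '<cosmos-account>'
$principalId       = '<principal-object-id>'   # object ID of the user, group or managed identity

# Data-plane role ID quoted in the answer: ...0001 = read, ...0002 = read+write.
$roleDefinitionId = '00000000-0000-0000-0000-000000000001'

# Narrowest scope that covers what the principal needs.
# '/' would grant the role on the whole account.
$scope = '/dbs/<database>/colls/<container>'

# Look for an existing assignment of this role to this principal so the
# script can be re-run without creating duplicates.
$existing = Get-AzCosmosDBSqlRoleAssignment `
        -ResourceGroupName $resourceGroupName `
        -AccountName $accountName |
    Where-Object {
        $_.PrincipalId -eq $principalId -and
        $_.RoleDefinitionId -like "*$roleDefinitionId" -and
        $_.Scope -like "*$scope"
    }

if (-not $existing) {
    New-AzCosmosDBSqlRoleAssignment `
        -ResourceGroupName $resourceGroupName `
        -AccountName $accountName `
        -RoleDefinitionId $roleDefinitionId `
        -Scope $scope `
        -PrincipalId $principalId
}

# Review every data-plane assignment on the account. These do not appear
# in the portal role list the question refers to, so audit them here.
Get-AzCosmosDBSqlRoleAssignment `
        -ResourceGroupName $resourceGroupName `
        -AccountName $accountName |
    Select-Object PrincipalId, RoleDefinitionId, Scope
```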

api-platform: Limit the records a user can see based on access logic

I would like to use Symfony's API Platform for a BI application. I know it is great in security and flexibility, but I need something I have not yet found in the documentation or here on Stack Overflow.
I have multiple databases and each db contains data of multiple customers.
Now I want to limit which customers a logged in BI user can see. If a BI user is limited to see only data of a subset of customers (that relation is present in the DB), how can I make sure this user will only see data related to those customers, and not any other?
I could use a customer ID as entrypoint, but since it should contain data of all customers and the list of customers is dynamic, this will not work.
I know there must be a way to have that security on kernel level/Event Listener but was unable to find this.
Thanks in advance for any help!

List Plans of all groups in my organization using Microsoft Graph SDK

I'm using Microsoft Graph SDK for .NET Core. I'm trying to get a list of all Office 365 plans in all Azure Active Directory groups within my organization.
I have been reading through a lot of questions, but haven't found a clear answer to my problem: As it's stated in the official documentation, you cannot list plans in a group using client credentials (application permissions), which is the exact authentication method I'm using. Given this, how can I achieve my objective?
As per documentation, the only way to list plans in groups is to use Delegated Permissions, but in that case, and according to the Microsoft Graph permissions:
either the user or an administrator consents to the permissions that the app requests and the app can act as the signed-in user when making calls to Microsoft Graph.
If the signed-in user is a regular user then the application will only access the groups that user is a member of. Bear in mind that there may not be a single user that is a member of all groups.
Is there a way to get my application to list all plans in all groups within my organization?
You can now use application permissions.
Outdated Reply:
Planner currently does not support application permissions. Depending on what your scenario is, you have a couple of options. One option is to create a user account to be used by your app, and add that user to all the groups. Then you'll be able to query the plans with the credentials of that user.

Permission error on user management

We just set up Elasticsearch, Logstash and Kibana on our Swisscom Application Cloud instance. Now when I log in to Kibana with the full_access_username and full_access_password I can do almost everything except adding new users and managing existing ones under settings - user management.
There I always get a message saying:
You do not have permission to manage users. Please contact your administrator.
Does any of you have an idea on how to fix that?
We'd like to have different users and give them permissions on some indices and attributes only.
Thanks in advance for your help.
As Swisscom provides their Elasticsearch Service as managed, you have some limitations in terms of administrative functions. At the time of writing this includes cluster and user management as well as watches.
You can provide new users by creating service keys: cf create-service-key <service-instance-name> <service-key-name>

Reporting on information held in Realms

Am a little new to using Realm, but learning fast. I've seen that when using the Realm object server the default setting is that a new Realm is created for each new user. I also see that with quite some effort a Global realm can be created and permissions given to it, so that many users can access that realm. As I'm working on an app where users create orders, the first approach seems more secure; each user would have access only to the orders created in that user's Realm.
My question is, in this situation how would I be able to report on total order information across users e.g. total order quantities/amounts for September for all orders taken?
I haven't been able to find any reporting system or information about this. Any advice or hints & tips that would help me solve this would be really appreciated.
So after making many checks and hearing back from the guys at Realm, it seems that it is not currently possible to get summary info across Realms.
One solution suggested would be to create a "summary" realm and write total info to it as I'm creating the other realms, which doesn't sound like a good solution.
So the only solution currently, that will allow you to get summary information across e.g. orders for different people, is to store the information in one Global Realm and set the permissions so that all users can access it.
A final note, Realm have told me that they plan to bring out an enhancement, that will help solve this issue, by letting you set securities for users within Global Realms. Hopefully that comes out soon :-)
