I trying to set a permission for a user such that this user can only access a specific value of a dimension, other values are denied on this dimension.
Tried this but does not seem to work
:schema [Sales]
-tuples DC { [Countries].members}
+tuples DC { [Countries].[UK]}
Here is a working example authorizing the [France] member only. Please refer to the online documentation for more details. Quoting this documentation:
Permissions are defined using "lines"; each line is either granting access (+) or denying access (-) to the defined MDX entity(ies). Within a scope, the first '+' means all entities are DENIED first whereas the first '-' means all entities are AUTHORIZED first.
So the following example is starting with a [+] within the [Sales] schema scope:
+schema [Sales]
:schema [Sales]
+tuples DC [Customers].[Geography].[Region].[Europe].[France]
Hope that helps.
Related
I'm trying to find inactive members in my GitLab-CE instance via the Gitlab API (v4).
One of the criteria for "(in)activity" is, whether a given user is member of any project or group.
While this information seems to be readily available via the webinterface (Groups and projects tab on the user's overview page in the admin area), I cannot find that information via the API.
The only way i currently found is, to iterate over all projects (resp. groups) and check whether the user is member thereof.
This strikes me as very slow (as there are probably zillions of projects), so I'm looking for a more direct way to query the system for all projects where user is member-of.
As in doc(https://docs.gitlab.com/ce/api/members.html), you can use:
GET /groups/:id/members
GET /projects/:id/members
to get only members added directly in a group/project
or:
GET /groups/:id/members/all
GET /projects/:id/members/all
to get all members (even those inherit from groups above)
---EDIT regards to #Nico question ---
In order to know if a user is a member of a project the solution tested by #umläute is to iterate over project members then all subgroup untill it reaches the user:
Given \fu\bar\project_p
With project_p.id = 1
bar.id = 10
fu.id = 100
Is user 'Nico' a member of project_p ?
GET /projects/1/members returns ('Paul') / No
GET /groups/10/members returns ('Marc', 'Jean') / No
GET /groups/100/members returns ('Nico') / Yes
Instead Gitlab provide an other API :
GET /projects/1/members/all returns ('Paul', 'Marc', 'Jean', 'Nico') / Yes
I need to implement role based authorization in my app before we launch for production. I have a function that checks whether the user is accessing data from only their company. I need to also make sure that a user with the role "SuperUser", "Tester", or "Manager" can also access the data even though they aren't part of the company. I've looked at other role based implementations but they don't seem to address this scenario of having to check either the company or the role.
I have the rule that has the OR statement here:
allow read: if exists(/databases/$(database)/documents/companies/$(company)/users/$(request.auth.uid))
|| hasRole(['SuperUser', 'Manager', 'Tester']);
And I have this as the function for hasRoles:
function hasRole(roles) {
return get("/databases/$(database)/documents/companies/Seva Development/users/$(request.auth.uid)").data.roles.hasAny(roles);
}
When I add this function the user is denied access, even when the left side of the OR statement is true. I can only assume something is wrong with the function, but I've been unable to find where from firebase documentation.
The document I'm trying to access looks like this:
How can I modify this function to allow me to check if the user is part of our organization and has one of the specified roles?
This works if you have the role but aren't part of the company:
allow read: if isUserCompany(company)
|| hasRole(['SuperUser', 'Manager', 'Tester']);
But it will fail if you are part of the company and don't have the role. What I can't figure out, is that this works if you are part of the company but don't have the role:
allow read: if isUserCompany(company)
So the left side works, the right side works. But they don't work together.
It also works if I write:
allow read: if isUserCompany(company) || false;
Which makes me assume the problem must be with the hasRole function if the role doesn't exist. I tried writing a function to check for the role first, but it still failed.
The problem is that you're passing a string to get() instead of a path. Note the reference documentation for get() says the argument is a Path. According to the docs for Path:
Paths can be created in two ways. The first is in the "raw" form
beginning with a forward slash /:
/path/to/resource
The second is by converting from a string using the path() function:
path("path/to/resource")
If you want to compose a string to become a path (because you have a space in there somewhere), you'll have to use the path() function. Or, you can use the bind() function to insert the values that have spaces in them. Using path():
function hasRole(roles) {
return get(path("databases/" + database + "/documents/companies/Seva Development/users/" + request.auth.uid)).data.roles.hasAny(roles);
}
Note that the leading slash is missing from the string form of the path, and all variables need to be added by concatenation.
Or you can just remove the space from "Seva Development" and just use the raw form of the path.
I am working on sensenet API. I faced an issue with setPermission on sensenetAPI security.
As per concern, when I create a document I would like to give See, open, Save and RunApplication permission as a default for newly created document to the user(User is taken from the function parameter).
To achieve this I use below code
public static void SetCollabUserSecurity(string myUserEmailId, Node myNodetToSetSecurity)
{
var domainName = "Builtin";
var strUsername = GetNameFromEmail(myUserEmailId);
User user;
using (new SystemAccount())
{
user = User.Load(domainName, strUsername);
if (user != null && user.Enabled)
{
var myUser = user;
myNodetToSetSecurity.Security.SetPermission(myUser, true, PermissionType.See,
PermissionValue.Allow);
myNodetToSetSecurity.Security.SetPermission(myUser, true, PermissionType.Open,
PermissionValue.Allow);
myNodetToSetSecurity.Security.SetPermission(myUser, true, PermissionType.Save,
PermissionValue.Allow);
myNodetToSetSecurity.Security.SetPermission(myUser, true, PermissionType.RunApplication,
PermissionValue.Allow);
}
}
}
While I am using this function, my process for creating document becomes time consuming. It takes around 40 second time for execution.
So in case of, if I would like to share the same newly created document with multiple users, lets say there are 3 user and I want to give the above permission to all of them then my single function call takes 120 second (2 minute) time to simply assign permission.
Is there any Odata REST API call available or any sensenet library call available through which I can assign...
1) multiple permission to multiple user for single document or
2) multiple permission to single user for single document
Can anyone help to come out from this issue?
Thanks!
C# api
On the server there is a c# api for managing permissions, please check this article for details. You may use the AclEditor class for setting multiple permissions in one round. Please note that you have to call the Apply method at the end to actually perform the operation.
// set permissions on folder1, folder2 and file1 for two users and a group
SecurityHandler.CreateAclEditor()
.Allow(folder1.Id, user1.Id, false, PermissionType.Open, PermissionType.Custom01)
.Allow(folder2.Id, user2.Id, false, PermissionType.Open)
.Allow(file1.Id, editorsGroup.Id, false, PermissionType.Save)
.Apply();
As a side note: in most cases it is better to work with groups than users when assigning permissions. So it is advisable to give permissions to a group and put users into the group as members instead of assigning permissions to users directly.
Also: it is easier to maintain a simpler security structure, for example if you assign a permission on the parent container (e.g. a folder) instead of on individual files. Of course if you have to set permission per file, then it is fine.
OData api
The same api is available from the client through the REST api. Please take a look at the SetPermissions action in this article or the similar api in the JavaScript client library of sensenet.
I am using the ASP.NET Identity framework, with the EntityFramework provider (IdentityDbContext).
I attempt to create a user by calling UserManager.CreateAsync(..).
It returns an object of type IdentityResult, with the following values:
{
Succeeded: false,
Errors: ["Name AndrewShepherd is already taken."]
}
The error is valid - there is indeed another user called "AndrewShepherd" in the database. This is not a name the user picked; instead I am generating this name from the Outh2 account information provided by their Google account. (Google Accounts don't enforce unique names, just unique email addresses).
Since the problem is a duplicate name, I can simply try appending a number to the name and trying again. I would programmatically attempt to create AndrewShepherd_1, AndrewShepherd_2, AndrewShepherd_3 until I am either successful or get a different error.
But how do I programatically determine that the problem was a duplicate name?
Options are:
Perform a pattern match on the error string. This solution is guaranteed to break when the next version of ASP.NET Identity has a differently worded error messages or we internationalize the website.
Run the check before creating the user. I would call UserStore.FindByNameAsync to determine if the name had already been taken before invoking UserManager.CreateASync(..). This would have a small concurrency risk if two different sessions are attempting to add the same user name at the same time.
It would be some much easier if we could simply perform a check like this:
if(identityResult.Errors.Where(e => e.ErrorCode == IdentityErrors.DuplicateName).Any())
Is there a way I can perform a unique user check then add a user, that's safe in a concurrent environment?
As an alternaive, you can check if the user name is exist in your DB like that. If user name is already taken, you can change new user name like AndrewShepherd_1, AndrewShepherd_2, AndrewShepherd_3.
using (YourProjectName.Models.DefaultConnection db = new Models.DefaultConnection ())
{
if (db.AspNetUsers.Select(q => q.UserName).Contains("usernameThatYouWantToCheck"))
{
/*Your code*/
}
}
I'm trying to create a Ldap schema for our users and groups (using ApacheDS but that should not matter)
Currently i have something like this
(dc=company, dc=com)
- ou : groups
- GroupOfNames: cn=users
-GON: cn subgroup A
* member : uid = user1
- GroupOfNames: cn=Admins
* member : uid=admin
- ou : users
- InetOrgePerson uid="admin"
- InetOrgePerson uid="user1"
Now the problem is I'm trying to connect a portal to use this schema for authentication/group membership.
The Portal wants the "user" to 'know' the groups it's member of (which is probably more efficient)
So I would need to have something like
- InetOrgePerson uid="admin"
* memberOf : "cn=admin,cn=groups,cd=company,dc=com"
But inetOrgPerson does not allow any kind of memberOf attribute .... so my question is:
What kind of Ldap Object class can I use instead of inetOrgPerson that would allow a memberof attribute.
inetOrgPerson. You don't need a memberOf attribute. Just execute a search of the GroupOfNames 'member' attribute. This is how it is normally done.
Well, the server does matter. Since there is no standard for getting group membership in the users entry.
I don't know if Apache DS supports the "memberOf" attribute. OpenDJ (opendj.org) or OpenDS, SunDSEE do support it via the "isMemberOf" attribute (and could be configured to return either name).
The isMemberOf (or memberOf) is an operational attribute and thus must be explicitly requested in the search query.