I am implementing a solution where a Fiware user can see his roles assigned to him.
Currently using https://github.com/ging/fiware-cloud-portal code to enhance this feature. Here I am referencing the inbuild function JSTACK.Keystone.params.access.user.roles. I am getting the role as member, however, there are other roles assigned to the user.
The above code is a comment which I want to implement. However, there is no cloud_role parameter available.
Can anyone help in this code as how to get all the roles of Fiware account users?
Related
I have a project that uses Firebase analytics. I want to assign a user for just viewing analytics Data.
Recently, Google added Permissions option that can add user with email address and role, but I could not find out which user is fit for that.
this is adding user progress:
first click permission in project page:
then select "add user" and then you should enter an email address and role type:
Is there any documentation that describe these user roles and scopes?
If you click on the Learn More hyperlink visible in the 2nd screenshot you provided, it'll take you to the Understanding Roles documentation that talks about the roles and the permissions.
It seems that there are two types of roles, Primitive and Predefined (which is still in Beta).
Primitive Roles
Roles that existed prior to Cloud IAM, Owner, Editor, and Viewer will continue to work as they did before. These roles are concentric; that is, the Owner role includes the permissions in the Editor role, and the Editor role includes the permissions in the Viewer role.
Predefined roles
Beta: The Beta Cloud IAM roles described in this section might be changed in backward-incompatible ways and are not recommended for production use. They are not subject to any SLA or deprecation policy.
In addition to the primitive roles, Cloud IAM provides additional predefined roles that give granular access to specific Google Cloud Platform resources and prevent unwanted access to other resources.
The list of roles for each and a description for their permissions are also described there.
I would like to implement claims based authorization in a Web Api project. I understand the idea of claims and can manually add a claim to a user and authorize a request based on it. However, I don't know how I should manage the claims, assign them to users and update them in future.
For example, say I have a Product entity and ProductCreate, ProductRead, ProductUpdate and ProductDelete claims for the CRUD operations on this entity. So I have a few questions:
I can store the claims in the DB, but what is the best way to add the "default" claims to a user on registration?
If I add new functionality to list the products which is only authorized if the user has the ProductList claim - new users would get this claim, but how would I add this claim to all existing users in the system?
Should there be a limit on the number of claims associated with a user? In a larger system with many entities, a user could end up with hundreds of claims
As I said, I know how to physically add the claims to the user etc., but it's more the bigger picture of the process of how you would manage claims and users in a real world example.
Thanks!
UPDATE
Thanks Brendan, I appreciate your help! I don't know if I'm misunderstanding something fundamental or if the answer is staring me in the face - either way, I'm not getting it.
So I have web api and would like to give granular access to the different controller methods. As the Admin, I want to be authorized on all calls so I should have all claims. Registered users should have read access to some methods and you as a moderator should have update and create access to some. My understanding is that these claims should be stored in a DB (SQL server in my case) somewhere and "assigned" to the user when they register. Using Asp.Net Identity, each user's claims would be stored in the AspNetUserClaims table, so when they login they get all their claims in the token by default. Simples!
What I am missing is the process of how you would handle the claims that should be assigned to a user when they register, what claims should a Moderator get etc. and how would you add / remove privileges. It doesn't seem right to me to have this in the code as adding a new claim in the system would require a rebuild and new deployment.
Also, if I add new functionality which requires new claims for different types of user, how would I make sure that the next time an existing user logs in they get the new claims as well as the ones they were assigned when the first registered.
I hope I am making sense, I may be mixing up some of the Role-based thinking with some of the Claims-based thinking which could be the source of my confusion. I just haven't seen any examples of how you would manage an application with many, many claims in the real world.
Thanks again!
That's exactly the same question and issue i'm running into. All I found is info on how to create a claim using the manager classes but nothing on where to manage these claims.
There can be different combination of access to give to a user and if my UI is a disconnected UI from my API, I don't think i would want the ui to manage these claims for me.
Other than mucking and creating a claims manager class with a claims table did you figure anything built in that can be used?
I'm working on a Symfony app that will have some basic roles that can be assigned to users. Note, I'm not using the FOSUserBundle because I don't need more than half the features in it.
I have my users defined in the database, but I'd like to keep the role definitions out of the database. But several examples and other tutorials I've found keep the roles in the database, and use a ManyToMany relationship to assign them to users. This seems odd to me, since the actual use of the roles is hardcoded into the app.
For example, if I have a custom role ROLE_EDITOR, I have several routes and controllers that I may restrict to ROLE_EDITOR. Why would I "define" this role in the database? That means when developing my application and I add a new user role, I have to either write a script to programmatically insert a new role into the DB or do it manually, before the code is deployed that makes use of the role. I don't want admins to be able to add/edit/delete roles. It should be a design decision done programmatically.
In Drupal, there's a concept of Roles and Permissions. You define permissions in code and check against those, and then roles are defined in the database and are assigned permissions. But it seems that Symfony just has the concept of Roles.
I'm hoping someone can fill in a missing piece of information for me or something. How can I implement a system where the role assignments are done in the database, but the roles themselves are managed via code only?
My instinct is to just create a single entity that relates to User and has a string field for the ROLE_NAME. But this seems to go against the paradigm of having a real Role entity.
I'm trying to figure out how when using the default asp.net forms authentication stuff one can change the roles that a user has dynamically. In our case a user has access to many accounts and there roles can change per account. This doesn't seem like rocket science to me but I can't figure out I would do this. Does anyone have a experience trying to do this or a link that would be helpful?
UPDATE:
Just to clarify. We know at startup that User X has access to account #1 with roles 1,2,3 and account #2 with roles 1,2.
So first off I have to handle this part of the problem. Getting their roles based off their current account. For this I think I'd use a RoleProvider. The problem I'm trying to solve though is once ASP.Net has a User how do I tell it to invalidate that user or refresh that user so it would hit my custom RoleProvider (or what not) again.
Roles.AddUserToRole() should take care of adding the user to a role.
For removing: Roles.RemoveUserFromRole()
http://msdn.microsoft.com/en-us/library/system.web.security.roles.aspx
Our site has got two ASP.NET membership providers. The built in one, and a custom one (SqlMembershipProvider.
I am able to log into both no problems, but I don't necessary require the ability to have both logged in at the same time.
The issue I have is as follows:
User "person_a#site.com" logs into the built in provider. They then navigate to the section of the site where we require the custom provider.
On this page, I can check if they are authenticated, and get their username. I can then get a MembershipUser object form the custom providers GetUser method. (HttpContext.Current.User.Identity.Name)
It is possible (and very likely) that the username "person_a#site.com" could also exist in the users for the custom provider.
But, I don't want them to be logged in here, as they haven't authenticated against the custom provider.
So, is it possible to check which proivider HttpContext.Current.User was generated from.
Hope this all makes sense!!
Yes, if you notice on the RolePrincipal there is a property called ProviderName.
Typically when people roll their own providers they omit usage of this field.
In your case, simply modify your custom provider to identify itself, if it does not already, and check that property of the user.