I found some helpful information in this post (Adding google groups to roles), which helped me realize I have to have permissions to at least read group membership in order to get a group to properly assign to a role under access permissions (or role assignment). The only way I could get the small group icon next to the group e-mail address was to add myself (developer account) to that group. I do not want to be added to every group in my domain which I assign to roles in my App Maker apps, but I can't seem to find the right access permissions to grant access.
I have a second group which I have NOT added myself to, but have allowed everyone in the organization to view members and members' e-mail addresses. Is there something I'm missing, as App Maker does not appear to find the group (as indicated by the group icon) when adding it to a role?
Related
Is it possible to use firebase authentication to get google's organization information?
I want to control access to the application by organization.
What I want to achieve is:
Get the organization of the user who is logged in to G Suite, and allow the user to use the application only if the organization matches the whitelist that we have prepared.
Furthermore, we want to control access by groups within the organization (for example, in a school, we want to change the APIs that teachers and students can access).
The problem is that you have to control access within the same domain...
I have created a secondary user store using LDAP. By default, all users of the secondary store have no permissions. Is there a way to assign the subscriber role to all users in one operation, or do I have to do it manually for each user?
Thanks
By default WSO2 uses the groupId ('Organization') of the user to share the Application in the Devportal, as mentioned here in the documentation: sharing applications.
You can go to the Carbon UI and search for the LDAP users among which you want to share an Application. Next to the user, click on the 'User Profile' tab. There you can edit the value next to the 'Organization' column. For this, your secondary user store should be 'ReadWriteLDAPUserStore'. Similarly, edit the value for each user in the secondary user store to the same value to share the Application among them.
In fact, in the LDAP user store, if you configure LDAP groups they are automatically created as roles, and you can apply permissions to a role which will be applied to all users of your LDAP group.
But I didn't find a way to share applications between users of an LDAP group ...
Here is a better way to achieve it. In the official documentation it is mentioned that it allows the Applications to be shared if we have common roles, and, as you said, WSO2 treats AD groups as roles. Let's assume you have two users user1 and user2 in your LDAP store, both of which are part of the AD group 'AD_Group'.
So mention the AD group name common to the users among which the application needs to be shared:
Also change the configuration as follows in the deployment.toml file:
[apim.devportal]
enable_application_sharing = true
#application_sharing_type = "default"
application_sharing_claim = "http://wso2.org/claims/role"
I am able to assign the roles to four custom groups (Admin, Record manager, User, Info) as well as create the file plan category in a particular agency (for instance, agency1). Then I created the agency admin (for instance, agency1 admin) for the particular agency (for instance, agency1). Based on the group, I need to assign the contributor permission for admin as well as the consumer permission for the Record manager, User and Info groups. But if I create another agency admin (for instance, agency2 admin), log in as agency2 admin and assign the contributor permission, then while viewing the file plan category I get two categories, agency1 and agency2.
I need to restrict access to show only the agency1 file plan category while the agency1 admin is logged in to the Records Management site. Please help me achieve this in an Alfresco webscript.
Resolved by creating the node and passing the node details to the records management POST web service (api/node/"+Q.storeType+"/"+Q.storeId+"/"+Q.Id+"/rmpermissions") as well as passing the permissions as data.
I am currently using AD groups to manage roles and access to Dynamics AX 2012. So for example I have an AD group called GG_AX_SalesRepresentative, and it is used to allow everyone in the group to log on to Dynamics AX and to receive the corresponding role in AX.
So this is working, and users that log on to Dynamics AX and are members of the group will automatically be created within Dynamics AX and receive a $CA2D-like userId. They have no role assignments because AX knows that they came from the AD group and the roles are defined on the group itself. Thus management of users through groups is OK and working.
But now I need to provide a custom service to a third party that returns all of the legal entities where a role assignment for a given user is active. E.g.: I want to pass a UserId to the service and it must check if that user is a service desk user and, if so, check in what legal entities.....
User data can be found in the UserInfo table.
User role assignments can be found in the SecurityUserRole table.
It seems I would have the data I need, except for the fact that the user role assignments are done on the group! How can I find which groups this user is linked to within Dynamics?
So what I want to know: I have user $CA2D, he is a member of the helpdesk role since he was a member of that group, and thus he has the roles linked to that AD group.
Any ideas would be welcome :-)
We have worked our way around this and have written some logic that queries the AD to see if the user is in the group on the AD, and then we look up the group in AX with the same network alias. This way we can fetch the roles attached to that group.
I have a different access role for each of the pages in my application (using Windows Authentication) to restrict users' access, using SqlRoleProvider. So to add users to a role, I would go:
Roles.AddUserToRole(userName, roleName);
Now, I need to integrate the company's AD groups into my application, such that each AD group will be assigned these access roles as well, and users who are part of a certain AD group will automatically "inherit" the roles.
My questions are:
Can I continue to use my SQL tables like aspnet_Users, aspnet_Roles etc?
How do I go about integrating AD groups? And how do I assign roles to AD groups? (So far, I can check all the AD groups a user is part of using DirectoryEntry.)
As a user logs in to the application using Windows Authentication, after I check that they are part of a particular AD group, how do I "give" or "assign" them the roles as per AD group?
Would deeply appreciate your help with these questions.
The AD ASP.NET Membership and Roles system ties directly into AD; your database tables are ignored. An AD group becomes an ASP.NET Membership role.
The rest of my post is concerned with applications modifying AD groups directly:
You can, with great difficulty, but in that case it is not recommended.
Active Directory group membership is assigned by another user who is a member of the Domain Admins group, or is delegated the permission to assign users to other groups.
In order to do this from code (using ADSI) your program would then need to run under (or use an impersonation token of) a user identity that is a member of the Domain Admins group or is delegated that user right.
...this means that your program is suddenly trusted with an ability that, if hacked or abused, can wreak havoc in your security domain. I do not recommend doing this.
Documentation is available on MSDN: http://msdn.microsoft.com/en-us/library/windows/desktop/aa706022%28v=vs.85%29.aspx
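The AX workaround above (query AD for the user's groups, then look the group up by name to get its roles) and the ASP.NET question about "inheriting" roles from AD groups both come down to the same step: resolve a user's group membership, then map group names to application roles with deny-by-default. The script below is an added example, not code from any of the posts or products above. It stands in for the directory query with a constructed in-memory memberOf table, and the group-to-role and role-to-legal-entity tables (GROUP_TO_ROLES, ROLE_TO_LEGAL_ENTITIES) are hypothetical values chosen for illustration.

```python
"""Map Active Directory group membership to application roles (added example).

A real deployment would obtain the DN list from the user's memberOf
attribute (or, for transitive membership, tokenGroups); here that lookup
is replaced by a constructed table so the script runs offline.
"""
import re

# Constructed sample data: account -> DNs as returned by memberOf.
SAMPLE_MEMBER_OF = {
    "CONTOSO\\jdoe": [
        "CN=GG_AX_SalesRepresentative,OU=Groups,DC=contoso,DC=local",
        "CN=All Staff,OU=Groups,DC=contoso,DC=local",   # not mapped -> ignored
    ],
    "CONTOSO\\asmith": [
        "CN=GG_AX_ServiceDesk,OU=Groups,DC=contoso,DC=local",
    ],
    "CONTOSO\\guest": [],
}

# Hypothetical role table keyed by lower-cased group CN.  Any group not
# listed here grants nothing: the mapping is deny-by-default.
GROUP_TO_ROLES = {
    "gg_ax_salesrepresentative": {"SalesRepresentative"},
    "gg_ax_servicedesk": {"ServiceDesk", "Viewer"},
}

# Hypothetical: application role -> legal entities where it is active.
ROLE_TO_LEGAL_ENTITIES = {
    "SalesRepresentative": {"USMF"},
    "ServiceDesk": {"USMF", "DEMF"},
    "Viewer": {"USMF", "DEMF", "FRRT"},
}

# Leading RDN of a DN; "\\." keeps escaped commas inside the CN value.
_CN_RE = re.compile(r"^CN=((?:\\.|[^,])+)", re.IGNORECASE)


def group_name_from_dn(dn):
    """Return the normalised CN of a group DN, or None if it has no CN RDN."""
    match = _CN_RE.match(dn.strip())
    if match is None:
        return None
    return match.group(1).replace("\\,", ",").strip().lower()


def lookup_member_of(user_id, directory=SAMPLE_MEMBER_OF):
    """Stand-in for the directory query; unknown accounts have no groups."""
    return list(directory.get(user_id, []))


def effective_roles(user_id, directory=SAMPLE_MEMBER_OF, role_table=GROUP_TO_ROLES):
    """Union of the roles granted by every mapped group the user belongs to."""
    roles = set()
    for dn in lookup_member_of(user_id, directory):
        name = group_name_from_dn(dn)
        if name is not None and name in role_table:
            roles |= set(role_table[name])
    return roles


def legal_entities_for(user_id, role, entity_table=ROLE_TO_LEGAL_ENTITIES, **kw):
    """Legal entities where `role` is active for the user (empty if not held)."""
    if role not in effective_roles(user_id, **kw):
        return set()
    return set(entity_table.get(role, ()))


if __name__ == "__main__":
    for account in SAMPLE_MEMBER_OF:
        print(account, sorted(effective_roles(account)),
              sorted(legal_entities_for(account, "ServiceDesk")))
```

Two caveats apply when the constructed table is replaced by a real directory query: memberOf lists only direct membership, so nested groups are missed unless the transitive tokenGroups attribute is read instead; and matching on the group's CN (as the AX network-alias workaround does) is weaker than matching on its objectSid, since a renamed or recreated group keeps or changes its role grant silently. The AD Roles provider mentioned in the answer above performs this resolution for you, which is one reason it is preferable to maintaining the mapping by hand.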