Alfresco ECM mandatory access control? - alfresco

Does Alfresco ECM have a component that allows working not through role-based access control, but using mandatory access control (MAC)?

No. Alfresco ECM has no out-of-the-box support for dynamic authority security concepts like RBAC or MAC that support defining (business) rules on (business) objects. What Alfresco calls roles are in reality permission bundles (groups of permissions) to be attached to a content node.
To be fair: most general-purpose DMS systems don't support dynamic, configurable role concepts in the sense of RBAC and MAC, but Alfresco has the low-level support to implement this:
- policies (similar to database triggers)
- method-level security (Java voter methods which can be hooked in)
Take a look at Authorization And Access Control.
We implemented this for special use cases (e.g. role-based access for special document types, or access rights based on associations to mimic cases), but it may be a bigger job than expected to make this work transparently in Share and scalably over millions of documents.

Alfresco ECM provides role-based access controls.
There are some roles such as:
- Contributor
- Collaborator
- Editor
- Consumer
According to these roles you can access content in the Alfresco repository.
You can find more in the Alfresco Documentation.

Related

How to add Azure custom Policy for Azure Data Factory to only use Azure Key Vault during the Linked Service Creation?

How to add Azure custom Policy for Azure Data Factory to only use Azure Key Vault during the Linked Service Creation for fetching the Data Store Credentials instead of credentials being put up directly in ADF Linked Service. Please suggest ARM or PowerShell methods for the policy implementation.
As of yesterday, the Data Factory Azure Policy integration is available, which means you can now find some built-in policies that can be assigned to ADF.
One of those is exactly what you're asking for, as you can see in the image below. You can find more information here.
Edit: Based on your comment, I'm editing this answer with the info you want. When it comes to custom policies, it's pretty much up to you to come up with them and create what fits your needs. In your particular case, I've created one policy that does what you want, please see here.
This policy will audit your data factory linked services and check if they're using a self-hosted integration runtime. Currently, that check is only done for a few types of integration runtimes (if you look at the policy, you can see 5 of them), which means that if you want to check more types of linked services, you'll need to add them to the list of allowed values and select them when assigning the policy definition.
Bear in mind that for some linked service types, such as Key Vault, that check won't make sense since that service can't use a self-hosted IR.

ASP.NET Membership on .NET 4.0 Multi-Tenant app. Default or Custom?

This is my first attempt, trying to integrate Membership on an existing shop already in production.
I'm not quite sure, based on my scenario, if I should use the built-in aspnet providers or custom implementations of them in order to integrate membership.
Here are a few details:
- I have a multi-tenant, single-database, single-schema web app based on subdomain.
- The app is already in production and I will later want to link newly registered users with existing anonymous orders by email.
- The development will continue after the membership integration; new features will be added, meaning new columns and linked tables for the users table.
This answer got me thinking of using the membership default Profile in order to extend the users table created by the aspnet providers, since I don't have users yet. Though it's not clear to me how I would link Users with Orders and other tables/entities that might later be added when the app is going to be extended.
Maybe I could define my entities related to users as user-defined profile properties, but they would not have associations in my database.
Another overhead I'm thinking of is how I would associate the users with the different tenants of the app. I would want users to be able to register in different tenants/subdomains with the same email.
How would you implement membership in this scenario?
This question is an aggregate of a few questions. I will try to answer them to the best of my knowledge.
In case of managing users, I would like to suggest that you consider the following approach:
- Pre-define a list of basic user profile metadata that you will need in the application.
- Create an extensible approach, like having custom fields for the user profile, so that it can accommodate any data that may be required to be captured in future.
- You should also be planning for a self-registration system in the application that will allow your users to register themselves, like the anonymous ones who use the system with an email.
Regarding associating the business entities, you will need to associate the entities with the tenant and not with the user. The level of application will be from the tenant and then it will flow down to the users.
Additionally, you should not have the user-accessible business entities; when they are maintained in the form of a package or so, it will be very easy to manage and use.
Share your thoughts on these approaches.
- Create a tenant identifier column [property] for each profile that identifies the base tenant to which the user belongs.
- Create a table that manages the list of other tenants that the user may be gaining access to at a later point.

Can i get list of users associated with a content in CMIS?

I am trying to implement a user-content ACL mapping service in Alfresco using CMIS, where I will allow a user to see a content item if he has permissions for this content.
I have got the list of ACEs for a content item using the CMIS ACL service, but I am still trying to find a way to know whether a user has permissions on this content, or whether he belongs to any of the ACEs of this content. Or whether there are some common ACLs/ACEs between the content and the user which I can match before I allow/deny access to the content.
As CMIS is a repository-agnostic standard, I hope I can get something to complete the mapping service.
In case you are using CMIS 1.1 against Alfresco, you could try using the ACE principal ID to retrieve the corresponding person / group. This is possible through the introduction of the cmis:item base type in CMIS 1.1. See http://ecmarchitect.com/archives/2014/04/28/3703 for information about those possibilities.
Unfortunately, it is not possible to resolve user-group or group-group memberships, as those relations are child associations which Alfresco does not expose as a CMIS relationship.
This is not possible because the standard does not care about a principal's effective rights on a documentary database object.
And I needed exactly the same thing, but I had to give up.

How to handle complex authorization in an ASP.NET MVC 4 / EF application?

The ability to add, update, and delete various entities in my application is often determined by the relationships defined between the various users involved. Here is an example:
A basic user or his supervisor can create tasks associated to the user, but only his supervisor can lock down the task so that the basic user will no longer be able to add/update/delete it. Until locked down, both individuals will be able to update the task.
What is the best approach to implement this kind of complex and advanced rules that deal with the relationship of users and the state of the entities (new, existing), as well as other things like maybe a user-defined status associated to the entity?
Thanks
What is the best approach to implement this kind of complex and advanced rules that deal with the relationship of users and the state of the entities (new, existing), as well as other things like maybe a user-defined status associated to the entity?
You want to use an authorization standard, namely XACML, the eXtensible Access Control Markup Language. XACML is:
- a standard developed by OASIS, just like SAML is
- a standard that focuses on fine-grained access control: access control that takes into account user information, resource information, state, and contextual information
- a standard that implements the attribute-based access control (ABAC) model: the user information, resource data, and state can all be seen as attributes
- a standard that uses policies and rules to structure the attributes and grant / deny access: XACML is policy-based
- a standard that can be applied across multiple layers, e.g. across the presentation tier, the data tier, and the business tier of an MVC application
- a standard that can be applied to multiple technologies and languages, e.g. C# (MVC4 and more), Java, Python...
With XACML, you can easily implement relationships, e.g.: an employee can approve a transaction if and only if the transaction amount < employee approval limit AND the transaction is not locked.
Where to go from here?
- Check out NIST's page on ABAC.
- Check out OASIS XACML's page and spec.
- Check out existing implementations (open-source and vendor, such as the one I work for, Axiomatics).
At a bank I worked for, we had a loan management system that allowed the entire bank hierarchy to see loans in their reporting structure. For instance, a Market exec could see the loan portfolio of all of his/her reports at once. Additionally, s/he had the ability to select from a list of all reports' (direct or indirect) names to view the portfolio of that employee.
It was complex, but we had to maintain an HR database of the reporting structure. Once we had that, we built user functions (could be done as stored procs, too, but user functions worked well in our LINQ to SQL backend) that allowed us to check whether user x supervises user y.
So, in your example, as long as you know who owns the task, and have access to a method that can be used to determine if the task owner reports to the currently-logged-in user, you should be able to easily enable/disable the "lock" button on the page.
The legwork lies in creating that reporting structure DB, and keeping it up to date!
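The supervisor check and the lock rule from the question, worked as an added example (not code from either answer above): a small reporting structure stands in for the HR database, a transitive supervises() function plays the part of the "does user x supervise user y" user function, and the task rules are evaluated from it. All names and sample data are constructed.

```python
from dataclasses import dataclass

# Constructed sample data standing in for the HR reporting-structure
# database: employee -> direct supervisor.
REPORTS_TO = {"alice": "bob", "bob": "carol", "dave": "carol"}

@dataclass
class Task:
    owner: str           # the basic user the task is associated with
    locked: bool = False

def supervises(manager: str, employee: str) -> bool:
    """True if manager is a direct or indirect supervisor of employee.
    Plays the role of the "does user x supervise user y" user function
    in the answer; the seen set guards against a cyclic HR record."""
    seen = set()
    current = REPORTS_TO.get(employee)
    while current is not None and current not in seen:
        if current == manager:
            return True
        seen.add(current)
        current = REPORTS_TO.get(current)
    return False

def can_create_task(actor: str, for_user: str) -> bool:
    """The user or any of their supervisors may create a task for the user."""
    return actor == for_user or supervises(actor, for_user)

def can_modify_task(actor: str, task: Task) -> bool:
    """Add/update/delete: a supervisor at any time, the owner only while
    the task is not locked down."""
    if supervises(actor, task.owner):
        return True
    return actor == task.owner and not task.locked

def can_lock_task(actor: str, task: Task) -> bool:
    """Only a supervisor of the owner may lock the task down."""
    return supervises(actor, task.owner)

def lock_task(actor: str, task: Task) -> Task:
    """Server-side enforcement of the lock rule; enabling or disabling the
    page button is a convenience, this check is the actual control."""
    if not can_lock_task(actor, task):
        raise PermissionError(f"{actor} may not lock a task owned by {task.owner}")
    task.locked = True
    return task
```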

In Symfony2, how to handle dynamic access / rights?

I'm trying to find the best way to handle a "complex" security / privacy system using Symfony2.
I read a lot of documentation about the ROLES and the ACLs but I'm looking for something different.
I need the rights to be calculated based on the properties of the objects.
In my case, I have a User object and multiple other objects (Project, Task, Label, and more...).
I need to check if a User can read or write any kind of object without storing the rights in the database (like the ACL system is doing). The rights should be "calculated" based on the relation between the User and a given object.
For example, the User(1) can write on the Task(2) because he is a member of the Project(3) and the Task(2) is in the Project(3).
The Roles of the security service can't handle that. The ACL could handle it but I don't want to store the rights in my database because I know that they are going to change a lot during the life of the product.
Is there a known good practice for that kind of needs or should I write my own system?
Thanks.
"that they are going to change a lot during the life of the product" -> IMO, storing them in the database is the best, and ACLs are a good way to do that.
In your example above, ACLs would be great to manage rights between Users and Projects, and rights on Tasks would depend on these Project rights.
These rights would be accessible in your controllers and your views with isGranted() and is_granted() respectively if you implement your own aclVoter: http://symfony.com/doc/current/cookbook/security/voters.html
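A sketch of the approach in the answer above, as an added example that is neither the answer's code nor Symfony's: rights between users and projects are stored (the ACL entries), and a voter derives a Task right from the owning Project at decision time, abstaining for anything it does not understand, the way Symfony voters do. Written in Python for brevity; the vote constants, attribute names and sample data are constructed.

```python
from dataclasses import dataclass

# Vote outcomes, mirroring the three values a Symfony voter can return.
ACCESS_GRANTED, ACCESS_ABSTAIN, ACCESS_DENIED = 1, 0, -1
VIEW, EDIT = "VIEW", "EDIT"

@dataclass(frozen=True)
class Project:
    id: int

@dataclass(frozen=True)
class Task:
    id: int
    project: Project

# Stored ACL entries, constructed: (user id, project id) -> granted attributes.
# Only Project rights are stored; "User(1) can write Task(2)" follows from
# membership in Project(3), nothing is stored per task.
PROJECT_ACL = {
    (1, 3): {VIEW, EDIT},
    (2, 3): {VIEW},
}

def project_voter(user_id, attribute, subject):
    """Votes only on Project objects and known attributes; abstains otherwise."""
    if not isinstance(subject, Project) or attribute not in (VIEW, EDIT):
        return ACCESS_ABSTAIN
    granted = PROJECT_ACL.get((user_id, subject.id), set())
    return ACCESS_GRANTED if attribute in granted else ACCESS_DENIED

def task_voter(user_id, attribute, subject):
    """Derives a Task right from its Project, so changing one project ACL
    entry changes the rights on every task in that project."""
    if not isinstance(subject, Task):
        return ACCESS_ABSTAIN
    return project_voter(user_id, attribute, subject.project)

VOTERS = (project_voter, task_voter)

def is_granted(user_id, attribute, subject, voters=VOTERS):
    """Affirmative strategy: one GRANTED vote suffices; if every voter
    abstains or denies, access is denied (deny by default)."""
    return any(v(user_id, attribute, subject) == ACCESS_GRANTED for v in voters)
```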
