OIM11gR2PS3 Dynamic Manual Fulfillment Task Assignment - soa

Usually when a Disconnected Application Instance is provisioned to a user, the manual fulfillment tasks are by default assigned to the "SYSTEM ADMINISTRATORS" Role. We can modify it to any other role directly in SOA Composer so that the fulfillment tasks are assigned to the newly updated role. We can also have different rules in place for different application instances.
But the scenario is as follows: we have a Role associated with an access policy which will provision a Disconnected Application Instance to the user upon provisioning the role. The Access Policy is also associated with some entitlements which will require manual fulfillment tasks to be assigned to a particular fulfillment role, which differs for different roles.
How do we dynamically fetch the Fulfillment Role in order to assign the task to them? I understand we should achieve it using Oracle Business Rules. But how do I get the catalog attributes in the DisconnectedProvisioning composite?
I am a beginner in SOA workflow implementation, so please provide some detailed answers.
Thanks,
Srini

You should be able to assign a role to the Fulfillment Roles on the Disconnected App and its separate entitlements in the catalog.
Then when the Access Policy triggers, first a Provision Task should be generated for the Fulfiller role on the application instance; then once that is completed, a Grant Entitlement task will be created for the fulfiller roles associated with each entitlement.

Related

How to model many-to-many relationship between users and tenants on Google Identity Platform?

In some B2B applications that employ multi-tenancy, a single user can belong to multiple tenants. Slack, for example, allows the same user (email+password combination) to view all the workspaces (tenants) they belong to and alternate between them seamlessly. As users switch workspaces, the application switches context to the selected workspace, loading workspace-specific entities such as channels, messages, and threads.
Is it possible to do something similar with Google Identity Platform (GIP)?
I understand that in multi-tenancy in GIP, all users are scoped to zero or one tenants. If a person needs to belong to 2 tenants, 2 users must be created, each with their own unique uid. This is not a big deal when users sign up with Federated Identity Providers. They see a consent screen twice, confirm, and the application can apply some logic to know they are the same person. For example, it can hash their email address, and link the two tenants to it.
But if users log in with email+password, such an approach requires users to maintain two passwords for the same service, diminishing the user experience.
I imagine that one solution is to disable multi-tenancy and store the user-to-tenant links in Firestore, or perhaps as a custom claim so that Firestore Security Rules checks don't require an extra read on every request. However, this might make it harder to enforce different authentication requirements for different tenants. For example, a user may switch context to a tenant that requires 2FA as part of their policy, and it could be advantageous to have GIP manage that part.
Are there better approaches for such a scenario?
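As an added illustration (not part of the question above), here is how the custom-claim variant the question sketches looks in Firestore Security Rules, beside the Firestore-stored variant that costs the extra read. The claim name `tenants` (a list of tenant ids set via the Admin SDK) and the `tenants/{tenantId}/members/{uid}` membership path are assumed, not from the page.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Variant 1: membership carried in the ID token as a custom claim.
    // Assumed claim name "tenants": a list of tenant ids the user belongs to.
    // No document read is needed to evaluate this.
    function isMemberByClaim(tenantId) {
      return request.auth != null
        && 'tenants' in request.auth.token
        && tenantId in request.auth.token.tenants;
    }

    // Variant 2: membership stored in Firestore (assumed path). Each
    // evaluation costs one extra document lookup, which is the trade-off
    // the question mentions, but changes take effect immediately.
    function isMemberByDoc(tenantId) {
      return request.auth != null
        && exists(/databases/$(database)/documents/tenants/$(tenantId)/members/$(request.auth.uid));
    }

    // Every document under a tenant is reachable only by that tenant's
    // members; switch to isMemberByDoc(tenantId) to use variant 2.
    match /tenants/{tenantId}/{document=**} {
      allow read, write: if isMemberByClaim(tenantId);
    }
  }
}
```

One caveat for the claim variant: a removed membership stays valid until the user's ID token is refreshed or revoked, so revoke refresh tokens when a user is dropped from a tenant.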

Set someone else as cluster admin via kql syntax

I created a kusto cluster and database as one of my accounts on one Azure subscription, but now I want to grant cluster admin permissions to one of my other accounts that is not part of this subscription.
I have to do this via a KQL command, or some other way where I can manually pass in which users are becoming admins.
Is there such a thing as Cluster Admin permissions?
I added my other account as an admin to one of the databases in my cluster using
.add database DatabaseName admins ('aaduser=username@email.com')
but I cannot seem to do the same on a cluster level. How can I do this?
Cluster admin isn't a role you can add principals to.
You're likely looking for the All databases admin role: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/management/access-control/role-based-authorization
You can add principals to that role via the Azure portal, or programmatically as explained here (note: there's a dropdown for C#, python, and an ARM template): https://learn.microsoft.com/en-us/azure/data-explorer/cluster-principal-python

Unable to grant datastore permissions in Google Cloud Console

When managing roles in Google Cloud IAM, all datastore.* permissions (such as datastore.entities.{create, list, get}) show up as greyed out with a yellow exclamation badge, with a tooltip explaining "cannot assign permission."
I'm assuming this is why all Datastore API calls result in "com.google.cloud.datastore.DatastoreException: Missing or insufficient permissions" even when assigning project-level rights to the role.
Any idea how to grant these permissions to roles?
First of all, bear in mind that “Custom roles are a beta feature and should be used with caution.”
It is a known issue in Beta restrictions:
“Some predefined roles contain deprecated permissions or permissions that are otherwise not permitted in custom roles. A custom role that is based on a predefined role that contains deprecated or restricted permissions will not contain those permissions.”
Also, if you check the IAM Permissions Change Log, in Upcoming IAM changes for the week of 2017-12-18, you will see that all these roles related to Cloud Datastore are no longer supported in Custom Roles.
In this case you will have to use Primitive roles.

User management in multi-saas with shared auth service

I have a saas platform I'm building and I'm currently struggling with how to model my auth flow. The system is going to be multiple multi-tenant applications but I would like to unify user authorization & authentication. Basically, each US State will have its own web app/resource server/database and every county in that state will be a separate tenant. I cannot combine all states into one application, so that is not an option.
I would like to throw all users and their information/password into one database connected to my auth service. But each county (tenant) admin within each state (web app) needs to be able to add & manage their users and their roles. So the auth service needs to be aware of all the different tenants across each application. I also need to be able to link items created in each database to the user that created it. If I create object "X" and another user in my county views that item, they can see "Kovaci" created this.
I also do NOT want SSO between states but if possible I would like users to be a part of multiple tenants within one app (not a requirement though). Native iOS/Mobile apps are another client I need to support with this flow.
I used this bitoftech article to base off of: http://bitoftech.net/2014/10/27/json-web-token-asp-net-web-api-2-jwt-owin-authorization-server/comment-page-1/#comments
And here is my quick Paint mockup: multi saas design
My question is just generally how do I design this auth part? Can I store all users in one auth DB like my goal? If so, how do tenant admins manage them, and how do I link tables in my separate app DBs to the users' current info in the auth DB?

IBM BPM routing based on attributes

How can I route a task based on user attributes in IBM BPM 8.5.6?
In my case I have a list of attributes assigned to each user. For example, a user will have an attribute called Region, and this can have multiple values. So what we do is keep it as a comma-separated string, like REG1,REG2,REG3. Now when a task is initiated there will be a region associated with it. So I want this task to be routed to only those users who have that region value set.
I've created a team filter service and filter out a list of users. This works fine but the problem here is if we add a new user with appropriate region or add new regions to existing users these tasks are not visible to them. Is there any way to dynamically update the user list?
PS: I can create one group per region or one team retrieval service per region as there will be 100s of regions.
IBM BPM won't update the user repository all the time; there are certain events that will trigger an update:
http://www-01.ibm.com/support/knowledgecenter/SSFPJS_8.5.6/com.ibm.wbpm.admin.doc/topics/sync_users_and_groups.html
Quoting the article (because IBM articles may vanish at some point):
IBM Business Process Manager implicitly synchronizes external users and groups based on the following triggers:
Upon startup of a cluster member or server, all available groups (without members) are synchronized, so that all external groups are available for IBM BPM modeling and execution.
When a user logs in to an IBM BPM web application, such as Process Portal, for the first time, that user is created in the IBM Business Process Manager database.
When a new or existing user logs in to an IBM BPM web application, such as Process Portal, that user's full name and group memberships are updated. The groups the user belongs to are queried from the external user registry, and the IBM Business Process Manager database content is updated to reflect the current state.
When a REST call is triggered because a user that was newly registered in a federated repository (using an LDAP server) is not yet known to IBM Business Process Manager, synchronization of external users and groups with IBM Business Process Manager takes place. This synchronization is done only once.
You can also trigger synchronization via the Process Admin Console, or manually with the usersSync or usersFullSync commands.