I am building a database seeder to create a random number of users with different roles. My application has two user roles: 'admin' and 'employee'.
I have managed to create a method and put it on the server side to seed the database with a random number of employees and one admin. I am trying to have a button that deletes all the users in the 'employee' role but not the 'admin' role.
I have used alanning:roles to define user roles. How can I achieve that?
I used this function
Meteor.users.remove({ "roles" : [ "patron" ] });
Related
I am using ASPNETZERO multi-tenancy solution and I want to achieve following solution in that.
My need is like One user share all details among all Tenants.
Let's say there is user1 registered in Tenant1 with email id, password and all fields.
Now what I want is this User1 can logged in any tenant using the same login details, I mean to say user1 can login in tenant2, tenant3 etc.. But without registering again and also with same login details.
Also user can edit details in any tenant and that need to updated in all tenants.
Here is what I have planned :
I am planning to put multiple entries of same user with different
tenant id in default Usertables. I mean to say, when user1 registere
in tenant1 then I will copy all details of that user to all tenants.
So I will create same user entry with tenant2 id, tenant3 id and so
on..
I got it working by editing user-service file.
Thanks
In case of allowing a user to login to multiple tenants, the following approach can be used
The user details should be generic and not under a tenant
After adding user, you will assign the user roles for every tenant
When the user logs-in, the data will be validated and then the user will be given a page to choose tenant for which he can work
(OR), the user can provide the tenant name during login so that you can directly validate the user and allow to use the application
Tenant level access will be based on the tenant and roles, if I have access to Tenant1, it means that i have a role for Tenant1 and if I pass Tenant2 to access, the system does not find any roles associated with my user for the Tenant2, denying access (401).
I'm a newbie to symfony 4.2. and trying to create an authentication form to access a back-end. I am not using FosUserBundle.
So far i have an a access denial due to that the user has not admin permissions.
in my user table created with make:user, i have a column named "roles" which contains an empty array.
I guess it should contain something like 'ROLE_ADMIN' but i have no idea.
Any help is welcome. Thanks
You should take a look to the official documentation : https://symfony.com/doc/current/security.html
The column roles is an array in Doctrine, so serialized string in database, you can fill this with :
a:1:{i:0;s:10:"ROLE_ADMIN";}
This way your user will have admin role. Then you can manager the roles access in your security.yml file, according to documentation.
I created an Azure Active Directory Application and i want to use role based security. I followed the tutorial on: https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapp-openidconnect-aspnetcore/
The login works, I added roles to the application manifest and assigned the role Approver to my own account. Now i want to use these roles.
After login the following works in the controller:
[Authorize]
But when adding the role the user is not authorized:
[Authorize(Roles="Approver")]
Also the following returns false:
User.IsInRole("Approver");
It seems the roles are not retreived, any suggestions on how to add the role functionality to this demo project?
While using Azure AD For Groups, group membership information does not magically appear in an application, You will either need to use Graph API to get groups for a user after authenticating, Or Configure Azure AD to send back claims representing a user's group membership.
Configure Azure AD to send Group Claims:
Change application manifest by going Under Azure Portal => Azure Active Directory => App Registrations => All Apps => Select Your App => click the manifest from top action bar
Change groupMembershipClaims to SecurityGroup,
Once you have that, you should be receiving Group claims From Azure AD, We Can quickly see that by iterating over User 's Claims Property.
The value of claim will be Object IDs, You’ll need to know the object ID of the group or groups.
With the ID in hand, you can now define an ASP.NET Core authorization policy like below,
services.AddAuthorization(options => {
options.AddPolicy("Approver",
policyBuilder => policyBuilder.RequireClaim("groups",
"c63b2f53-eff9-4d68-8b47-07f151270c74"));
});
You are all set to check against this policy, like below:
[Authorize("Approver")] OR
[Authorize(Policy = "Approver")]
This code sample works for me after assign roles to account . Please debug application in this line: User.IsInRole("Approver"); , check whether {http://schemas.microsoft.com/ws/2008/06/identity/claims/role: Approver}exists in user claims . And make sure you add roles which allowedMemberTypes is user , for example :
{
"allowedMemberTypes": [
"User"
],
"displayName": "Approver",
"id": "fc803414-3c61-4ebc-a5e5-cd1675c14bbb",
"isEnabled": true,
"description": "Approvers have the ability to change the status of tasks.",
"value": "Approver"
},
And you have assign the user role in Enterprise applications-->All applications--> find your app-->Users and groups--> add/edit a user and assign roles :
Please take a look at the following repo: https://github.com/Azure-Samples/active-directory-dotnet-webapp-roleclaims
You need to register your application in the Azure portal and then go to the manifest settings to add the roles and GUIDs for each role.
I have created a secondary User store using LDAP. By default, all users of the secondary store have no permission. Is it a way to assign the suscriber role to all users in one operation or I have to do it manually for each user ?
Thanks
Since by default WSO2 uses groupId('Organization) of the user to share the Application in the Devpotal as mentioned here in the documentation: sharing applications
You can go to the Carbon UI and search for the LDAP users among which you want to share an Application. Next to the User click on the 'User Profile' tab. There you can edit the value next to the 'Organization' column. For this, your secondary user store should be 'ReadWriteLDAPUserStore'. Similarly, edit the value for each user in the secondary user store to the same value to share the Application among them.
In fact, in the ldap user store if you configure LDAP groups there are automatically created as a role and you can apply permissions to a role which will be apply to all users of your LDAP group.
But I didn't find a way to share applications between users of a LDAP group ...
Here is a better way to achieve it. In the official documentation it is mentioned that it allows the Applications to be shared if we have common roles, in as you said WSO2 treats AD groups as roles. Lets assume you have two users user1 and user2 in your LDAP store both of which are the part of AD group 'AD_Group'.
So mention the AD group name common to the users among which application needs to be shared : -
Also change the configuration as following in the deployment.toml file : -
[apim.devportal]
enable_application_sharing = true
#application_sharing_type = "default"
application_sharing_claim=http://wso2.org/claims/role
I am having a problem and would like to know if someone has a suggestion. On a site I am developing, I was using Asp.net Simple Membership but now I am migrating to Asp.net Identity 2. I have 2 roles: "User" and "Admin". The admin can do admin stuf, configuration, database management, etc. But cannot do "user things". So, the admin is not a "super user" - it only has different function.
The problem I am facing is that the unique identifier for the user is their email. So, if someone wants to use the system all by himself he has to create 2 accounts (one admin and one user), so he has to have 2 emails. This is a problem. I could easily add both "user" and "admin" roles to that users but that would make the system harder to use for the "user" role and I would like to avoid this.
I use roles to authorize routes on the server (MVC and web api) and to basic (like hide elements) things on the UI (SPA), so, it is already part of the system - but I am willing to change it, if necessary.
I was thinking in doing something like this:
When the user is configured to be a administrator, every time he log on, I ask if he want to be an admin or user on this session.
If he choose "user", I set a user role for him and log in.
If he choose "admin", I set a "admin" role for him and log in.
What do you think about that? Does someone have a better idea? This feels like a hack and hacks do not go well with security :/
I see a problem with that - Sometimes I need to send emails to admins (when they are offline). With this, I cannot rely on the UserRole table only, will always have to check the User.IsAdministrator flag too. It is not a big problem but add a small complexity to things.
You need to use roles for this. A user can be a member of several roles at once, so you can have a user that is a member of the 'user' roles, a user that is a member of the 'admin' role or a user that is a member of both the 'user' and 'admin' roles.
You have already suggested this idea and this is how I would do it, if you then wanted to control what they could see (so that an 'admin' member could only see stuff that normally a 'user' role user can see) then you could have a drop down on any form (or put it on your master page) that allows the user to turn the admin stuff on and off, you can then remember their selecting in the session object and refer to that each time the page loads. e.g.
if user.IsInRole("Admin") and IsNothing(Session("HideAdmin")) Then
'Show Admin Stuff
End If
Or somthing similar.
This type of problem is solved at DataBase Design time not at development time. You have few choice the best I see is create a Third user who will have both rights.