We are using Plone 4.2.2 and we would like to delegate user account/group creation and managing local roles on content to our tier 1 helpdesk folks. We initially thought to use the Site Administrator role and just add the Site Setup Overview and Site Setup Users and Groups permissions. This allows them to create users and groups, but they don't have access to the sharing tab to manage local roles on folder and file objects.
I'm not finding much help out there and this seems like it would be a fairly common delegation. In fact, I'm surprised there isn't a role specifically for this. Giving Manager role to our tier 1 is a little scary.
Any suggestions would be greatly appreciated.
I found this thread that referenced managing users, but not the local roles on content:
How to create a Plone 4 group who's sole purpose is to manage users?
Access to the sharing tab is only a matter of permissions.
You must give your users the "Sharing page: Delegate roles" permission and all the needed permissions named "Sharing page: Delegate XXX role".
But to be honest, I think the Site Administrator role already has all the powers you need.
What I would do, instead of using the normal Plone user manager, is:
write a custom, simplified user management form in a Python add-on;
the form does sanity checks by allowing creation of only certain kinds of users with certain roles;
the form can also set local roles on folders programmatically (no need to go to the Sharing tab);
expose this form through a special new permission;
give the permission for the form to the Tier 1 support personnel.
As the use case is very specialized it might be easier to write your own manager form than customizing existing Plone logic.
We are looking at enhancing our current security access model, which is basically a check of whether the user is logged in. We now require access control on modules and pages and possibly certain sections in a page, such as dropdown restrictions based on your role.
I'm not sure how to design but maybe a few pointers and writing the requirements here will help.
The user usually belongs to a company.
The user usually has a role within that company.
The company is made up of 1 or more sub companies.
The user/role can have access to some modules in the system
The user/role can have access to some or all sub companies.
A role must be completely configurable on the fly.
An interface is required to configure the access for the users and the roles.
The menu needs to be configured based on access rights
The page needs to be configured based on access rights
We are using asp.net 2.0 at the moment but could possibly upgrade.
So based on that I think we need
User, Group, Role ( but roles need to be configurable) and Modules
A role for one organisation may have same name but have access to completely different Modules.
I am not sure asp.net membership is suitable, so I would like some opinions, as it seems that access to pages is all hardcoded in config etc.?
Yes, you can use ASP.Net Membership Provider for what you have stated.
As you said you are using ASP.Net 2.0, you cannot use the new ASP.NET Universal Providers, which are based on Entity Framework.
However, the Membership Provider was introduced in ASP.Net 2.0. So you can still use the old version, which uses aspnet_regsql.exe to create tables with the correct schema.
Here is the link for step-by-step instructions:
https://web.archive.org/web/20211020202857/http://www.4guysfromrolla.com/articles/120705-1.aspx
Please note that you cannot migrate from old ASP.Net 2.0 Membership to new Universal Providers.
I have been reading a lot about asp.net membership and roles for the past couple of days and trying to implement it in my project using form based authentication. I tried out most of the samples that I found on the internet, from managing users/roles using WSAT to managing users/roles/access rules in code. No doubt it provides great functionality with little effort on the developer's end, but somehow I have developed the feeling that authorization in asp.net only provides a way to restrict access to pages and directories. What if I have a page which can be accessed by all users and, based on the user role, the page offers different functionality to the user (common scenario, like SO is using)? Though we can check Roles.IsUserInRole(role) in our code and customize the page for different roles, then again we can code the functionality to create more roles and enable users (Admins) to create more. And once the application is up and running and users (admins) create new roles, how do we take care of such roles in our pages?
Well. You are right that Roles.IsUserInRole(role) can be used to customize pages for different roles. So it's not all about restricting access to pages and directories.
If you're asking how to accommodate new roles created by user administrators, and how to have the pages adapt to these new roles ... well, I think the term for what you're talking about is "dynamic roles". If you want a system where the users decide who can access what and create new roles with different access, you need a system that supports dynamic roles.
I've seen a lot of attempts to hand-code such a system, and I have yet to personally see one that was done well. Some systems that do exactly that and do it well are commercial CMS (content management systems). If you have an actual need for such a system, you might want to look at some of them.
ASP.NET's built-in role management is neat stuff, but it's really meant for a static role situation, where there are (say) "Payables Clerks", "Receivables Clerks" and "Managers" and, while people may change roles, the roles themselves and what people in them need to do don't change much.
RE: Ann L's comment on her own answer (I can't write a comment because I don't have enough reputation points yet).
If an administrator of the application is able to create new roles, it simply means that authenticated (!) users within those roles have rights to do more or other things (depending on those roles).
I don't think that letting users (admins) create roles dynamically would be a bad security practice. Bad security practices are, in my opinion, those that enable malevolent users to cause damage, steal data or hijack the application. Those bad practices enable people to be authenticated in a way that you wouldn't want them to be.
I'd like to create a Unique Web Site Administration Tool (UWSAT) to admin all users for all my websites on the production server.
Basically the idea is to have the UWSAT with only an admin user; when the admin logs into the tool he could navigate the applications, select one and see its users. He could add a new user to an existing application, or create a user specifying a new application name (as far as I know that creates the application too).
The problem I'm facing is that to add a user to an application I have to set Membership.ApplicationName, but I read this should be avoided.
So I ask you: should I create a different MembershipProvider for each application and call it when I have to manage users for that application?
Thanks.
I recommend creating a role, and assigning it to the users. The role would be the application they should have access to.
The RoleProvider is one way to do this.
Suppose I have 3 kinds of users and their accessible pages in my ASP.net application are as follows:
(1) User Type-A {Default.aspx, a.aspx, b.aspx and c.aspx},
(2) User Type-B {Default.aspx, d.aspx, e.aspx and f.aspx},
(3) Admin {Default.aspx and g.aspx}.
Here Default.aspx is my Login-page.
I am using Membership Provider and Forms authentication technique.
Now I need to block one type of user from accessing the pages assigned to the other types of users.
How should I configure my Web.config file?
And what kind of C# code should be used?
Role management in asp.net may help you in this case. Please check this article.
You may have to customize this as per your specific requirement. Hope this helps.
Role Manager in ASP.NET
Each user type will be associated with a role.
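As an added example (not from any of the answers above), here is a web.config that enforces the three page sets from the question with Role Manager and forms authentication; the role names TypeA, TypeB and Admin and the default SQL role provider are assumptions.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Default.aspx" /><!-- Default.aspx is the login page, as in the question -->
    </authentication>
    <roleManager enabled="true" defaultProvider="AspNetSqlRoleProvider" /><!-- over the aspnet_regsql schema -->
    <authorization>
      <deny users="?" /><!-- site-wide default: anonymous users are denied everywhere -->
    </authorization>
  </system.web>
  <!-- The login page must stay reachable anonymously -->
  <location path="Default.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <!-- First match wins, top down: allow the role, then deny everyone else. Without
       the trailing deny the allow users="*" inherited from machine.config would let
       other roles in. path takes one file or folder, so repeat for b.aspx, c.aspx. -->
  <location path="a.aspx">
    <system.web>
      <authorization>
        <allow roles="TypeA" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <!-- Type-B page; repeat for e.aspx and f.aspx -->
  <location path="d.aspx">
    <system.web>
      <authorization>
        <allow roles="TypeB" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <!-- Admin-only page; Admin users are still denied a.aspx and d.aspx above -->
  <location path="g.aspx">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Users are placed in those roles with Roles.AddUserToRole(username, roleName) (or through WSAT); no page-level C# is needed for the blocking itself, although Roles.IsUserInRole can still be used to hide links to pages the current user cannot reach.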
We have a similar requirement, and make use of the Patterns and Practices Web Client Software Factory. Basically it assists you in creating modules, and allowing you to specify per-page access levels in config based on Role / User details.
You might try using the role provider together with web.sitemap.
I am creating a website in ASP MVC. Can anyone give me some advice on using the built-in membership provider in the following way.
I want my users to create an Administrative account for themselves and then create accounts for the people in their organization, or the people that they want to give access to.
I guess in a Database it will look something like this:
Companies have Administrators. Administrators can give users access.
I am sure this pattern is used all over the place, I am just not sure how to implement it. Especially using the membership providers.
Thanks,
David
There is nothing special in implementing this. It can be easily accomplished by built-in features of ASP.NET 2.0:
Configure Web site to use membership (via web.config)
Enable role management (via web.config <roles enabled="true"> tag)
Add administrator accounts to Administrators role.
Control access to the administrative pages by using [Authorize(Roles="Administrators")] attribute in the controller action.
Require authentication on other non-admin actions ([Authorize])
When I did this, I used the Membership Provider for authentication however, the organization concept I created externally from the Provider. You could use the Profile Provider.
As for roles I would still use the Roles within the ASP.Net Membership Model.
You can create a role for those people and name it something like organizational-admin, though that's a bit long, you catch my drift :). And give those the power to create users with a regular user role. At least that's how I did it in one of my applications.
Of course you'll keep the admin to yourself or to the person who is in charge of this particular site.
Gu's blog has a small example of how to implement the roles in an action filter.