I'm new into Symfony 2 and I read some docs about ACL and the ROLE System.
I understood that I can use different Permissions on a Object with ACL.
But I need some different ( ? ) type of permission check, like in the static apache turbine roles / permission sets.
I want to use FOSUserBundle and using Groups.
The Groups should have permissions like
DOWNLOAD_PDF
DOWNLOAD_PPT
INVITE_USERS
and so on..
Stuff that does not have something to do with Objects but I have to check in Controller ( static ) and assign to Groups in an Userinterface.
I don't really found something about how to check those Permissions and assign them e.g. to Groups.
Is there something already exist? Or a best practice?
Or should I create for every Permission I need a ROLE?
Related
To access an OData web service that exposes data from a Core Data Service (CDS) in SAP R/3, a user needs has to have an authorization role assigned that contains the authorization object S_SERVICE.
The authorization object S_SERVICE requires two parameters:
the service type (SRV_TYPE) which is set to HT = "TADIR Object" in my case
the service hash (SRV_NAME).
Using the debugger I found out, that the function module AUTHORITY_CHECK_TADIR_SERVICE compares the hash from the S_SERVICE authorization object with the hash stored in a record of table usobhash:
I also found out, that function module AUTH_TRACE_CALC_HASH uses the data from the columns PGMID, OBJECT and OBJ_NAME in table usobhash as input to generate the hash which is then stored in column NAME.
So far, whenever I wanted to grant a user/role permission to access a OData service I needed to know this hash. To get the hash, I either checked the usobhash table or manually executed AUTH_TRACE_CALC_HASH and then entered the hash when I assigned the authorization object to an authorization role in transaction pfcg. I guess there has to be an easier, more "official" way to do this. My approach feels like a dirty workaround but I was unable to find any documentation about how to do it right.
tl;dr How do I set the S_SERVICE authorization object without either debugging AUTH_TRACE_CALC_HASH or searching for the relevant entry in usobhash?
Create a role with the Service in it. Therefore please create a new or choose an existing role in the transaction PFCG → (+ pushbutton).
Choose the object type "Authorization Default".
Choose "TADIR Service"; Choose object type IWSV or IWSG.
Use the F4 help to select your service.
Save the role.
Assign the role to user.
I want to clean all the identities and their accounts roles etc associated with identities.
Is there any way to bulk delete identities?
Do you have shell access?
You can use the iiq console for this:
bash /path/to/iiq/WEB-INF/bin/iiq console
> delete Identity *
This should get rid of all identities except for the ones which are tagged as protected. Also all additional data (links, assignedRoles, scorecards,..) will be deleted.
What is the best practice way to handle changes to configuration parameters (kept in yml) that have to happen at runtime?
I am working on a site where the owner wants to change various settings in his admin back end.
For example, enabling/disabling the confirmation email and link sent by FOS User bundle when a new user registers for an account.
Thanks for your time
For those operations you need the use Compiler Pass.
https://symfony.com/doc/current/service_container/compiler_passes.html
Here sample Custom Compiler pass;
https://symfony.com/doc/current/components/dependency_injection/compilation.html#creating-separate-compiler-passes
Here is a good example for compiler passes; ( Usually using with service tags )
https://symfony.com/doc/current/service_container/tags.html
I'm quite confused about the ACL in symfony/silex and how I can make them work for me.
I've been thinking about a solution based on modules -> actions. However, reading about ACL, everything seems to be based on roles, which is to broad for the implementation I'm trying to achieve.
I will have users, and all users do belong to a role (admins, users, etc...). However, the role is more of a guideline of what you can do (as it sets the default permissions a user with that role starts with) that an actual set of actions a user can perform. The actions, are really based on the modules the system has and the permissions that are actually granted to any of the users to read, add, update of delete and any other verb outside of those.
So for example:
ROLE #1: Is an Admin
can read users
can post users
can put users
can delete users
ROLE #2: Admin
can read users
can post users
cannot put users
cannot delete users
Since I'm planning to have several diferente modules (users, payments, products, etc..), and each admin can have privileges granted or revoked, they will not fit the ROLE_ADMIN, ROLE_SUPER_ADMIN, ROLE_USER type of roles.
I was thinking something on the lines of ROLE_VIEW_USERS, ROLE_ADD_USERS, ROLE_EDIT_USERS and that a User will probably have 100 of those little roles and have voters for each controller that will decide if you can perform certain action.
Does this make sense?
You are confusing ACL and roles. They both have to do with permissions but they approach and function differently from one another.
Roles aren't inherently tied to a specific resource. On the other hand, ACL is, and that link is persisted. Users can be tied to resources (or appear to be so) through the use of voters.
https://symfony.com/doc/current/security/voters.html#creating-the-custom-voter
User-specific ACL, e.g. where a user has specific access defined PER resource, you'll need quite a bit more stuff.
Take a look at the SF cookbook:
https://symfony.com/doc/current/cookbook/security/acl.html
https://symfony.com/doc/current/cookbook/security/acl_advanced.html
OWNER/MASTER/OPERATOR CAN
Edit
View
Delete
Create
ALL RESOURCES (This is done using ROLES)
ROLE_USER CAN
EDIT OWN
VIEW OWN
DELETE OWN
CREATE
OWN RESOURCES (This part is done with ACL or voter)
Voters are effectively creating your own ACL and therefore there is no persistent permission unless you make one explicitly (At this point I would go ACL). The use case for ACL is basically the same as the use case for a voter, and choosing one vs the other is a matter of complexity.
The built in ACL info is coming from the database, but as per SF documentation: "It can contain tens of millions [of records] without significantly impacting performance."
Extremely simple? Could use a voter.
If you don't want to maintain your own rules (voters) for resources and don't mind the complexity of the ACL, or like that permissions are persisted + cached, you could use ACL instead.
Note that the complexity of the ACL is generally the following when creating resources (although this could be put in a service):
$aclProvider = $this->get('security.acl.provider');
$objectIdentity = ObjectIdentity::fromDomainObject($resource);
$acl = $aclProvider->createAcl($objectIdentity);
$tokenStorage = $this->get('security.token_storage');
$user = $tokenStorage->getToken()->getUser();
$securityIdentity = UserSecurityIdentity::fromAccount($user);
$acl->insertObjectAce($securityIdentity, MaskBuilder::MASK_OWNER);
$aclProvider->updateAcl($acl);
For the previous scenario, you can use the ROLE_USER to make sure that the authenticated user is actually an actual user and not AUTHENTICATED_ANONYMOUSLY and the voter or ACL to make sure they can only edit their own resource, and override this if their ROLE is ROLE_ADMIN. (Assuming users are given ROLE_USER once they sign up)
Example in security.yml
# This could be done via #Secure(roles="ROLE_USER")
access_control:
- { path: ^/my/api/endpoint, role: IS_USER, requires_channel: https }
- { path: ^/my/admin/api/endpoint, role: IS_ADMIN, requires_channel: https }
Example in controller::action
// check for edit access
if (
false === $authorizationChecker->isGranted('EDIT', $resource) &&
false === $this->get('security.context')->isGranted('ROLE_ADMIN')
) {
throw new AccessDeniedException();
}
Here is another QA in StackOverflow that also provides some examples:
Symfony 2 ACL and Role Hierarchy
You can also use annotations for this stuff:
https://symfony.com/doc/current/best_practices/security.html#authorization-i-e-denying-access (It shows how one works vs the other).
Let me know if any part of this requires further explanation.
Thank you.
So I've this application and have to grant access to type of people the admin and a little group of people who have to edit a little part of an module.
Lets say I've a module which has fields [A, B, C, D], and a group of people need to change the default value of some os the items that module represents, for instance C and D.
Now I've created the the groups, setted the permissions and assigned the test user to that group, editted the security.yml like this: credentials: [[admin, certificatore]] as i need to be an or. Try to access it's not letting me in. where i'm going wrong? myUser extends the sfGuardSecurityUser.
I've noticed that in DB the user, group and permission I've created are not present, but from the backend i can see them...
Have you tried deleting contents of cache folder?