I'd like to limit what organizational items users can actually see in the CM rather than the default which allows them to see the item but not read its contents giving the "Insufficient permissions" error.
For a particular group, I've assigned the Category Management right on a publication and Read permission on only two of forty available categories. When I test logging in as a user of this group, all appears well:
I see only the publication the group has the right on.
I see all forty categories under Categories & Keywords but can only read from the two I set the permission on.
So far so good.
I then opened the Tridion CM snap-in and changed the value "Hide organizational items if no access to content" from 0 to 1. Shut down COM+ and restarted IIS.
Logging in as the same user as before I still see all forty categories as before - there doesn't seem to be any change?
Is it not possible to set up the CM so that my user only sees the two categories they have the Read permission on?
Ideally I'd like the same thing for Audience Manager address books too - only listing address books a group has permissions to read/write/delete from.
This is Tridion 2011 SP1.
EDIT
Just checked the online docs and they refer to the snap-in setting as:
If enabled, Folders and Structure Groups for which a user does not
have read permission are hidden from that user; defaults to the value
0, that is, disabled.
Does that mean it doesn't apply to Categories/Address Books then?
Cheers
You are correct. This setting applies to structure groups and folders.
The term "organizational item" always needs some context to be understood accurately. Categories are, in principle, organizational items, but a category is always a root orgitem, and root orgitems have special rules. In some contexts, even publications are referred to as orgitems. In this specific context, it means folders and structure groups.
I'm using Visual Studio 2017 to create an SSRS Pivoted Report using a Matrix.
The report lists Users and their Network Permissions.
In the Leftmost column are The Users.
Across the top are the Individual Permissions.
At the intersections are one of three values:
1 = User has the Permission,
Blank = User does not have the Permission,
0 = User had the Permission but it was revoked.
Here's the issue:
Each individual Permission is in one or more 'Permission Groups'.
Each Permission Group is in one or more 'Parent' Groups.
So there is a Hierarchy of Permissions. If a User is granted Permission to a Parent Group, they are automatically granted every individual permission downstream from that Parent Group.
I hope I've explained the above sufficiently.
As requested, I made the Pivoted Matrix report showing Users in the first column, Individual Permissions across the top & 1, blank or 0 at the intersections.
Question:
Is it possible to show the Permissions Hierarchy on three Header rows in the Matrix [Parent Level - Permission Groups {named 'GroupName Level' in screenshot} - Individual Permissions] - above the Detail Rows?
This is what I would like it to look like:
Is this possible? If so, is it 'out of the normal range' of SSRS capabilities or is it pretty standard? I've worked with MS Access reporting, Crystal Reports & now SSRS and I've never needed to do anything like this.
I'd appreciate any help or pointers.
Thanks in advance!
I am trying to give access to a PowerBI (PBI) workspace for an Active Directory (AD) group comprised of a few users. When users log in to the PBI service, they can't see the workspace. The type of the AD group where these users are is set as a Distribution List. There is another separate workspace I created where users are in an AD group with type - Mail Enabled Security. Those users can see that workspace with no issues. The level of permission the AD group was given for this Distribution List PBI workspace was - Viewer. When the users are individually added to this workspace, they can see the workspace. Could someone kindly confirm whether the AD group type has to be Mail Enabled Security for the users to see the PowerBI workspace?
According to PowerBI documentation, PBI Workspace also supports AD groups of the type, Distribution List.
See the link
https://learn.microsoft.com/en-us/power-bi/admin/service-admin-rls
Thank you for your replies. Much appreciated.
Edited: Hi Andrey, I added an extra image. This I got from a posting in a blog post. It's confusing whether the group has to be a security group or whether distribution lists are also allowed under PBI workspaces. According to this image, distribution lists are also allowed.
Also want to add that the PBI workspace here was created as the new workspace type, not the Classic type. Under point 2 in the link, what that image says is confirmed by the Microsoft PBI documentation.
https://learn.microsoft.com/en-us/power-bi/collaborate-share/service-give-access-new-workspaces
In order to make it simple, I didn't mention the fact that these groups are being used to access a couple of reports inside the workspace. These reports use roles that maintain Row Level Security. I thought it would still show the users in the group the workspace even though they might not get access to the individual reports inside. Am I too optimistic here?
Edit 2:
Thank you everyone. The issue has been resolved without me doing anything. It was a delay in syncing the changes within the office365/AD accounts/PowerBI it seems. Just for the record I will leave this post here hoping it might help someone with my situation in the future.
In our company I have to extend the functionality of an existing Drupal 7 website. Here are the requirements:
The business needs to inform all staff members on different topics, using documents uploaded to the Drupal site. (I already implemented this requirement.)
The business needs to know, which staff members have read a document and which still have not.
They need a report like this:
Document 1 25/50 (25 from 50 staff members still didn't read the file)
Document 2 50/50 (all staff members did read the file), etc.
In order to fulfill the second business requirement, I need a module which can track a specific user's activity (in my case a click on a link to download a file, which means the file is read). The module(s) have to be able to create a report like the one above.
(All staff members have a Drupal account with a specific role.)
Is there any Drupal module I can use, or maybe a part of it? Or are the requirements too 'custom' and I have to create my own module?
I created almost exactly the feature you need. I would be glad to help you in the process.
I did indeed develop a fully custom module. And I could tell you that you will need different things:
A custom table in your DB to store the data
A custom entity called "track" or "action" that will be stored in the DB
Implementing the right hooks to create a track when you want to keep track of a user's action
A custom page or block to display the tracks you stored in your DB with a custom query and appropriate permissions
To achieve all that, I suggest you take a look at these pieces of documentation:
https://api.drupal.org/api/drupal/modules!system!system.api.php/function/hook_schema/7
https://www.drupal.org/node/878784
https://api.drupal.org/api/drupal/includes!module.inc/group/hooks/7
https://www.drupal.org/node/1343708
http://befused.com/drupal/page-programatically
https://api.drupal.org/api/drupal/modules!system!system.api.php/function/hook_permission/7
Hope it will help.
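A sketch of the pieces listed in the answer above, as an added example that is not the answerer's module: it uses a plain table instead of a custom entity, and the module name `doc_track`, the permission name, the report path and the staff role id are all assumptions.

```php
<?php
// Added example. "doc_track", the permission name, the report path and
// DOC_TRACK_STAFF_RID are hypothetical; adjust them to the site.
define('DOC_TRACK_STAFF_RID', 4); // assumed role id of the staff role

/** Implements hook_schema(); this function belongs in doc_track.install. */
function doc_track_schema() {
  $int = array('type' => 'int', 'unsigned' => TRUE, 'not null' => TRUE, 'default' => 0);
  return array('doc_track' => array(
    'description' => 'One row per (user, file) download.',
    'fields' => array('uid' => $int, 'fid' => $int, 'timestamp' => $int),
    'primary key' => array('uid', 'fid'),
  ));
}

/** Implements hook_permission(). */
function doc_track_permission() {
  return array('view document read report' => array('title' => t('View document read report')));
}

/** Implements hook_menu(); the report is gated by the permission above. */
function doc_track_menu() {
  return array('admin/reports/doc-track' => array(
    'title' => 'Document read report',
    'page callback' => 'doc_track_report',
    'access arguments' => array('view document read report'),
  ));
}

/** Implements hook_file_download(); Drupal invokes it for private:// files only. */
function doc_track_file_download($uri) {
  global $user;
  $files = file_load_multiple(array(), array('uri' => $uri));
  if ($user->uid && ($file = reset($files))) {
    // db_merge keeps one row per user and file, refreshing the time on repeats.
    db_merge('doc_track')
      ->key(array('uid' => $user->uid, 'fid' => $file->fid))
      ->fields(array('timestamp' => REQUEST_TIME))
      ->execute();
  }
  // Returning NULL leaves the access decision to other modules.
}

/** Page callback: staff readers per file out of all users holding the staff role. */
function doc_track_report() {
  $args = array(':rid' => DOC_TRACK_STAFF_RID);
  $total = db_query('SELECT COUNT(*) FROM {users_roles} WHERE rid = :rid', $args)->fetchField();
  $result = db_query('SELECT f.filename, COUNT(t.uid) AS readers FROM {doc_track} t
    INNER JOIN {file_managed} f ON f.fid = t.fid INNER JOIN {users_roles} r
    ON r.uid = t.uid AND r.rid = :rid GROUP BY f.fid, f.filename', $args);
  $rows = array();
  foreach ($result as $row) {
    // File names are user-supplied, so escape them before theming.
    $rows[] = array(check_plain($row->filename), $row->readers . '/' . $total);
  }
  return theme('table', array('header' => array(t('Document'), t('Read')), 'rows' => $rows));
}
```

Files that no staff member has downloaded yet do not appear in this report, because the query starts from the tracking table. The hook records the request when it is invoked, so a download that another module goes on to deny can still be logged.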
I am facing one typical issue on Tridion 2011 administrator activity.
How to replicate the issue?
Open a User
Add a Group to the user
Once group is inserted, by default all the publications are checked/ticked
Now here is the issue: if I have 200 publications and I want to check/tick only 2 of them, then I need to uncheck the remaining 198 publications manually.
Which is a really difficult task when doing the same activity for 20-30 users.
I tried by checking and unchecking "ALL PUBLICATIONS" check box but NO LUCK.
How to fix this?
OR
Is there any hotfix already available?
You can use the following workaround:
Select all publications (Control + A)
Press Spacebar (Toggles selected/unselected)
Typically I'd recommend setting users to a group specifically for scope and permissions, rather than trying to define this for each of some 20-30 (or more) users.
For example:
Create "Rights" groups (or use the defaults) with This Group will be available for setting permissions in the following Publications: set to All Publications.
Create "Scope" groups with membership to one or more rights groups, with the scope limited to certain publications. Use Puntero's useful tip here. Optionally use separate groups for permissions.
Going forward, add users to a Scope group with Membership Scope: set to All Publications
This lets you consolidate global user changes to a few groups and simplify manual changes, even if experiencing a possible UI bug.
I have a Tridion implementation that is, in essence, multi-tenant. Different interest groups use the same environment. Security takes care that users cannot see publications/content from groups they are not permitted to see. However, in the publishing queue, all users can see the title of items that are in the queue; they cannot open the item but they can see the title (e.g. "Our company releases sky high profits!")
For sensitivity reasons I would like to hide the title of the item when the queue list is loaded according to the scoped publications of the user viewing the queue. So, for example, if I am only able to work in publications b & c but not in a & d when the queue loads, I can see the titles of content coming from b & c but not a & d. I will see something like "Item from publication D".
Is this straightforward to do with an extension and does anyone have some examples of how to do this?
The logic is the most complicated thing about it. You need to work out what the user can see or not.
This is a good candidate for a Data Extender to the CME. Filter out the items on the server before the response is returned. There is a section of the online documentation dedicated to the topic, so that is hopefully enough to get you started.
A crafty person would still be able to access the information by directly querying the API / Core Service, but I imagine that is not a high priority in this case.