Peoplesoft security - peoplesoft

We want to give users PeopleSoft portal access from outside the network, but that access needs to be read-only and very limited.
Has anyone done location-based role enabling in PeopleSoft, i.e. disable all roles and enable only a particular role based on IP address or web server?

I have done something similar to that using DNS entries to determine internal/external access. The users wanted to force Self-Service access to all users when they logged into PeopleSoft if they were at home, but give the users full access if they logged in via VPN or at their desk. That way, power users would not have full security unless they were authenticated via VPN or at work.
We accomplished this by customizing the USERMAINT component, creating a new security table for "self service" security, adding custom Signon PeopleCode, and setting up a second DNS entry that was exposed for external access.
To start, the network admin set up two sets of DNS entries that pointed to the PS web servers. For example, psoft.company.com was the internal DNS and only set for local network access, and selfservice.company.com was the external DNS available for global access.
Next, we customized the USERMAINT component (User Profile). We hid the delivered Roles tab and replaced it with a copy. The new page was pointing to a copy of PSUSERROLE. We did this because we want to use the delivered PSROLEUSER table as the "current" security table. If the Security Admin wants to update a user's internal (or day-job) security, we want to store it for the long term. (This will make more sense below.) So the new custom table, say XXROLEUSER, is now the master table for security.
Then, we added record/page/component for the Security Admin to define "self service" security (XXSSROLES). This record/page just stores Role Names for when users log in externally. This allows the Security Admin to update self service security for seasonal changes, like Open Enrollment. The admin can add a role during Open Enrollment to grant additional access, and then remove it when the period has ended.
Last, we created a custom Signon PeopleCode step that handles the internal/external security switch. The Signon PeopleCode grabs the URL used to log in. The code parses the URL to see which DNS entry was used to access the system. If the DNS entry is "selfservice.company.com", the code will clear out the rows in PSROLEUSER for the user and insert the roles from the XXSSROLES table. If the DNS entry is "psoft.company.com", the code will clear out PSROLEUSER and insert the roles from the XXROLEUSER table.
This code change turns PSROLEUSER into a transaction table. Because the Tools system relies on this table for many different security functions, it is important to create a copy to use as the "master table" for use in the User Profile component.
If this is something you are interested in trying, I'd be happy to post some sample code for the Signon PeopleCode.
I uploaded the Signon PeopleCode function to GitHub (see link below). You can create a custom record to store the PeopleCode and then add it into the Signon PeopleCode page. If you need more information, let me know. I am not able to post the entire tech spec, but I'd be happy to help if you have questions.
http://github.com/iversond/PeopleTools-Dynamic-Login
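
The role switch described in the answer above, modelled in Python as an added example (it is not part of the original answer and is not the PeopleCode from the linked repository). The hostnames and table names come from the answer; the user, the role names, the dictionaries standing in for the tables and the function names are constructed for illustration. Only an exact match on the internal hostname selects the master roles, so an unrecognized or unparseable login URL gets the self-service set.

```python
from urllib.parse import urlsplit

# Hostnames as given in the answer above.
INTERNAL_HOST = "psoft.company.com"
EXTERNAL_HOST = "selfservice.company.com"

# Constructed sample data standing in for the custom tables.
XXROLEUSER = {"jdoe": {"XX_HR_ADMIN", "XX_EMPLOYEE"}}   # master ("day-job") roles per user
XXSSROLES = {"XX_SELF_SERVICE"}                          # roles for external logins


def login_host(url):
    """Return the host of the login URL: lowercased, without port or trailing dot."""
    host = urlsplit(url).hostname or ""   # None when the URL has no scheme/authority
    return host.rstrip(".")


def roles_for_login(url, user, master=XXROLEUSER, self_service=XXSSROLES):
    """Select the role set for this session.

    Exact comparison, not a substring test: a host that merely contains the
    internal name does not qualify. Everything else fails closed to self-service.
    """
    if login_host(url) == INTERNAL_HOST:
        return set(master.get(user, ()))
    return set(self_service)


def switch_roles(current, url, user, master=XXROLEUSER, self_service=XXSSROLES):
    """Model of the signon step: clear the user's rows in the 'current' table
    (PSROLEUSER in the answer) and insert the selected roles."""
    selected = roles_for_login(url, user, master, self_service)
    current[user] = selected   # replace, never merge, so no internal role survives
    return selected


if __name__ == "__main__":
    psroleuser = {"jdoe": {"XX_HR_ADMIN", "XX_EMPLOYEE"}}
    for url in ("https://psoft.company.com/psp/ps/?cmd=login",
                "https://selfservice.company.com/psp/ps/?cmd=login",
                "https://psoft.company.com.example.net/psp/ps/"):
        print(url, "->", sorted(switch_roles(psroleuser, url, "jdoe")))
```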

Recruiting Solutions uses a similar process - when creating the external Candidate Gateway to allow applicants to apply for positions, a 'guest' ID is created for a particular web server that has severely restricted permissions - basically just the external applicant apply objects.
In PS 9, have a look at PeopleTools > Web Profile > Web Profile Configuration under the Security tab. You can definitely secure the system at a web server level.
HTH

Disclaimer: I work for the company.
A bit late to the party, but a useful answer: IntraSee has developed a solution for this exact situation.
The key is that you need to be able to define rules (locations) and then tie those to specific roles. Evaluated at login, the roles are revoked or granted depending on the rules and user location. It can use IP or other attributes to determine roles.
To do this manually is slightly tricky as you need to account for the versioning of the user profile and associated permissions. Signon PeopleCode is the best place to evaluate these rules as you can do it once per session, and you have access to the business data to make correlative decisions. E.g. if a person has a huge approval limit, maybe they can't approve remotely, but someone with a small limit can. Same security access, but added or revoked based on location and data.
To your specific case: you would have base roles with read only access to those users, then a set of 'opt-in' roles that gave read/write. When they come in from the correct location, they get the read/write. So, we are only adding the extra access when appropriate.
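
A sketch of the rule evaluation this answer describes (base roles plus opt-in roles granted by location and business data), as an added example that is not part of the original answer and not the vendor's product. The network range, role names, user and approval threshold are all constructed assumptions.

```python
import ipaddress

# Constructed rule data: which networks count as "on site".
ONSITE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed role data: read-only base roles, and opt-in roles a user is eligible for.
BASE_ROLES = {"jdoe": {"XX_HR_READONLY"}}
OPT_IN_ROLES = {"jdoe": {"XX_HR_READWRITE", "XX_APPROVER"}}

# Constructed business rule: remote approval only up to this approval limit.
REMOTE_APPROVAL_LIMIT = 1000
REMOTE_OPT_IN = {"XX_APPROVER"}


def classify_location(client_ip):
    """Return 'onsite', 'remote', or 'unknown' for the client address string."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return "unknown"          # unparseable address: no location can be asserted
    if any(addr in net for net in ONSITE_NETWORKS):
        return "onsite"
    return "remote"


def roles_at_login(user, client_ip, approval_limit):
    """Evaluate the rules once per session: start from base roles, add opt-in roles
    only when the location (and, for approvals, the data) allows it."""
    roles = set(BASE_ROLES.get(user, ()))
    eligible = OPT_IN_ROLES.get(user, set())
    location = classify_location(client_ip)
    if location == "onsite":
        roles |= eligible                      # full opt-in set at the correct location
    elif location == "remote" and approval_limit <= REMOTE_APPROVAL_LIMIT:
        roles |= eligible & REMOTE_OPT_IN      # small-limit approvers may approve remotely
    return roles                               # 'unknown' keeps base roles only


if __name__ == "__main__":
    for ip, limit in (("10.20.5.9", 50000), ("203.0.113.7", 50000), ("203.0.113.7", 500)):
        print(ip, limit, sorted(roles_at_login("jdoe", ip, limit)))
```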

I would create a separate site (like the Candidate Gateway suggestion); it will need a similar web profile to the one you are currently using, and no other changes would be necessary.
Next create a custom menu, then attach all of the components you wish to make read-only.
Register the content references for those custom_menu.components.
Create Roles and Permission Lists adding the custom_menu.components then select "Display Only". Then assign the roles to the users.
Expose that site via the firewall.
That's it.

Related

Grant user access to specific subdomain

I'm looking for some guidance and have had a hard time finding a straight answer via Google.
I am building a web app using Google Cloud Platform and Firebase and would like to grant users access to only their own subdomain. So for example, if user 1 is part of the organization Lakers, I would like the domain they use to be lakers.myapp.com. If user 2 is part of Bucks, their app would be hosted at bucks.myapp.com. When somebody who is not authorized visits one of these domains, they should not be able to view anything since they are not authorized under that subdomain (just like any normal web app). I have the login all set up and can redirect the user to their subdomain, but what is the process of checking that the user is authorized to view that subdomain?
If the answer has many parts, I would be happy to receive some links to resources on how to do this; I wanna be sure it's done right.
For the first part (Can we restrict users (identities) based on the GCP domains?), the answer is yes. The Resource Manager provides a domain restriction constraint that can be used in organization policies to limit resource sharing based on domain. This constraint allows you to restrict the set of identities that are allowed to be used in Identity and Access Management policies.
Organization policies can use this constraint to limit resource sharing to a specified set of one or more Google Workspace domains, and exceptions can be granted on a per-folder or per-project basis. For more information about adding exceptions, see Override the organization policy for a project.
For the second part (How do I lock down Firebase Database to any user from a specific email domain?): if you're using the new Firebase this is now possible, since the email is available in the security rules.
In the security rules you can access both the email address and whether it is verified, which makes some great use cases possible. With these rules, for example, only an authenticated, verified Gmail user can write their profile. Please see the Stack Overflow link for more details.

Session-duration-only access control to DNN pages

We have a customer with an unusual request for the security of a subset of a DotNetNuke / Evoq website.
This is a special set of pages that should only be accessed by a large group of a company's employees to make preferred-discount purchases.
Rather than trying to maintain a set of thousands of user accounts, having the employees register to gain access passwords, they just want to have the employee get to a welcome page, provide their email address (which will be confirmed as from that company's domain) and then be sent a link or a link and temporary rotating passcode that grants access to that set of pages for just the duration of their session once they visit the link.
I've searched for any type of 3rd party module to accomplish this with no luck.
It has also been suggested this might be accomplished through some type of URL-masking process, which I suppose might even be done by a proxy outside of DNN.
Has anyone provided a similar type of security solution before, either within DotNetNuke or through a proxy?

Creating Authentication and Authorization on ASP.NET, with ability to access LDAP

So, I've gotten weary with trying to search for my problem online.
I am currently creating an ASP.NET 2.0 application. The application currently is connected to a database which stores all the information I need to store. I also have connection to the LDAP directory at my workplace on it. I am using the LDAP directory for my application as everything is tracked by employee ids. I now need to add authentication and authorization.
Since my workplace is large, I need the ability to limit who has access to the website within the company as well as what they are allowed to do on the website. I know that ASP.NET has some sort of authentication and authorization, but I am completely oblivious as to how it works.
My current solution is to add a table to my database with two columns (employee id and access_id). The employee id can be used to pull information from LDAP about the employee whenever I need to. The access_id is a set of integers that represent what the user is allowed to see on the website.
When the user first starts a session on my website I use their nt id and pull the employee id from LDAP. I then look up all the access_id's and store them in an array for the session. Every time a user accesses part of the website, I check whether they have the access_id associated with that section and allow or disallow them based on that. My first access_id of 1 allows the user to see the webpage by setting the visibility of in C# as
if (access_id == 1)
    Enter.Visible = true;
What kind of LDAP directory are you using? If it's Active Directory, try:
http://msdn.microsoft.com/en-us/library/ff650308.aspx
or
http://msdn.microsoft.com/en-us/library/ff647405
You could also consider: http://msdn.microsoft.com/en-us/library/ff649313
If it's not AD, you could implement your own MembershipProvider: http://msdn.microsoft.com/en-us/library/f1kyba5e.aspx
It's better to use the framework(s) where you can and only roll your own code when you have to.

asp.net membership users with passwords and those without

I am trying to find a way to handle two types of users for an intranet system. There are users who login and there are those who do not. I need to store both types of users in the membership db. Does anyone have a common solution to this problem?
This is for an event booking system. The users who are in AD will see the app. We need to store the O/S Name along with a few other attributes from AD in our membership db. The O/S Name gets captured using the Request.ServerVariables(). We need to store those "requester" details along with other details about the event that is being booked. In addition to those users, there are users that actually log into the system. I was hoping to store both types of users in the membership db, so that when an event is retrieved, the user details will get retrieved from the membership db as wel
If you can use 'Integrated Windows Authentication' you have access to some information about the user connecting to your system.
Therefore you could use this information for the general case, without the login.
If a user then wants more access, he can log on to the site with a special username/pwd.
A membership DB would typically restrict access to a set of users for a particular application on an Intranet site. Only those who are in Active Directory as network users would even see the Intranet in the first place. And only a subset of those network users who have been granted privileges for your application in its membership system would see the link and/or be able to gain access in one role or another. Can you be a little more specific with respect to what you are trying to achieve? :-)

secure way to authenticate administrator in ASP.NET site using OpenID with DotNetOpenID

Encouraged by SO, I'm trying to write an ASP.NET site that uses OpenID for user authentication. It's a regular WinForms site (not MVC.NET), using the DotNetOpenId library for authentication.
Is it safe for me to permit/deny administrative functions on the site by simply comparing the current session's "ClaimedID" (as returned in the OpenIdLogin_LoggedIn event, as member DotNetOpenId.RelyingParty.OpenIdEventArgs.Response.ClaimedIdentifier) to a known administrator's OpenID (i.e. mine)?
If so, is it safe for this ID to be visible (e.g. in open source code), or should it be "hidden" in a configuration file or a database row? (I know it's better design to make it configurable, my question is just about safety.)
My solution is to follow the same idea of the Roles table. After you've authenticated the user, look up that user's roles. If the user has role "Administrator" in the UserRoles table, then they can do whatever the Administrator can do.
I don't broadcast OpenIDs in my app. They're stored in the table. On every action result, I'm hitting the Users table, since I have also modified mine to store various user state information. With the exception of the home page, there is going to be some user information that I need from that table. I'm using LINQ, so I include the .LoadWith() to load the User with his list of roles when it serializes.
Jarrett makes some good comments about using database tables.
Just to answer another one of your questions, no, it's not a confidentiality thing to put your OpenID in your code generally. If setting up roles seems overkill for your site, a simple equality check against your ClaimedIdentifier is just perfect.
