SalesForce Case object not showing up under object settings in my permission set - permissions

It's showing up for other permission sets but not for mine. What am I missing?

Check if the permission set is limited to a particular license. If you're on Chatter Plus or, say, Platform user - you can see only certain standard objects.

Related

Showing "Forbidden" message when creating meetings MS Teams

I am trying to integrate the MS Teams API into my project. I have created an app in the Azure portal. I have added permissions User.ReadWriteAll and Meetings.ReadWriteAll. I can create a user through the API but I am not able to create a meeting. Is there anything else I need to do for creating a meeting using the API?
UPDATE
I gave delegated permission for creating the meeting, but I am unable to create the meeting.
Error Message
{code:"Forbidden",message:"Forbidden",innerError:{"request-id":"e1abb815-09d3-4b78-5063-39b0236c0968","Date":"2020-06-09T04:14:39"}}
Permissions
Screenshot of permission
You should check what kind of permissions are added for your app. To be able to create a meeting, only delegated permission OnlineMeetings.ReadWrite is supported - https://learn.microsoft.com/en-us/graph/api/application-post-onlinemeetings?view=graph-rest-1.0&tabs=http#permissions
If you have added an application permission, then the request for creating meetings won't work.
Update:
In the beta version of the MS Graph API, there is an OnlineMeetings.ReadWrite.All application permission which doesn't seem to be implemented yet. There is a note on the documentation page (https://learn.microsoft.com/en-us/graph/api/application-post-onlinemeetings?view=graph-rest-beta&tabs=http#permissions) that supports this.
"Creating an online meeting with an application token will be supported in the near future."
It depends on whether there is user interaction.
If you get access on behalf of a user, follow this way (app-user): just add delegated permission OnlineMeetings.ReadWrite. Please check.
If you get access without a user, follow this way (app-only): just add application permission OnlineMeetings.ReadWrite.All. (Please note that this method can only use the beta version, https://graph.microsoft.com/beta.) Please check the beta version.
Update:

Can you disable sharing of datasets in bigquery?

I am wanting to disable the "Share dataset" feature of bigquery.
For my use case I would like to disable this feature as you can't control what data can be shared and who with. This means datasets are shareable with anyone who has a Gmail account.
I've been experimenting with removing various IAM permissions and I can't seem to pin it down. I've also used Chrome dev tools to see what the API call is but I can't trace it back to how I can prevent the sharing of datasets.
If this cannot be disabled can you at least lock it down to a specific domain?
Try the following steps to restrict the share option.
1. Add the user to the IAM and don't assign any role.
2. Share the dataset with the user with Can view role.
3. Now the user can still see the Share dataset option, but if they try to share they will get the following error
As per the BigQuery permissions and roles matrix, only Admin, Data owner (BigQuery role), and the Owner of a dataset can share it. Make sure to give the least privilege needed to your users.
For example, give the respective user the bigquery.jobUser permission and share the dataset with him with "can edit" permission. This setup will not allow the dataset to be shared.

User roles vs. user permissions using apache shiro

I am trying to model some complex permission management system using apache shiro.
English not being my native tongue I am afraid I might be missing some of the subtleties of terms such as "Roles", "Permissions", "Rights" & "privileges".
For example, let's say I want to create a system that manages resources such as printers located inside buildings.
A DB holds the information of which printer is located in what building.
Users of that system should be able to reset a printer or print to it.
It's clear to me that some users will be "Super Admins" and be able to reset and print to any printer ('printer:*:*') - I guess that we could say that those people have a "Super Admin Role".
But what if someone should be allowed to reset the printers in a specific building ('building:A:*')? Is "Building Admin" a (parametric) role? Or is this just a permission on a specific building? How would you model this using Apache Shiro?
n.b.
When tagging this Q I added the user-roles tag and it says:"A user role is a group of users that share the same privileges or permissions on a system. Use this tag for questions about how user roles work in a particular security framework, or questions about the implementation of user roles in your program."
Would I be correct to assume that based on this definition there is no such role as a "Building Admin" because being an Admin of Building A does not give you the same permissions as does being an Admin of building B?
And if so, what would be the correct terminology to describe a "Building admin"?
Have you considered using more than three tokens within the WildCardPermission format?
There is no limit to the number of tokens that can be used, so it is up to your imagination in terms of ways that this could be used in your application.
— WildCardPermission Javadoc
Instead of the domain:action:instance syntax commonly used in Apache Shiro examples and documentation, you could add another token to represent the building, e.g. printer:print,reset:*:buildingA.
The downside of this scheme is that whenever you are checking if an action is permitted on a particular printer, you'd now also have to specify the location, even though the token representing the printer instance might already uniquely identify that printer:
// let's say the role for buildingA-admin has permission of "printer:*:*:buildingA"
subject.isPermitted("printer:print:epson123:buildingA"); // returns true
subject.isPermitted("printer:print:epson123"); // returns false
Depending on your application domain, maybe a structure like buildingA:printer:print,reset:epson123 might even be more appropriate or useful.
To answer your other question regarding user roles, you'd be correct to assume that if you have both buildingA-admin and buildingB-admin roles, they are different user roles, if the permissions assigned to them are not the same.
You might conceive a general user role of Building Admin for permissions that all admins for the different buildings might have in common, to avoid duplicating those permissions across the different building-specific admin roles.
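The building-as-fourth-token scheme from the answer above, as an added example that is not code from the original post: callers name only the printer and the building token is looked up, which removes the downside the answer mentions. It uses Shiro's WildcardPermission class (shiro-core on the classpath is assumed); the class name, the `required` and `permitted` helpers, the action set and the in-memory printer-to-building map are hypothetical stand-ins for the application's own code and DB.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;

public class BuildingScopedPermissions {
    // Constructed sample data standing in for the DB table of printer locations.
    static final Map<String, String> PRINTER_BUILDING =
            Map.of("epson123", "buildingA", "hp456", "buildingB");
    static final Set<String> ACTIONS = Set.of("print", "reset");

    // Hypothetical helper: builds the 4-token permission to check, looking the
    // building up so callers pass only the printer. Unknown actions and printer
    // ids are rejected, so no raw input (":", ",", "*") reaches the string.
    static Permission required(String action, String printerId) {
        String building = PRINTER_BUILDING.get(printerId);
        if (!ACTIONS.contains(action) || building == null) {
            throw new IllegalArgumentException("unknown action or printer");
        }
        return new WildcardPermission(
                "printer:" + action + ":" + printerId + ":" + building);
    }

    // Hypothetical stand-in for subject.isPermitted(): does any grant imply it?
    static boolean permitted(List<Permission> granted, Permission needed) {
        return granted.stream().anyMatch(g -> g.implies(needed));
    }

    public static void main(String[] args) {
        List<Permission> buildingAAdmin =
                List.of(new WildcardPermission("printer:*:*:buildingA"));
        List<Permission> superAdmin =
                List.of(new WildcardPermission("printer:*:*"));

        // Building A admin: a printer in building A, then one in building B.
        System.out.println(permitted(buildingAAdmin, required("reset", "epson123")));
        System.out.println(permitted(buildingAAdmin, required("reset", "hp456")));
        // A grant with fewer tokens implies every longer permission under it,
        // so the 3-token super-admin grant needs no building token.
        System.out.println(permitted(superAdmin, required("print", "hp456")));
        // The reverse does not hold: a 3-token check against the 4-token grant
        // is refused, which is why the lookup in required() is needed.
        System.out.println(permitted(buildingAAdmin,
                new WildcardPermission("printer:print:epson123")));
    }
}
```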

Developer access and when a token is valid

I apologise if the title is a little confusing, but I was a little stuck with the wording.
I'm currently working on a section of an application to allow users to grant developers access to their data through the application. This comes in a little 'Allow Some great app to access your account with the following permissions'. The application developer adds the required permissions, then when the user goes to authorize the application, these permissions are displayed. If the user is happy to grant these permissions, the user shall press 'Grant'. This means that the user has agreed to every permission that has been displayed, and therefore this generates an API access token for the relevant application.
The issue now is that it has come to attention that people may want to remove these permissions at a further date. At the moment, if the user would like to remove permissions, all permissions will be removed or disabled. The reasoning behind this is that if a single permission is removed from the application, the token that they authorized with is technically invalid as it does not have the permissions that were given to it when first creating the token.
Whilst this seems logical, there are also circumstances where the user would want to deny access for the third party application for a single feature (eg. The external application had a bug that was creating bad behaviour in a certain area, but was working fine in another area).
Would anybody be able to throw their two cents into this, as I'm having a hard time understanding if it's best to allow modifications to a single permission in the event of problems, or to simply have to disable the application.

Plone does not fully recognize manage_setLocalRoles changes

I have a script that is using manage_setLocalRoles to assign a specific role to certain users specified. See below for snippet.
context.manage_setLocalRoles(username, ('Editor', 'Reviewer'))
context.reindexObjectSecurity()
After that script runs, you can go to the Sharing tab of the page and see the user specified with Reviewer and Editor checked. However, that user does not have any of the rights that go with those roles.
For testing, I have performed the following checks
context.getMyRolesInContext() does not return any of the roles set above.
context.get_local_roles_for_userid(username) only displays the roles set above, and not any global roles set (when testing as site manager and the like).
context.portal_membership.checkPermission("Modify portal content") returns a False.
With Editor role I should have Modify portal content permission. I did verify in the workflow of the content type to make sure the roles are set correctly for the permissions in each state. And as a double check, I ran this script on the content.
username = context.getCurrentUserName()
roles = context.rolesOfPermission('Modify portal content')
member = context.portal_membership.getMemberById(username)
for role in roles:
    if role['selected'] != '':
        print role['name']
        print member.has_role(role['name'], context)
return printed
This was my result:
Editor
0
Manager
1
Reviewer
0
Site Administrator
0
Those results are from my site manager role, but after I ran the manage_setLocalRoles on my user to add Editor and Reviewer.
Any thoughts as to why the roles aren’t recognized everywhere? Or am I using the wrong process for what I am trying to accomplish?
NOTE - I have already looked at this answer, and as my code reflects I am already doing what it suggests.
EDIT
Adding versions per comment. We have quite a few add-ons, but none of them seem like they would be related. Mostly jQuery integrations, and types like PFG, True Gallery, FullCalendar. We are using a custom theme and all custom content types and workflows. Excluding the content type I am currently creating for this project both the theme and all other content types were created before I got here. The types are Archetypes extensions.
OS - Red Hat Enterprise Linux Server release 5.11 (Tikanga)
Plone - 4.3.2
Products.ATContentTypes - 2.1.13
AccessControl - 3.0.8
The problem boiled down to case sensitivity. Our users are fed from an Active Directory plugin. Some of the usernames are all caps, and others are all lower. Somehow the username being used in my set roles command was always lowercase. As a result, user was getting the roles, when it should have been USER.
My solution was to first get the actual member from portal_membership, then grab the username from the member.
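from Products.CMFCore.utils import getToolByName

pm = getToolByName(self, 'portal_membership')
# Look the member up first so the username is taken in its stored case
member = pm.getMemberById(username)
self.manage_setLocalRoles(member.getUserName(), ('Reviewer', 'Editor'))
self.reindexObjectSecurity()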
Apparently getMemberById() is not case sensitive, and it returns the correct username in the correct case. So I was just missing that extra check/filter.