In Google BigQuery, I want to restrict an assigned role for the table delete action, so that users can only delete tables they created themselves.
I assume, that it's (only?) possible with Condition Editor using CEL expressions (see https://cloud.google.com/iam/docs/conditions-overview#cel).
Since I'm not familiar with CEL, I ask for some hints how to write a condition like
resource.creator == current_user
But I have no clue about the syntax, the available CEL variables and how to reference them.
Condition Builder doesn't provide user details, does it?
Related
Given my tabular model, I'm attempting to write a measure that changes behavior, depending upon which role the effective user belongs to. This isn't traditional row-level security (RLS) since I'm not trying to filter by role; just do an if-else, instead.
I've come across the following solution at https://community.powerbi.com/t5/Desktop/DAX-Expression-For-Role-Level-Security-Using-DirectQuery/td-p/489699, which I believe will work, but I'd prefer querying active directory to see if the user belongs to said role, rather than another table on the model.
I've also seen some articles (i.e. https://community.powerbi.com/t5/Desktop/How-to-leverage-Active-Directory-to-filter-the-data-in-Power-BI/td-p/140479) about getting attributes from active directory for Power BI, but nothing that exposes the DAX being used.
Bottom line, if I could get a role name in DAX or call a function to check if the user is in a role, I'd be golden (assuming performance isn't compromised).
Edit: I should add that I'm currently leveraging one of three functions to get the user. USERNAME(), USEROBJECTID(), and USERPRINCIPALNAME().
I ended up giving up on leveraging active directory and did what it appears everyone else is doing (as seen in one of the links posted in my question).
For reference, here's a snippet that illustrates the solution:
EVALUATE
SUMMARIZECOLUMNS (
    "Some Measure",
    IF (
        LOOKUPVALUE('My User'[UsePrivilegedValue], [Name], USERNAME()),
        SUM('Some Fact'[PrivilegedValue]),
        SUM('Some Fact'[OtherValue])
    )
)
I have a cabinet say "tcabinet" in a repository "trepository".
In this repository there are multiple users however their access is restricted by adding the cabinet IDs to the restricted_folder_ids column in dm_user object.
The user has access to the ACL. But still they can not see tcabinet as their access is restricted. There are thousands of such users.
For these users to see the tcabinet. I'll have to add the object id of tcabinet to restricted_folder_ids column of each user which would definitely be a large task.
Is there any way to make them able to see the cabinet without adding the cabinet id to each user?
As confirmed by OpenText also, there is no other way to achieve this. However we can add the cabinet to everyone's 'restricted_folder_id' attribute in dm_user table.
UPDATE dm_user object
APPEND restricted_folder_ids='<Object ID of the Cabinet>'
WHERE user_name='<user_name>'
NOTE: If you are using this method, make sure to filter out the users who do not have any existing 'restricted_folder_id' in dm_user table, else this method will restrict the access of these users to a single folder which might not be the intention.
I am trying to write a query that 1) works and 2) shows meaningful information.
However, I can't seem to complete both scenarios. Both bits of code do work to a degree. My SQL query does work by showing all the useful information a user wants but when you click the edit button it doesn't link properly so it won't allow the user to update that row. The other shows only keys and rowid but when you click edit does show the information and allows it to be updated.
So as not to get another down-voted question, I have taken pictures of each scenario to show the problem, but, ultimately, I need to show meaningful information: an id or key isn't meaningful to the vast majority of users.
Here is my code
SELECT APPLICATIONS.APP_ID, APPLICATIONS.SRN, STUDENTS.SURNAME, STUDENTS.FORENAME, APP_STATUS.STATUS, METHODS.METHOD, JOBS.JOB_TITLE, APPLICATIONS.APP_DATE
FROM APPLICATIONS
JOIN STUDENTS
ON APPLICATIONS.SRN = STUDENTS.SRN
JOIN APP_STATUS
ON APPLICATIONS.STATUS_ID = APP_STATUS.STATUS_ID
JOIN METHODS
ON APPLICATIONS.METHOD_ID = METHODS.METHOD_ID
JOIN JOBS
ON APPLICATIONS.JOB_ID = JOBS.JOB_ID;
and here are the pictures of it in action
Below is the code that does not show meaningful information but does work.
select "ROWID",
"APP_ID",
"SRN",
"STATUS_ID",
"METHOD_ID",
"JOB_ID",
"APP_DATE"
from "#OWNER#"."APPLICATIONS"
If I knew how to properly use rowid I am sure this is a simple feat, but I don't, so if I could get any help it would be useful.
//edit
Whoever renamed this to Application Expression, why? What I am using is Apex Application Express. It was relevant information that got changed to something wrong, which might make it hard for someone with a similar problem to find later.
In the second, simple query, APEX can determine which table (and record) you are trying to edit.
In the first query, with the joins, it can't tell which of the five tables in the query you want to edit. You probably want to have the edit link pass the primary key of the row from APPLICATIONS to the child page. You would need to build into that page any logic (lists of values etc.) that maps lookup tables (such as status) to the values needed in the APPLICATIONS table.
I would like to join the user object and project permission object to see how many users have been assigned to a project, for audit purposes. I don't see a common field with common values (email address or first name/last name) between these objects. I used the Excel plugin to retrieve two separate data sheets and am unable to map them. Any thoughts on how to do this?
You're probably seeing something similar to the following when you query on ProjectPermissions:
In this situation, the default User object selected from the "Columns" picker in the query dialog, gives you the User's DisplayName, which doesn't unambiguously map to a Rally UserID.
Note, however, that you can add dot-notation sub-fields of Objects manually by typing them into the Columns field. In the following example, I've included User.Username and User.LastLoginDate as additional fields I want to show on the Permissions report:
Of course, you could also just include User.Username, and run a second query on the User object with all fields selected, and do a join in Excel.
One note of caution - if you have many users (say 1,000), and a lot of projects, (say 1,000, which is not uncommon in large Rally subscriptions), querying directly against the ProjectPermissions endpoint can rapidly result in total results that number on the order of 10^6. This will probably time out in an Excel query.
The Rally User Management: User Permissions Summary script works around this by querying Permissions in a loop on a user-by-user basis. It's slow, but it returns results without timeouts. Certainly not as convenient as Excel either - you need to install Ruby 1.9.2+ and the rally_api gem to get it working.
Hi, does anyone know how to check if a given DB object (Table/View/SP/Function) is used inside Oracle?
For example, to check if the table "A" is used in any SP/Function or View definitions. I am trying to clean up unused objects in the database.
I tried the query select * from all_source WHERE TEXT like '%A%' (A is the table name). Do you think it is safe to assume it is not being used if it does not return any results?
From this ASKTOM question:
You'll have to enable auditing and then come back in 3 months to see.
We don't track this information by default -- also, even with auditing, it may be very
possible to have an object that is INDIRECTLY accessed (eg: via a foreign key for
example) that won't show up.
You can try USER_DEPENDENCIES but that won't tell you about objects referenced by code in
client apps or via dynamic sql
There's code in the thread for checking ALL_SOURCE, but it's highlighted that this isn't a silver bullet.
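The two checks named above, combined into one query as an added example (not code from the question or from the AskTom thread): recorded dependencies from ALL_DEPENDENCIES, plus whole-word mentions in ALL_SOURCE that have no recorded dependency and so are candidates for dynamic SQL or comments. The owner APP_OWNER is a hypothetical placeholder; A is the table name from the question.

```sql
-- Added example. APP_OWNER is a hypothetical schema name; replace it and 'A'
-- with the object you are about to drop.
WITH target AS (
    SELECT 'APP_OWNER' AS owner, 'A' AS name FROM dual
)
-- 1) Static references Oracle recorded when the dependent object was compiled
--    (views, procedures, functions, packages, triggers, ...).
SELECT 'DEPENDENCY'                  AS evidence,
       d.owner, d.name, d.type,
       CAST(NULL AS NUMBER)          AS line,
       CAST(NULL AS VARCHAR2(4000))  AS text
FROM   all_dependencies d
JOIN   target t
       ON  d.referenced_owner = t.owner
       AND d.referenced_name  = t.name
UNION ALL
-- 2) Source lines that mention the name as a whole identifier but have no
--    recorded dependency: typically EXECUTE IMMEDIATE strings or comments.
--    The regex avoids the LIKE '%A%' problem of matching every line that
--    merely contains the letter A.
SELECT 'SOURCE TEXT ONLY', s.owner, s.name, s.type, s.line, s.text
FROM   all_source s
CROSS JOIN target t
WHERE  REGEXP_LIKE(s.text,
                   '(^|[^A-Za-z0-9_$#])' || t.name || '([^A-Za-z0-9_$#]|$)',
                   'i')
AND    NOT EXISTS (
           SELECT 1
           FROM   all_dependencies d
           WHERE  d.owner            = s.owner
           AND    d.name             = s.name
           AND    d.type             = s.type
           AND    d.referenced_owner = t.owner
           AND    d.referenced_name  = t.name
       )
ORDER  BY 1, 2, 3, 5;
```

An empty result only covers code stored in the database and visible to the querying user; client applications and SQL assembled from string fragments at run time still need the auditing approach quoted above.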