How to check access rights, using Cypher, to assets to which users are not directly connected? - cypher

We have a bunch of files and we want only users belonging to a certain department to have access to a specific set of files. We want to create a system that would, upon swiping the card, allow access to files.
I don't want to have multiple relations from each user to each file, but I'd rather have it compartmentalized.
What would the Cypher query for this look like?

With the following command, you can now check the access rights of a person or department with a graph database.
The MATCH clause tries to find a pattern where the Person node with the username “jsmith” and the File node with the name “apendix.pdf” are connected within 2 hops with relationships of type BELONGS_TO or HAS_ACCESS_TO.
In summary, the query checks if Mark BELONGS_TO a certain team which HAS_ACCESS_TO a file or whether there is a direct relationship between Person and File with HAS_ACCESS_TO type.
MATCH path=(p:Person {username:"jsmith"})-[:BELONGS_TO|HAS_ACCESS_TO*..2]->(f:File {name:"apendix.pdf"})
RETURN *;

Related

How can I migrate Exchange Groups to Google Groups?

I'm looking for a way to migrate data from LDAP-hosted groups to Google Groups.
With GCDS only the users are migrated, but I would like to migrate the data, do you know any way?
Thanks team
I've migrated groups between different directories using custom-written scripts. This requires some type of mapping between IDs. That is, if I know the fully qualified DN of each member within the LDAP-hosted group, I can match that up to a record in the new directory -- e.g. cn=lisa,ou=users,o=example has uid lisaj, and there's a corresponding account with the logon id lisaj in the new directory. I've had to do migrations where there was no direct correlation available within the two directories, and successfully linked the two systems using a text file with cross-reference info. A line in the file might say "lisaj 019485-B9184A-9284C-1949" to map my user id in the old system to a record identifier in the new one.
Basic process:
Connect to source LDAP
Find all in-scope groups
For each in-scope group, get member list
Find the corresponding group in the new directory (if none exists, create it)
For each member, find corresponding account in new directory
Add member to group in new directory (https://developers.google.com/admin-sdk/directory/v1/reference/members/insert for Google Groups, https://github.com/alfasin/Google-Admin-Directory-API has some Python examples)
As a one-off process, it's pretty simple. If you need the two directories to remain in sync for some time, the script becomes a little more complicated. Assuming the old directory is "authoritative" (the one with the 'right' data -- and you can only make changes in one of the directories, otherwise it's impossible to tell which members actually should be in the group), you need to check the new directory group for any members that aren't a member of the old directory group and remove them as well as add any old directory group members that aren't in the new directory group yet. I generally add a "last modified" constraint to the filter used to locate groups in the old directory -- e.g. find all group objects where the lastModified timestamp is in the past 24 hrs -- to avoid continually reprocessing data for groups that haven't changed.
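The reconciliation step described in the answer above, as an added example that is not part of the original answer: it maps source member DNs through a cross-reference file and computes what to add to and remove from the new directory's group. The function names, the held-removals safeguard, and every DN and id other than the "lisaj" line quoted above are constructed for illustration; lowercasing DNs stands in for proper DN normalization.

```python
# Added example: plan one group's membership sync with the old directory
# as the authoritative side. All DNs, ids and records are constructed.

def load_xref(lines):
    """Parse 'old_uid new_record_id' lines (the cross-reference text file)."""
    xref = {}
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        if len(fields) != 2:
            raise ValueError(f"xref line {n}: expected 2 fields")
        xref[fields[0].lower()] = fields[1]
    return xref


def plan_group_sync(source_member_dns, uid_by_dn, xref, target_member_ids):
    """Diff one group. Removals are held back while any source member is
    unmapped, because that member may be one of the 'extra' target ids."""
    wanted, unmapped = set(), []
    for dn in source_member_dns:
        uid = uid_by_dn.get(dn.lower())  # uid attribute of the member entry
        new_id = xref.get(uid.lower()) if uid else None
        if new_id is None:
            unmapped.append(dn)
        else:
            wanted.add(new_id)
    current = set(target_member_ids)
    extra = sorted(current - wanted)
    return {
        "add": sorted(wanted - current),
        "remove": [] if unmapped else extra,
        "held": extra if unmapped else [],
        "unmapped": unmapped,
    }


XREF = load_xref(["# old_uid new_id", "lisaj 019485-B9184A-9284C-1949",
                  "bobk 77A1-constructed-0002"])
UID_BY_DN = {"cn=lisa,ou=users,o=example": "lisaj",
             "cn=bob,ou=users,o=example": "bobk",
             "cn=temp,ou=users,o=example": "tempx"}  # tempx has no xref line
TARGET = ["019485-B9184A-9284C-1949", "stale-constructed-0009"]

if __name__ == "__main__":
    print(plan_group_sync(list(UID_BY_DN), UID_BY_DN, XREF, TARGET))
```

Holding removals while any member is unmapped keeps a gap in the cross-reference file from silently revoking someone's group access; the "held" list is what to review by hand.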

Is it possible to show additional cabinets to a user even if it is not added in restricted_folder_ids?

I have a cabinet say "tcabinet" in a repository "trepository".
In this repository there are multiple users however their access is restricted by adding the cabinet IDs to the restricted_folder_ids column in dm_user object.
The user has access to the ACL. But still they can not see tcabinet as their access is restricted. There are thousands of such users.
For these users to see the tcabinet, I'll have to add the object id of tcabinet to restricted_folder_ids column of each user which would definitely be a large task.
Is there any way to make them able to see the cabinet without adding the cabinet id to each user?
As confirmed by OpenText also, there is no other way to achieve this. However we can add the cabinet to everyone's 'restricted_folder_id' attribute in dm_user table.
UPDATE dm_user object
APPEND restricted_folder_ids='<Object ID of the Cabinet>'
WHERE user_name='<user_name>'
NOTE: If you are using this method, make sure to filter out the users who do not have any existing 'restricted_folder_id' in dm_user table, else this method will restrict the access of these users to a single folder which might not be the intention.

How to join two objects in Rally

I would like to join the user object and project permission object to see how many users have been assigned to a project, for audit purposes. I don't see a common field with common values (email address or first name/last name) between these objects. I used the Excel plugin to retrieve two separate data sheets and am unable to map them. Any thoughts on how to do this?
You're probably seeing something similar to the following when you query on ProjectPermissions:
In this situation, the default User object selected from the "Columns" picker in the query dialog, gives you the User's DisplayName, which doesn't unambiguously map to a Rally UserID.
Note, however, that you can add dot-notation sub-fields of Objects manually by typing them into the Columns field. In the following example, I've included User.Username and User.LastLoginDate as additional fields I want to show on the Permissions report:
Of course, you could also just include User.Username, and run a second query on the User object with all fields selected, and do a join in Excel.
One note of caution - if you have many users (say 1,000), and a lot of projects, (say 1,000, which is not uncommon in large Rally subscriptions), querying directly against the ProjectPermissions endpoint can rapidly result in total results that number on the order of 10^6. This will probably time out in an Excel query.
The Rally User Management: User Permissions Summary script works around this by querying Permissions in a loop on a user-by-user basis. It's slow, but it returns results without timeouts. Certainly not as convenient as Excel either - you need to install Ruby 1.9.2+ and the rally_api gem to get it working.

Suborganizations and Unique id

I can successfully authenticate my application with ApacheDS.
But now I use only one domain.
I want to add subdomains or sub organizations under the root domain.
For example a root organization as
dc=example,dc=com
and sub organizations dc=x
another sub organization dc=y
Now I can authenticate users using the uid attribute
like:
user-search-filter="(uid={0})"
I use a login name like user1, without an # extension.
But I want to have suborganizations and I want to use user1#x.example.com
Is it possible and how?
My application is a Spring application but I think the subject is independent from my application side.
The attribute defined in the LDAP standards track for email addresses is mail, rfc822mailbox, or 0.9.2342.19200300.100.1.3 as defined in RFC4524. Perhaps your filter should be an attribute assertion using one of those types, for example, user-search-filter="mail={0}".
I am not sure what is meant by "manually". LDAP does not have a concept of organizations, only entries that might belong to an organization. These entries might have a mail attribute if the entry belongs to an objectClass that allows or requires the mail attribute. In other words, if your filter is mail={0} (which might become mail=user1#x.example.com), then a search using that filter (given the appropriate base object and scope) will return all entries that have a mail attribute with the value user1#x.example.com irrespective of where that user is located and irrespective of the value of the uid attribute.
If the users in an organization can be identified some other way, perhaps by organization or other attribute, then the filter could be:
(&(uid={0})(o=x))
or
(&(uid={0})(o=y))
One way or another, the users' entry must be identifiable by the contents of the entry. The primary key in an LDAP database is the distinguished name (uid=abc,dc=x,dc=example,dc=com) but attributes in the entry can be used to tighten the filter. Some alternatives are:
use unique identifiers (all uid or mail values are unique in the database, therefore, only one is ever returned to a search request)
use an attribute to identify users in an organization (like o in the example filters above)
use a dynamic group to generate a list of users in an organization.
consider using an extensible match filter to make values in the distinguished names be part of the filtering process
see also
using ldapsearch - the article is about the ldapsearch command line tool, but the concepts are useful when constructing search requests
mastering search filters
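One way to build the (&(uid={0})(o=x)) style filter from a login such as user1#x.example.com, as an added example that is not part of the original answer. The '#' split, the ROOT_DOMAIN constant, the function names, and the assumption that each entry carries an o attribute matching its sub-organization are all illustrative; the escaping follows RFC 4515 so that characters typed into the login field cannot alter the filter's structure.

```python
# Added example: turn a login like "user1#x.example.com" into the filter
# (&(uid=user1)(o=x)). ROOT_DOMAIN and the '#' split are assumptions.

ROOT_DOMAIN = "example.com"  # assumed, from dc=example,dc=com in the question

# Characters RFC 4515 requires to be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a user-supplied string for use as an LDAP filter value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(login):
    """Split 'uid#org.<ROOT_DOMAIN>' and return an escaped search filter."""
    uid, sep, domain = login.partition("#")
    suffix = "." + ROOT_DOMAIN
    if not sep or not uid or not domain.lower().endswith(suffix):
        raise ValueError("login must look like uid#org." + ROOT_DOMAIN)
    org = domain[: -len(suffix)].lower()
    if not org or "." in org:
        raise ValueError("exactly one sub-organization label expected")
    return "(&(uid=%s)(o=%s))" % (escape_filter_value(uid),
                                  escape_filter_value(org))


if __name__ == "__main__":
    # Constructed sample logins; the second contains filter metacharacters.
    for sample in ("user1#x.example.com", "jo*(n)#y.example.com"):
        print(sample, "->", build_user_filter(sample))
```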

LDAP command to delete all users attached to a group

Is there any LDAP command to delete all users attached to a specific group? Assume there are user1, user2, user3 assigned to group G1. I want to delete all the users attached to group G1.
Users are not attached to a group, entries are members of a group. To delete all entries that are members of a group, execute a search that will return all of distinguished names that are members of the group:
make the base object of the search the distinguished name of the group
use (&) or (objectClass=*) for the filter. Some directory servers, for example Sun DSEE in certain versions fail to properly parse the filter (&)
use base for the search scope
request the attribute type whose values are the distinguished names of the members of the groups. This varies, but could be something like uniqueMember
Then, transmit a delete request for each distinguished name returned from the above search.
Some servers support referential integrity, if so, the members of the group will be deleted at the same time as the entries are deleted.
See also
LDAP: Programming Practices
LDAP: Search best practices