Selecting one account sometimes and multiple accounts other times on Plaid

I can see that Plaid allows configuring whether one account can be selected or multiple accounts can be selected via the account select configuration (https://plaid.com/docs/link/customization/#account-select), but does Plaid support allowing one account to be selected vs. multiple accounts to be selected based on some flag?

Yes.
As you mentioned, this setting is controlled by the account select configuration. The account select configuration itself is set up on a per-Link customization profile basis.
So, if you want to sometimes use account select in multi-select mode and sometimes use it in single-select mode, all you need to do is create two different Link customization profiles and associate one with multi-select and the other one with single-select. Then, when you call /link/token/create, specify which of the two customization profiles you want to use via the optional link_customization_name parameter.

Related

Grafana: Adding individual LDAP user using ldap.toml

I am looking for a solution on how to add a specific LDAP user to access Grafana. The current configuration I have in "ldap.toml" works for a group or multiple groups, but I am not sure how to add individual LDAP users. We want to add only a specific group and individual members to Grafana.
Note: I do not want to add users through the UI. I just wanted to check whether that is feasible or not.

Web App: How is administrator access usually done

Currently I'm building a web app. So far I only have regular users. However, due to some requirements I need to have special admin accounts for the app administrators. I'm wondering now how these are usually implemented. The requirement is that they use the same login mask as regular users and behave the same except for the additional capabilities. To differentiate, I could put an admin flag into the users' profile or put the admins into a separate table in my DB. Maybe the second option scales better for potential additional user groups. Also, how could these admins be signed up? I don't want to use predefined usernames I check against in the login handler. I know the question is rather general. I'm just looking for some directions.
Since you didn't give information about the platform(s) you are using, I can only give a theoretical answer. A simple "isadmin checkbox" will do the job for only separating normal users and admins, but if you need another user type such as "power users" etc., you will keep adding new columns to your table, which is not ideal. Basically you can use a "Role Based" or a "Permission" based approach. In Role based, as the name implies, you assign each user a role and give access to specific resources depending on the role. In the "Permissions" approach you define for each user the permissions they have (resources to access, actions they can perform). Also, you could combine these two approaches, where you assign each user his role and define permissions for each role.
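A sketch of the combined approach from the answer above (users get roles, roles get permissions), added here as an example and not taken from the original post. The table names, permission names and sample users are hypothetical, and SQLite stands in for whatever database the app uses.

```python
import sqlite3
# Hypothetical schema: a new user type is a new row in roles, not a new column.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL);
CREATE TABLE roles (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE permissions (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE user_roles (user_id INTEGER REFERENCES users(id),
    role_id INTEGER REFERENCES roles(id), PRIMARY KEY (user_id, role_id));
CREATE TABLE role_permissions (role_id INTEGER REFERENCES roles(id),
    permission_id INTEGER REFERENCES permissions(id), PRIMARY KEY (role_id, permission_id));
"""
# Constructed sample data: which permissions each role carries.
ROLE_GRANTS = {
    "user": ["post.create"],
    "power_user": ["post.create", "post.delete_any"],
    "admin": ["post.create", "post.delete_any", "user.manage"],
}

def grant_role(db, username, role):
    """Assign a role by inserting a row; returns False if nothing was added."""
    cur = db.execute(
        "INSERT OR IGNORE INTO user_roles (user_id, role_id) "
        "SELECT u.id, r.id FROM users u, roles r WHERE u.username = ? AND r.name = ?",
        (username, role))
    return cur.rowcount == 1

def build_demo_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",), ("carol",)])
    perms = sorted({p for ps in ROLE_GRANTS.values() for p in ps})
    db.executemany("INSERT INTO permissions (name) VALUES (?)", [(p,) for p in perms])
    for role, ps in ROLE_GRANTS.items():
        db.execute("INSERT INTO roles (name) VALUES (?)", (role,))
        db.executemany(
            "INSERT INTO role_permissions (role_id, permission_id) "
            "SELECT r.id, p.id FROM roles r, permissions p WHERE r.name = ? AND p.name = ?",
            [(role, p) for p in ps])
    grant_role(db, "alice", "admin")
    grant_role(db, "bob", "user")  # carol deliberately gets no role
    return db

def has_permission(db, username, permission):
    """Deny by default: True only if one of the user's roles carries the permission."""
    row = db.execute(
        "SELECT 1 FROM users u JOIN user_roles ur ON ur.user_id = u.id "
        "JOIN role_permissions rp ON rp.role_id = ur.role_id "
        "JOIN permissions p ON p.id = rp.permission_id "
        "WHERE u.username = ? AND p.name = ? LIMIT 1", (username, permission)).fetchone()
    return row is not None
```

Handlers check a permission name rather than a role or username, so admins log in through the same form as everyone else and become admins through a `grant_role` call made by an existing administrator or a deployment script.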

Setting permissions for certain actions in MTM

Is it possible to associate permissions for certain actions in MTM to predefined groups, so that the MTM UI will only allow the permitted actions to be active, hiding or disabling the unpermitted ones? For example, if we have two groups, Testers and Business Analysts, only users from the Testers group can create a new test case. So if we take a look at the image below, the New button will only be available for Testers and will be disabled for other groups, like the aforementioned Business Analysts for example.
Is it possible?
We cannot exactly achieve that, but we can set permissions on the area path for the specific group in TFS to permit or restrict access to edit or modify work items, test cases, or test plans assigned to those areas. It will have the same restriction in MTM.
Please follow the steps below to do that.
1. Go to the Area tab, right-click on the area your test plans belong to, and then click on "Security".
2. Grant rights for the specific groups to manage test plans (e.g., in your case set Allow for the Testers group and Deny for the Business Analysts group). Of course, you can also set other permissions as needed, e.g. Delete this node, Edit this node, etc.
Thus, the users in the Business Analysts group can click the New button but cannot save the work item; they will receive the error message ‘TF237111: The current user does not have permissions to save work items under the specified area path.’ when saving the test case.

Using openLDAP groups to authenticate users for different services

I am currently setting up a small server with several applications. Since no Active Directory etc is planned, but I do need a centralized user administration, I decided for LDAP since all applications are capable of authenticating against it.
I have already set up a domain "dc=example,dc=lan". It has two organizational Units. Groups and Users. My plan was, to create a posixGroup for every application, so that a user can be added to each group (if he/she was allowed to use this application).
The structure would then be (example):
for each group
cn=ejabberd,ou=groups,dc=example,dc=lan
where cn=ejabberd is of type "posixGroup"
and for users
cn=user1,ou=users,dc=example,dc=lan
where cn=user1 is of type "posixAccount"
Some, but not all, applications expect the "mail" attribute as login name. Some don't.
My problem is that searching for users in ou=users is easy as 1,2,3 - searching in "cn=ejabberd,ou=groups,dc=example,dc=lan" is simply driving me crazy, since the users are not a "child" of this group but a "memberuid" attribute.
I have tried different filters and thought about another setup.. Just cannot think of anything different making sense right now.
Am I running down the wrong way, or maybe just blind to what's right in front of me?
I'd be glad for any finger pointing out a direction.
So here is how I did it:
I created the following structure.
+dc=example,dc=com
  +ou=groups
  | +employees (PosixGroup)
  | +service1 (GroupOfNames)
  | +service2 (GroupOfNames)
  +ou=users
  | +user1 (User Account)
  | +user2 (User Account)
  etc..
Groups like "service1" and "service2" are of type "GroupOfNames". Furthermore I had to install the "memberOf"-Overlay so I could search for this exact attribute of a user.
This now gives me the possibility to tell each service to use a search filter that returns only the members of one special group, which will be granted access. For instance, ejabberd will use this filter:
"(&(objectClass=inetOrgPerson)(memberof=cn=ejabberd,ou=groups,dc=example,dc=com))"
Found this information on the following website. Just take care to write the filter case-sensitively! "memberOf" will not return any results, since the overlay in this example uses "memberof".
http://www.schenkels.nl/2013/03/how-to-setup-openldap-with-memberof-overlay-ubuntu-12-04/
I suggest you're on the wrong track. You don't want to authenticate by application, you just want to define overall roles that users can be in. The applications can then be defined to require certain role(s) per application function, web page, etc. As a limiting case, an application can be a role, but if you set out to define it that way you're overly limiting yourself.
To answer your immediate problem, you only have to search under the ou=Groups item for posixGroups which have memberUID={0} where {0} is the DN of the user. In other words the search filter is
(&(objectClass=posixGroup)(memberUID={0}))
Iterating those search results then gives you the DNs of all the groups of which he is a member.
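Both filters quoted in the answers above take a value supplied at login time, so that value has to be escaped per RFC 4515 before it is placed in the filter. The following is an added example, not code from either answer; the function names, the allowed login attributes and the sample inputs are assumptions made for illustration.

```python
ALLOWED_LOGIN_ATTRS = {"uid", "mail"}  # assumption: attributes the services log in with

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def service_login_filter(login_attr, login, group_dn):
    """Match one account only if it belongs to the service's group.

    Relies on the memberOf overlay; the attribute is spelled "memberof"
    as in the first answer.
    """
    if login_attr not in ALLOWED_LOGIN_ATTRS:
        raise ValueError("unexpected login attribute: %r" % login_attr)
    return "(&(objectClass=inetOrgPerson)(%s=%s)(memberof=%s))" % (
        login_attr, escape_filter_value(login), escape_filter_value(group_dn))

def posix_groups_filter(member):
    """The posixGroup filter from the second answer with {0} filled in safely.

    member is the value the directory stores in memberUID (in RFC 2307
    posixGroup entries, the account's uid).
    """
    return "(&(objectClass=posixGroup)(memberUID=%s))" % escape_filter_value(member)

def component_count(ldap_filter):
    """Count filter components; escaped parentheses appear as \\28 and are not counted."""
    return ldap_filter.count("(")

EJABBERD_GROUP = "cn=ejabberd,ou=groups,dc=example,dc=com"
# Constructed inputs: a normal login and one carrying filter metacharacters.
NORMAL = service_login_filter("uid", "user1", EJABBERD_GROUP)
HOSTILE = service_login_filter("uid", "user1)(objectClass=*", EJABBERD_GROUP)
```

With escaping in place the second input stays a single literal `uid` value, so the filter keeps the same structure and the group restriction still applies.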

How do I determine who has access to modify an active directory group

I'm working on creating an administrative interface that allows managing users in groups in Active Directory.
I would like to only show groups to the active user if the user actually has the rights to add or remove other users within those groups, but I'm not sure at this point, how to determine which people can modify the groups, or whether the current person has access to modify a specific group.
I suppose the application can find out after the user tries and we get an access error, but I don't like to use error trapping as a way of determining if some feature is available and I would prefer not to tempt the users with a list of groups they can't control.
If possible, please supply an answer that targets vb.net 3.5 using System.DirectoryServices.AccountManagement as that is the environment that I am currently working within. I can translate from C# if necessary.