Is there any way to overwrite permission to share drive item to specific users only?
e.g.
Case 1:
File1 is shared with User1. I want to share File1 to User2 only using graph api which can also remove User1 from share list.
Currently, Graph APIs are available to add the permission and to delete permission separately.
But, I need to deal with a lot of files to update the permissions and for each file I need to take difference of permissions (User list already shared and User list needs to be updated to share item) for drive item to delete the permission to remove User from share list.
Case 2:
Another case is to make File private to the user. Is there any way to make file private directly(possibly single api call)?. Currently, I have to delete each user permission from shared list(5 calls to delete permissions if file is shared with 5 users). Again, I am dealing with a lot of files.
[Edited]
More info: My use case is for Direct Access permission and Not link-based permission.
According to your scenario, I think you can create a sharelink for a file by using the following API: /sites/{siteId}/drive/items/{itemId}/createLink and grant access to sharelink accordingly.
Refer to the documentation here on accessing shared drive items.
If this doesn't help, consider raising user voice for your specific scenario so that it goes into our backlog.
Related
My team is attempting to move towards templatization of our services and their infrastructure.
We have found it to be extremely time-consuming to determine the set of permissions required to execute or update a given Cloudformation template. Our process is:
Create a user with permissions cloudformation:CreateStack and/or cloudformation:UpdateStack
Have that user attempt to create/update the specified stack
Observe which missing permission caused the stack operation to fail
Add that permission to the user
Go to 2.
The alternative to this would be to create a "God User" who has unlimited permissions and have that user execute the create/update - which seems to violate the Principle Of Least Privilege
Alternatively, is there a tool that can list "what permissions have been exercised by a given user in the past N minutes?". If such a tool existed, we could create the "God User", have them execute the template, and then create a more limited-scope user that has precisely the permissions that the God User had used.
There is no simple way/tool to do this.
Here are a couple of approaches you can try-
Using an User that has Admin priviledges, create the Stack. Once done, wait for 15-20 minutes for CloudTrail to populate. Now in CloudTrail list the API calls made by the 'Event Source' - 'cloudformation.amazonaws.com'. That should be roughly all the API calls required. There can be a few more calls required, for other operations as you keep on adding functionalities to the Resources. Again, you would need to figure that out this way.
Create a CFN service role , and add admin privileges to this Role. Use this Role to create/update/delete the Stacks. Allow the IAM users only iam:PassRole and cloudformation:* . However, users will be able to create different resources using CFN.
Use Service Catalog and create Products. Service Catalog Products are CFN Templates which can be launched by a specific user/Role/Group. The user does not need permission to create/modify the Resources in a Stack/Product. Also the end user cannot change the Product to add more Resources. Here's a great video that explains this stuff : https://www.youtube.com/watch?v=A9kKy6WhqVA
Hope this helps...
I am wanting to disable the "Share dataset" feature of bigquery.
For my use case I would like to disable this feature as you can't control what data can be shared and and who with. This means datasets are shareable with anyone who has gmail account.
I've been experimenting with removing various IAM permissions and I can't seem to pin it down. I've also used chrome dev tools to see what the API call is but I can't trace it back to how I can prevent the sharing of datasets.
If this cannot be disabled can you at least lock it down to a specific domain?
Try the following steps to restrict the share option.
Add the user to the IAM and don't assign any role.
Share the dataset with the user with Can view role
Now the user can still see the Share dataset option, but if they try to share they will get the following error
As per BigQuery permissions and roles matrix only Admin, Data owner(BigQuery role), and the Owner of a dataset can share it. Make sure to give the least privilege needed to your users.
For example, give the respective user the bigquery.jobUser permission and share him the dataset with "can edit" permission. This setup will not allow the dataset to be shared.
I am using the Slack API to upload files. https://api.slack.com/methods/files.upload
If you include a channel when you upload a file to it becomes accessible to everyone in that channel, otherwise it is only available to the person who created the API key. Also, when a file is posted to a channel it displays as the user who created the API key.
Questions
Is a way to share with everyone on a team without posting the file in a public channel?
Is there a way to upload a file as another user or as a bot?
I tried files.sharedPublicURL, but these links allow anyone to view files. I want to make file accessible only to a slack team.
There is an option when on the channel info pane when you click "View all file in #channel" to "Include files from integrations & bots". This seems to indicate that it is possible to upload files as a bot.
Sure, by choosing in which channels you share the file, you can control who can see it. That also works with private channels.
No, a file must always belong to a user, a bot would not be sufficient. Also the file is always owned by the user linked to the access token used. If you want to rather use a generic user, A workaround is to create a generic user fort you Slack that is only used for bot-related tasks. (Mine is called slackadmin)
I am developing a POC (SahrePoint 2010) where I can demonstrate that the users can be granted certain permissions on a list for a Date range (for example contribute access for a selected week). I will be breaking permission inheritance and create unique permissions for a list.
I would like the permissions to be revoked automatically after the expiry date. Also, I would like to do this using the Manage Permissions list (_layouts/user.aspx) so that I don't have to maintain a separate list.
I have a couple of questions regarding this:
1. I assume that the custom permissions for any list must be stored n some list. How can get to know in which list the permissions are getting stored?
2. If at all I get to know in which list the permissions are getting stored, will I be able to add columns to that particular list?
I hope that the question is clear.
Permissions are not stored in any list. Rather, every securable object (including sites, lists, folders, and items) has a Role Assignments property that indicates what groups/users currently have access, and what their permissions are (if not inherited).
See the SPRoleAssignment class documentation for more information.
Note that the User Information list is not a "Manage Permissions" list; it stores profile information about users who access the site, but does not store any permission-related information. Further, it's not a typical list at all, in that it does not show up in the SPWeb.Lists collection for a subsite, and its fields are automatically populated by SharePoint's User Profile Service. While you could potentially add more columns to it, you'd be better off using a separate list to store and track your permission information instead of contaminating the site collection user info list.
To have permission changes take place based on an expiry date, you'll need to implement a time-based solution that runs on a regular basis to see if any changes need to be made, such as a custom timer job, a custom site workflow that runs on a schedule, or a Windows scheduled task.
I'm using user defaults to store my app data.
I have some global data that is relevant for all users on the same machine.
How can I share this data between them?
NSUserDefaults' initWithSuiteName did not work.
The only workaround I found it to write to a hidden file in the root folder, but that is too visible to the users.
You can use the /Users/Shared directory like iTunes & the App Store.
The closest you could do is to make all of the users be members of a single group, then make a group writable file with the shared data. It could be a plist and it could even be accessed via the defaults API, assuming you don't need multiple simultaneous write access.
You could use CFPreferences APIs instead of NSUserDefaults, passing kCFPreferencesAnyUser as the user name parameter. However, setting defaults for all users requires admin privileges.