OpenLDAP - how to grant write access but without modify or delete? Is there any option?

I have a case like this: I want my PHP application to create accounts for employees in my OpenLDAP directory, so I have created a dedicated account for this specific app and I'm going to use it only in this app. The next thing is to give this account permission to write in ou=people,dc=example,dc=com; I have no problems with it: I used olcAccess: {2}to dn.subtree="ou=people,dc=example,dc=com" by dn="cn=app.name,ou=systems,dc=example,dc=com" write by * read and all works OK. But now I want this app to have only permission to create new users in this OU, just to be sure the app's developers won't accidentally mess something up and delete all users from the directory.
I'm looking for something like MySQL grants, e.g. a user can INSERT into tables but can't DELETE, UPDATE or DROP. Is there any possibility? I've looked into the OpenLDAP documentation and it only talks about write or manage permissions :(
Thanks!

From the documentation:
To add or delete an entry, the subject must have write access to the entry's entry attribute AND must have write access to the entry's parent's children attribute.
From this, it seems like you could grant the PHP app's service account write permissions only to the parent OU entry but not on the user entries it creates. Since modification and deletion both require write permissions on the entry being modified or deleted, this should restrict the service account to your needs.
I am not sure exactly what the rule would look like, but try this:
olcAccess: {2}to dn.base="ou=people,dc=example,dc=com" by dn="cn=app.name,ou=systems,dc=example,dc=com" write by * read
Note that I replaced dn.subtree with dn.base.
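As an added example (not part of the answer above), here is a least-privilege version of the rule that uses the separate add level available in OpenLDAP 2.4 and later instead of write, followed by a check that the service account can add entries but not delete or replace them. It assumes the database is olcDatabase={1}mdb, that slapd is reachable over ldapi:/// with SASL EXTERNAL root access, and that APP_PW holds the service account's password.

```shell
# Added example, not the original answer's rule. Assumes olcDatabase={1}mdb,
# slapd on ldapi:/// with SASL EXTERNAL root access, and APP_PW set.
APP_DN='cn=app.name,ou=systems,dc=example,dc=com'
PEOPLE='ou=people,dc=example,dc=com'

# LDIF that replaces the single {2} "write" rule from the question with
# add-only rules. "add" lets the account add entries and attribute values
# (it can still append values to existing entries); deleting or replacing
# values and deleting entries need "delete" or "write", which it never gets.
# Rule order matters: slapd applies the first "to" clause that matches.
acl_ldif() {
  cat <<EOF
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {2}
-
add: olcAccess
olcAccess: {2}to dn.base="$PEOPLE" attrs=children
  by dn.exact="$APP_DN" add
  by * read
olcAccess: {3}to dn.one="$PEOPLE" attrs=entry
  by dn.exact="$APP_DN" add
  by * read
olcAccess: {4}to dn.one="$PEOPLE"
  by dn.exact="$APP_DN" add
  by * read
EOF
}

# Run an LDAP client tool bound as the service account.
as_app() { cmd=$1; shift; "$cmd" -x -H ldapi:/// -D "$APP_DN" -w "$APP_PW" "$@"; }

# Check the result: the add must succeed, while the delete and the replace
# must be refused with "Insufficient access (50)". Remove uid=acltest
# afterwards as the rootdn; by design the app account cannot.
verify_acl() {
  printf 'dn: uid=acltest,%s\nobjectClass: inetOrgPerson\nuid: acltest\ncn: ACL Test\nsn: Test\n' "$PEOPLE" | as_app ldapadd
  as_app ldapdelete "uid=acltest,$PEOPLE"
  printf 'dn: uid=acltest,%s\nchangetype: modify\nreplace: sn\nsn: Changed\n' "$PEOPLE" | as_app ldapmodify
}

if [ "${1:-}" = "--apply" ]; then
  acl_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:///
  verify_acl
fi
```

Run it with --apply on the directory server itself; without the flag it only defines the functions.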

Related

How to create azure policies against storage account logging

I would like to create a deployIfNotExists policy against storage account logs (enable them if they are not, and if possible, add a trigger to them). If this is not possible, I would at least like an audit policy on them. But this functionality does not appear to exist at this time. Is this possible or does this process have to be "manual"?
There has to be an alias for this to be possible. I didn't find one for the storage resource, but in log profiles I found this: "Microsoft.Insights/logProfiles/storageAccountId". However, I am not sure if that is the same thing you are looking for. There is also this built-in that can help: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_StorageAccountBYOK_Audit.json

Registry key location that multiple non-admin users can read and write under different users?

Is there a registry key location in which multiple non-admin users can read and write?
I need to write a registry key as a non-admin user in a web application, which another non-admin user needs to read in his web application.
So far, in HKLM/SOME_PATH, both users can read, but the one that needs to write cannot write.
And in HKCU/SOME_PATH, one user can write, but the other cannot read it.
Something like
Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData);
except with registry instead of files.
Note:
With a Windows system as-is.
Without somebody having to set read/write rights in advance.
HKLM isn't writable for basic users. Most of its subkeys aren't even readable.
HKCU, as its name indicates, is only accessible in the context of the current user.
So:
Is there a registry key location in which multiple NON-admin users can read and write?
The registry had better be protected!
Without somebody having to set read/write rights...
No.
... in advance
Depends. Since the owner basically has all the rights on the key, just make him manage the rights for the users group at the creation of the keys (or even change the owner of the keys, since the owner automatically has free access on it).
However, it can't be done in a basic-user context, which seems to be your case?

SenseNet Content Security Model: how to read the PermissionInfoView view

Please explain how content security works in SenseNet.
Especially how to read the following SN database view:
PermissionInfoView
What is the EFEntries(LocalOnly) flag used for?
In a nutshell: it works very similarly to the file system permissions in Windows.
You can define permissions for individual users or (preferably) for groups and org units. Defining a permission happens on a content, usually on a container like a workspace or folder. For example, you give Open and Save permissions to the Editors group on the Articles folder.
There is inheritance: child content will inherit permissions you defined on the parent folder (unless it was defined as local only, which means not propagated to children). For example if you define a local only Save permission on a document library for John, he will be able to modify the doclib content itself (e.g. change its display name), but not the files inside the library.
To make things a bit more complex, you can break permissions on a content, for example to remove an inherited permission. This may be necessary if you want to hide a subfolder.
For details please visit the Permission System article.
Permission overview GUI
If you have installed the WebPages component of SN7, you get a Permission Overview page that may help you understand the current permission settings in the tree.
The Permission info database view
In case you have the Services component only (so no GUI) or you really want to look under the hood, you can check out this db view to see all the permission settings in the system.
The records here contain all the defined permission entries in the system (so inherited ones cannot be seen here; they are calculated in memory). The Path is the content where the permissions are defined, the Identity can be a user or a group, LocalOnly means not propagated to children (see above), and the rest is a list of permissions (e.g. Open or Save) and whether they are allowed, denied or undefined.
For details about this and other db elements please visit the DB structure article.

How to find the role after logging in to BigQuery?

I already have access to Google Analytics provided by my client and BigQuery has been configured for the project. But I want to know if I can create jobs. How do I find the role assigned to my ID?
I want to know if I can create jobs
Below is a simple way to get this:
Just open the Web UI and try to switch to the project of your interest.
a. If you do have it in the list of available projects, just select it and then run (just in case) some simple query (SELECT 1).
If it runs successfully, you can create jobs in this project (because any query is in reality a job).
b. If it is not in the initial list, select "Display Project", enter the project of your interest and also check the "Make this my current project" box. If the result is successful, most likely you are again lucky and can create jobs in this project (but still, run some simple query to be 110% sure).
How do I find the role assigned to my ID
This would be more involved: you will need to use the respective IAM (Google Identity and Access Management) APIs.
For example, you can use the testIamPermissions() API, which allows you to test Cloud IAM permissions of a user on a resource. It takes the resource URL and a set of permissions as input parameters, and returns the set of permissions that the caller is allowed.
The permission you should look for is bigquery.jobs.create, but you can pass to this API a list of any permissions you want to check.
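As an added example (not from the answer above), the testIamPermissions call for bigquery.jobs.create made with the gcloud CLI and curl, plus the role lookup that the question asks for, which only works when the caller may read the project's IAM policy. It assumes gcloud is installed and authenticated as the identity being checked; PROJECT is a constructed placeholder.

```shell
# Added example, not from the original answer. Assumes gcloud is installed and
# authenticated as the identity being checked. PROJECT is a placeholder.
PROJECT="${PROJECT:-my-analytics-project}"
API="https://cloudresourcemanager.googleapis.com/v1"

# Ask Cloud IAM which of the listed permissions the caller holds on the
# project. No special role is needed: testIamPermissions only reports on the
# caller itself. The reply looks like {"permissions": ["bigquery.jobs.create"]}
# and lists only the permissions that are granted.
test_permissions() {
  token=$(gcloud auth print-access-token)
  curl -sS -X POST "$API/projects/$PROJECT:testIamPermissions" \
    -H "Authorization: Bearer $token" -H "Content-Type: application/json" \
    -d '{"permissions": ["bigquery.jobs.create", "bigquery.datasets.create"]}'
}

# Given the JSON reply and one permission name, succeed only if it was granted.
# The surrounding quotes are matched too, so a name never matches a longer
# permission that merely starts with it; -F makes the dots literal.
granted() {
  printf '%s' "$1" | grep -qF "\"$2\""
}

# Listing the actual role bindings needs resourcemanager.projects.getIamPolicy,
# which an analyst account often lacks, so it is tried second and may fail.
my_roles() {
  account=$(gcloud config get-value account 2>/dev/null)
  gcloud projects get-iam-policy "$PROJECT" \
    --flatten="bindings[].members" \
    --filter="bindings.members:user:$account" \
    --format="value(bindings.role)"
}

if [ "${1:-}" = "--run" ]; then
  reply=$(test_permissions)
  if granted "$reply" bigquery.jobs.create; then
    echo "bigquery.jobs.create granted: you can create jobs in $PROJECT"
  else
    echo "bigquery.jobs.create missing: you cannot create jobs in $PROJECT"
  fi
  my_roles
fi
```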

Using LDAP not only for authentication but for storing data

We have multiple apps that use OpenLDAP for authentication and for storing data. We have quite a lot of links to these OpenLDAP entities from the DBs of multiple applications (each app has its own DB), so when you change an OpenLDAP entity you have to track object changes (currently we are using the DN as a reference key). And inside LDAP we have a few references, like which user can access which objects, as they can have very specific access rights (access rights do not depend on the hierarchy); LDAP also doesn't track these changes, so once these referenced objects are moved we need to track them both in LDAP and in multiple DBs.
I'm new to Linux and OpenLDAP (we have it running on Linux), but to me this all seems like the wrong way to handle things, and it seems like we are using LDAP in a way it wasn't designed to be used (the idea of using it like this came from senior developers).
My questions are:
Is there anything bad about using LDAP in the way I have described?
How can I change the OpenLDAP schema to create something like a GUID for all the object classes we are using? This way at least we can store the object GUID instead of the DN and don't have to track changes. If I change the schema, will I be able to search and filter by this GUID?
Sorry, but your architecture description is not clear to me, so I can't say whether it's bad to use it like this.
Having multiple directories in a company is very common in middle to big companies (most of the time it's due to historical reasons), but for single sign-on, "meta directories" are set up to have a single authentication point.
In my point of view the DN is absolutely not the way to point to an object in a directory, just because moving an object changes its DN. Each directory has an attribute inherited from the "top" class that contains a unique identifier inside the directory. In OpenLDAP it's entryUUID.
entryUUID: bec561c4-c5b0-102a-81c0-81bc30f92d57
If you want to link data in a not too big directory you can also use referential integrity; that is the way users are linked to groups (when you move a user you don't have to look at each group it belongs to) in operating system directories (the RefInt overlay in OpenLDAP).
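As an added example (not part of the answer above), the two recommendations put into practice: resolving an entryUUID that an application stored to the entry's current DN, with the stored value checked before it goes into a search filter, and the refint overlay configuration for DN-valued attributes. It assumes olcDatabase={1}mdb, slapd reachable over ldapi:/// with SASL EXTERNAL root access, and a slapd that loads refint as a dynamic module (cn=module{0},cn=config exists).

```shell
# Added example, not from the original answer. Assumes olcDatabase={1}mdb,
# slapd on ldapi:/// with SASL EXTERNAL root access, and dynamic modules.
BASE='dc=example,dc=com'

# Accept only UUID syntax before a key copied out of a foreign database is
# placed in a search filter: characters such as ")" or "*" would otherwise
# change the filter's meaning (LDAP filter injection).
is_entry_uuid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'
}

# Resolve a stored entryUUID to the entry's current DN, wherever it was moved
# or renamed to. "1.1" requests no attributes, so only the DN comes back.
dn_for_uuid() {
  is_entry_uuid "$1" || { echo "refusing malformed entryUUID: $1" >&2; return 1; }
  ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b "$BASE" "(entryUUID=$1)" 1.1 | sed -n 's/^dn: //p'
}

# entryUUID is an operational attribute: it is only returned when asked for.
# This is the value to hand to the other systems instead of the DN.
list_uuids() {
  ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b "ou=people,$BASE" '(objectClass=person)' entryUUID
}

# Referential integrity for DN-valued attributes inside the directory: when a
# referenced entry is renamed or deleted, refint rewrites these attributes.
refint_ldif() {
  cat <<EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: refint

dn: olcOverlay=refint,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
olcOverlay: refint
olcRefintAttribute: member uniqueMember manager owner
EOF
}

if [ "${1:-}" = "--apply" ]; then
  refint_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:///
fi
```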