Many-to-many relationship versus permission - permissions

A user has a company_id and a many-to-many relationship with tasks.
Each user has a role.
Each role has permissions.
An admin should be able to see all tasks within the company.
A user should only be able to see his own tasks within the company.
What are the pitfalls of each approach?
- Assign all admins to the m2m when a task is created
- Include a see_all_tasks permission as part of the admin role

Given that you already have roles and permissions configured in your application, you should be assigning users their roles against a company, e.g. admins will have an Administrator role in all companies.
Any user in the application will have a role per company that allows him to perform his tasks in the context of that company.
Ex: I can be an Admin for CompanyA and an Enduser for CompanyB. This should give you the desired result.
In the case of a consolidated list of tasks shown across all companies, I would aggregate the roles for each task based on the companyId and then enforce permissions.
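Worked example, added here and not part of the question or the answer above: the per-company role assignment the answer describes, in Python, with a see_all_tasks permission on the Administrator role and the task/user many-to-many kept only for ownership. It also contrasts that with the first option from the question (granting admins through the m2m table at creation time) to show why that option drifts. The role names, the Task and User shapes and the sample data are constructed for the example.

```python
from dataclasses import dataclass, field

# Role -> permissions, resolved per company (constructed for this example).
ROLE_PERMISSIONS = {
    "Administrator": {"see_all_tasks", "view_own_tasks"},
    "Enduser": {"view_own_tasks"},
}

@dataclass(frozen=True)
class Task:
    id: int
    company_id: str
    assignees: frozenset          # the task<->user many-to-many side

@dataclass
class User:
    id: str
    company_roles: dict = field(default_factory=dict)   # company_id -> role name

def permissions_for(user, company_id):
    """Permissions of the role the user holds in this company (none if no role)."""
    return ROLE_PERMISSIONS.get(user.company_roles.get(company_id), set())

def can_see(user, task):
    perms = permissions_for(user, task.company_id)
    if "see_all_tasks" in perms:          # company admin: every task of that company
        return True
    return "view_own_tasks" in perms and user.id in task.assignees

def visible_tasks(user, tasks):
    """Consolidated list across companies: the role is resolved per task via company_id."""
    return [t.id for t in tasks if can_see(user, t)]

def visible_via_m2m_only(user, tasks):
    """Option 1 from the question: visibility is only the m2m rows written at task
    creation, so a user made Administrator later sees none of the older tasks."""
    return [t.id for t in tasks if user.id in t.assignees]

# Constructed sample data.
TASKS = [
    Task(1, "CompanyA", frozenset({"alice"})),
    Task(2, "CompanyA", frozenset({"bob"})),
    Task(3, "CompanyB", frozenset({"alice"})),
    Task(4, "CompanyB", frozenset({"carol"})),
]
ALICE = User("alice", {"CompanyA": "Administrator", "CompanyB": "Enduser"})
BOB = User("bob", {"CompanyA": "Enduser"})
DAVE = User("dave", {"CompanyA": "Administrator"})   # promoted after the tasks existed

def demo():
    return (visible_tasks(ALICE, TASKS), visible_tasks(BOB, TASKS),
            visible_tasks(DAVE, TASKS), visible_via_m2m_only(DAVE, TASKS))

if __name__ == "__main__":
    print(demo())   # ([1, 2, 3], [2], [1, 2], [])
```

Alice is an admin in CompanyA and an end user in CompanyB, so she sees both CompanyA tasks but only her own CompanyB task; Dave, promoted after the tasks were created, sees everything in CompanyA under the permission check but nothing under the creation-time m2m snapshot, which is the drift you would have to repair with a backfill on every role change.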

Related

How to do authentication and authorization for users in specific regions in Azure AD?

.NET Core application. I am trying to implement authentication and authorization. I have users and they are split into multiple regions. For example, I have the regions below.
GE GSAS
- user1
- user2
APAC
- user3
- user4
SE&A
- user5
- user6
These users have different permissions or roles, for example RegionalAdmin, GlobalAdmin, Users etc.
These users will be creating some orders in the portal. For example, a regional head can reassign orders within that region only, to other users. A global head can reassign orders to anyone. Users can create, view and delete orders, but users cannot reassign orders. All these users are part of an Azure AD tenant. Now I am trying to implement authentication and authorization. I started thinking of the design strategy like this: I can create groups per region and add users to the groups. Based on the groups I can do authentication or authorization. But these users have different permissions like RegionalAdmin, GlobalAdmin etc., and these users have some extra functionality allowed in web/API permissions. Can someone help me with how to organize groups or roles for the above scenario? Any help would be greatly appreciated. Thank you.
Assuming the regional admin you mentioned is a custom role in your application (as there is no such role in AAD), it is always better to use administrative units, and a suggested approach would be to create groups separately for regional admin and global admin users and assign roles to these groups accordingly.
A user can be assigned to multiple groups, and roles can be assigned to individual users or groups.
Authorize applications based on the role permissions granted by the administrator to groups. Please refer to this link for detailed documentation on how to create/manage roles for an application in Azure AD.

Azure AD segregation between roles and groups

.NET Core application, and trying to implement authentication and authorization. I have a set of users and these users belong to different regions. For example I have region APAC and I have some users in it. Then I have roles like global admin or regional admin. Now these users are of type regional admin, global admin etc. Now I want to return a role claim in my token. To return a role claim in my JWT token I should add app roles in the manifest. So how should I return app roles now? If I select as group then all users belonging to that group emit this role's details. I am a little bit confused here. I have grouped users according to regions. Inside each region users are of type regional admin, global admin etc. and they have different permissions inside the app. I am finding the segregation of these groups vs roles a lot of challenge, and I have not found any useful document either. Can someone help me to segregate these groups vs roles?
As I understand it, you have users with different roles under groups segregated by region. When you try to authorize by group, all the users with different roles in the group emit the group's role details.
Assuming the regional admin you mentioned is a custom role for your application (as there is no such role in AAD), the following is a suggested approach.
A user can be assigned to multiple groups, and roles can be assigned to individual users or groups.
Create groups separately for regional admin and global admin users and assign roles to these groups accordingly.
If you are using the role claim in the token for role-based access control, authorize applications based on the role permissions granted by the administrator to groups. Please refer to this link for detailed documentation on how to create/manage roles for an application in Azure AD.
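Worked example for both Azure AD threads above (this one and the regional authentication question before it), added here and not code from either answer: the reassignment rule from the question evaluated on the claims Azure AD emits once the suggested layout is in place. Assumed setup: app roles RegionalAdmin, GlobalAdmin and User are assigned to "regional admins" / "global admins" / "users" groups and arrive in the roles claim; one security group per region arrives in the groups claim as group object IDs. The group IDs, the REGION_GROUPS mapping and the claim sets are constructed.

```python
# Group object id -> region. Azure AD puts object ids, not names, in the
# "groups" claim, so the app keeps this mapping (ids here are constructed).
REGION_GROUPS = {
    "grp-gegsas": "GE GSAS",
    "grp-apac": "APAC",
    "grp-sea": "SE&A",
}

def regions_of(claims):
    """Regions the caller belongs to, taken from the 'groups' claim (scope)."""
    return {REGION_GROUPS[g] for g in claims.get("groups", ()) if g in REGION_GROUPS}

def can_reassign(claims, order_region, target_user_region):
    """Capability comes from the 'roles' claim (app roles), scope from groups:
    GlobalAdmin anywhere; RegionalAdmin only when both the order and the
    target user sit in one of the caller's regions; plain User never."""
    roles = set(claims.get("roles", ()))
    if "GlobalAdmin" in roles:
        return True
    if "RegionalAdmin" in roles:
        mine = regions_of(claims)
        return order_region in mine and target_user_region in mine
    return False

def can_manage_own_orders(claims):
    """Create/view/delete is open to anyone holding an app role; being in a
    region group alone grants nothing, which is the groups-vs-roles split."""
    return bool(set(claims.get("roles", ())) & {"User", "RegionalAdmin", "GlobalAdmin"})

# Constructed token claim sets, as the app sees them after signature validation.
USER1_GLOBAL = {"oid": "user1", "roles": ["GlobalAdmin"], "groups": ["grp-gegsas"]}
USER3_REGIONAL = {"oid": "user3", "roles": ["RegionalAdmin"], "groups": ["grp-apac"]}
USER4_PLAIN = {"oid": "user4", "roles": ["User"], "groups": ["grp-apac"]}
GUEST = {"oid": "guest", "groups": ["grp-apac"]}   # region group but no app role

if __name__ == "__main__":
    print(can_reassign(USER3_REGIONAL, "APAC", "APAC"))    # True
    print(can_reassign(USER3_REGIONAL, "APAC", "SE&A"))    # False
    print(can_reassign(USER1_GLOBAL, "APAC", "SE&A"))      # True
    print(can_manage_own_orders(GUEST))                    # False
```

Two caveats a practitioner will hit: the groups claim is only emitted when groupMembershipClaims is set in the app manifest, and for users in more than 200 groups a JWT carries an overage indicator instead of the list, so the app must fall back to Microsoft Graph for membership; and assigning app roles to groups rather than to individual users needs an Azure AD Premium license. In ASP.NET Core the same logic belongs in an authorization handler reading User.IsInRole and User.FindAll("groups").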

What is the difference between Roles and Permissions in ASP.NET Boilerplate Template?

In ASP.NET Boilerplate, why does it have both roles and permissions to control authorization? What is the difference between the two?
Role: a group of permissions.
1. Why does ABP have roles and permissions to control authorization? What is the difference between the two?
Having both roles and permissions allows flexibility and ease for admins to control authorization.
The difference is that authorization only depends on permissions, not roles.
From https://aspnetboilerplate.com/Pages/Documents/Zero/Role-Management:
Roles are used to group permissions. When a user has a role, then he/she will have all the permissions of that role. A user can have multiple roles. The permissions of this user will be a merge of all the permissions of all assigned roles.
For example, a site moderator can be allowed to add, edit and delete any posts, including the ones written by others. A site moderator can add, edit and delete comments as well. If there are several site moderators, then a role can be easily assigned instead of individual permissions to each user.
2. Does a permission necessarily belong to a role? And does a role necessarily need permissions?
No, a permission can be assigned directly to a user.
No, a role does not need permissions. A role with no permissions is like a position (e.g. employee).
From https://aspnetboilerplate.com/Pages/Documents/Zero/Permission-Management:
Role Permissions
If we grant a permission to a role, all the users that have this role are authorized for the permission (unless explicitly prohibited for a specific user).
User Permissions
While the role-based permission management can be enough for most applications, we may need to control the permissions per user. When we define a permission setting for a user, it overrides the permission setting defined for the roles of the user.
In addition, there are also Organization Unit Roles (not documented yet). That is, a role can be assigned to an organization unit and users in that organization unit are considered to have that role.
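Worked example of the resolution order the quoted ABP documentation describes, added here and not ABP's own code: roles are merged into one permission set, and a user-level setting (grant or prohibit) overrides whatever the roles say. Role names, permission names and the sample users are constructed.

```python
# Role -> permissions (constructed). "Employee" has none: it is just a position.
ROLE_PERMISSIONS = {
    "Moderator": {"Posts.Edit", "Posts.Delete", "Comments.Delete"},
    "Employee": set(),
}

def is_granted(user, permission):
    """ABP order: an explicit user-level setting wins (True = granted,
    False = prohibited); otherwise the permission is granted if any role has it."""
    override = user["user_permissions"].get(permission)
    if override is not None:
        return override
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in user["roles"])

def effective_permissions(user):
    """The merged view an admin screen would show for this user."""
    merged = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user["roles"]))
    granted = {p for p, v in user["user_permissions"].items() if v}
    prohibited = {p for p, v in user["user_permissions"].items() if not v}
    return (merged | granted) - prohibited

# Constructed users.
MOD = {"roles": ["Moderator"], "user_permissions": {"Posts.Delete": False}}   # prohibited per user
NEWBIE = {"roles": ["Employee"], "user_permissions": {"Posts.Edit": True}}    # granted directly
NOBODY = {"roles": [], "user_permissions": {}}

if __name__ == "__main__":
    print(is_granted(MOD, "Posts.Edit"), is_granted(MOD, "Posts.Delete"))   # True False
    print(sorted(effective_permissions(NEWBIE)))                              # ['Posts.Edit']
```

The moderator keeps Posts.Edit from the role but loses Posts.Delete to the per-user prohibition; the employee has an empty role and still gets Posts.Edit from a direct grant, which is the "authorization depends on permissions, not roles" point made above.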

USERGRID: Users in a (Group or Role) have access to ALL users in the same (Group or Role)

Can Usergrid support users in a (group or role) having access to all users in the same (group or role)? The way I understand it, because users are in /users/user1, you would have to iterate over all the users in the group and give explicit permissions to a (group/role/user). Can you prefix users, e.g. /users/group_user1?
I could use the organization/application, but /users and permissions are specific to a single application.
Basically I want to model organizations and groups within a single Usergrid application, with things such as inheriting permissions, etc.
Any ideas? Am I going about this in the wrong way? Other frameworks/APIs?
Users are linked within a role, so depending on how you configure your roles you can set a resource within a role like this:
/roles/{role uuid}/users/*
Which would look more like this in a real example:
/roles/7a7fbe9ec74-70f39f37-1825-379f-8385/users/*
You can then set your verbs (GET, POST, DELETE) as you see fit within that role to allow all members of that role to see or change users within that role. I assume you're looking for them to be able to do a GET, but if you have additional linked resources below that user, you can add them explicitly as well, like this:
/roles/7a7fbe9ec74-70f39f37-1825-379f-8385/users/*/mylinkedresource/**
Then you can set the verb to GET for /roles/{id}/users/* and add POST or PUT for the resources linked below /users/*/{linked resource}.
Cross-posting from the Usergrid Google group:
I think you can do what you need with groups.
The idea with groups is that all users in that group get the group's permissions.
So if you do this:
- create a group
- give that group permissions for various resources
- add users to that group
all users in the group will have the permissions of the group.
Or:
- create a group
- create various roles, each with various permissions
- add the various roles to the group
- add users to the group
all users in the group will have the roles (and thus the permissions) of the group.
So in this way, you could create various roles for your users, and add users to roles as needed to satisfy the needs of the users. Then you can create one group for admins. Add all the roles to that admin group, then add your admin users to that admin group. They will have the collective permissions of all the roles.
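Worked example covering both Usergrid answers above (the role-scoped /roles/{id}/users/* paths and the group-inherits-roles layout), added here and not code from either poster or from Usergrid itself: an offline evaluator that takes permission strings in Usergrid's "verbs:path" form, merges a user's direct roles with the roles of the groups they belong to, and checks a request against the path patterns. The matching semantics are assumed to be Ant-style (* matches one path segment, ** matches any depth); the role UUID is the one from the answer, and the roles, groups and users are constructed.

```python
import re

# Role id taken from the answer above; everything else is constructed.
ROLE_ID = "7a7fbe9ec74-70f39f37-1825-379f-8385"

ROLES = {
    "team": [
        f"get:/roles/{ROLE_ID}/users/*",                       # see fellow members
        f"get,post:/roles/{ROLE_ID}/users/*/mylinkedresource/**",  # touch linked data
    ],
    "auditor": ["get:/users/**"],
}
GROUPS = {"admins": ["team", "auditor"]}          # group -> roles it carries
USER1 = {"roles": ["team"], "groups": []}         # role assigned directly
ADMIN = {"roles": [], "groups": ["admins"]}       # roles inherited through the group

def _pattern_to_regex(pattern):
    """Assumed Ant-style globbing: '**' spans segments, '*' stays within one."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")

def permission_allows(permission, verb, path):
    """'get,post:/some/path/*' allows the request if the verb is listed and the path matches."""
    verbs, _, pattern = permission.partition(":")
    return verb.lower() in verbs.lower().split(",") and bool(_pattern_to_regex(pattern).match(path))

def effective_permissions(user, groups=GROUPS, roles=ROLES):
    """Union of the user's own roles and the roles of every group the user is in."""
    role_names = set(user["roles"])
    for g in user["groups"]:
        role_names.update(groups[g])
    perms = set()
    for r in role_names:
        perms.update(roles[r])
    return perms

def is_allowed(user, verb, path, groups=GROUPS, roles=ROLES):
    return any(permission_allows(p, verb, path) for p in effective_permissions(user, groups, roles))

if __name__ == "__main__":
    print(is_allowed(USER1, "GET", f"/roles/{ROLE_ID}/users/user2"))    # True
    print(is_allowed(USER1, "POST", f"/roles/{ROLE_ID}/users/user2"))   # False
    print(is_allowed(USER1, "GET", "/users/user2"))                      # False
    print(is_allowed(ADMIN, "GET", "/users/user2"))                      # True
```

Note the practical difference between the two role-path entries: the single-star rule lets a member GET another member, but the nested path under that member only becomes reachable through the double-star rule, which is why the answer adds the linked-resource entry separately rather than widening the first one.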

Liferay hide specific role from specific users

I have some unique requirements where I want to hide a role from being selected by users of a specific role.
For example, I have the roles admin, department 1, department 2 and department 3.
As an admin I should be able to see only department 1, department 2 and department 3 for role management in my portal.
But if I define a permission for admin that he/she can manage roles,
the admin user is able to see all the roles which are available OOTB in Liferay.
Can anyone help me with the configuration?
The Administrator role is, in Liferay, outside the permission concept, so the admin can manage all other roles.
You can create another role like Department-Role-Admin and give it the necessary permissions.