we're using Keycloack with activated LDAP-sync. The LDAP-provider uses a Custom User LDAP Filter which filters for department names.
Now there has been a organizational change in the department names, which resulted in no user was able to log into our application.
Is there a technical way, to maybe get a notification via mail, if there large changes in the number of synced users?
Regards
Lars
Related
For example, suppose I am making a restaurant app, which API should I use to let owners post their own restaurant and then manage it(title, available tables, foods etc.) from a dashboard? Can this be done with Sanity or Firebase?
With firebase yeah - I had done something similar before. You'll manage your users (restaurant owners) within Firebase. You can have a "Role" column that would indicate permissions for that user on your app.
So for example, you may have an admin, manager and general user. Admins will have read/write access to everything whilst manager some of the content and general users read only.
How to create users: https://firebase.google.com/docs/auth/web/manage-users
How to set 'custom properties', in your case - it can be the role: https://firebase.google.com/docs/analytics/user-properties?platform=android
Firestore is a document based, non SQL database and free to a certain point: https://firebase.google.com/docs/firestore
There many different ways this can be achieved, this would just be an example that comes to mind - and it would work for small scale projects.
If the app gets a lot of traffic and users, I'd switch to AWS.
I am fairly new to coding in the .Net environment. I am having trouble finding "real-world" examples on authentication/authorization using Identity. Most examples I come across are primarily textbook examples that use the ASP .Net registration template.
I am trying to find guidance on where to look (yes, I Googled and I get very unrealistic/unusable use cases or "classroom" examples) or how to do this.
I work for a small school and I am trying to build an application (possibly Blazor - just experimenting with various technologies now) that allows both students and employees to login into a portal and view their relevant data. I have an Employee table and a Student table based on POCO classes. When I add identity to the project it creates Users and Roles tables as well.
I would like to have the "Users" table based on the Student and Employee tables - not have a separate users table. I do not want to have a "registration" option either. I would like the option for an Admin (which would fall under an "Employee") to be able to add users, but not use a registration page.
How would I implement Identity and Roles without using all the extras added? I am using .Net 5.0.
Thank you for your time and pelase forgive the English - it's new to me as well.
I understand what you're trying to do. It IS possible to Create a Custom AuthenticationStateProvider
But unless you have a VERY robust database already, I wouldn't do it. Getting the default system set up and migrating users will take at most an hour. Setting up your own custom authorization system is likely to take you MUCH MUCH longer.
Having different users in different tables is not a good design plan. They all have names, phone numbers, e-mails and so on-- put them on one table.
Hi Derrick and welcome to the community! #Bennyboy1973 is correct, in that both your Students and Employees are all "Users", so they should all be stored in the same table. To add to that response a bit, probably the simplest way for you to manage them is by using Roles, so the Students could be in one role and the Employees could be in another. By having a role attached to each, you can then use the roles as a filter in your queries and you could also restrict the access and actions each type will have based on the role they are in.
Regarding having administrators add the users to the database without public access, this can be done as well. Once you get the default identity system up and running, you can scaffold out the whole system so it can be modified, and probably the easiest way to achieve what you are after is to then modify the default registration (signup) page so that it requires the user to be authenticated to reach it, and then implement a confirmation email to activate each new account.
There are a few things with this approach that you need to be aware of as well.
Since the admin will be setting up all the other user accounts, you should modify the email confirmation chain to require a password reset at some point. The administrators can have access to the user's information as needed but shouldn't have the user's passwords.
Identity Server will store passwords in an encrypted format, and you'll need an initial user in your database. What this means is that you will have to "seed" an initial admin user into the database that you can use to sign in and get started with everything else. You'll have to research how to do this, as it isn't as simple as just accessing the database directly and adding the user and roles because of the encryption. The program you build should be designed to do this for you on either the first run or if you are connecting to a new database, using a username and password that you know. It will then store the user properly that you can use to sign in as Admin, then change the admin password. This makes the whole thing more secure.
This all sounds like a headache, but it's worth it to work through and know how it all fits together. The, as mentioned in other answers, you can migrate existing data into the database.
I want to auto-assign a few of the Projects to the user who is logging in using the LDAP credentials. Currently, if LDAP user logs in, I have to go in Report Portal using super admin credentials and assign Member Role and Projects to that specific member.
I have recently tried this LDAP feature and facing this issue of the new user gets creating and assigning projects and members to each one of them. I wan some auto-assignment (like can we passed while setting LDAP setting in Report Portal)
Below is my LDAP user nperiwal with which I logged in Report Portal. But as you see this got created a new user and no project got assigned to it automatically. I want some process or code or settings which can fulfil my requirement.
FYI, see the below snapshot where I manually assigned projects and admin role.
Please help.
Simple way:
It can be done via scripting, see which requests are send to server in browser Network tab and put the same into the bash/shell script. Parametrize according to username and required access.
Long way: wait until our team will implement it within ReportPortal as feature, based on regular priority
Best way: request payed support from our team, and we will implement this capabilities for your company with highest priority. Drop mail at support#reportportal.io
I tried to understand RBAC in order to determine if it is a good solution for our problem.
Let say that the context is a bank. Among the several actors, we have account managers and clients.
I think I have understand RBAC for the account manager. If we imagine Account Managers can create, modify, view and remove accounts, then:
Account Manager is a role,
create, modify, view, remove are the operations,
accounts are objects
create account is one of the permissions associated to the role Account Manager
But my problem is about clients ... They can consult only their accounts.
My problem is: How can we specified this particular account in RBAC? Is it at least possible or must I choose another way of manage access control? And which of them?
As mentionned, Attribute based access control may be the good solution. And XACML could be used in an application with complex policies.
Here is a very understandable documentation about ABAC in Spring Security
Currently I'm building a web app. So far I only have regular users. However, due to some requirements I need to have special admin accounts for the app administrators. I'm wondering now how these are usually implemented. The requirement is, that they use the same login mask as regular users and behave the same except for the additional capabilities. To differentiate I could put an admin flag into the users' profile or put the admins into a separate table in my DB. Maybe the the second option scales better for potential additional user groups. Also, how could these admins be signed up? I don't want to use predefined usernames I check against in the login handler. I know the question is rather general. I'm just looking for some directions.
Since you didn't give information about the platform(s) you are using, I can only give theoretical answer. While a simple "isadmin checkbox" will do the job for only separating normal users and admins, but if you will need another user type such as "power users" etc. you will keep adding new columns to your table, which is not ideal. Basically you can use a "Role Based" or a "Permission" based approach. In Role based, as the name implies, you assign each user a role and give access to specific resources depending on the role. In the "Permissions" approach you define for each user the permissions they have (resources to access, actions they can perform). Also you could combine these two approaches, where you assign each user his role and define permissions for each role.