AWS Cognito Batch Query - amazon-cognito

Is it possible to query AWS cognito with a list of user ids? Let's say i have user ids List : userid1,userid2,userid3,userid4,userid5,userid6
I know how to get an users one by one using their id or email address, but I was wondering if it is possible to get the users in a batch query using their ids or emails.
I use golang, but I can use any other language thanks in advance.

You can't do it directly, but maybe you could use https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListUsers.html with a filter condition, but it has this limitation:
You can only search for the following standard attributes:
username (case-sensitive)
email
phone_number
name
given_name
family_name
preferred_username
cognito:user_status (called Status in the Console) (case-insensitive)
status (called Enabled in the Console) (case-sensitive)
sub
Custom attributes are not searchable.

Mostly filter won't work, because it only supports 2 conditions: "=" and "begin with".
I guess you have to use promise.all()

Related

How to list users which belongs to specific group in ldap without backlink enabled

What is the search filter to list users belong to specific group like "engineering" in a ldap server which don't have backlink enabled.
For example, if backlink enabled i can use following filter,
(&(objectClass=person)(memberOf=cn=engineering,ou=Groups,o=company,o=com))
Wanted to know corresponding search query without using memberOf attribute.
Thanks
DarRay
Try your filter as:
(&(objectClass=group)(cn=engineering))
using a base of
ou=Groups,o=company,o=com
and a scope of subtree
Returning attribute "member"
Or even more efficient:
(objectClass=group)
With a base of
cn=engineering,ou=Groups,o=company,o=com
and a scope of base
Returning attribute "member"
-jim
The main question is: How are the users linked to groups?
One way is by specifying the users as attributes in the group. That can be done either via the uniqueMember- or the memberUid-Attribute. To find the users of a certain group you will have to use two queries. One query will retrieve the DNs or UIDs of the users of a group by fetching the uniqueMember or memberUid attribute of the group in question depending on your setup. Then you can retrieve the users by either using (&(objectclass=person)(uid=<uid>)) or (&(objectclass=person)(dn=<dn>)).
The other way is by storing the grous as attributes in the user, which you described above.
Hope that helps.

AtTask API get assigned users

We have multiple people assigned to a single ticket but when using the assignedToID field, it just returns the first user?.. Why is it not returning an array of user ids?
I know this is off-topic but is it possible to get user's name also and not just id?
To get a list of users you can user assignmentsListString
to pull user names instead of IDs you should be able to use
assignedTo:name
example
/attask/api/v4.0/task/54d25b43005a2117e6c2d674b932a666?fields=assignmentsListString,assignedTo:name

XACML Policy with Multiple Resources with Multiple Rules and Multiple Actions

In a multiple decision profile scenario I want to create a policy for a particular Tenant and for the root resources like Customer. Here my scenario is like I have a Tenant T1 and Tenant T1 is allowed to access Root resource Customer. Customer is the Top level resource and it will contain sub child resources like: Sub-Resources: name, email. In my scenario how can i create a policy so that i can enforce multiple rules for each sub resources like:
Rule-1:
Admin Permit access to resource-
{name: create,read,update,delete},
{email: create,read,update,delete}
Rule-2:
Employee Permit access to resource-
{name: read,update},
{email: read}
Please share the policy structure and the Request format for the same.
In the request format i want to pass only the Tenant Id and the Root level resource Customer .
In this scenario, what you would want to do is pass in the field id you are interested in.
The request would be: "Can Alice view the name field of customer record #123"?
You could express this as a multiple decision request e.g.:
"Can Alice view the name, email, and job title fields of customer record #123"?
Either way your policy would be field-centric. It would protect a given field or set of fields. You could actually define a set of non-sensitive fields and a set of sensitive fields. You could also even write the policy in terms of field metadata. Instead of saying "a user can view field 'email'", you could write "a user can view a field if the user's clearance > field's sensitivity".
Alternatively, you could also use Reverse Query - that's specific to Axiomatics' APIs though. Reverse Query lets you do the following type of requests / responses:
Q: list the fields Alice can view
A: name, email

Query User by City using the Soundcloud Web API

Is it possible to fetch users by city or country? I would like to create something very local!
I've checked the available documentation but fail to see any solution to this, so this is a final stretch.
The City and Country properties are not searchable with the provided q parameter in the API, and as this searches over username / description and title you'd return a large number of false positives if it could.
It's unlikely you could over select as mentioned in the comments, as there are just too many users to pull down and then parse.

Suborganizations and Unique id

I can succesfully authenticate my application with ApacheDS
But now i use only one domain.
I want to add subdomains or sub organizations under root domain.
For example a root organization as
dc=example,dc=com
and sub organizations dc=x
another sub organization dc=y
Now i can authenticate users using uid attribute
like:
user-search-filter="(uid={0})"
i use login name like user1, without an # extension
But i want to have suborganizations and i want to use user1#x.example.com
Is it possible and how?
My application is a spring application but i think subject is independent from my application side.
The attribute defined in the LDAP standards track for email addresses is mail, rfc822mailbox, or 0.9.2342.19200300.100.1.3 as defined in RFC4524. Perhaps your filter should be an attribute assertion using one of those types, for example, user-search-filter="mail={0}".
I am not sure what is meant by "manually". LDAP does not have a concept of organizations, only entries that might belong to an organization. These entries might have a mail attribute if the entry belongs to an objectClass that allows or requires the mail attribute. In other words, if your filter is mail={0} (which might become mail=user1#x.example.com), then a search using that filter (given the appropriate base object and scope) will return all entries that have a mail attribute with the value user1#x.example.com irrespective of where that user is located and irrespective of the value of the uid attribute.
If the users in an organization can identified some other way, perhaps by organization or other attribute, then the filter could be:
(&(uid={0})(o=x))
or
(&(uid={0})(o=y))
One way or another, the users' entry must be identifiable by the contents of the entry. The primary key in an LDAP database is the distinguished name (uid=abc,dc=x,dc=example,dc=com) but attributes in the entry can be used to tighten the filter. Some alternatives are:
use unique identifiers (all uid or mail values are unique in the database, therefore, only one is ever returned to a search request)
use an attribute to identify users in an organization (like o in the example filters above)
use a dynamic group to generate a list of users in an organization.
consider using an extensible match filter to make values in the distinguished names be part of the filtering process
see also
using ldapsearch - the article is about the ldapsearch command line tool, but the concepts are useful when constructing search requests
mastering search filters