We have a use-case with using AWS Amplify and Cognito for user authentication where a user will be given certain roles for authorization, e.g. "create object", "delete object", etc.
Now we have a new requirement where a user should be able to belong to multiple organizations.
This means that the user will have to have the option of belonging to different roles in different organizations, e.g. being able to delete in one organization but not in the other (being logged in with the same account/e-mail).
As there is a variable number of organizations creating groups or roles per organization is not an option (as there would potentially be millions of groups).
Can this be solved using Cognito at all or would a custom coded solution be preferred and only use Cognito for the authentication?
I proposed a doable solution to this requirements in https://github.com/aws-amplify/amplify-cli/issues/630. And it is working in my app.
Yes, as there could be so many organizations, it is not feasible to use a Cognito group to represent an organization.
The idea of my solution is to have 3 custom models: User, Organization, and Membership. This allows many-to-many relationships between users and organizations: A user can belong to multiple organizations, and an organization can employ multiple users.
User could contains its own info. You could also let a user has the same id as in cognito such that you can align a cognito user with a User stored in DynamoDB.
Organization could contains its own info.
Membership is the critical bridge as it connects to both ends (user and organization) and you can encode role info here.
See many-to-many section to understand how does Membership work in AWS Amplify GraphQL Transform.
The schema.graphql looks like:
type User #model {
id: ID!
organizations: [Membership] #connection(name: "Membership_User")
}
type Organization #model {
id: ID!
users: [Membership] #connection(name: "Membership_Organization")
}
type Membership #model {
id: ID!
user: User! #connection(name: "Membership_User")
organization: Organization! #connection(name: "Membership_Organization")
role: Role!
}
type Role {
canCreate: Boolean!
canDelete: Boolean!
}
In my github issue, think of Project as your Organization, and the rest are almost the same.
Related
I need a help, to find out the best architectural pattern to implement a feature.
We have an application that manages users access to a SalesForce platform. We can create a user, read the roles created in SF and append the user roles from our app and send the change to SF...and some other features not relevent in this question's scope.
We added a new concept to our app, to handle the growing number of SF users we manage. We add a profil concept. In few words, we create a profile with some roles for example DEV_PROFIL. We apply this profil to all the developer users. and we modify each user in Salesforce based on the roles in his profile.
From backend pov, I have a profile index, and a user index and a one to many relation ship. ( one profile can have many users ).
My question is the following :
How I can keep track and keep the user's roles synced with any change I can append to the profile.
Ex : Let's suppose I had 3 roles in my DEV profile. And 100 user have this DEV profile. No I added two new roles to my profile. How can I be sure that 100 users roles are synced after my change ??
PS : Salesforce does not know about my profiles, all he knows is the roles.
net core application and trying to implement authentication and authorization. I have set of users and these users belong to different regions. For example I have region APAC and I have some users in it. Then I have roles like global admin or regional admin. Now these users are type of regional admin global admin etc. Now I want to return role claim in my token. To return role claim in my JWT token I should add app roles in manifest. So how should I return app roles now. If I select as group then all users belong to that group emits this role details. I am little bit confused here. I have grouped users according to regions. Inside each region users are of type regional admin, global admin etc and they have different permissions inside app. Segregation of these groups vs roles I am finding lot of challenge and no use full document also I found. Can some one help me to segregate these groups vs roles.
As I understand you have users with different roles under the groups segregated by the regions. When you are trying to authorize by group all the users with different roles of the group emit the group role details.
Assuming regional admin you mentioned as a custom role for your application(as there is no such role in AAD) following is a suggestable approach.
A user can be assigned to multiple groups and Roles can be assigned to individual users/groups.
Create groups separately for regional admin, global admin users and assign roles to these groups accordingly.
If you are using the role claim in the token for role-based access control, authorize applications based on the role permissions granted by the administrator to groups. Please refer this link for the detailed documentation on how to create/manage roles for an application in Azure AD.
I have three roles: admin, instructor (combination of teacher and course creator) and student.
I created a child theme based from clean theme. In my child theme, I customize the layout of the login page. In my login page, there are three buttons: Login as Admin, Login as Instructor and Login as Student.
How can I force the login to be as specific role? I did check out the /login/index.php but I'm having a hard time understanding the flow of the login process.
For an additional info, the dashboard content and design depends on what role the user logged in.
First, San is wrong. There are very much global roles in Moodle. You can access these under:
Site Administration -> Users -> Permissions -> Assign system roles
Second, you talk about 'forcing' a role when you login. This makes no sense in Moodle terms. This is how Moodle works:
Create a user.
Assign them a system role (by default they will be under the role 'All Users')
Login as that user and they will have that role.
Why bother creating three different login buttons? All you need to do is create three accounts, each with different login details, and assign them each a separate role.
If this does not answer your question please give me more details on what you are trying to achieve?
First, there is no global role in Moodle for any user.
User roles are assigned to course level in Moodle.
For dashboard content and design you can check user course level role and show data as per user role.
If a user is a student in any course then, I consider it as a student and show data related to a student only for a course in which user is a student.
Recently I began to use MeanJs, it's pretty amazing but I don't understand some stuff.
I need to create a simple user management for my backend.
From official blog they say:
New usability features:
Added roles to the User model - the defaults
are ‘user’ and ‘admin’, you can add and remove them as needed.
After a search I found some examples but all of these about meanio, not meanjs, there are a package MEAN-ADMIN in meanio that does it for us but in meanjs I not found.
Someone know the best way to implement a user management? some example?
Thanks guys.
The meanjs generator comes with some basic user roles built in. The roles is an array on the user model.
roles: {
type: [{
type: String,
enum: ['user', 'admin']
}],
default: ['user']
},
To add a user with the role admin just attach it to the user object before saving.
user.roles = ['admin'];
If you want to use roles apart from admin and user you need to add then to the type enum.
This is probably a question a bit in between SO and UX.se.
I'm implementing a signup/login sytem which allows for multiple ways of authentication: social signups using Facebook, Twitter, Github and a local (username + password) signup.
In the backend I'm having a User model and a Passport model. A User may have multiple Passports, meaning a User may authenticate through different means (e.g.: through local signin,. or through facebook for example)
For good measure: the Passports of a particular User will always be from a different provider (facebook, twitter, local). I.e.: a Facebook-passport, a Local-passport, etc.
This seems like a good way and would allow me to have a User account connected to multiple ways of authentication.
I'm familiar with the security issues this might raise, so for passports to be combined/merged a User has to be logged in to both.
Ok on to the problem. Consider the following flow:
user-a signs up with a provider, say local, with email user-a#gmail.com
user-a signs out (or has it's session expired).
user-a signs in using another provider, say facebook. Chances are the facebook account has a email-record of user-a#gmail.com
Currently, I've defined email to be unique on the User-model. This would mean the above signup would fail, because there's already a User-account that, by means of the local Passport, has the mentioned email-address.
What would be considered a best practice in a situation like this? I trust there must be many implementations floating around that must have seen this problem pop-up.
Options:
Warn the user the authentication isn't possible and mention the user that the current email-address is already registered by means of another authentication mechanism? This would be reasonably user-friendly.
Note that a User-account, by means of a different provider exists with the same email-address and as a consequence merge the new Passport with the User.. I just put this in for good measure: this is a pretty big attack-vector and would allow a user-b to get access to an account by faking the email-address (through a social provider which doesn't do email-validation)
Don't have a uniqueness constraint on <user,email>, but on <passport, email>. This would allow a new User and associated Passport to be created and all goes well. Now the same actual person probably has 2 User Accounts: 1 for each authentication provider. As a next stage allow the User-accounts to be merged, by signing in to both and acknowledging the merge.
I'm leaning towards 3, but 1 is simpler. I'm not sure, what do you think?
Have you encountered this before?
Yes, #3. I have implemented this myself. The concept you're looking at is: Associate multiple SSO accounts. My user structure is as follows:
name : {
first: { type: String},
last: { type: String }
},
emails: [{ type: String, unique: true, 'index': true }], //all known emails as provided by SSO services. we use this to cross ref when the user uses a different SSO to login after initial setup. this avoids account dupes
sso: [{
provider: { type: String, required: true}, //matches the name of passport strategy name employed
userid: { type: String, required: true } //the specific SSO provider userID that's unique in the provider's realm
}]
So, in your auth sequence, you look it up by email OR provider+userid combo, if you don't find the SSO provider, you attach it. The reason for or, someone may update their email but the specific SSO provider ID never changes.
Another common practice (if it makes sense in your app) is to allow the user to "link" SSO accounts. That allows you to handle different email addresses. Example: user FB email is a personal one but in LinkedIn he lists as primary the business one. LinkedIn sadly gives you only the primary via their OAuth2 call.