Archer Assign User dynamically - archer

RSA Archer Is there a way (custom code?) to assign a user to a user/group field dynamically?
Like:
2 Groups
apple - is assigned to usera
orange - is assigned to usero
sendnote - user/group field
if I choose apple - assign usera to sendnote
if I choose orange - assign usero to sendnote

User/group list can't be calculated, but record permission field can be. The logic you described can be implemented if you use Record Permission field and make it Automatic type. This will allow you to add calculation rules and populate it as required. Side effect of this approach is that calculated fields can't accept user input.
If you want to accept user input and automate behavior of the given field at the same time, then you have to write a Custom Object. Code for Custom Object will vary a lot based on the behavior you want, so it is probably a topic for another question.
Good luck!

Related

Masking Dimension attribute / Security in SSAS

We have a cube where we implemented the dimension data level security based on ROLE. This security is working fine where we are restricting the user to see his records only. Now the Customer dimension has another Employee attribute. Based on the value of this field we want to restrict other dimension attributes. Like in the below example Manager_Id is the attribute that should be masked. We want to mask the attribute value of this field with "Employee" so that the restricted user only sees a masked attributes value.
Note: Both the attribute from the same dimension
User is allowed to see employee data
Name Manager_ID
Jon 123456
If the User is not allowed to see then the attribute value needs to be masked with Employee
Eg:
Name Manage_ID
Jon xxxxx
Thanks
Jay
If I'm interpreting your question correctly you're trying to disable a value in a dimension based on the user querying the dimension/cube. Unless you've built your own version of Excel where you would add those overrides you should use different roles for the different types of users that use your application.
While I don't know how and if you can mask a value, you can use attribute security to disable the role from viewing the contents of a certain attribute of a dimension.
To do this from SQL Server Management Studio you can open the properties of a role, go to the dimension data tab and select the cube and dimensions you want to filter.
Warning: you can't disable values in a dimension, then the user will still be able to query them, you'll need to scroll down to the cubes and edit the dimension there.
(it's a long list of first your dimensions and then your cubes which can be extended to show the cubedimensions, which are the only thing relevant to us right now)
When you have the correct dimension you can select an attribute, Manager_ID in your case, and disable all values a user shouldn't be able to see. You can do this by unchecking all restricted values, or by deselecting all members and then clicking the ones that should be available. That all depends on your use case.
The result of this will be that when opening the dimension from Excel or Power BI the disabled values won't show.
I hope this helps and good luck.

What are the security risks if I disclose database field name to web user interface?

I want to make the program simpler, so I use the table's field name as the name in the HTML input,
and then I can save some time mapping input names to database field names.
But are there security risks if the user knows my field names?
(Suppose SQL injection has been handled in the server program.)
Update 1:
I am not going to get around the field name validation.
I just don't want to do something like this
$uid=$_POST['user_id'];
$ufname=$_POST['user_first_name'];
$ulname=$_POST['user_last_name'];
If I do this
$user_id=$_POST['user_id'];
$user_first_name=$_POST['user_first_name'];
$user_last_name=$_POST['user_last_name'];
I can save coding time, don't need to think of two names for one piece of data, and reduce bugs.
I can also do something like this to save more time, as I just type the name once.
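$validField=array("user_id","user_first_name","user_last_name");
$orm=array();
foreach ($validField as $field) {
    // copy only the listed fields from the request; anything else is ignored
    $orm[$field]=isset($_POST[$field]) ? $_POST[$field] : null;
}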
This can also validate the field name,
so I think there is no way for hacks to get my unpublished fields.
I can save some time for mapping input name to database field name.
If you save time mapping input names to database field names, you would need to spend a roughly equivalent time validating that the field names are, in fact, among the fields that the users can access in your database. There is no way around this validation, because otherwise your DB is exposed to hacks that try and get your unpublished fields, such as IDs and hashes. This is pretty bad, so you would need to build that validation layer.
On the other hand, if you do a mapping from meaningless IDs to meaningful, then you do not need validation, because it is your program that produced the meaningful IDs. Essentially, the validation step is built into the process.
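The two approaches from this answer side by side, as an added example that is not part of the original posts: an allowlist when input names equal column names, and a server-side map when the form uses opaque keys. It is written in Python with an in-memory SQLite table rather than the asker's PHP; the `password_hash` column, the opaque keys `f1`/`f2` and all function names are assumptions made for the illustration.

```python
import sqlite3

# Constructed schema: the form may edit the two name columns only. user_id
# comes from the session and password_hash is never settable by the client.
WRITABLE = frozenset({"user_first_name", "user_last_name"})
# Alternative from the answer: opaque form keys, mapped on the server.
OPAQUE = {"f1": "user_first_name", "f2": "user_last_name"}


class UnknownField(ValueError):
    """The request named a field the form never offered."""


def columns_from_named_form(posted):
    """Input names equal column names, so every key must be allowlisted."""
    unknown = sorted(set(posted) - WRITABLE)
    if unknown:
        raise UnknownField(unknown)
    return dict(posted)


def columns_from_opaque_form(posted):
    """Opaque keys: the dictionary lookup is itself the validation step."""
    try:
        return {OPAQUE[key]: value for key, value in posted.items()}
    except KeyError as exc:
        raise UnknownField([exc.args[0]]) from None


def update_user(db, session_user_id, columns):
    """Column names are server constants by now; values are bound parameters."""
    if not columns:
        return 0
    names = sorted(columns)
    assignments = ", ".join(f"{name} = ?" for name in names)
    cur = db.execute(f"UPDATE users SET {assignments} WHERE user_id = ?",
                     [columns[name] for name in names] + [session_user_id])
    return cur.rowcount


def demo_db():
    """In-memory table with one constructed row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_first_name TEXT,"
               " user_last_name TEXT, password_hash TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'Ann', 'Lee', 'constructed-hash')")
    return db
```

Rejecting the whole request on an unknown key, rather than silently dropping it, also leaves a clear signal in the logs when a client submits fields the form never rendered.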

How to give edit rights to own records for a user in openerp 7?

I would like to implement the following scenario.
User must be able to see all the records and should be able to edit only his own records
Is it possible to do it in openerp 7 and if possible how to do it?
You need to create Record rule so User can see only his records and create Access Control List so User can edit those records.
Record rule --> Settings/Technical/Security/Record Rules
Create a Record rule for your object and add a specific domain so user
can see only his record.
Access Control List --> Settings/Technical/Security/Access Control List
Create an Access Control List and add name, object,
Access(Read/Edit/Delete/Create) and save it. As per your need, you
need to tick Write Access, Save it and Check it.
Add a functional field which returns false if the record is created by the logged in user else true and in the view add a group with attributes readonly if the functional field's value is true and move all the fields to this group and also add the functional field invisible as invisible in the view

Suborganizations and Unique id

I can successfully authenticate my application with ApacheDS,
but now I use only one domain.
I want to add subdomains or sub organizations under the root domain.
For example a root organization as
dc=example,dc=com
and sub organizations dc=x
another sub organization dc=y
Now I can authenticate users using the uid attribute
like:
user-search-filter="(uid={0})"
I use a login name like user1, without an # extension.
But I want to have suborganizations and I want to use user1#x.example.com
Is it possible and how?
My application is a Spring application but I think the subject is independent from my application side.
The attribute defined in the LDAP standards track for email addresses is mail, rfc822mailbox, or 0.9.2342.19200300.100.1.3 as defined in RFC4524. Perhaps your filter should be an attribute assertion using one of those types, for example, user-search-filter="mail={0}".
I am not sure what is meant by "manually". LDAP does not have a concept of organizations, only entries that might belong to an organization. These entries might have a mail attribute if the entry belongs to an objectClass that allows or requires the mail attribute. In other words, if your filter is mail={0} (which might become mail=user1#x.example.com), then a search using that filter (given the appropriate base object and scope) will return all entries that have a mail attribute with the value user1#x.example.com irrespective of where that user is located and irrespective of the value of the uid attribute.
If the users in an organization can be identified some other way, perhaps by organization or other attribute, then the filter could be:
(&(uid={0})(o=x))
or
(&(uid={0})(o=y))
One way or another, the users' entry must be identifiable by the contents of the entry. The primary key in an LDAP database is the distinguished name (uid=abc,dc=x,dc=example,dc=com) but attributes in the entry can be used to tighten the filter. Some alternatives are:
use unique identifiers (all uid or mail values are unique in the database, therefore, only one is ever returned to a search request)
use an attribute to identify users in an organization (like o in the example filters above)
use a dynamic group to generate a list of users in an organization.
consider using an extensible match filter to make values in the distinguished names be part of the filtering process
see also
using ldapsearch - the article is about the ldapsearch command line tool, but the concepts are useful when constructing search requests
mastering search filters
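One way to turn a login such as user1#x.example.com into the filters discussed in this answer, as an added example that is not part of the original posts and not Spring or ApacheDS configuration. It is Python for illustration; the function names, the `#` separator default and the list of known sub-organizations (x and y, from the question) are assumptions. The user-supplied part is escaped per RFC 4515 before it is placed in a filter, and the organization part is checked against a fixed list before it is placed in a DN.

```python
ROOT_DOMAIN = "example.com"          # from the question's dc=example,dc=com
KNOWN_ORGS = frozenset({"x", "y"})   # the two sub-organizations in the question
# RFC 4515: these characters must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape filter metacharacters one character at a time (no double escaping)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def split_login(login, separator="#"):
    """Split 'user1#x.example.com' into ('user1', 'x'); reject anything else."""
    uid, sep, domain = login.partition(separator)
    suffix = "." + ROOT_DOMAIN
    if not sep or not uid or not domain.endswith(suffix):
        raise ValueError("login must look like uid" + separator + "org" + suffix)
    org = domain[: -len(suffix)]
    if org not in KNOWN_ORGS:
        raise ValueError("unknown sub-organization")
    return uid, org


def org_filter(login):
    """Filter of the form (&(uid=...)(o=...)) suggested in the answer."""
    uid, org = split_login(login)
    return "(&(uid={})(o={}))".format(escape_filter_value(uid),
                                      escape_filter_value(org))


def org_search_base(login):
    """Alternative: keep a plain uid filter and scope the search to the org subtree."""
    uid, org = split_login(login)
    root_dn = ",".join("dc=" + part for part in ROOT_DOMAIN.split("."))
    return "dc={},{}".format(org, root_dn), "(uid={})".format(escape_filter_value(uid))
```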

Update an entity inside an aggregate

I was reading a similar question on SO: How update an entity inside Aggregate, but I'm still not sure how a user interface should interact with entities inside an aggregate.
Let's say I have a User, with a bunch of Addresses. User is the aggregate root, while Address only exists within the aggregate.
On a web interface, a user can edit his addresses. Basically, what happens is:
The user sees a list of addresses on its web interface
He clicks on an address, and gets redirected to this page: edit-address?user=1&address=2
On this page, he gets a form where he can modify this address.
If we decided to bypass the aggregate root, this would be straightforward:
We would directly load the Address with its Id
We would update it, then save it
Because we want to do it the DDD way, we have different solutions:
Either we ask the User to get this Address by Id:
address = user.getAddress(id);
address.setPostCode("12345");
address.setCity("New York");
em.persist(user);
The problem with this approach is, IMO, that the aggregate root still doesn't have much more control over what's done with the address. It just returns a reference to it, so that's not much different from bypassing the aggregate.
Or we tell the aggregate to update an existing address:
user.updateAddress(id, "12345", "New York");
em.persist(user);
Now the aggregate has control over what's done with this address, and can take any necessary action that goes with updating an address.
Or we treat the Address as a value object, and we don't update our Address, but rather delete it and recreate it:
user.removeAddress(id);
address = new Address();
address.setPostCode("12345");
address.setCity("New York");
user.addAddress(address);
em.persist(user);
This last solution looks elegant, but means that an Address cannot be an Entity. Then, what if it needs to be treated as an entity, for example because another business object within the aggregate has a reference to it?
I'm pretty sure I'm missing something here to correctly understand the aggregate concept and how it's used in real life examples, so please don't hesitate to give your comments!
No, you're not missing anything - in most cases the best option would be number 2 (although I'd call that method changeAddress instead of updateAddress - update seems so not-DDD) and that's regardless of whether an address is an Entity or Value Object. With Ubiquitous Language you'd rather say that User changed his address, so that's exactly how you should model it - it's the changeAddress method that gets to decide whether to update properties (if Address is an Entity) or assign a completely new object (when it's a VO).
The following sample code assumes the most common scenario - Address as VO:
public void ChangeAddress(AddressParams addressParams)
{
    // here we might include some validation
    address = new Address(addressParams);
    // here we might include additional actions related with changing address
    // for example marking user as required to confirm address before
    // next billing
}
What is important in this sample, is that once Address is created, it is considered valid - there can be no invalid Address object in your aggregate. Bear in mind however, that whether you should follow this sample or not depends on your actual domain - there's no one path to follow. This one is the most common one though.
And yes, you should always perform operations on your entities by traversing through aggregate root - the reason for this was given in many answers on SO (for example in this Basic Aggregate Question).
Whether something is an entity or VO depends on the requirements and your domain. Most of the time address is just a Value Object, because there's no difference between two addresses with the same values and addresses tend to not change during their lifetime. But again, that's most of the time and depends on domain you're modeling.
Another example - for most of the domains a Money would be a Value Object - 10$ is 10$, it has no identity besides amount. However if you'd model a domain that deals with money on a level of bills, each bill would have its own identity (expressed with a unique number of some sort) thus it would be an Entity.