I am using external LDAP service to define Camunda Groups, Users and User Group memberships.
I can see the Groups and Users from LDAP in the Admin UI very well.
I can also use Authorisations for example to provide or revoke read access to my deployment.
But no matter what I do, any application user can see complete list of the currently running [CMMN] tasks in the /tasks REST endpoint.
I am taking an LDAP user that is a member of 2 groups.
Neither the user, nor any of his groups have any Authorizations set up in Camunda, except for ACCESS to an application (I restrict to 'cockpit' only).
Still, when I login with that user the GET /tasks lists complete list of all currently running tasks.
My test user cannot see any data /process-instance (even though there are some running), but at the same moment it can see all process instance variables via /variable-instace.
What's the purpose of restricting /process-instance without restricting /variable-instance ?
What am I missing here? Can access to the /tasks and /variable-instance be restricted?
Can the reason be that the User Tasks that I try to restrict access to had been generated by a CMMN process?
Update
Yes, my unprivileged user can see all CMMN tasks but no BPMN tasks.
So the authorization is working but it doesn't cover CMMN :(
According to this (Closed) feature request:
https://app.camunda.com/jira/browse/CAM-5875
The CMMN is 100% Enterprise version feature available since version 7.6 (I am on 7.7)
According to this (Open) feature request:
https://app.camunda.com/jira/browse/CAM-6754
The CMMN Tasks are not yet covered by the authorisation even in the enterprise version.
:(
Related
I'm quite new to the entire auth design and am still trying to understand how to use keycloak for authentication and authorisation.
Currently from what I understand in order to have authorisation enabled for a client you will need to have it in confidential.
After which I am kind of stuck in terms of how to set which policy for which permission.
I have a few types resources but currently placing them all under a single client for simplicity sake.
For my use case I have a workspace for users. So each workspace can have multiple users with different roles of owner,editor,viewer. And within the workspace there are artifacts. So it is some what like designing an authorisation for Google drive.
Would like some advice on how best to design it.
One way I have thought of is using groups and each workspace is a group. Using it to assign users to each group as a way to use the group policy for permission.
The other is really by creating multiple policy and permission for each artifact/resource and adding user to each policy for each workspace.
Would like any advice on authorisation design or even where to begin reading.
After some research I have come to these conclusion.
Yes these can be done by keycloak though most likely shouldn't be done in keycloak itself for its design.
Keycloak itself will most likely be more suitable in terms of authenticating/authorising on services or infra level. So this use case of having user be able to access workspaces or artifacts will be better done in application level having a separated service to handle the permission itself.
That being said if it really needs to be done in keycloak the design that I thought of that is not so scalable is as follow.
Create a policy/user and each workspace/artifact as a single resource. Depending on how many types of access/fine grain control is needed for each type of resource create the scope for each (e.g workspace:view, workspace:edit...). Then create a permission for each resource&scope. This allows fine grain access of basically assigning user to permission of each resource through the user policy.
But of course this design has its flaws of the need of too many policies, permissions and resources so it is better to have keycloak just handle the authentication part and authorisation is just giving users the role to be able to access a service and through the service check if the user is authorised for a certain action.
I want to auto-assign a few of the Projects to the user who is logging in using the LDAP credentials. Currently, if LDAP user logs in, I have to go in Report Portal using super admin credentials and assign Member Role and Projects to that specific member.
I have recently tried this LDAP feature and facing this issue of the new user gets creating and assigning projects and members to each one of them. I wan some auto-assignment (like can we passed while setting LDAP setting in Report Portal)
Below is my LDAP user nperiwal with which I logged in Report Portal. But as you see this got created a new user and no project got assigned to it automatically. I want some process or code or settings which can fulfil my requirement.
FYI, see the below snapshot where I manually assigned projects and admin role.
Please help.
Simple way:
It can be done via scripting, see which requests are send to server in browser Network tab and put the same into the bash/shell script. Parametrize according to username and required access.
Long way: wait until our team will implement it within ReportPortal as feature, based on regular priority
Best way: request payed support from our team, and we will implement this capabilities for your company with highest priority. Drop mail at support#reportportal.io
Suppose that I have a web application. Consider it like a Black-Box for now. I want to use a backend system to limit what a user can view/do on the app.
i.e. Sample users can only do three functions, Premium users can do 10 functions and see more pictures.
What is the best way to do it?
I'm trying to using WSO2 Identity Server, but it doesn't offer this functionality. So I've thought that maybe I can integrate it with the WSO2 API Manager and make an API that limits users' access to a certain resource. But really I cannot find if it's possible do it. Anyone know it?
Please refer to : https://docs.wso2.com/display/IS530/Access+Control+Concepts
1) WSO2IS can act as a coarse grained access manager. Your application will act as a fine grained access mnager.
It means that roles can be defined in WSO2IS, managed and assigned to user. From there Roles assigned to one user can be provided as clains with the identity token generated by WSO2IS and sent to the application.
The application, on the other side, will manage roles to permissions links.
Access control is then done at each request by the application, based on the roles presented in the Identity Token by the user and the Permissions grid based on roles in the application.
2) The access control at the application is a business logic you must implement (or at least configure if it a COTS). It is possible to outsource this logic to WSO2IS as policies on attribute (with Workflows).
Please look at : https://docs.wso2.com/display/IS530/XACML+Architecture
Jeff
If I have multiple Atlassian tools integrated with Crowd, i.e Jira, Confluence, Bamboo, etc., is it possible to grant a user access to Jira and not to Confluence or vice versa?
This can be done by the use of Groups. So, for example, you could have a jira-users group and a confluence-users group. Some users maybe members of both but other users may only be members of one and not the other.
The Managing Groups documentation for Crowd should help setting up the groups and adding users to them.
Specifying which Groups can access an Application details how to setup the restrictions you require per application.
Please note, that both these tasks require admin access to the Crowd Administration Console.
In alfresco execution of webscript, we can define whether the webscript authentication. Advanced Description Options
But I want to know "Is it a single webscript can be executed as admin or member of some group only modifying authentication property?"
I want to write new programs for member of some group, not member of admin group, can create new users, upload users and delete existing users. All webscripts[user-csv-upload.post, person.delete, people.post] to do these tasks require admin authentication. If I changed to authentication of these webscripts to user and run these webscript as admin like <authentication runas="admin">user</authentication>. All normal users can create new users. So I want to check that these webscript can only invoked one condition is met.
If I cannot check, I have to do two ways.
I have to write the same logic to two different webscripts, one for admin and one for member of some group
write authentication checking inside controller file with sudo like tool for current user is admin or member of some group.
I want to get any of your suggestion. Any help is greatly appreciated.
Solution:
I found exact code for my needs in sudo-like-tool-for-alfresco-security-aspects
Like Will Abson said in another question post, the most elegant solution is using this: Sudo Tool for Alfresco WebScripts. With this tool you can grant your user (if this users is part of a certain custom group) temporarily admin privileges. If not, it acts as a normal user with his own privileges. It requires some Java coding, though.
Otherwise, the solution number 1 is what we achieved for an our client. We developed a custom webscript with a custom url known only to their manager users, that can run script with "runas=admin" option, and make what they want. In this case, what you can do is: expose a link to the "user management webscript", only if the manager user is logged in, otherwise the link doesn't appear, and you respect some sort of "security". It's not very elegant but does the trick.