I am developing an application using Grails framework. I would like to allow access to the application to Users based on their Roles and the privileges granted to those Roles. Spring Security can provide only high-level security. which is not sufficient to my task. But here I would like to manage the privileges dynamically.
Please suggest any best approach to do this.
Suppose take a Reprint functionality in application. Being an Admin will decide to who can access and who cannot based on their Roles.
Thanks in Advance
Spring security provides the role based functionality which is not dynamic or admin or any super your can't allow / deny the access to the particular thing dynamically to the particular user.
But you could create the custom authorization workflow.
Assuming that you have 'user' table in your database, in this table you can create the one column as 'authorization' as a string / varchar data.
Make a JSON as follows ( for example)
[ "resource1":{
"canView" : true,
"canEdit" : false,
"canDelete" : false
},
"resource2":{
"canView" : true,
"canEdit" : true,
"canDelete" : true
}
]
Create / build this JSON as per your requirement, this is just an example.
Store this as a string in the database convert it after fetching from backend ( String to JSON) manipulate its values dynamically (which admin will change), again convert to string and update it, fetch and convert to JSON and check value wherever you want check -> Is the user have an access to get this resource or not.
Related
I'm trying to mask sensitive data via an Azure SQL database.
The data is saved as normal text and one column as XML and another saved as json.
I've tried adding rules to the database but when I open SSMS and run a select statement it does not apply to any of the data in the columns (normal text, xml or json saved data)
There's no user excluded to see unmasked data.
Just want to understand why the data is not masked when I perform a select on SSMS.
My rules look like the below:
XML Rule
JSON Rule:
Text Rule:
My SQL statment:
SELECT TOP (1000) * from database_Name
As mentioned in Microsoft Document it says,
The identities in Azure Active Directory (Azure AD) or SQL are included in the masking process and should have access to the unmasked sensitive data.
Maybe you are accessing data as SQL admin or Azure AD user because of that you can see sensitive data.
By hiding important information from unwanted users at multiple layers of the database, you may prevent access and gain control. You may give or remove UNMASK permission to a user.
The code taken from Microsoft-documentation it says,
Give UNMASK permission to user
GRANT UNMASK ON Data.Membership TO USER;
To Query the data under the context of user
EXECUTE AS USER='USER';
To revoke UNMASK permissions
REVOKE UNMASK ON Data.Membership FROM USER;
Data after granting permission to user
Data after removing permission from user
Taken Reference from:
SQL Database dynamic data masking with the Azure portal
Granting and Revoking the Permission
These are two properties you can set in a template and I am curious how they differ and which one I should use.
The definitions don't make it clear:
role: arn:aws:iam::XXXXXX:role/role # Overwrite the default IAM role which is used for all functions
iamRoleStatements: # IAM role statements so that services can be accessed in the AWS account
Can someone explain how they differ along with use cases for both?
I'm not sure if I should just make a new provider level role with all resources the application needs and assign the role paramater to it, or if I should just keep the default role serverless makes, and add my own policies to the iamRoleStatements
iamRoleStatements is designed to contain the most common permissions needed for this service. For example, you have an API gateway and a bunch of lambda functions that all use DynamoDB to store the transactional data. Almost all the lambda functions need to have permission to query DynamoDB, so iamRoleStatements should be configured like this.
provider:
name: aws
...
iamRoleStatements:
- Effect: Allow
Action:
- dynamodb:DescribeTable
- dynamodb:Query
- dynamodb:Scan
- dynamodb:GetItem
- dynamodb:PutItem
- dynamodb:UpdateItem
- dynamodb:DeleteItem
Resource:
- <DynamoDB table and indices arns>
All the lambdas will get the same iamRoleStatements written above. Now, say if you have a special lambda function that needs completely different permission sets. You can craft a role in the console, and use the role option to overwrite the default role which contains iamRoleStatements.
What privileges can I grant to let everyone in the world query my information schema? i.e. I want everyone to be able to run:
select * from `projectid`.INFORMATION_SCHEMA.SCHEMATA
Currently I get back:
Access Denied: Table projectid:INFORMATION_SCHEMA.SCHEMATA: User does not have permission to query table projectid:INFORMATION_SCHEMA.SCHEMATA
Usually in BigQuery you set permissions at the dataset level. For example, this query will run for anyone, as the dataset is public for everyone:
SELECT *
FROM `fh-bigquery.flights.INFORMATION_SCHEMA.TABLES`
But you can't do this:
SELECT *
FROM `fh-bigquery.INFORMATION_SCHEMA.SCHEMATA`
This because you need project level permissions to see all my datasets, even the ones I haven't made public.
If you really want to share the schemas of all your datasets with the world, then you could create a custom role just for this, with the bigquery.datasets.get permission:
https://console.cloud.google.com/iam-admin/roles
Then you need to assign this role to all users - but that's not an option.
At the project level, you can assign this role to one of these:
Google Account email: user#gmail.com
Google Group: admins#googlegroups.com
Service account: server#example.gserviceaccount.com
G Suite domain: example.com
One option in this case:
Create a Google Group.
Give this new role to this new Google Group.
Make this Google Group free to join.
Tell people "hey, if you want to see my project SCHEMATA, join this group".
Then all will work.
I'm looking for a very efficient way to control row level access and column level access, considering that users and user groups metadata is stored in the database. Our application is using Entity Framework and we have to ensure that all code access to some record and it's columns is filtered based on the user access to the requested data.
I would like to make the user console available to our users, but I cannot do to if I can't set permissions on individual data sources. That is to say, user A would only have access to use data source A, and user B would only have access to use data source B.
Is it possible to restrict a user or role to a subset of defined datasources?
try this for every datasource: http://mondrian.pentaho.com/documentation/schema.php#Access_control
Make sure the Mondrian One-To-One UserRoleMapper is uncommented in the /pentaho-solutions/system/pentahoObjects.spring.xml file.
It will look like this:
https://help.pentaho.com/Documentation/5.1/0N0/020/080/010/000