I have three roles: admin, instructor (combination of teacher and course creator) and student.
I created a child theme based on the Clean theme. In my child theme, I customized the layout of the login page. In my login page, there are three buttons: Login as Admin, Login as Instructor and Login as Student.
How can I force the login to be as a specific role? I did check out the /login/index.php but I'm having a hard time understanding the flow of the login process.
As additional info, the dashboard content and design depend on which role the user logged in with.
First, San is wrong. There are very much global roles in Moodle. You can access these under:
Site Administration -> Users -> Permissions -> Assign system roles
Second, you talk about 'forcing' a role when you login. This makes no sense in Moodle terms. This is how Moodle works:
Create a user.
Assign them a system role (by default they will be under the role 'All Users')
Login as that user and they will have that role.
Why bother creating three different login buttons? All you need to do is create three accounts, each with different login details, and assign them each a separate role.
If this does not answer your question, please give me more details on what you are trying to achieve.
First, there is no global role in Moodle for any user.
User roles are assigned to course level in Moodle.
For dashboard content and design, you can check the user's course-level role and show data as per the user's role.
If a user is a student in any course, then I consider them a student and show student-related data only for the courses in which the user is a student.
Related
I need help finding the best architectural pattern to implement a feature.
We have an application that manages users' access to a Salesforce platform. We can create a user, read the roles created in SF, append the user roles from our app and send the change to SF... and some other features not relevant to this question's scope.
We added a new concept to our app to handle the growing number of SF users we manage: a profile concept. In a few words, we create a profile with some roles, for example DEV_PROFIL. We apply this profile to all the developer users, and we modify each user in Salesforce based on the roles in their profile.
From the backend POV, I have a profile index, a user index and a one-to-many relationship (one profile can have many users).
My question is the following:
How can I keep track and keep the users' roles synced with any change I make to the profile?
Ex: Let's suppose I had 3 roles in my DEV profile, and 100 users have this DEV profile. Now I add two new roles to my profile. How can I be sure that the 100 users' roles are synced after my change?
PS: Salesforce does not know about my profiles; all it knows is the roles.
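One common way to approach the sync described in the question above is desired-state reconciliation: treat the profile as the source of truth, diff it against the roles read back from the platform, and re-run the diff until it is empty. This is an added example, not part of the original post; the function names, role names and the in-memory stand-in for the platform API are assumptions.

```python
# Added example, not from the original post: desired-state reconciliation.
# Function names, role names and user ids are constructed for illustration.

def plan_sync(profiles, user_profile, actual_roles, managed_roles):
    """Diff each user's current roles against the roles their profile implies.

    profiles      profile name -> set of roles (source of truth in the app)
    user_profile  user id -> profile name (the one-to-many relation)
    actual_roles  user id -> roles read back from the platform
    managed_roles roles the app may grant or revoke; others are left alone
    """
    plan = {}
    for user, profile in user_profile.items():
        desired = profiles[profile] & managed_roles
        current = actual_roles.get(user, set()) & managed_roles
        add, remove = desired - current, current - desired
        if add or remove:
            plan[user] = {"add": add, "remove": remove}
    return plan  # empty plan == every user matches their profile


def apply_plan(plan, actual_roles, fail_for=()):
    """Stand-in for the platform API; fail_for simulates failed updates."""
    for user, change in plan.items():
        if user in fail_for:
            continue  # simulated API error: this user stays out of sync
        roles = actual_roles.setdefault(user, set())
        roles |= change["add"]
        roles -= change["remove"]


def demo():
    managed = {"role_a", "role_b", "role_c", "role_d", "role_e"}
    profiles = {"DEV_PROFIL": {"role_a", "role_b", "role_c"}}
    user_profile = {f"dev{i}": "DEV_PROFIL" for i in range(100)}
    # Constructed platform state: in sync, plus one role assigned by hand.
    actual = {u: {"role_a", "role_b", "role_c", "manual"} for u in user_profile}

    profiles["DEV_PROFIL"] |= {"role_d", "role_e"}  # the profile edit
    first = plan_sync(profiles, user_profile, actual, managed)
    apply_plan(first, actual, fail_for={"dev7"})     # one update fails
    second = plan_sync(profiles, user_profile, actual, managed)
    apply_plan(second, actual)                       # retry only the drift
    third = plan_sync(profiles, user_profile, actual, managed)
    return len(first), sorted(second), third, actual["dev7"]
```

Because the plan is computed from what the platform actually reports, the same function covers roles removed from a profile (they show up under "remove") and can run on a schedule to catch changes made outside the app.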
I'm trying to set up an HR type role, so one of our users can do all the backend user and division management.
Most of it is working apart from two things.
When creating the user, the Access Settings tab is missing; the normal admin user shows it but my HR role does not.
Is there a specific security item we need to add to allow this?
Also, when I try to create a new business unit under the unit that user belongs to, I get a "you do not have permission to perform this action" message. For that HR user I have set all the business permissions to business unit.
Again, do I need to set a specific permission to allow this?
Thanks
Steve
The tab is hidden because the new role doesn't have an Organization view permission.
I have an admin role on my realm and a user-admin role for my test client.
The user-admin is only allowed to view users, edit them and map roles from the test client. I also want the user-admin to create new users.
Sadly, the "Add User" button is not displayed when I log in using a user-admin.
The only way to allow the user-admin to create users is to add the manage-users role from the realm-management client as a composite.
The problem with the manage-users role is that it also allows viewing and editing groups and mapping every role there is, including my admin realm role.
I tried using the map-role permission from the admin role itself. That did not work, and it seems that the manage-users role simply outweighs the permissions of the role.
I'd expect something like a create permission for the Users resource but can't find anything like that.
Thanks,
Maik
I am new to Keycloak and I am trying to use it as the authentication server in my solution.
I have the following entity model: the devices are owned by a particular company to which some users belong. A user with the admin role can grant permission for viewing some set of devices to a regular user, but only those devices that belong to the admin's company. Thus all users except admins can view only a subset of all devices in the company.
Based on these requirements, I decided to model companies as groups and devices as Keycloak resources. To evaluate permissions, I chose a rule-based policy.
The question is: can I set a group as the owner of a resource to check this relation in the policy?
If someone is more experienced in Keycloak and knows how to better represent such a model, please help.
Thank you in advance.
While working on Keycloak, I didn't find any way to set multiple owners for a particular resource.
I have the alternative option of giving the access permission that owners have for their resources.
Let's say the owner of Resource A is OWNER A, and there are two more users, USER A and USER B. Suppose OWNER A has already shared the access permission with USER A, and USER A wants to share Resource A with USER B on behalf of the resource owner; how can USER A share the resource scopes with USER B?
Answer
Keycloak provides a token exchange or impersonation feature. With the help of this, USER A is able to share the resources with USER B on behalf of OWNER A (the owner of Resource A).
Reference: You just need to follow this Keycloak Impersonation
Add comments if you still face the problem.
In Keycloak, you may represent a particular company (or any organization or organizational unit) as a realm:
https://www.keycloak.org/docs/latest/server_admin/index.html#core-concepts-and-terms
Create a new realm:
https://www.keycloak.org/docs/latest/server_admin/index.html#_create-realm
Then represent the company's users as users in the company's Keycloak realm:
https://www.keycloak.org/docs/latest/server_admin/index.html#user-management
... and devices as Keycloak Clients (any kind of resource you want to enforce permissions on is a Client in the Keycloak model):
https://www.keycloak.org/docs/latest/server_admin/index.html#core-concepts-and-terms
An admin role is already defined by default for each role (Roles menu).
Instructions tested on Keycloak 4.0.0.
For each device, create the corresponding Client in Keycloak (Clients menu). Switch on Permissions Enabled on the Permissions tab of the new client. A list of admin console permissions will appear just below the switch button, such as the view permission.
Then, in order to assign the permission to view the device to some user, the admin should click on the view permission (link) just mentioned, create a User Policy (Create Policy... listbox) and select the users (assignees) in the Users field.
In order to assign the permission on multiple devices to the same group of people, use a Group or Role Policy instead (put the users in the same group beforehand).
In order to assign the permission to groups of devices, use one Group/Role per group of devices, then assign users to the Group/Role.
I have a site, and I would like to make it "multi-country".
I have created several organizations and users that belong to one of them.
I'd like to do this: when a user logs in from one organization page, say MySite/EN/home, how can I prevent them from also being logged in for another organization page, say MySite/IT/home?
Actually, if a user logs in on mysite/en/home and visits mysite/it/home, he is also logged in on that page.
Can this be prevented?
Liferay, out of the box, doesn't permit what you desire: if a user is logged in, this is true in every part of the Liferay portal.
I'll try to list some chances you have:
1st chance)
If each organization has a different virtual host setting, the login cookie is only valid for the domain the user logged in on.
2nd chance)
A logged-in user can be an organization member of one organization and a simple user of each of the other organizations. You can set the permissions on different roles to allow different actions and different view levels among different organizations for the same user.
3rd chance)
You have to develop a new portal extension through an ext-let plugin that can alter the portal behaviour...
bye