I'm getting the below error when trying to create a new user in Splunk:
Encountered the following error while trying to save: In handler 'users': Could not get info for role that does not exist: alert_manager
Do I need to disable any apps or delete the files related to any apps from the Splunk directory? Kindly suggest.
Without knowing any further information about your problem or environment, it sounds like the issue is with your alert_manager role, rather than a global issue. Try to create a user with the user role (or another role) and see if that works; if it does, there is a problem with how your alert_manager role is configured (or that role doesn't exist).
To see how to modify or add roles, check out Add and edit roles with Splunk Web in the Splunk docs.
Related
I am new to openidm and trying to explore options to remove roles from user once user status changes to terminated.
Is there any out of box feature available in Forgerock to do this ? Can you please help how to implement this solution
You can write a JavaScript that you can add to postUpdate (or onUpdate, but this will block the patch call during the removal) of the managed object. If you detect the change of the user status to the terminated state, you can query the roles the user is in and then loop over those to delete the user from each.
Some resources that might help you with listing roles and removing them:
Query a user's roles: https://backstage.forgerock.com/docs/idcloud-idm/latest/objects-guide/roles-over-rest.html#querying-user-roles
Delete user's roles:
https://backstage.forgerock.com/docs/idcloud-idm/latest/objects-guide/roles-over-rest.html#_over_rest
Scripts in managed object triggers:
https://backstage.forgerock.com/docs/idcloud-idm/latest/scripting-guide/script-triggers-managedConfig.html
How to use resources in IDM scripts:
https://backstage.forgerock.com/docs/idcloud-idm/latest/scripting-guide/scripting-func-ref.html
I am working on Netsuite and I'm new to it, so I need help. After creating roles and assigning a user to that specific role, I want to assign them to an application created using the integration record. When I wanted to create an access token, after selecting the application in the application name drop down, I am not finding any users or roles in the user drop down box and the role drop down box:
This is where I am facing the problem. So I need a solution to select users in the drop down box.
This link tells you all you need to know about setting up TBA and the correct basic permissions needed:
Token Based Authentication
Your user needs to have a role assigned to it with the following basic permissions:
User Access Token: Full
Access Token Management: Full
Web Services: Full
Once this role has been assigned to your user, the user will be available for selection when creating a token.
Go to the role you have setup for this OAuth and click Permissions tab > Setup and make sure User Access Tokens permission is there.
Here are the docs for setting up TBA roles. Maybe you are missing one of the permissions?
Getting Started with Token-based Authentication
I'm working on a project to pull information from a SharePoint calendar and and post it into the atTask Time Off calendar. This should be pretty simple, but nothing in the AtTask API works the way I would expect. I've already asked about the "POST" action deleting existing records. Now I'm running into some strange rights issues.
I have administrator rights in our AtTask sandbox. I am able to access the Time Off records (RESVY) for all users on the system. I am able to delete them without issue. However, I am only able to create new records (POST) for myself. When attempting to create a new record for another user, I'm plugging in the sessionID from my login as the administrator and the other users userID.
The result is an error message: "You do not have sufficient access to edit this User".
It seems odd that the API would allow me to delete the RESVT records for another user, but no create new records.
We are using Active Directory for authentication into AtTask, so I don't have access to the passwords of the other users. This is really getting to be a headache.
Thanks in advance,
Mark
To update another users Time-Off the following 3 scenarios will allow you to mark time-off for another user. This is using the new access module.
You are a system admin
You have User Admin setting enabled in your access level settings (Located under the Fine Tuning option through the Edit Rights at the user level)
You have users who report to you (you are a manager) you will be able to edit users Time-off for users who report to you.
Here is the scenario. I have two objects Users (with username/password) and UserInfo with rest of the data related to user. The Users is an old table with thousands of records and UserInfo is fairly new. I want to get as much UserInfo as I can when the user first logs in.
I'd like to force user to a custom screen after first login and ask for the UserInfo data. Once I get the "required" data in the new screen, I dont show it till the user voluntarily wants to fill in the data under "Profile".
Since there are multiple entry points to the application, I dont want to update all the controllers to check for this.
Is there a way I can use a Spring Security filter or something which is executed on successful login? I had a look at ApplicationListener<AuthenticationSuccessEvent> but it doesnt solve the problem as if I copy paste the link in the browser, it lets me go ahead to the destination without asking for "extra information".
In a nutshell, I want a check after each login which, if fails, user is not allowed to enter the application. No matter how he tries to get in.
In your Config.groovy, configure Spring Security's defaultTargetUrl and tell it to always redirect there:
grails.plugins.springsecurity.successHandler.alwaysUseDefault = true
grails.plugins.springsecurity.successHandler.defaultTargetUrl = '/userInfo/edit'
In your UserInfoController's edit action, you can check that the required fields are present (userInfo.validate() perhaps?) and if they are, redirect to wherever you like, perhaps '/', otherwise render the edit info view.
You can adopt what #doelleri proposed and enhance the rule by those steps:
run a batch task to assign a temporary ROLE_DISABLED role to each user who does not provide supplemental information yet. If the user already had some roles, save them in some property.
setup your authorization rule as that users with ROLE_DISABLED role only allowed to access /userInfo/edit.
in /userInfo/edit, if the user has a ROLE_DISABLED role, render the information input view, and resume user's role after it successfully updated its information. Otherwise redirect to '/' or the path it requested.
In alfresco execution of webscript, we can define whether the webscript authentication. Advanced Description Options
But I want to know "Is it a single webscript can be executed as admin or member of some group only modifying authentication property?"
I want to write new programs for member of some group, not member of admin group, can create new users, upload users and delete existing users. All webscripts[user-csv-upload.post, person.delete, people.post] to do these tasks require admin authentication. If I changed to authentication of these webscripts to user and run these webscript as admin like <authentication runas="admin">user</authentication>. All normal users can create new users. So I want to check that these webscript can only invoked one condition is met.
If I cannot check, I have to do two ways.
I have to write the same logic to two different webscripts, one for admin and one for member of some group
write authentication checking inside controller file with sudo like tool for current user is admin or member of some group.
I want to get any of your suggestion. Any help is greatly appreciated.
Solution:
I found exact code for my needs in sudo-like-tool-for-alfresco-security-aspects
Like Will Abson said in another question post, the most elegant solution is using this: Sudo Tool for Alfresco WebScripts. With this tool you can grant your user (if this users is part of a certain custom group) temporarily admin privileges. If not, it acts as a normal user with his own privileges. It requires some Java coding, though.
Otherwise, the solution number 1 is what we achieved for an our client. We developed a custom webscript with a custom url known only to their manager users, that can run script with "runas=admin" option, and make what they want. In this case, what you can do is: expose a link to the "user management webscript", only if the manager user is logged in, otherwise the link doesn't appear, and you respect some sort of "security". It's not very elegant but does the trick.