I'm developing an application in ASP.NET MVC5 with some forms for data entry and I have a database with 30 users.
3 of them are Admin, 4 of them are Regional Managers and the rest are users by country.
1. I want to restrict the users by country access to some fields in a form. Basically, there are 4 fields that only the Regional Managers can see and introduce data.
Also there's another form that only the Regional Managers can have access.
2. When the users logs into the application, they should only be able to see the data regarding the country they belong to. Example: a user from China can only see and introduce data from Chinese projects and a user from Indonesia can only do the same for projects in Indonesia.
How can I implement these restrictions in SQL Server?
Thanks in advance.
You should bring about that restriction at the application end and not in SQL Server. The app devs should implement that logic in place.
Additionally, what you could do at the database end would be to restrict users to access specific data only. One way of implementing this would be to create separate views for each country and grant users access to those views and not to the parent table directly. A user from japan could be granted access only to the view that holds data for Japan.
Related
I have a dimension which contains our business warehouse IDs and also I made users in Active Directory with the same name(1001, 1002, 1003, 1004, …) as you see in below.
DimWarehouse
ID
1001
1002
1003
1004
.
.
.
My question is that how it is possible each "username" just access to it's Warehouse ID?
There are two ways how you can restrict user access to certain parts of the cube:
You define "static security": You define one role in the cube for each set of permissions (if I understand your requirements correctly, that would mean one role per user), and then you map the Active Directory users or user groups to those roles. If you have many users and many permission roles, that can get more or less unmanageable. However, sometimes it is good that you also can use AD user groups for this purpose, and that can reduce effort a lot. I Implemented a solution like this where we needed to restrict access user access based on their country, and only had around 50 countries, and AD user groups were already existing for the countries.
You can use "dynamic security". This means you only use a single role and write an MDX expression that most likely makes use of the Username() MDX function, and which returns a valid MDX set which is either a set of allowed or a set of forbidden members. As your MDX statement could even call an AS Stored procedure implemented in .net, you are even more flexible, as this .net Stored procedure could e. g. contact your AD to check for further properties of the user.
In both cases, you would administer the settings in "dimension security" of the cube design in "SQL Server Data Tools - Business Intelligence" or in SQL Server Management Studio, and would need to design your cube accordingly to have the correct relations from the dimension that you restrict to your data.
A detailed (if a bit old) blog post describing an approach for setting security using dynamic security can be found at http://bharathonsqlserver.blogspot.com/2016/07/dynamic-security-in-ssas-in-detail.html.
The permissions are driven by roles.
You may need to create multiple roles and assign users to each of the roles.
Then for each role, you define which dimension attributes are accessible to that role.
I want to create two users
App_dbo which is used to deploy scripts
App_batch which is used to run jobs
I googled it and found SQL Script
I did not understand why I need to create a LOGIN.
What is the process to create a user ?
Let me try to explain how the login and users work on a little example.
Imagine you are going to stay in a hotel, you've booked a room. At the reception they check your id and give you the key for your room. The id is your login, it is only checked once at the reception and you get access to whatever you are eligible for. If you paid for more rooms, you will get multiple keys.
In the SQL server, the rooms are the databases and the keys are your users. You can map multiple users to the login as long as the users are in a different databases - you get keys for all rooms you've paid for using just one id.
There is also a case where login doesn't have any users mapped. It can have permissions to create new databases or update infrastructure, but will not have access to the existing databases. This can be a case of a server admin. In the hotel example it is the technical maintenance employee who fixes pipes or electric wires. He has access to the hotel, but doesn't have keys for any rooms.
Therefore, login gives access to the sql server (hotel common areas), however, it doesn't give you access to any database. You need user(s) mapped to your login to get a database(s) access(es).
Afaik, you can't map two users from the same db to one login (you only get one key for each room you've access too).
There are also other cases, like the AD one mentioned in the discussion below the question, where you can map multiple (external) identities to a single login etc, you can have users without login etc. I recommend to study documentation or get some good book explaining all possibilities. Good start might be here.
Hope this helps to understand how it works to a human being, there are plenty of answers how to set it up technically, for example the one you've referenced.
We are creating dashboards for clients using data studio.
Each client should see their data in the dashboard, based on their login credentials. It is simple to create an authorized_view in Big Query to let certain users see certain rows of an underlying shared table. But how would one achieve to then move this into a dashboard which can be shared with each client, yet show only the individuals client in the dashboard instead of the data that was visible to the report creator?
So let's say we have a large table with a bunch of columns and one column email which contains the email of users. Now, we want the dashboard to show metrics for each user based on this email column.
On DataStudio in the datasource schema review step, make sure the flag USING VIEWER’S CREDENTIALS is on. By turning it on, the query when being executed will use the viewer’s credential instead of the owner who created the report.
After you finish create proper visualization on Data Studio, final step is to share the report to eg: store managers using the share option of Data Studio which is similar to share a Google Docs. You can confidently share it with the whole organization or with the email group of eg: store managers, permission already be controlled at data level.
Read more about this topic here.
I am trying to find out how Microsoft has built access check flow in Dynamics CRM. What is the order of checks(security role, team, sharing)? The reason is that I came to a project where they created logic to share all records of one entity with a team, based on some criteria. All users are members of this team. Now we have a lot of records in POA table regarding this entity and one of my queries times out if it is not ran by user with admin permissions.
I wonder if it would be more efficient if this team was owner of a record instead of a record being shared with the team? Will CRM check user's membership in the team before running through POA table?
Thanks in advance.
Based on your description I'm assuming the following:
All records of some entity, call it new_entity, are shared to a specific team, call it TeamA.
All users are a member of TeamA.
They could eliminate the sharing and team membership altogether by giving all users the desired permission to the entity type in question.
It will certainly be more efficient to have everyone be a member of the team than it would be to share with the team, since it will mostly eliminate the POA table. That said, how big is the POA table? POA used to be an issue but at this point, if they are up-to-date on Rollups, most POA issues are a result of bad queries, missing indexes, or poor disk/memory configuration on the SQL server.
Am I doing this right?
I have a client, they currently have a portal for their users, all their users are in an oracle database. They want to move to SharePoint 2010.
The user will log into the site via their username and password, which I will need to migrate from their existing database. The users also have account information, which I'll need to query FROM their existing database in Oracle (over a VPN tunnel from the web front end to their Oracle DB).
For the user authentication;
ASP.NET Membership -
I tried to configure my application to run under FBA. The aspnet_regsql.exe application created Users and Roles tables in my database (and a whole bunch of other ones). I need to add account_id, which is a foreign key to the client's database, and firstname, last name, which we'll store and need to surface on our application.
Where to I create the account_id and other fields that need to be associated to the user?
Is the ASPNET Profile table the same as the SharePoint Profile from the API? How do I populate this database to try?
Through IIS? Do I need to write a custom registration webpart, or can I somehow add custom columns to the profile and reprovision the ASP.NET user registration control in a visual webpart?
Thanks in advance for the help!
The ASPNet profile table is not the same as the SharePoint Profile. The SharePoint Profiles are assigned their own database thus much more robust where as theASPNET profile contains all of the propertynames/values for a single user in a single row, not really the best deal.
Your can use IIS to populate the users/roles, but you need to keep changing the Default Role and Membership providers. One way will let you add users and roles, but not let you log into SharePoint. The other vice versa. You can create the properties for the profile and assign them default values but I don't beleive you can set them on a user by user basis, I won't swear to that though. I found this tool on codeplex for FBA management but have not had time to test it yet.
I am also trying to figure out the FBA/user profile question. SharePoint is smart enough to create profiles for Windows accounts. I am hoping that once the providers for FBA are created it will pull the users name and basic info from the FBA provider and create SharePoint profiles as well so that I can use the UserProfileManager to access/store profile based information from the SharePoint profile database. It looks like you can configure the User Profile Service to sync with other sources, thats what I am going to investigate once I have some more free time.
try the new ASP.Net Identity System.
Introduction to ASP.NET Identity
and
Customizing User's Profile to add new fields in brand new database table here