JUDDI Authorization - apache

I would like to know about authorization in jUDDI. I would like to give Publisher capabilities to few of my clients And also I want few of my clients to inquire or access only those services which are related to them. I want to hide the rest of the services which are not related to them. Can we achieve this using jUDDI? and How?

As of right now, no. There is an open ticket for this to provide role, group, list, etc access control on a per record (business/service) basis but it hasn't been implemented.
This problem is also a complex one, since UDDI has both a search and a getDetails set of methods. Get Details in the easy one, but search is very complex. Filtering out records and keeping the paging option still functional would be a challenge

Related

How to protect a specific record

We are trying to write an authorization program to our company.
We've decided to use claim based authorization .
The normal restrictions are pretty easy (Let particular users use particular services ETC) , but I have some kind of special requirement :
I need to filter records of the result set, based on the claim this user have.
For example , I have a service that return a list of people that invest in our company, with details about them and the amount of money they have. Now, an employee shouldn't be able to see other employee details, unless this employee is a direct manager of the employee presented.
This means -> I need the claim attribute to some how effect the result set, and I couldn't find any information online on how to do this.
What you're looking for is usually called fine-grain security, and HERE is one article on doing it with ASP.Net and claims. Also, a search for "asp.net fine grained permissions" will lead you to lots of resources.
This is a pretty involved topic, but it basically involves elegant and effective ways to add filters (e.g. WHERE clauses on SQL queries) to accomplish your row-level application security.

Social Tables data model

I've just started looking at the documentation as we are going to need to integrate Salesforce with Social Tables shortly, so I am really new to Social Tables.
Specifically, we will need to sync data between the CRM and Social Tables Events and Guests, and maybe other objects, so it would be very helpful to have a data model or similar to check the relationships and fields available in Social Tables architecture.
I haven't found anything in the documentation, is there any way to get this, even if it's at a high level?
Thanks
Danny
To make an integration with SocialTables you'll have to do a few manual steps, there is no way to do this completely programmatic from my experience. You'll also have to be prepared to contact SocialTables to get get correct guestlist ids. Also keep in mind that the API documentation isn't always correct, the API logic is also quite difficult to understand from time to time.
The first thing you need to do is figure out which version of the Venue Mapper you use. You'd want to use the 4.0 api and as far as I know this version of the api is only supported by Venue Mapper 3.0. I believe the Venue Mapper 3.0 is the frontend tool SocialTables provides to do the venue planning.
In social tables an event has two ids, one numerical one and one alpha-numerical one, when you use the 4.0/events endpoint you only get the alpha-numerical event id, and your going to need the numerical one. The only way I've been able to get the numerical id is to pull it out from the url when using the Venue Mapper, example of the url follows below:
https://plan.socialtables.com/team/{team_id}/event/{event_id}/space/{space_id}
Now you need to get the guestlist id, you can get that by using the following url, using the numerical event id:
GET https://api.socialtables.com/4.0/diagrams?event={numerical_event_id}
This endpoint return a json structure where one of the parameters is "guestlist_id".
Please be aware that the guestlist id you get from this endpoint might not be the correct one. I struggled quite a bit with this part and ended up with SocialTables sending me the guestlist id by email.
To get the guests in your guestlist use the following api endpoint:
GET https://api.socialtables.com/4.0/guestlists/{guestlist_id}
The {guestlist_id} is an alpha-numerical string similar to: cfdac1c0-yb1d-12e6-84a5-a39e92131645
And by that you should hopefully get access to your guests.
Hey thanks for using our API.
To answer your question, the best way to see the data model at the moment is to access our developer portal and use the API console to see what is returned. For events you will need to know the team id of the team you are working with use the team events endpoint to get access to the event ids.
https://developer.socialtables.com/api-console#!/Events/get_4_0_legacyvm3_teams_team_events
This will return some basic information about each event for that team. You can then request additional details for specific events by using this endpoint:
https://developer.socialtables.com/api-console#!/Events/get_4_0_legacyvm3_events_event

What's the optimal way to filter a set of entities in a lookup?

I've got a lookup field on Account entity called something. Each such Something has a reference to an account. When my users click the magnifying glass, I want them to see a list of available Something records but filtered to view only such instances that link to the currently treated entity.
Also, I'll need to design such a filtration for Contact instances to only show the Something records that are related to the account that the currently regarded contact is a member of.
I can't decide between a plugin on Retrieve and some JS in OnLoad registering a fetchXML. All such operations will be done client-side. The solution needs only to work in CRM13 (and if possible apply some cool functionality in that version).
Suggestions?
JavaScript & FetchXml are your best option here as with a Retrieve plugin you're taking the performance hit of executing on every retrieve regardless of whether the entity is being retrieved for the lookup. A filtered lookup in JS only applies for those scenarios that require a change to the field on Account.
Another other good reason for using a filtered lookup in Js is they are now a supported feature in CRM 2013 as opposed to the "hack" that was required in 2011.
Some more info on addPreSearch and addCustomFilter can be found on MSDN and there's a decent blog post providing examples here.

designing a restful api: naming URIs, custom headers?

EDIT: I've solved my issues (for now at least).
I've recently been working with the Zendesk REST Api and their use of the custom "X-On-Behalf-Of" header for looking up tickets opened by a particular user got me thinking about Restful Api design choices (in no specific language, more of a how to name URIs question). I've also read this related question on Custom HTTP headers, but it left me with more questions than answers.
Say I have an example restful web service dealing with rental apartment applications where clients use Basic Auth (keep it simple) to authenticate. Define the basic data as such:
Users (can be of type landlord or renter)
Forms (which consist of one or more Document resources and some form meta data like form name and version info)
And then some type of resource corresponding to Rental Applications, which ties together Forms, Applicants (one or more renters), Landlord, and some metadata like status and dates.
I'm struggling to properly model the URIs for the Applications resource in general, and more specifically with respect to a clients role. (assume api root is https://api.example.com/)
How do I allow a Landlord to fetch a list of applications sent to them? My intuition says make a request to "GET /applications" and Basic Auth lets the server know which user to build the list for; likewise "GET /applications" requested by a Renter would return a list of applications they've sent...but I'm not confident this is a solid design in general to mix and match sender vs. recipient lists at the same URI. Should I be thinking about the "/applications" resource differently, and perhaps allowing a hierarchy like "/applications/[USER_IDENTIFIER]" for each user instead?
Also, regardless of my applications URI design, assume a Landlord is able to create an application on behalf of a renter. Is this better accomplished by sending a custom header like "X-Create-On-Behalf-Of: somerenter#example.com" with the PUT/POST creation request? Or should my schema define a field which allows for this alternative scenario.
I'm very much an amateur at this, so I'm open to any criticism of my assumptions/design, as well as any pointers for learning more about designing RESTful api's. Thanks for reading.
I think I've found a solution.
Landlords and Renters are really just subclasses of the same object, which I'll call Party (as in party to a transaction, not birthday party). So then each one has their own resource, named like /party/PARTY_ID.
It's easy to extend this to see that /party/SOME_LANDLORD/applications and /party/SOME_RENTER/applications solve my issues. It also removes my need to consider custom headers.

CakePHP: model-based permissions?

Struggling with a decision on how best to handle Client-level authentication with the following model hierarchy:
Client -> Store -> Product (Staff, EquipmentItem, etc.)
...where Client hasMany Stores, Store hasMany Products(hasMany Staff, hasMany EquipmentItem, etc.)
I've set up a HABTM relationship between User and Client, which is straightforward and accessible through the Auth session or a static method on the User model if necessary (see afterFind description below).
Right now, I'm waffling between evaluating the results in each model's afterFind callback, checking for relationship to Client based on the model I'm querying against the Clients that the current User is a member of. i.e. if the current model is Client, check the id; if the current model is a Store, check Store.clientid, and finally if Product, get parent Store from Item.storeid and check Store.clientid accordingly.
However, to keep in line with proper MVC, I return true or false from the afterFind, and then have to check the return from the calling action -- this is ok, but I have no way I can think of to determine if the Model->find (or Model->read, etc.) is returning false because of invalid id in the find or because of Client permissions in the afterFind; it also means I'd have to modify every action as well.
The other method I've been playing with is to evaluate the request in app_controller.beforeFilter and by breaking down the request into controller/action/id, I can then query the appropriate model(s) and eval the fields against the Auth.User.clients array to determine whether User has access to the requested Client. This seems ok, but doesn't leave me any way (afaik) to handle /controller/index -- it seems logical that the index results would reflect Client membership.
Flaws in both include a lengthy list of conditional "rules" I need to break down to determine where the current model/action/id is in the context of the client. All in all, both feel a little brittle and convoluted to me.
Is there a 3rd option I'm not looking at?
This sounds like a job for Cake ACL. It is a bit of a learning curve, but once you figure it out, this method is very powerful and flexible.
Cake's ACLs (Access Control Lists) allow you to match users to controllers down to the CRUD (Create Read Update Delete) level. Why use it?
1) The code is already there for you to use. The AuthComponent already has it built in.
2) It is powerful and integrated to allow you to control permissions every action in your site.
3) You will be able to find help from other cake developers who have already used it.
4) Once you get it setup the first time, it will be much easier and faster to implement full site permissions on any other application.
Here are a few links:
http://bakery.cakephp.org/articles/view/how-to-use-acl-in-1-2-x
http://book.cakephp.org/view/171/Access-Control-Lists
http://blog.jails.fr/cakephp/index.php?post/2007/08/15/AuthComponent-and-ACL
Or you could just google for CakePHP ACL