I am writing a document workflow application (DWA) which uses Documentum (v6.6) as its document storage mechanism.
What I'd like to do is for the application to access Documentum as a privileged user, via the Java API, and perform actions on stored documents, and have those actions appear as though the masqueraded user performed them (if they looked directly at Documentum).
How would I perform this?
For example:
User (Jane) uploads a new document via the DWA. This gets pushed into Documentum.
If Jane then accesses Documentum directly, she can see document has been uploaded and the owner is marked as Jane.
Assuming by "Java API" you mean the DFC. I think you can also do something similar in DFS (web services).
You can use IDfSession.getLoginTicketForUser(string username) after authenticating with an admin session. You can use this login ticket to impersonate a user by name, and perform operations on their behalf.
http://www.nathanobert.com/dfc7/com/documentum/fc/client/IDfSession.html#getLoginTicketForUser(java.lang.String)
Create a Superuser session and call getLoginTicketForUser(String userName) to get the Login Ticket and use this ticket as password to create the session of the user passed in the getLoginTicketForUser(String userName) method.
Related
Good day!
I just want to ask about microsoft graph Api permission, there's too many options here but my goal is to have the full access ONLY to specific account and read the mail box such as Subject, Email Body, attachment and Sender Email, the system will read the mails from the back end from the specific account only. (like a basic auth)
I'm trying to make system to my org. I don't have the full control in azure portal, so I create API Permission request.
What option need to include in my api permission request?
enter image description here
I saw the "Mail.Read" Option
but I think the scope of this option is to access ALL other mail account without signing in. correct me if I'm wrong, but then what I really need is for single account only.
Thank you in advance
Access to Graph API is normally done one of two ways:
On behalf of user
As a application (no user)
The permissions required for the access type are different and are documented for each API endpiont under the Permissions sections. The on behalf of user access requires "delegated" type permissions and application access require application permissions.
If you use "on behalf of user access" (i.e. you have a user fronting the authentication or you know the username/password) and the correct permissions for the api endponts you are using then you only have access to the data that that user has access too (even if you have permissions like ".all").
If you use "application access" then normally you need higher permissions and you can normally read all user/org data. In some specific cases you can constrain application access. Email account access happens to be one. Follow the Limit Mailbox access instructions to limit a specific application id to a specific set of mailboxes.
There is a separate Mail.Read permission for both Application and Delegated permissions. Application permissions allows the app to read mail in all mailboxes without a signed-in user where as Delegated permissions allows the app to read email in user mailboxes , check the doc for more info - https://learn.microsoft.com/en-us/graph/permissions-reference
In your case you want to check your mail only , then you need to use Delegated permissions , which doesn't required admin conesent
Hope this helps
Thanks
-- goal is to have the full access ONLY to specific account and read the mail box
Can I understand your requirement as, you may want to have a user who is admin role and only this user can query mail information for all other users?
If so, you must have a sign in popup window to let users sign in, then your application can validate the user to check if the signed in user is in admin role to determine whether allowing this user to query mails.
But you also mentioned "to run in background the signing in process, no pop up window", so I'm afraid that you want to allow anyone using your application to query mail on behalf on this specific user. In this scenario, I'm afraid you can using client credential flow directly with the application permission.
Newbie to Parse Server here.
I have an app which reads data from Parse Server and displays it to users without logging them in.
I want to create another 'Admin' app which will allow ONLY ONE pre-populated admin user to login and change the data. Is this possible via Facebook login? I would prefer Facebook login because with normal (user, password) login I can't implement 2FA easily on Parse Server. Facebook login would take care of the issue since the user is already logged into Facebook using 2FA.
Is this possible? Any suggestions / pointers would be appreciated. I am coding both apps in React Native. The first app is complete.
The type of login has nothing to do with the abilities a user has. The simplest solution for your desired setup is using class-level permissions:
create a new Role object and name it accordingly, e.g. admin
add your admin user to that role
set class-level permissions for your data classes: grant public read access, limit write access to the admin role
Now every user can see all the data, but only members of the admin role are able to manipulate them. If you want you can add more users to the role to also give them write access.
BTW: all these steps can be performed in Parse Dashboard, no coding required.
EDIT
Actually you can have it even simpler, the class-level permissions can also be granted to a single user -- so no need for a role, if you really only need one admin.
I am working with PowerBI Embedded but I am quite new.
The following is my customer request. They want to have the dashboard embedded in their webpage but before opening they want to have password. They will just get the URL and add as iFrame in their webpage.
I plan to use the Embedded API to make the webpage using the token provided.
However this will not prompt the user to login. Is there any way I could do that? Maybe I will have to write the app in as whole to monitor the user authentication.
If you're using 'User owns data' scenario of Power BI Embedded, then each user HAS to be authenticated on his own, and is limited to access only resources in his possession (or that were shared with him).
If you're using 'App owns data', you can control whichever auth process you'd like, and grant access to the embedded entity as you please.
Read about the different approaches:
https://guyinacube.com/2016/07/3-ways-to-embed-power-bi/
I'd like to ask a question to confirm my understanding of how to use Scopes and Claims (roles). Let's say I have a User (User A with read only rights i.e. suitable read only role), a Windows Service (Client A with read only access), an MVC site (Client B with full access), and a Web API. I want the Web API to be accessed by Users and Clients with full access and read only access.
I create two Scopes "sampleApi.full and "sampleApi.read_only"
I create two Roles "full_access" and "read_only"
I configure the Web API with RequiredScopes = new[]{"sampleApi.full", "sampleApi.read_only"}
When Client A connects to the Web API, it passes an Access Token containing Scope "sampleApi.read_only" and I can use [ScopeAuthorize("sampleApi.full)] or ScopeAuthorize("sampleApi.full, sampleApi.read_only")] on my Classes and Methods to fine tune accessibility. No problem.
However, when User A logs in, then he/she "inherits" the Scopes of Client B. So the Access Token contains "sampleApi.full", "sampleApi.read_only", and Role "read_only".
Now I have a problem at the WebApi in that I need to act differently when being called by a User. In that case I ignore the Scopes and use his/her Roles and the User gets "read_only" access which is what I want.
That being correct, it no longer makes sense to use the ScopeAuthorize attribute, and I need a custom hybrid attribute that does something along the lines:
If Caller is a User
- then use Roles to determine accessibility
Else
- use Scopes to determine accessibility
or have I completely misunderstood?
Scopes model what a client (not user) is allowed to access. They are manifest as claims in the token. The user's claims are also in the token. Authorization in the resource will be based on a combination of what the client is allowed to do and what the user is allowed to do. That's it.
When passing Api request to this URL
https://www.google.com/m8/feeds/contacts/default/full
A screen comes requesting this permissions. Is there any URL that just only asks user to "retrieve you contacts" instead of managing it.
SHOPBOX.IO is requesting permission to:
Manage your contacts
Perform these operations when I'm not using the application
The permissions the user is asked for at the authorization screen is dependent on the scope that you specify. Of course for accessing different endpoints you have to request certain scopes.
For accessing the Google's Contacts API this scope is required:
https://www.google.com/m8/feeds - read/write access to Contacts and Contact Groups
As this is your only option and there is no read-only scope available, the user gets warned that you could edit his contacts, even if you won't do that.