In my custom module the security kind of directory and its related groups is working fine.
Then after I was created a many users for that groups.
I want from the Following things:
As a Admin, I need to give separate access rights.
As a Users, I need to give separate access rights.
In some Module
I have achieved from the front-end using groups in OpenERP 7
Is there any method to do from back-end ?
Related
I am looking for a solution on how to add a specific LDAP user to access grafana. The current configuration I have in "ldap.toml" works for a group or multiple groups but not sure how to add individual ldap users. We want to only add specific group and individual members to the grafana.
Note: I do not want to add used through UI. Just wanted to make sure whether that is feasible or not.
If you allow organization wide access to your application, how do you default users to a specific role in your app?
i'm following an example from a tutorial, and it works great if I specify individual users to have specific roles, but I need to be able to leave this open to the broader org but I only want them using the "user" level.
I would suggest using Google Groups for roles that may involve many individuals where it would become cumbersome to update members in the App Maker deployment settings. There is some information here https://developers.google.com/appmaker/security/secure-your-app#add_members_to_roles.
If this is strictly an access restriction to the application itself to a subset of individuals within a domain then groups can still be used to restrict access to the application within the application settings.
I have a question regarding Cumulocity. I want to create a site hierarchy in Cumulocity, we can go up to sub-tenant level only but I want to create a hierarchy up to 2 level.
Let's take an example of schools, its locations, and different branches. Here I want to attach an owner with each branch and that owner should be able to register only their own users and devices. I was trying to achieve it using groups, roles etc but was not able to do it. If anyone can suggest how to proceed for this use case.
I can see two possible options using which this can be tried:
Groups
Custom Apps (Angular apps)
But I am not sure how to proceed as there is no direct UI for the user to group assignment and REST API for this assignment is giving me errors.
You can use the inventory permissions for configuring access rights that are limited to a certain group see documentation
The managing of only your own users can be achieved by giving a user the global permission for USER_MANAGEMENT_CREATE. Make sure to revoke the ADMIN and READ role as well.
I would not recommend to solve this with apps on the UI side. That way you can of course hide information from the user but he may still be access it via API. Only with the RBAC you can really ensure on API level that the access is managed correctly.
I am using Piranha CMS , and i want to create multiple users in different group, i tried to do so but its not allowing me to login those users,even i have to implement that logged in user should only edit few pages which is permitted to that user. How can i restrict user to do so
The group permission system in Piranha CMS is hierarchical, this means that all users that should be able to log in to the manager should derive from the group admin.
When you have that set up you can take a look at the different permissions in the manager interface and assign these to different groups.
There are however no support to allow users to only edit certain pages, if you want that kind of behavior you'll have to implement it yourself in the available manager hooks.
Regards
In alfresco execution of webscript, we can define whether the webscript authentication. Advanced Description Options
But I want to know "Is it a single webscript can be executed as admin or member of some group only modifying authentication property?"
I want to write new programs for member of some group, not member of admin group, can create new users, upload users and delete existing users. All webscripts[user-csv-upload.post, person.delete, people.post] to do these tasks require admin authentication. If I changed to authentication of these webscripts to user and run these webscript as admin like <authentication runas="admin">user</authentication>. All normal users can create new users. So I want to check that these webscript can only invoked one condition is met.
If I cannot check, I have to do two ways.
I have to write the same logic to two different webscripts, one for admin and one for member of some group
write authentication checking inside controller file with sudo like tool for current user is admin or member of some group.
I want to get any of your suggestion. Any help is greatly appreciated.
Solution:
I found exact code for my needs in sudo-like-tool-for-alfresco-security-aspects
Like Will Abson said in another question post, the most elegant solution is using this: Sudo Tool for Alfresco WebScripts. With this tool you can grant your user (if this users is part of a certain custom group) temporarily admin privileges. If not, it acts as a normal user with his own privileges. It requires some Java coding, though.
Otherwise, the solution number 1 is what we achieved for an our client. We developed a custom webscript with a custom url known only to their manager users, that can run script with "runas=admin" option, and make what they want. In this case, what you can do is: expose a link to the "user management webscript", only if the manager user is logged in, otherwise the link doesn't appear, and you respect some sort of "security". It's not very elegant but does the trick.