Authorization after LDAP-alfresco synchronization - ldap

After authentication and synchronization on Alfresco with LDAP, what role do they have on Alfresco?
i.e. There is a group in LDAP for Human Resources. I want to give those users the Consumer role in Alfresco. Is there a way to do it during the authentication or synchronization process? Do I have to do it manually through the web browser?

To be more precise, Alfresco roles work on a per-folder basis.
If you want to make them Consumers of some site you can follow this tutorial to make a webscript which will apply permissions.
Since an Alfresco site is just a folder, in the parameters to the webscript suggested in the tutorial you'll need to provide the site name and the group name. By default permissions are inherited from parent to child, so they will be applied to the whole document library of the site.
Another approach would be to just create a Public site, so that non-members of the site would by default be Consumers of that site, since they will be inside the EVERYONE group.
Could you please clarify if you want them to be members of some site or some space?

How to restrict access to anypoint platform public url

Since the Anypoint Platform URL anypoint.mulesoft.com is publicly accessible, anyone can access the resources. Is there any way I can restrict access to my org users apart from creating access roles?
Can I create an org-specific URL with org-specific access so that others can't access it?
Can I put some network-related restrictions in place?
I think you are confusing two different things:
Accessing a public URL (ie https://anypoint.mulesoft.com)
Authorization inside your organization's account
You cannot restrict access to a site that you don't own; it is publicly accessible and needs to be accessed by other users. It doesn't even make sense, really. Would you attempt to restrict access by others to google.com or twitter.com (or their API URLs)? It is not the right approach and it is just not possible.
What makes sense, however, is to manage permissions inside your organization in Anypoint Platform. It means that when a user belonging to your organization logs in, you can manage which of the available roles and permissions that user will have. You can do that in the Access Management page. You can also create custom roles with specific permissions and teams to better organize your users.
As mentioned, you are not able to change MuleSoft's main URL (i.e. https://anypoint.mulesoft.com); one option is to control access from the Access Management page, both mentioned by #aled.
There are two main ways you can get what you need:
If your organization already has some MFA tool that requires you to be on your corporate VPN, you could use that MFA as the MFA for the Anypoint Platform, e.g. users will need username/password, connect to the VPN to be able to get access to the MFA generator/auth, and then use that code to finish logging into the platform. As Admin in Anypoint Platform you can enforce EVERYONE to have MFA set up (keep in mind ClientApps authorization for your automation users).
If your company already has an Identity Provider, you can configure identity management in Anypoint Platform to set up users for single sign-on (SSO). The fragments below are extracted from the official docs on external-identity:
After configuring identity management, you must add new SSO users using your external identity management solution and internal provisioning process. If you use the Invite User feature to add users to your organization after you have configured an identity provider, the credentials for these users are stored locally in your organization rather than with the identity provider.
Users that log in with SSO are new users to the system. If the new user has the same username as a user that already exists in your Anypoint Platform organization, the new user co-exists with the original user with the same username. Users with the same username are managed independently from one another.

How to set read/write permissions on ActiveMQ?

I'm new to ActiveMQ, so please bear with me if my question seems dumb :D
I have installed ActiveMQ on a CentOS machine and I'm connecting to it for writing to the queue and consuming from the queue through the admin user (which I don't think is the ideal way). I'm wondering if I can create a user for read only to read (consume) from the queue and another user for write only, or just a single user who has read/write privileges only, so this user won't be able to delete the queue or do anything that it's not supposed to do.
I tried YouTube and checked out the ActiveMQ security documentation, which talks about the simple plugin, and tried it, but I'm not sure if I'm doing the right thing or reading the right resource.
Thanks in advance!
ActiveMQ works with different login and authorization modules; by default it picks up the PropertyLoginModule in the karaf realm. This is the admin user you are talking about. The /etc/users.properties file contains these users and groups.
For authorization you have plugins in activemq.xml which can provide fine-grained control over queues, topics, advisories and temporary queues.
The idea is to group users and provide them with read/write/admin access to queues; you can specify all the queues your application has one by one, or group them with wildcards (as per the AMQ doc).
You can edit the users.properties file, add a few more users and tie these users up in the authentication and authorization sections.
There are also LDAP and SSL modules available for authorization and authentication.
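As an added example (not from the answer above, nor from the ActiveMQ distribution), an activemq.xml fragment for a standalone ActiveMQ 5.x broker using the simple authentication plugin the question mentions, which gives consumers read-only and producers write-only access while reserving queue creation and deletion (the admin permission) for the admins group; the usernames, group names, passwords and the APP. queue prefix are placeholders chosen here:

```xml
<broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
  <plugins>
    <!-- Authentication: anonymous connections refused; passwords are placeholders -->
    <simpleAuthenticationPlugin anonymousAccessAllowed="false">
      <users>
        <authenticationUser username="admin"    password="CHANGE-ME-admin"    groups="admins"/>
        <authenticationUser username="producer" password="CHANGE-ME-producer" groups="producers"/>
        <authenticationUser username="consumer" password="CHANGE-ME-consumer" groups="consumers"/>
      </users>
    </simpleAuthenticationPlugin>

    <!-- Authorization: read = consume, write = send, admin = create/delete the destination -->
    <authorizationPlugin>
      <map>
        <authorizationMap>
          <authorizationEntries>
            <!-- Application queues: ">" matches every name under the APP. prefix.
                 Create these queues up front (admin does it), because a producer
                 sending to a queue that does not exist yet would need admin to create it. -->
            <authorizationEntry queue="APP.>" read="consumers,admins" write="producers,admins" admin="admins"/>
            <!-- Everything else is admins only -->
            <authorizationEntry queue=">" read="admins" write="admins" admin="admins"/>
            <authorizationEntry topic=">" read="admins" write="admins" admin="admins"/>
            <!-- Every connected client creates advisory topics, so all groups need these -->
            <authorizationEntry topic="ActiveMQ.Advisory.>"
                                read="consumers,producers,admins"
                                write="consumers,producers,admins"
                                admin="consumers,producers,admins"/>
          </authorizationEntries>
        </authorizationMap>
      </map>
    </authorizationPlugin>
  </plugins>
</broker>
```

With this map a connection as `consumer` can receive from APP.orders but cannot send to it, and neither `consumer` nor `producer` can remove the queue.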

Can a single Kentico site use external authentication for one section, internal for another portion, and then no authentication for yet another?

This is all with v8.2, with a plan to migrate to 9 at a later date.
Here's what we're looking into. To access one folder, users would need to have AD authentication; for two other folders, users would need to authenticate via Kentico's user management. The rest of the site would be wide open.
We also need to ensure any bookmarked URLs send the user to the correct authentication method, if applicable.
I'm digging further into the documentation for this too.
Yes, this can happen. You'd need to enable/set up Mixed Mode Authentication within Kentico.
Secondly, for ensuring proper access to specific nodes in your site, I'd default to whatever more pages need: either require authentication or not. So if the majority of your pages require authentication, then at the master page level in Properties > Security, set Access to require authentication. This will then propagate through the rest of the site.
For each of the nodes which are "public", simply go to the parent node's Properties > Security and set Access to not require authentication.

Ideas on how to use ASP.NET MVC4 with ADFS and user roles and information

I'm building a Web Application using ASP.NET and MVC4. This web application is going to be used by another company, but we are hosting it. We were told that we had to use ADFS. We don't know what kind of information is going to come over to us in the authentication, but we need to allow users to have roles. I assume that when authenticated a username should be returned. So I'm thinking I would build a user table in the database for admins and super admins. When a user comes over, we will check if their username exists in the database and if so we would read their role from the database. If they do not exist in the database they are public.
All that being said, here is my dilemma that I need to solve. How do I do this without writing custom code everywhere in the application to check for authorization and check for the role? I would like to use the [AuthorizeAttribute(roles)]. Should I create a custom role provider? All ideas are welcome. BTW, we cannot have the client manage the roles and pass them over because this company is a Fortune 100 company and they do not have time to handle these requests.
I would recommend looking at some of Dominick Baier's work on securing MVC with claims. He's worked with some other developers as well to build Thinktecture, which has both an Identity Server component and libraries for assisting in the processing of claims while abstracting some of the nitty-gritty details.
As for the roles portion of what you need to do, you can build a custom ClaimsAuthenticationManager and have that perform whatever transformations or additions to the user's claim set at initial login. Dominick has a couple of excellent Pluralsight courses that go into much more detail on this process. He also has this free video out there, which details the authorization portion around minute ~44.
I recently went through the effort of getting ADFS set up and authenticating some of the MVC apps at our company. The resources I have referenced were invaluable in helping me in that process.
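As an added example (not from the answer or from Thinktecture), the ClaimsAuthenticationManager approach described above on WIF in .NET 4.5: ADFS still authenticates the user, but role claims are issued from the application's own user table, so the standard [Authorize(Roles = "...")] attribute works unchanged; the MyApp namespace, the IRoleStore interface and the sample users are assumptions made here.

```csharp
// Register in web.config under <system.identityModel><identityConfiguration>:
//   <claimsAuthenticationManager type="MyApp.Security.DbRoleClaimsAuthenticationManager, MyApp"/>
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

namespace MyApp.Security
{
    // Hypothetical lookup over the admins / super-admins table the question describes.
    public interface IRoleStore
    {
        string[] GetRoles(string username);   // empty array for unknown (public) users
    }

    public class InMemoryRoleStore : IRoleStore
    {
        // Constructed sample data; a real store would query the users table.
        private static readonly Dictionary<string, string[]> Roles =
            new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
            {
                { "CONTOSO\\alice", new[] { "Admin" } },
                { "CONTOSO\\bob",   new[] { "Admin", "SuperAdmin" } },
            };

        public string[] GetRoles(string username)
        {
            string[] roles;
            return Roles.TryGetValue(username, out roles) ? roles : new string[0];
        }
    }

    public class DbRoleClaimsAuthenticationManager : ClaimsAuthenticationManager
    {
        private readonly IRoleStore store;

        public DbRoleClaimsAuthenticationManager() : this(new InMemoryRoleStore()) { }
        public DbRoleClaimsAuthenticationManager(IRoleStore store) { this.store = store; }

        // Runs once per sign-in, after WIF has validated the ADFS token.
        public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
        {
            if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
                return incomingPrincipal;                       // unauthenticated callers stay "public"

            var identity = (ClaimsIdentity)incomingPrincipal.Identity;

            // Drop any role claims ADFS sent: this application alone decides roles.
            foreach (var stale in identity.FindAll(ClaimTypes.Role).ToList())
                identity.RemoveClaim(stale);

            // ADFS usually issues the account as Name and/or UPN; use whichever is present.
            var name = identity.FindFirst(ClaimTypes.Name) ?? identity.FindFirst(ClaimTypes.Upn);
            if (name != null)
                foreach (var role in store.GetRoles(name.Value))
                    identity.AddClaim(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, "MyApp"));

            return incomingPrincipal;   // ClaimsPrincipal.IsInRole now answers from these claims
        }
    }
}
```

Because ClaimsPrincipal.IsInRole reads the ClaimTypes.Role claims, a controller action marked [Authorize(Roles = "SuperAdmin")] admits bob and rejects alice without any further custom code.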

RavenDB IIS authentication/authorization

I have a scenario that should be possible with RavenDB imho, but I can't find any piece of information that could help me to implement this.
I've deployed RavenDB as an IIS application to my regular hosting. I have no dedicated server, so this is almost all the options I have. Another option is to create a web application with embedded RavenDB, which I think is more complicated, and I want to keep things simple now. Having RavenDB as an IIS application seems to be very handy.
I want some users to be able to log in to the RavenDB application and edit documents. Other users (anonymous) can only read the data.
I found that there are 2 optional bundles in the app:
Raven.Bundles.Authentication.dll
Raven.Bundles.Authorization.dll
Unfortunately the documentation on these bundles is not complete enough :(
Here is a description of what I'm aiming for: http://www.youtube.com/watch?v=bS4UMp12PZM&feature=player_detailpage#t=899s
So the questions are:
How can I store user information in RavenDB and authenticate against this information?
How can I grant edit rights on document collections for specific users?
How can I grant all (admin) rights to some specific user?
Here are a few resources that you can follow:
Authentication options with RavenDB
http://www.youtube.com/watch?v=bS4UMp12PZM
Authorization Bundle
http://ravendb.net/docs/server/bundles/authorization
http://ravendb.net/docs/server/bundles/authorization-bundle-design
Edit
For simple cases, use application users instead of database users.
Store User entities and authenticate the users against them. Each user should have a user type property which says what permissions they have. Then control what actions a user can do at the application level, not at the database level.
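As an added example (not from the answer or from RavenDB's own code), the application-level scheme from the edit above written against the RavenDB .NET client's IDocumentSession: anonymous callers (no User) may read, and only Editor or Admin users may write; the User document shape, the user type names and the users/<name> document id convention are assumptions made here.

```csharp
using System;
using System.Security.Cryptography;
using Raven.Client;

// One document per user with id "users/<username>", so it can be loaded by id
// (consistent) instead of queried through a possibly stale index.
public class User
{
    public string Id { get; set; }
    public string Username { get; set; }
    public string UserType { get; set; }      // "Reader", "Editor" or "Admin" (assumed names)
    public byte[] Salt { get; set; }
    public byte[] PasswordHash { get; set; }  // PBKDF2 output, never the plain password
}

public static class AppAuth
{
    private const int Iterations = 10000, HashBytes = 32;

    public static void CreateUser(IDocumentSession session, string username, string password, string userType)
    {
        var salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        byte[] hash;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations)) hash = kdf.GetBytes(HashBytes);
        session.Store(new User { Id = "users/" + username, Username = username,
                                 UserType = userType, Salt = salt, PasswordHash = hash });
        session.SaveChanges();
    }

    // Returns the user on success, null for an unknown user or a wrong password.
    public static User Authenticate(IDocumentSession session, string username, string password)
    {
        var user = session.Load<User>("users/" + username);
        if (user == null) return null;
        byte[] candidate;
        using (var kdf = new Rfc2898DeriveBytes(password, user.Salt, Iterations))
            candidate = kdf.GetBytes(HashBytes);
        // Constant-time comparison so timing does not leak how many bytes matched.
        int diff = candidate.Length ^ user.PasswordHash.Length;
        for (int i = 0; i < candidate.Length && i < user.PasswordHash.Length; i++)
            diff |= candidate[i] ^ user.PasswordHash[i];
        return diff == 0 ? user : null;
    }

    // Application-level checks: call these in the controller before session.Store/Delete.
    public static bool CanRead(User user) { return true; }   // anonymous readers allowed
    public static bool CanEdit(User user) { return user != null && (user.UserType == "Editor" || user.UserType == "Admin"); }
    public static bool IsAdmin(User user) { return user != null && user.UserType == "Admin"; }
}
```

The RavenDB endpoint itself should stay reachable only by the web application, since these checks live in the application and not in the database.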