Can usergrid support User's in (Group or Role) have access to ALL user's in same (Group or Role)? The way i understand it is because users are in /users/user1, you would have to iterate over all the users in the group and give explicit permissions to a (group/role/user). Can you prefix user's /users/group_user1?
Could use the organization / application but /users and permissions are specific to a single application.
Basically I want to model organization and groups within a single usergrid application, things such as inheriting permissions, etc.
Any ideas? I am going about this in the wrong way? Other frameworks/apis?
Users are linked within a role, so depending on how you configure your roles you can do set a resource within a role like this:
/roles/{role uuid}/users/*
Which would look more like this in a real example:
/roles/7a7fbe9ec74-70f39f37-1825-379f-8385/users/*
You can then set your verbs (GET, POST, DELETE) as you see fit within that role to allow all members of that role to see or change users within that role. I assume you're looking for them to be able to do a GET but if you have additional linked resources below that user, you can add them explicitly as well like this:
/roles/7a7fbe9ec74-70f39f37-1825-379f-8385/users/*/mylinkedrsource/**
Then you can set the verb to GET for roles/{id}/users/* and add POST or PUT for the resources linked below /users/*/{linked resource}
Cross posting from the usergrid google group:
I think you can do what you need with groups.
The idea with groups is that all users in that group get the group's permissions.
So if you do this:
create a group.
give that group permissions for various resources
add users to that group
all users in the group will have the permissions of the group
or
create a group
create various roles, each with various permissions
add the various roles to the group
add users to the group
all users in the group will have the roles (and thus the permissions) of the group
So in this way, you could create various roles for your users. And add users to roles as needed to satisfy the needs of the users. Then, you can create one group for admins. Add all the roles to that admin group, then add your admin users to that admin group. They will have the collective permissions of all the roles.
Related
I'm using Keycloak 19 and I'd like to give my users the authorization to create other user within their own group.
I was able to give access to users to see only the users from their own group by combining the realm_management:query-users role and the activation of fine grained permissions on the concerned group and setting a Group policy on the view-members permission.
I wanted to do the same for groups but it seems that the realm_management:query-groups allows one to see all groups. I was expecting it to work like its users counterpart but it seems like it works more like the realm_management:view-users role.
Moreover when I want to create a new user, it tells my I actually need the query-groups role in addition to the query-users role. So I feel like I'm reaching some kind of dead end here.
How could I configure the roles and permissions to allow users of a specific group to be able manage users within their own group or sub groups ?
The only solution I can think of is to move this in an external app that will handle the additional security of not letting a user see the groups. The app would be the one in charge of doing the change once it verified the user has the rights.
net core application. I am trying to implement authentication and authorization. I have users they are split into multiple regions. For example I have below regions.
GE GSAS
- user1
- user2
APAC
-user3
-user4
SE&A
-user5
-user6
These users have different permissions or roles. For example, RegionalAdmin,GlobalAdmin,Users etc
These users will be creating some orders in the portal. For example, Regional head can reassign orders within that region only to other users. For global head he/she can reassign orders to anyone. Users can create orders and view delete and users cannot reassign orders. All these users are part of Azure AD tenant. Now I am trying to implement authentication and authorization. I started thinking the design strategy like this, I can create groups as per regions and add users to groups. Based on the groups I can have authentication or authorization. But these users have different permissions like RegionalAdmin,GlobalAdmin etc and these users have some extra functionalities aloowed in web/api permission. Can someone help me regarding this and how to organize groups or roles with respect to above scenario. Any help owuld be greatly appreciated. Thank you
Assuming regional admin you mentioned as a custom role in your application(as there is no such role in AAD), it is always better to use the administrative-units and a suggestable approach would be to create groups separately for regional admin, global admin users and assign roles to these groups accordingly.
A user can be assigned to multiple groups and roles can be assigned to individual users/groups.
Authorize applications based on the role permissions granted by the administrator to groups. Please refer this link for the detailed documentation on how to create/manage roles for an application in Azure AD.
net core application and trying to implement authentication and authorization. I have set of users and these users belong to different regions. For example I have region APAC and I have some users in it. Then I have roles like global admin or regional admin. Now these users are type of regional admin global admin etc. Now I want to return role claim in my token. To return role claim in my JWT token I should add app roles in manifest. So how should I return app roles now. If I select as group then all users belong to that group emits this role details. I am little bit confused here. I have grouped users according to regions. Inside each region users are of type regional admin, global admin etc and they have different permissions inside app. Segregation of these groups vs roles I am finding lot of challenge and no use full document also I found. Can some one help me to segregate these groups vs roles.
As I understand you have users with different roles under the groups segregated by the regions. When you are trying to authorize by group all the users with different roles of the group emit the group role details.
Assuming regional admin you mentioned as a custom role for your application(as there is no such role in AAD) following is a suggestable approach.
A user can be assigned to multiple groups and Roles can be assigned to individual users/groups.
Create groups separately for regional admin, global admin users and assign roles to these groups accordingly.
If you are using the role claim in the token for role-based access control, authorize applications based on the role permissions granted by the administrator to groups. Please refer this link for the detailed documentation on how to create/manage roles for an application in Azure AD.
A user has a company_id and a many to many relationship with tasks.
Each user has a role.
Each role has permissions.
An admin should be able to see all tasks within the company.
A user should only be able to see his own tasks within the company.
What are the pitfalls of each approach?
Assign all admins to the m2m when a task is created
Include a see_all_tasks permission as part of the admin role
Given that you already have roles and permissions configured in your application. You should be assigning the users the roles against a company, like Admins will have a Administrator role in all Companies.
Any user in the application will be having a role per company that allows him to perform his task in the context of the company.
Ex: I can be a Admin for CompanyA & Enduser for CompanyB. This should give you the desired result.
In case of having a consolidated list of tasks being shown across all companies, I will aggregate roles for each task based on the companyId and then enforce permissions.
While reading the web2py manual, I came across this following:
'Once a new user is registered, a new group is created to contain the
user. The role of the new user is conventionally "user_[id]" where
[id] is the id of the newly created id.'
which makes me wonder why Web2py does this. More specifically, why do we need to have so many seemingly redundant groups created where each only contains a single user? For example, what is the purpose of having a group called 'user_2' created just for containing the user with id '2'?
If no particular justification exists, is there any way to disable this default behavior of automatically creating unique groups for individual users, so that more meaningful groups can be created separately? Thanks.
The very next sentence says:
The creation of the group can be disabled with
1. auth.settings.create_user_groups = False
It goes on to say:
Users have membership in groups. Each group is identified by a name/role. Groups have permissions. Users have permissions because of the groups they belong to.
It is a role-based access control (RBAC) system, so groups/roles rather than individual users are given permissions, and users gain access by virtue of the groups to which they belong (including their own user-specific group). This is explained more fully in the chapter intro.
If you don't need to give specific permissions to individual users but only to more broadly defined groups/roles, then feel free to disable the automatic user-specific group creation as per the above.
You can add user2 to group of user1 so user2 obtains permissions of user1. Its usefull in many cases ...