openerp create a user group which can only view customers - openerp-7

How can I create a group so that a user can only view customers, with no option to edit or create?
I have made a group, given it only read access and assigned it to the user, but the user is still able to create/modify records.
Kindly guide me on how to proceed.

Check what other groups that user has. There must be a group with higher privileges assigned to the user; because of that, you are not able to see the effect of your newly created group.
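
Why the read-only group appears to have no effect, as an added example that is not part of the original answer: OpenERP/Odoo access rights are additive, so a user can write if any assigned or implied group grants it. The group names, ACL rows and helper functions below are constructed for illustration and only model the ir.model.access check.

```python
# Constructed sample rows modelled on ir.model.access:
# (group, model, read, write, create, unlink). A group of None applies to all users.
ACL_ROWS = [
    ("Customer Viewer", "res.partner", True, False, False, False),
    ("Employee", "res.partner", True, False, False, False),
    ("Sales / User", "res.partner", True, True, True, False),
    ("Sales / Manager", "res.partner", True, True, True, True),
]
# Constructed group inheritance (implied groups): group -> groups it implies.
IMPLIED = {
    "Sales / Manager": ["Sales / User"],
    "Sales / User": ["Employee"],
}
PERMS = ("read", "write", "create", "unlink")


def effective_groups(assigned):
    """Expand the directly assigned groups with everything they imply, transitively."""
    seen, stack = set(), list(assigned)
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(IMPLIED.get(group, []))
    return seen


def granting_groups(assigned, model):
    """Map each permission to the set of the user's groups that grant it on `model`."""
    groups = effective_groups(assigned)
    grants = {perm: set() for perm in PERMS}
    for group, row_model, *flags in ACL_ROWS:
        if row_model != model or (group is not None and group not in groups):
            continue
        for perm, allowed in zip(PERMS, flags):
            if allowed:
                grants[perm].add(group or "(all users)")
    return grants


def over_privileged_groups(assigned, model, wanted=("read",)):
    """Groups that grant any permission outside `wanted`; these defeat a read-only group."""
    grants = granting_groups(assigned, model)
    return set().union(*(g for perm, g in grants.items() if perm not in wanted))
```

Calling `over_privileged_groups(["Customer Viewer", "Sales / User"], "res.partner")` names the group that still grants write and create, which is the one to remove from the user.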

Related

How can I give a user the query-groups role but only allow him to query his own group in Keycloak?

I'm using Keycloak 19 and I'd like to give my users the authorization to create other users within their own group.
I was able to give access to users to see only the users from their own group by combining the realm_management:query-users role and the activation of fine grained permissions on the concerned group and setting a Group policy on the view-members permission.
I wanted to do the same for groups but it seems that the realm_management:query-groups allows one to see all groups. I was expecting it to work like its users counterpart but it seems like it works more like the realm_management:view-users role.
Moreover, when I want to create a new user, it tells me I actually need the query-groups role in addition to the query-users role. So I feel like I'm reaching some kind of dead end here.
How could I configure the roles and permissions to allow users of a specific group to be able to manage users within their own group or subgroups?
The only solution I can think of is to move this in an external app that will handle the additional security of not letting a user see the groups. The app would be the one in charge of doing the change once it verified the user has the rights.

Permission linking between LDAP users groups and Django permissions (custom if possible)

Hello again everyone,
I have a question: I successfully implemented django-auth-ldap, and the LDAP users can successfully request my DRF API. But now, for my project's needs, I have to define permissions depending on the group.
Indeed, I will have like 12 groups in my app. Depending on the group, I will authorize or not the user to request a given route, BUT even if I defined the global var AUTH_LDAP_MIRROR_GROUPS = True, and saw in my database they are linked to a group (see capture):
Users in database
Groups from LDAP inserted in db thx to django-auth_ldap settings
User linked to the groups defined
But now, I have some other problems: I do not know how to implement permissions depending on the group the user belongs to. In fact, if a user belongs to the group ServerAdministrator, I want to allow him to access every accessible route, but I don't know where to see this in the request received in my view?
As I understood, I should implement custom permissions that I should write programmatically in a User object (which should inherit from Django's AbstractUser).
If yes, how does it work? Should I empty my whole database and then let django-auth-ldap insert users, and will it also create the given permissions defined inside the database?
Maybe it is not clear, do not hesitate to ask questions if I can be more precise.
Kind regards.
Benjamin

Odoo 8 How to allow access to the documents of Document Management Module if you are not an employee

I have installed the Document Management Module. I have some users who represent companies, and they only belong to the knowledge group so they can view some documents. If I try this configuration, these users can view the directories, but they can't view the documents inside them. Instead of that, they get an error saying that they must be employees to view the content of the directories. I do not want them to belong to the human resources / employee group. I just want them to belong to the knowledge group. I hope you can help me.
Thank you in advance.
You can create an access role for this.
Enable the developer mode and then -
Go to Settings > Users > Groups.
Select the group to which you want to give the access.
Go to the Access Rights Tab and then add an item into it.
Select:
- object - 'ir.attachment'
- Read, Write, Create, Unlink (check all or as per your requirement)
- give a name to the rule (any name)
And save it.
The user belonging to that particular group will have access to the document management module.
Thanks
Shikhar S
The model ir.attachment in Odoo has some special logic for access rights. A user doesn't only need access rights to that model, but additionally needs access rights to the model to which the attachment belongs.
An easy example: You have an invoice with an invoice PDF as attachment. If you don't have delete rights for the invoice (maybe only read rights), you're not allowed to delete the attachment of that invoice either.
So the only solution to your problem is to override that logic.
If you don't want the user to belong to the Employee group, create the user as a Portal User. (Giving a user access to standard apps automatically makes the user belong to the Employee group, as most of them inherit the Employee group.)
Now, you have 2 options:
1) Modify Portal group to include Knowledge menu & related objects access
2) Create new group inheriting Portal group with required menu & related objects access.
Assign new user with this group access to allow accessing Documents.

Default user group creation behavior in web2py

While reading the web2py manual, I came across this following:
'Once a new user is registered, a new group is created to contain the
user. The role of the new user is conventionally "user_[id]" where
[id] is the id of the newly created id.'
which makes me wonder why Web2py does this. More specifically, why do we need to have so many seemingly redundant groups created where each only contains a single user? For example, what is the purpose of having a group called 'user_2' created just for containing the user with id '2'?
If no particular justification exists, is there any way to disable this default behavior of automatically creating unique groups for individual users, so that more meaningful groups can be created separately? Thanks.
The very next sentence says:
The creation of the group can be disabled with
auth.settings.create_user_groups = False
It goes on to say:
Users have membership in groups. Each group is identified by a name/role. Groups have permissions. Users have permissions because of the groups they belong to.
It is a role-based access control (RBAC) system, so groups/roles rather than individual users are given permissions, and users gain access by virtue of the groups to which they belong (including their own user-specific group). This is explained more fully in the chapter intro.
If you don't need to give specific permissions to individual users but only to more broadly defined groups/roles, then feel free to disable the automatic user-specific group creation as per the above.
You can add user2 to the group of user1 so user2 obtains the permissions of user1. It's useful in many cases...

Is it Better to put both of the roles on a single Login screen?

I am trying to create a project that involves two roles, say admin and student. Is it OK to provide two radio buttons, check which role the user selects, and then construct the particular page upon that selection?
Is my approach wrong? What would you suggest?
Why ask the user to choose a role? Based on the role, load the page.
Your application must be simple to navigate through. Try to minimize the user interaction as much as possible. Wherever you can calculate the user's need, do it. Here, provide a login page with username and password entries only. You can then check whether that user exists in the database. If yes, check which role he belongs to, and redirect him to the page corresponding to his role.
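
The login flow described in the answer above, as an added example that is not part of the original posts: the role is read from the stored user record after the password check, and a role value sent by the client is ignored. The user store, page paths and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Hypothetical landing pages per role.
ROLE_PAGES = {"admin": "/admin/dashboard", "student": "/student/home"}


def hash_password(password, salt):
    """Derive a password hash with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user(password, role):
    """Build a stored user record; the role lives server-side only."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt), "role": role}


# Constructed in-memory stand-in for the user table.
USERS = {
    "alice": make_user("correct horse", "admin"),
    "bob": make_user("battery staple", "student"),
}
# Dummy record so unknown usernames cost the same hashing work as known ones.
_DUMMY = make_user("unused", "student")


def login(form):
    """Return the redirect target for a submitted login form, or None on failure."""
    user = USERS.get(form.get("username", ""))
    record = user or _DUMMY
    candidate = hash_password(form.get("password", ""), record["salt"])
    password_ok = hmac.compare_digest(candidate, record["pw_hash"])
    if user is None or not password_ok:
        return None
    # The role comes from the stored record; any form["role"] field is never consulted.
    return ROLE_PAGES[user["role"]]
```

A form that submits `"role": "admin"` alongside bob's credentials still lands on the student page, which is what a radio-button role selector could not guarantee if the server trusted it.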