Liferay hide specific role from specific users - permissions

I have some unique requirements where I want to hide a role from being selected by users with specific roles.
For example, I have roles named admin, department 1, department 2 and department 3.
As an admin I should be able to see only department 1, department 2 and department 3 for role management in my portal.
But if I define a permission for admin that he/she can manage roles,
the admin user is able to see all the roles which are available OOTB in Liferay.
Can anyone help me with the configurations?

The administrator role is, in Liferay, outside of the permission concept, so the admin can manage all other roles.
You can create another role like Department-Role-Admin and give it the necessary permissions.

How to grant some users partial user management rights in Keycloak?

Let's say I'm using one realm mycomp in Keycloak to handle all users (+ the master realm for the Keycloak superadmin).
I have a role of Customer Support (CS) that should be able to view users and manage their basic data like names, email, password reset etc.
I'm able to grant realm-management permissions like manage-users or view-users to any user in 3 ways:
assign directly
by creating a composite role for CS
by creating a group and adding CS there
The problem is that by giving manage-users rights, CS ends up being able to manage roles and groups, so it is able to grant other users management permissions. That's not valid for my config; it is a role of some higher-level admin.
How do I grant some users permissions to view and manage basic user data without allowing them to manage roles?
So at the end of the day I finally managed to find a working solution.
The problem was that the Role manage-users can't be overridden by a Policy.
With help from Pedro Igor Silva from Keycloak (https://issues.redhat.com/browse/KEYCLOAK-18151) I managed to set up a configuration that fulfills the use case.
With the Keycloak preview feature admin_fine_grained_authz enabled, I created a global composite Role user-managers and granted it the query-users Role from the realm-management client. Then I created a Policy that grants the manage permission on the Users resource when the user has the user-manager role.
That works perfectly.

Azure AD segregation between roles and groups

I have a .NET Core application and I'm trying to implement authentication and authorization. I have a set of users and these users belong to different regions. For example, I have region APAC and I have some users in it. Then I have roles like global admin or regional admin. These users are of type regional admin, global admin, etc. Now I want to return a role claim in my token. To return a role claim in my JWT token I should add app roles in the manifest. So how should I return app roles now? If I select a group, then all users belonging to that group emit these role details. I am a little bit confused here. I have grouped users according to regions. Inside each region, users are of type regional admin, global admin, etc. and they have different permissions inside the app. I am finding the segregation of these groups vs roles a lot of challenge, and I have not found any useful document either. Can someone help me to segregate these groups vs roles?
As I understand, you have users with different roles under groups segregated by region. When you try to authorize by group, all the users with different roles in the group emit the group's role details.
Assuming the regional admin you mentioned is a custom role for your application (as there is no such role in AAD), the following is a suggested approach.
A user can be assigned to multiple groups, and roles can be assigned to individual users/groups.
Create groups separately for regional admin and global admin users and assign roles to these groups accordingly.
If you are using the role claim in the token for role-based access control, authorize applications based on the role permissions granted by the administrator to groups. Please refer to this link for detailed documentation on how to create/manage roles for an application in Azure AD.

Many-to-many relationship versus permission

A user has a company_id and a many-to-many relationship with tasks.
Each user has a role.
Each role has permissions.
An admin should be able to see all tasks within the company.
A user should only be able to see his own tasks within the company.
What are the pitfalls of each approach?
Assign all admins to the m2m when a task is created
Include a see_all_tasks permission as part of the admin role
Given that you already have roles and permissions configured in your application, you should be assigning users roles against a company; for example, Admins will have an Administrator role in all Companies.
Any user in the application will have a role per company that allows him to perform his tasks in the context of the company.
Ex: I can be an Admin for CompanyA and an Enduser for CompanyB. This should give you the desired result.
In the case of a consolidated list of tasks being shown across all companies, I will aggregate roles for each task based on the companyId and then enforce permissions.
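The per-company role approach from the answer above, as an added example that is not part of the original post: task visibility is decided by a see_all_tasks permission on the role the user holds in that company, and the consolidated list evaluates the role per task by its companyId. Role names, permission names, users and tasks are constructed for illustration.

```python
from dataclasses import dataclass, field

# Role -> permissions; admin visibility comes from the role, not from adding every admin to each task's m2m row.
ROLE_PERMISSIONS = {
    "Admin": {"see_all_tasks", "see_own_tasks"},
    "Enduser": {"see_own_tasks"},
}

@dataclass
class Task:
    task_id: int
    company_id: str
    assignees: set  # user ids on the many-to-many side

@dataclass
class User:
    user_id: str
    # one role per company: the same user can be Admin in CompanyA
    # and Enduser in CompanyB (constructed data below)
    company_roles: dict = field(default_factory=dict)

def permissions_in(user: User, company_id: str) -> set:
    """Permissions from the role the user holds in this company, if any."""
    role = user.company_roles.get(company_id)
    return ROLE_PERMISSIONS.get(role, set())

def visible_tasks(user: User, company_id: str, tasks: list) -> list:
    """Tasks in one company the user may see, decided by permission."""
    perms = permissions_in(user, company_id)
    in_company = [t for t in tasks if t.company_id == company_id]
    if "see_all_tasks" in perms:
        return in_company
    if "see_own_tasks" in perms:
        return [t for t in in_company if user.user_id in t.assignees]
    return []  # no role in this company: nothing is visible

def visible_across_companies(user: User, tasks: list) -> list:
    """Consolidated list: the role is looked up per task by its companyId."""
    return [t for t in tasks if visible_tasks(user, t.company_id, [t])]

# constructed sample data
TASKS = [
    Task(1, "CompanyA", {"bob"}),
    Task(2, "CompanyA", {"carol"}),
    Task(3, "CompanyB", {"alice"}),
    Task(4, "CompanyB", {"dave"}),
]
alice = User("alice", {"CompanyA": "Admin", "CompanyB": "Enduser"})
```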

What is the difference between Roles and Permissions in ASP.NET Boilerplate Template?

In ASP.NET Boilerplate, why does it have roles and permissions to control authorization? What is the difference between the two?
Role: a group of permissions.
1. Why does ABP have roles and permissions to control authorization? What is the difference between the two?
Having both roles and permissions allows flexibility and ease for admins to control authorization.
The difference is that authorization only depends on permissions, not roles.
From https://aspnetboilerplate.com/Pages/Documents/Zero/Role-Management:
Roles are used to group permissions. When a user has a role, then he/she will have all the permissions of that role. A user can have multiple roles. The permissions of this user will be a merge of all the permissions of all assigned roles.
For example, a site moderator can be allowed to add, edit and delete any posts, including the ones written by others. A site moderator can add, edit and delete comments as well. If there are several site moderators, then a role can be easily assigned instead of individual permissions to each user.
2. Does a permission necessarily belong to a role? And does a role necessarily need permissions?
No, a permission can be assigned directly to a user.
No, a role does not need permissions. A role with no permissions is like a position (e.g. employee).
From https://aspnetboilerplate.com/Pages/Documents/Zero/Permission-Management:
Role Permissions
If we grant a permission to a role, all the users that have this role are authorized for the permission (unless explicitly prohibited for a specific user).
User Permissions
While the role-based permission management can be enough for most applications, we may need to control the permissions per user. When we define a permission setting for a user, it overrides the permission setting defined for the roles of the user.
In addition, there are also Organization Unit Roles (not documented yet). That is, a role can be assigned to an organization unit and users in that organization unit are considered to have that role.
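A model of the rules quoted above, as an added example that is not ABP's own code: permissions are merged from all of a user's roles (including roles inherited through an organization unit), a per-user setting overrides the roles in either direction, and authorization checks only permissions, never roles. User, role, permission and organization unit names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "Moderator": {"Posts.Edit", "Posts.Delete", "Comments.Delete"},
    "Employee": set(),  # a role without permissions, used like a position
}

# A role assigned to an organization unit; its members count as having it.
ORG_UNIT_ROLES: Dict[str, Set[str]] = {"Support": {"Moderator"}}

@dataclass
class User:
    name: str
    roles: Set[str] = field(default_factory=set)
    org_units: Set[str] = field(default_factory=set)
    # per-user setting: True = granted, False = prohibited, absent = inherit
    overrides: Dict[str, bool] = field(default_factory=dict)

def effective_roles(user: User) -> Set[str]:
    """Direct roles plus roles inherited through organization units."""
    inherited: Set[str] = set()
    for ou in user.org_units:
        inherited |= ORG_UNIT_ROLES.get(ou, set())
    return user.roles | inherited

def is_granted(user: User, permission: str) -> bool:
    """A user-level setting overrides the roles; otherwise any role that
    carries the permission grants it. Roles themselves are never checked."""
    if permission in user.overrides:
        return user.overrides[permission]
    return any(permission in ROLE_PERMISSIONS.get(r, set())
               for r in effective_roles(user))

def granted_permissions(user: User) -> Set[str]:
    """Merge of all role permissions, then adjusted by the user's settings."""
    candidates: Set[str] = set()
    for r in effective_roles(user):
        candidates |= ROLE_PERMISSIONS.get(r, set())
    candidates |= {p for p, ok in user.overrides.items() if ok}
    return {p for p in candidates if is_granted(user, p)}

# constructed sample users
mod = User("mod", roles={"Moderator"})
restricted = User("restricted", roles={"Moderator"}, overrides={"Posts.Delete": False})
direct = User("direct", roles={"Employee"}, overrides={"Posts.Edit": True})
support = User("support", org_units={"Support"})
```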

How to log in as specific role in Moodle

I have three roles: admin, instructor (combination of teacher and course creator) and student.
I created a child theme based on the Clean theme. In my child theme, I customized the layout of the login page. On my login page, there are three buttons: Login as Admin, Login as Instructor and Login as Student.
How can I force the login to be as a specific role? I did check out /login/index.php but I'm having a hard time understanding the flow of the login process.
For additional info, the dashboard content and design depend on what role the user logged in with.
First, San is wrong. There very much are global roles in Moodle. You can access these under:
Site Administration -> Users -> Permissions -> Assign system roles
Second, you talk about 'forcing' a role when you log in. This makes no sense in Moodle terms. This is how Moodle works:
Create a user.
Assign them a system role (by default they will be under the role 'All Users').
Log in as that user and they will have that role.
Why bother creating three different login buttons? All you need to do is create three accounts, each with different login details, and assign them each a separate role.
If this does not answer your question, please give me more details on what you are trying to achieve.
First, there is no global role in Moodle for any user.
User roles are assigned to course level in Moodle.
For dashboard content and design you can check user course level role and show data as per user role.
If a user is a student in any course, then I consider them a student and show data related to a student only for a course in which the user is a student.