I have a requirement where I have 300 Agencies with multiple users and 5 Regions with multiple users and Admins. Multiple agencies report to one region.
When a user logs in as an agency user and creates a list item, on submission the item has to give permissions to all users related to the user's agency and the region the agency belongs to. This is mapped using a reference list of which agency belongs to which region.
Can permissions for groups on an item be set dynamically using SharePoint Designer workflows? I was able to get this working if I hardcode the group names in the SP Designer workflow, but I am not sure how to pass group names dynamically to the workflow.
The SP groups and their users are already defined in SharePoint permissions.
I figured out a solution using InfoPath and SP lists.
First I created a reference list called "Regions" and stopped inheritance on the list, added SharePoint groups and users into the groups, and on each list item gave list permissions to the SP groups that have access to the list item.
In the "Survey" list I added a lookup field from the "Regions" list; now when the user adds a new item he sees the region and agencies he belongs to.
On the "Survey" list I created folders for "Regions" and "Agencies" and set the folder level permissions similar to "Regions" list.
I am a beginner in Odoo and I would like to create accounts for Managers and Simple Users respecting these conditions:
Manager A (of the Team 1) can see his own records as well as the records of the Users X1 and X2.
Manager B (of the Team 2) can see his own records as well as the records of the Users Y1 and Y2.
Manager A cannot see the records of Team 2.
Manager B cannot see the records of Team 1.
I created Team 1 and Team 2 as groups using Settings --> Users and Companies --> Groups and I assigned the users and the managers to their respective groups, but nothing happened. When I created a new event, it was still visible to all the others.
Do I need to add a special record rule or something?
I am using the Events module of Odoo 12.
Generally, groups are defined to have different permissions (read, write, delete, edit) at model level (not at record level), e.g. User, Manager, Director, Admin, etc. In your case, the teams have the same permission on the event model but you only want a subset of records to be visible to the respective teams. (I am curious if there is a term for such permission.) So, you have to use a record rule.
First, add a new field team_id on the user.
Then, add a record rule to make events visible only to the respective teams: [('create_uid.team_id', '=', user.team_id.id)]
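A simplified model of how the record rule above filters events, as an added example that is not part of the original answer and is not Odoo code. The users, the events and the resolve and visible_events helpers are constructed for illustration; the last sample user pair shows what happens when no team is set.

```python
# Constructed sample data: team_id None models a user with no team set.
USERS = {
    "manager_a": {"team_id": 1}, "x1": {"team_id": 1}, "x2": {"team_id": 1},
    "manager_b": {"team_id": 2}, "y1": {"team_id": 2}, "y2": {"team_id": 2},
    "new_hire": {"team_id": None}, "contractor": {"team_id": None},
}
EVENTS = [
    {"name": "Team 1 kickoff", "create_uid": USERS["x1"]},
    {"name": "Team 1 review", "create_uid": USERS["manager_a"]},
    {"name": "Team 2 demo", "create_uid": USERS["y2"]},
    {"name": "Contractor briefing", "create_uid": USERS["contractor"]},
]


def resolve(record, path):
    """Follow a dotted field path such as 'create_uid.team_id' (hypothetical helper)."""
    value = record
    for field in path.split("."):
        if value is None:
            return None
        value = value.get(field)
    return value


def visible_events(login):
    """Names of the events that pass the rule's domain for this user."""
    # Same shape as the rule: [('create_uid.team_id', '=', user.team_id.id)]
    domain = [("create_uid.team_id", "=", USERS[login]["team_id"])]
    return [e["name"] for e in EVENTS
            if all(resolve(e, path) == value for path, _op, value in domain)]
```

In this model an unset team compares equal to another unset team, so users without a team see each other's events; assigning every user a team closes that gap.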
New to LDAP. Our LDAP is arranged as People and Groups. The people have user information such as name, uid, and mail. The groups have a group name and multiple member fields, which have values like cn=First Last,cn=people,dc=comic,dc=com, listing the People that are members of the group.
Currently starting with userid and password, doing two searches:
1) Get user by searching on People base domain on uid=value. Then from the user get the first and last name.
2) Search on Groups base domain based on member=cn=First Last,cn=People,dc=comic,dc=com and iterate over the list of group objects returned to the group name field.
I am just wondering: is there a way to do all this in one search, or are two searches necessary?
Unfortunately you cannot do what you would like in one operation.
Also, what you are doing will not always work. Instead of retrieving the user's first and last name you should retrieve their distinguished name (dn attribute) and do your group search based on that. First and last names can be modified within LDAP, and this can happen due to marriage / divorce / etc.
It is possible, provided that you implement a Reverse Group Membership Maintenance Overlay.
To determine which groups an entry is a member of without performing extra searches, the memberOf overlay is exactly what you need.
The memberof overlay updates an attribute (by default memberOf) whenever changes occur to the membership attribute (by default member) of entries of the objectclass (by default groupOfNames) configured to trigger updates. Thus, it provides maintenance of the list of groups an entry is a member of, when usual maintenance of groups is done by modifying the members on the group entry.
You may find this Server Fault post useful for a how-to.
Once you have the memberOf attribute ready to be used, you may have to run ldapmodify manually on each group entry, but just once, so that all member entries can be provisioned with the corresponding group DN in their respective memberOf attribute.
Finally, to perform a group membership search for a given user, you would just search for the user entry and iterate the memberOf attribute to get the group DNs.
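The two lookups discussed in these answers, side by side, as an added example that is not part of the original posts: an in-memory model of the People and Groups layout from the question, with the two-search approach keyed on the DN and the reverse memberOf lookup after a one-time backfill. The entries, the dn_key comparison and all function names are constructed for illustration, and no LDAP server or library is involved.

```python
# Constructed sample data; the DN layout follows the question, the entries are made up.
PEOPLE = {
    "cn=First Last,cn=people,dc=comic,dc=com": {"uid": "flast"},
    "cn=Ann Other,cn=people,dc=comic,dc=com": {"uid": "aother"},
}
GROUPS = {
    "cn=editors,cn=groups,dc=comic,dc=com": {
        "cn": "editors",
        # "People" is capitalised here: DN comparison has to ignore case
        "member": ["cn=First Last,cn=People,dc=comic,dc=com"],
    },
    "cn=staff,cn=groups,dc=comic,dc=com": {
        "cn": "staff",
        "member": ["cn=first last,cn=people,dc=comic,dc=com",
                   "cn=Ann Other,cn=people,dc=comic,dc=com"],
    },
}

def dn_key(dn):
    """Comparison key for a DN (simplified: no escaped commas or multi-valued RDNs)."""
    return tuple(part.strip().lower() for part in dn.split(","))

def find_user_dn(uid):
    """Search 1: look the user up by uid and return the entry's DN."""
    for dn, attrs in PEOPLE.items():
        if attrs["uid"] == uid:
            return dn
    return None

def groups_by_member(user_dn):
    """Search 2: names of the groups whose member attribute holds the user's DN."""
    key = dn_key(user_dn)
    return sorted(g["cn"] for g in GROUPS.values()
                  if any(dn_key(m) == key for m in g["member"]))

def backfill_memberof():
    """One-time provisioning: write each group's DN into its members' memberOf."""
    index = {dn_key(dn): attrs for dn, attrs in PEOPLE.items()}
    for attrs in PEOPLE.values():
        attrs["memberOf"] = []
    for group_dn, group in GROUPS.items():
        for member in group["member"]:
            entry = index.get(dn_key(member))
            if entry is not None:  # skip member values that match no entry
                entry["memberOf"].append(group_dn)

def groups_from_memberof(uid):
    """Single search: read the group DNs straight from the user's memberOf."""
    dn = find_user_dn(uid)
    return sorted(PEOPLE[dn].get("memberOf", [])) if dn else []
```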
I have created a module named Purchases containing menu item: Purchases and views: Received purchases, Pending purchases and want to give access to this module to only the Employees\Employee.
I have created a new user with email emp1#gmail.com from the Settings and added it to user group Employees\Employee. I have given the Employees\Employee group access rights to the Purchases, Received purchases and Pending purchases views.
When I log in as the employee emp1#gmail.com I still do not get the Menu Item Purchases. I only get the Settings and Discuss menu items.
I got it wrong. It seems that I should have added that model to the access rights first and given permission to view, read, write, delete. Thanks.
I have an OU with users within. I want to extract all the emails of those users. I'm using Softerra LDAP explorer. It seems that the extract option doesn't allow to do this "the easy way". So I'm looking at an SQL command to do this.
"cn=xxxx,ou=users,ou=sync,ou=accounts,dc=xx,dc=xxx,dc=net" this is a user. The email is in the "email" field.
The group is here: "CN=group,OU=server,DC=xx,DC=xxx,DC=net",ou=users,ou=sync,ou=accounts,dc=xx,dc=xxx,dc=net"
What command should allow extracting all "email" fields for only users within the group "group"?
Would be very helpful
It depends on what is the entry
CN=group,OU=server,DC=xx,DC=xxx,DC=net",ou=users,ou=sync,ou=accounts,dc=xx,dc=xxx,dc=net
As you suggest by :
only users within the group "group"
It is a group with members, and a cross reference (i.e. on each user entry you have a kind of memberOf attribute which contains the DN of the groups he is in)
Then you can search all users which match the filter:
(memberOf=CN=group,OU=server,DC=xx,DC=xxx,DC=net",ou=users,ou=sync,ou=accounts,dc=xx,dc=xxx,dc=net) and retrieve the mail attributes
If the directory you use does not maintain group membership, you will have to retrieve the members' DNs, and make another request to retrieve the mail attributes of all these members
As you suggest by :
I have an OU with users within
It is a branch and all the users you want to retrieve are under this branch
Then you just have to search all the users under the subtree corresponding to this branch and retrieve the mail attributes.
I am retrieving users from Active Directory in Jira 7 by using LDAP. I am trying to reduce the number of users brought from LDAP to a particular group that we have created. So in order to do that I put (objectCategory=group)(cn=WebAgileDevs) in the group object filter along with the default settings. The only thing I change is the Base DN and credentials required. When I save and test, it does show me that it is testing 1 group and 15 users, which is what I want! BUT, when I go and sync it, it brings in 43000 users!! What am I missing?
The group filter is used to filter the list of groups that are imported to JIRA, and the user filter is used to filter the list of users that are imported to JIRA. The two need not necessarily correspond. Your group filter would be instructing JIRA to bring in only that one group (into the list of groups), but without further refinement, your user filter will still be pulling in all users, as you noticed. This means that you need to adjust the user filter too.
From your question, you want to import only those users who are a member of a specific group. Atlassian provides some general guidance here.
The last example on that page is particularly relevant for you:
(&(objectCategory=Person)(sAMAccountName=*)(memberOf=cn=CaptainPlanet,ou=users,dc=company,dc=com))
This tells JIRA to pull in only those user objects that are a member of the group cn=CaptainPlanet,ou=users,dc=company,dc=com. You would want to replace this with your cn=WebAgileDevs (plus whatever trailing qualifiers you need to fully qualify the group name).
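Building the user filter from this answer for an arbitrary group DN, as an added example that is not part of the original answer or Atlassian's guidance: the group DN is escaped per RFC 4515 before it goes into the filter, and a small model shows what the user filter selects with and without the memberOf clause. The function names, the sample users and the trailing components of the group DN are constructed placeholders.

```python
def escape_filter_value(value):
    """Escape the RFC 4515 special characters in a filter assertion value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_filter(group_dn=None):
    """User object filter; with group_dn it adds the memberOf clause."""
    clauses = "(objectCategory=Person)(sAMAccountName=*)"
    if group_dn is not None:
        clauses += "(memberOf=%s)" % escape_filter_value(group_dn)
    return "(&%s)" % clauses


def select_users(users, group_dn=None):
    """Model of what the user filter selects (direct membership only, simplified)."""
    picked = []
    for u in users:
        if u.get("objectCategory") != "Person" or not u.get("sAMAccountName"):
            continue
        member_of = [g.lower() for g in u.get("memberOf", [])]
        if group_dn is not None and group_dn.lower() not in member_of:
            continue
        picked.append(u["sAMAccountName"])
    return picked


# Constructed sample data; the group DN's trailing components are placeholders.
GROUP = "cn=WebAgileDevs,ou=groups,dc=example,dc=com"
USERS = [
    {"objectCategory": "Person", "sAMAccountName": "dev1", "memberOf": [GROUP]},
    {"objectCategory": "Person", "sAMAccountName": "dev2",
     "memberOf": [GROUP.upper()]},
    {"objectCategory": "Person", "sAMAccountName": "hr1",
     "memberOf": ["cn=HR,ou=groups,dc=example,dc=com"]},
    {"objectCategory": "Person", "sAMAccountName": "guest", "memberOf": []},
]
```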