How would i go about blocking users from being able to access the Parent site from a sub-site
also in the ribbon where you can click the small folder and you get a tree view of the sites, i want the Parent site not to be visible for users which belong to the sub-site
I've tried giving the sub site separate permissions which doesn't work for me.
Can you check what kind of permission user has on top site.
Useally when user is created in sub site and granted with permissions he is automatically granted with min rights to be able to pass through the top site collection.
Try to find user in the readers group on top site level collection.
Check which rights he has and try to ungrant permissions...
Hope it helps,
Andrew
look at powershell script that can map you all the autherizastions the user have , it can assist the problem solving
Related
I have a user with permissions across many projects (see image below).
I have a new user who just joined the company. I want to give him the exact same permissions. How can I do this? I don't want to do it manually because that will take me ages and the Google Cloud Documentation is useless! I cant find much on using gcloud command line to do this with examples.
There must be a easy way to duplicate permission?
Thanks
It is indeed possible to grant a role to a member for more than one project:
Open the IAM & Admin Projects page in the GCP Console.
Select all the projects for which you want to grant permissions.
Click the Show Info Panel, followed by the Permissions tab.
Enter an email address in the Add members field, and select the desired role from the drop-down menu.
Click the Add button. The member will be granted the selected role in each of the selected projects.
Granting access rights to project is an action fraught with security risks, so bulk gcloud commands or simple copying of roles are understandably not supported.
You can find more detail on the "Granting, Changing, and Revoking Access to Resources" documentation page.
It's my 1st time i'm working with Yii2's RBAC system.
I used http://www.yiiframework.com/doc-2.0/guide-security-authorization.html to get myself familiar with topic.
As i needed some kind of administration for roles / permissions, i installed this extension: https://github.com/mdmsoft/yii2-admin
I'm working on application that let's users submit articles. There are two kind of users, Administrators, and normal Users.
I created 2 roles for that purpose. Admin role and User role.
Users (both admins and users) must have ability to edit articles. Admins should be able to edit any article, while users can edit only their own articles.
For that i created 2 permissions. "Edit" permission and "EditOwn" permission. Than i created "IsOwner" rule and attached it to "EditOwn" permission.
I assigned "Edit" permission to Admin role, and "EditOwn" to User role and everything works great.
Now i'd like to create "lock" status for each article. If Article is locked, user can not edit it even if it's he's own article. Admins should be able to edit it even if it's locked.
For that i created new rule "IsLocked" but i dont know how to add it to "EditOwn" permission. I don't know is it even possible to have 2 rules attached to one permission?
EDIT:
Right now, i have this "dealt with" in way that i have additional permission "EditOwnIsLocked" to which i attached "IsLocked" rule which is than child of "EditOwn", which is child of "Edit".
This works, but it feels dirty and plain and simple wrong.
As it turns out, there is (for now) no way to attach multiple rules to a permission.
You can deal with need of multiple rules in way i do right now, by creating additional permission and attach rule to it and than make child<->parent connection, or you can edit your rule to check for all situations (in my case to check for IsParent and IsLocked).
Those solutions arn't perfect but it's what it is for now. First solution spawns unnecessary permissions, and clutter your permission list (in case you are using yii2-admin or similar extensions), but keeps your rules clean, and second solution keeps your permission list clean but makes you retype same code in multiple rules which is kinda oposit of what OOP stands for.
I'm trying to make the "Edit" button on the Project form to only be visible if the user logged into the system is the Project Manager of that project. I've been reading various answers online regarding this, gathering some understanding of Access Rights vs. Record Rules but I haven't been able to get this working. To my understanding, Access Rights over-ride Record Rules. So, if I create a record rule under the group "Project/User" that has read and write access with the domain as the following:
[('user_id','=',user.id)]
This will be over-ridden by the Access Rights for Project/User anyway? So How would I get this to work?
Thanks to anyone who can help.
As far as I know, Record Rules can override Access Rights.
Here is an example where record rules are used to change the base_user edit capabilities depending on the Task state: https://github.com/OCA/project-service/tree/8.0/project_baseuser/security
However, the "edit" button is not dynamically visible depending on the Task Status: it's always visible but the rules may or may not allow to write upon "Save".
Access Control List is checked before Record Rules.
Because Access Control List is a CRUD security on models (create/read/update/delete).
Only if ACL is passed next record level security comes in.
As far as I understood you want to give Project User permission to edit his own projects (he is in group Project User not Project Manager but set as Project Manager for exact Project by Project Manager group user LOL).
I did this by doing the following:
1) Give project users Project Manager role.
2) Restrict them to only modify own projects by creating a Global rule (no group is set) with the following domain on update / delete operations:
['|', ('user_id','=',user.id),('create_uid','=',user.id)]
P,S, Here is screenshot - http://awesomescreenshot.com/0083nqyf76
For the model project.project, provide the write permission only to the group project manager.Go to settings/techical/security. There you can see the access control list. CHeck what all group is provided to the project.project model.for every group other than project manager, remove the write permission
I have to create a list with different permission levels. I can see my list, but my teammates can't, but my manager can see all list.
I tried to use filters, but I couldn't define a filter for my manager. I was able to filter the list between teammates.
Is there any way to create groups of permissions. For example, the owners can see the full list, but the members can see their own part
Access to lists or items in them is determined by permission levels. You can check permission level for particular user or group by Check permission Button on List Permission Settings page.
You should also know that there are some users that can access lists and items without explicit permission grant in list's permission list. Farm admins, Site Collection admins or users have granted access at Web application level in Central administration.
I have to programmatically create a task for a user that was not explicitly added in the site users. He has permissions to contribute to the task list, though, because he belongs to an AD group that has been granted those permissions. I can assign the task to the user through the UI; how do I do it through code though?
The accepted way of assigning tasks to users is to set the AssignedTo field of the task to an SPFieldUserValue pointing to that user. Except it cannot be done in this case, because the users cannot be found in SharePoint, only his group! Assigning the task to the whole group is a bad idea, for obvious reasons. And our system administrators categorically refuse to add the users to Sharepoint one by one, because that would duplicate the data they have in Active Directory, and generally be a pain to manage. What do I do?
When a user authenticates to SharePoint, an entry is created for them in the profile store, even if their permission to the site comes from an AD group.
I did a quick test by adding new user (TGroupsUser) and group (SPtestPermissions) to my AD, so there is no chance the user was ever on my site before. I added the user to the group and gave the group "Member" permissions to my site. I then authenticated to SP with this new user.
To show that the user is part of this SPWeb, I wrote a quick webpart to enumerate the users on the web. Note that there are three groups of users with the SPWeb. All Users, Site Users and Users. See this link for full description of these properties. Basically, users are users on the web. Site Users are users and groups on the site collection. All Users is all users of the site including those granted direct permission or granted through group and then visited the site. Here are the results, minus the system accounts.
All Users
SPSDEV\rross
SPSDEV\sptestpermissions
SPSDEV\TGroupsUser
Site Users
SPSDEV\rross
SPSDEV\sptestpermissions
SPSDEV\TGroupsUser
Users
SPSDEV\rross
Since this account (TgroupsUser) is part of the user collection for the web, you can treat just like a user added directly to the site. To finish the testing, I created a task with the following code for the assignedTo field.
TaskItem[SPBuiltInFieldId.AssignedTo] = web.SiteUsers.GetByEmail("myemail#domain.com");
Here is a screenshot of the new task assigned to TGroupsUser.
FYI - I needed to use AllowUnsafeUpdates on the web object.