In alfresco execution of webscript, we can define whether the webscript authentication. Advanced Description Options
But I want to know "Is it a single webscript can be executed as admin or member of some group only modifying authentication property?"
I want to write new programs for member of some group, not member of admin group, can create new users, upload users and delete existing users. All webscripts[user-csv-upload.post, person.delete, people.post] to do these tasks require admin authentication. If I changed to authentication of these webscripts to user and run these webscript as admin like <authentication runas="admin">user</authentication>. All normal users can create new users. So I want to check that these webscript can only invoked one condition is met.
If I cannot check, I have to do two ways.
I have to write the same logic to two different webscripts, one for admin and one for member of some group
write authentication checking inside controller file with sudo like tool for current user is admin or member of some group.
I want to get any of your suggestion. Any help is greatly appreciated.
Solution:
I found exact code for my needs in sudo-like-tool-for-alfresco-security-aspects
Like Will Abson said in another question post, the most elegant solution is using this: Sudo Tool for Alfresco WebScripts. With this tool you can grant your user (if this users is part of a certain custom group) temporarily admin privileges. If not, it acts as a normal user with his own privileges. It requires some Java coding, though.
Otherwise, the solution number 1 is what we achieved for an our client. We developed a custom webscript with a custom url known only to their manager users, that can run script with "runas=admin" option, and make what they want. In this case, what you can do is: expose a link to the "user management webscript", only if the manager user is logged in, otherwise the link doesn't appear, and you respect some sort of "security". It's not very elegant but does the trick.
Related
So I have the users in a table and I know my login system works because I use it for other workspaces. However across all the applications in this particular workspace I am having an error where users roles are not being recognized in particular I can't even get the admin page to work for me and I am a developer. If anyone has any clue on how to fix this it would be greatly appreciated.
If that first image is the default Admin pages, then wouldn't that mean you have access since you can see that page?
(which by default, if you let APEX create it for you through New Page > Features > Access Control) has Administration Rights set as the Authorization scheme
You have two places to check to find the issue:
Shared Components > Security > Authorization Scheme
Go to or Click your Administation Rights, under Authorization Scheme, you need to make sure you are using Is in Role or Group IF that is the requirement and you are to use the created roles. Make sure the role, Administrator (if default roles exist) is listed.
if validation is once per session, and you're still in the same session. log out and log back in. The problem should go away
Shared Components > Security > Application Access Control
Check under Role Assignments if your username is there.
Click Administrator under Roles, and make sure Administration Rights under Associated Authorization Schemes has the Is in Role or Group as the scheme type
If there is a different Authorization scheme (not Is in Role or Group) or you have different roles, then I would suggest post a new question with more details on your setup.
I want to auto-assign a few of the Projects to the user who is logging in using the LDAP credentials. Currently, if LDAP user logs in, I have to go in Report Portal using super admin credentials and assign Member Role and Projects to that specific member.
I have recently tried this LDAP feature and facing this issue of the new user gets creating and assigning projects and members to each one of them. I wan some auto-assignment (like can we passed while setting LDAP setting in Report Portal)
Below is my LDAP user nperiwal with which I logged in Report Portal. But as you see this got created a new user and no project got assigned to it automatically. I want some process or code or settings which can fulfil my requirement.
FYI, see the below snapshot where I manually assigned projects and admin role.
Please help.
Simple way:
It can be done via scripting, see which requests are send to server in browser Network tab and put the same into the bash/shell script. Parametrize according to username and required access.
Long way: wait until our team will implement it within ReportPortal as feature, based on regular priority
Best way: request payed support from our team, and we will implement this capabilities for your company with highest priority. Drop mail at support#reportportal.io
I am using external LDAP service to define Camunda Groups, Users and User Group memberships.
I can see the Groups and Users from LDAP in the Admin UI very well.
I can also use Authorisations for example to provide or revoke read access to my deployment.
But no matter what I do, any application user can see complete list of the currently running [CMMN] tasks in the /tasks REST endpoint.
I am taking an LDAP user that is a member of 2 groups.
Neither the user, nor any of his groups have any Authorizations set up in Camunda, except for ACCESS to an application (I restrict to 'cockpit' only).
Still, when I login with that user the GET /tasks lists complete list of all currently running tasks.
My test user cannot see any data /process-instance (even though there are some running), but at the same moment it can see all process instance variables via /variable-instace.
What's the purpose of restricting /process-instance without restricting /variable-instance ?
What am I missing here? Can access to the /tasks and /variable-instance be restricted?
Can the reason be that the User Tasks that I try to restrict access to had been generated by a CMMN process?
Update
Yes, my unprivileged user can see all CMMN tasks but no BPMN tasks.
So the authorization is working but it doesn't cover CMMN :(
According to this (Closed) feature request:
https://app.camunda.com/jira/browse/CAM-5875
The CMMN is 100% Enterprise version feature available since version 7.6 (I am on 7.7)
According to this (Open) feature request:
https://app.camunda.com/jira/browse/CAM-6754
The CMMN Tasks are not yet covered by the authorisation even in the enterprise version.
:(
I am working with a lot of MODX since 2010. From time to time i coudl need another user group with restricted permissions. Like "Can edit content, but not change settings". So the user can't break anything which is relevant for die CMS itself.
I added users, placed them into roles and groups, but somehow it never works the way I expect it to work. A role is not a "role" but a level of authority. A group is just a link to a set of permissions, which is already setup as a ruleset. Still, if I create and setup the group "content editor", I never get it running as expected.
Is there a guide (or even an extra?) to setup restricted user account without breaking ones brain?
There's a basic tutorial available in the official documentation: https://docs.modx.com/revolution/2.x/administering-your-site/security/security-tutorials/giving-a-user-manager-access
My personal recommendation would be to ignore roles altogether. Whenever you need to enter a role (when adding a policy to a user group, or when adding a user group to a user) just pick "Super User - 0". They're an added complexity to allow, essentially, different permissions within the same user group, that 99% of the people don't need.
The primary thing to do is to create a policy, based on the "Administrator" policy set, that contains the permissions you want the user to have in the manager. Those would include the relevant resource/document permissions, but not settings, for example.
Then you add that policy to the user group of your choice as a "mgr" context policy.
The usergroup will also need context permission to be able of interacting with specific contexts. So on the contexts tab in permissions, add the different contexts you want, with the contexts policy.
As #optimuscrime commented, ACLs can be a little complicated, but that's the general approach.
I guess this question basically boils down to some misunderstanding that I have about how the SonarQube LDAP plugin works in general. We have integrated the LDAP plugin and our users are authenticating against our corporate LDAP server. When we we want to create a new group and add users to that group for a new project, we have assumed that the users themselves must authenticate into SonarQube first so they get added as a user to SonarQube. After that, then we are able to put them into the appropriate groups that they belong to. This is a pain for our administrators since the people that need to be added are logging in at differing times or forgetting to log in at all. What we would like is something that Nexus provides where we can do a lookup of that user's account id, then add them and place them into the appropriate group(s). In that way, the user is not bothered by having to login first and then the administrator has to give the privileges and then the user logs out and logs back in. Is this a misunderstanding on my part? I ask because when I go to the users page and click on 'Create New User' it not only asks for the user's id but also the user's password which I obviously don't know so this is telling me that this will be a local account.
By default SonarQube's LDAP plugin works like you think it does. You can configure LDAP group mapping so that when the user enrolls, he/she is automatically added to the appropriate group.
In other words, create the group for the project in SonarQube, and then create the same group in LDAP and add users to it. Then when users login for the first time they will be in the appropriate group, and on each subsequent login any group changes will be reflected in SonarQube.
This, in my opinion, is infact better than adding users manually.