How do I query effective permissions on an Active Directory Object? - permissions

I'm trying to programmatically determine whether the current user has certain permissions on a given Active Directory object (specifically in this case, I'm trying to determine whether the user has the "Send As" permission for another Exchange user or distribution list object).
I already figured out how to access the ntSecurityDescriptor attribute using ADSI: I can enumerate the ACEs in the IADsSecurityDescriptor's DiscretionaryACL property. But:
How do I determine from that data whether the "Send As"-permission is explicitly allowed or denied for a trustee?
How do I discover this when the permission has been granted indirectly via group membership? Do I really have to parse the effective permissions myself by (recursively) checking all groups the user is a member of? Surely there must be an API for that task...
FWIW, I'm coding in Delphi (i.e. native Win32 code) using the ActiveDs.dll typelibrary, so .NET-specific solutions won't really help me much unless their source code gives me clues to how to do the same thing in native code. The same goes for PowerShell.
Before anyone starts: I already know about the PR_EMS_AB_PUBLIC_DELEGATES and PR_EMS_AB_PUBLIC_DELEGATES_BL_O Extended MAPI properties. However, this is not what I'm after. These properties refer to the "Send on behalf of"-right (a.k.a. delegates), not the "Send As" permission, which is quite a different thing.

Here's the MSDN article that explains it: http://msdn.microsoft.com/en-us/library/windows/desktop/ms675580(v=VS.85).aspx. There is an attached sample that shows how to call the API.
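The two checks the question asks for, written out as an added example in Python (it is not code from the original post, from the MSDN sample, or from ActiveDs): a model of how Windows decides a single extended right against an AD object's DACL. It assumes the ACEs have already been read from ntSecurityDescriptor, as the asker does through IADsSecurityDescriptor/IADsAccessControlList, and that the principal's transitive group SIDs come from the user object's constructed tokenGroups attribute, which the DC computes so you do not have to recurse through memberOf. The Send-As and Receive-As GUIDs are the real rightsGuid values of those controlAccessRight objects; every SID, group and ACE in the sample DACL is constructed for illustration. On Windows the production-grade way to get the same answer is to hand the descriptor and an OBJECT_TYPE_LIST naming the right to AuthzAccessCheck (or AccessCheckByType) instead of walking the ACEs yourself, which is what the MSDN sample linked above is about.

```python
"""Model of how Windows evaluates an AD object's DACL for one extended right
(here Send-As). Added example; the ACE, SID and group data below are constructed."""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Access-mask bits from ADS_RIGHTS_ENUM (Iads.h).
ADS_RIGHT_DS_CONTROL_ACCESS = 0x00000100   # the "extended right" bit
ADS_RIGHT_GENERIC_ALL = 0x10000000         # generic Full Control, implies it

# ADS_ACEFLAG_INHERIT_ONLY_ACE: ACE only propagates to children, not effective here.
INHERIT_ONLY_ACE = 0x08

# rightsGuid of the controlAccessRight objects in CN=Extended-Rights.
SEND_AS_GUID = "ab721a54-1e2f-11d0-9819-00aa0040529b"
RECEIVE_AS_GUID = "ab721a56-1e2f-11d0-9819-00aa0040529b"

ACE_ALLOW, ACE_DENY = "allow", "deny"


@dataclass(frozen=True)
class Ace:
    ace_type: str            # ACE_ALLOW or ACE_DENY
    trustee_sid: str
    access_mask: int
    object_type: Optional[str] = None   # ObjectType GUID of an *_OBJECT_ACE, None for a plain ACE
    flags: int = 0


def ace_covers_right(ace: Ace, right_guid: str) -> bool:
    """True if this ACE says anything about the given extended right on this object."""
    if ace.flags & INHERIT_ONLY_ACE:
        return False
    if not ace.access_mask & (ADS_RIGHT_DS_CONTROL_ACCESS | ADS_RIGHT_GENERIC_ALL):
        return False
    # A plain ACE carrying the control-access bit covers every extended right;
    # an object ACE covers only the right whose GUID it names.
    return ace.object_type is None or ace.object_type.lower() == right_guid.lower()


def decide(dacl: Optional[Iterable[Ace]], principal_sids: set, right_guid: str) -> Tuple[bool, Optional[Ace]]:
    """Walk the DACL in stored order; the first ACE matching both a SID in
    principal_sids and the right decides. Returns (granted, deciding ACE).
    Relies on the DACL being in canonical order (explicit deny, explicit allow,
    inherited deny, inherited allow), which AD maintains when it stores the ACL."""
    if dacl is None:
        return True, None          # NULL DACL: no protection at all
    for ace in dacl:
        if ace.trustee_sid in principal_sids and ace_covers_right(ace, right_guid):
            return ace.ace_type == ACE_ALLOW, ace
    return False, None             # nothing matched: implicit deny


def effective_sids(user_sid: str, token_groups: Iterable[str]) -> set:
    """What a token for this user carries: own SID plus transitive group SIDs.
    Against a real DC, read the constructed tokenGroups attribute of the user
    object for the group part rather than recursing through memberOf yourself."""
    return {user_sid, *token_groups}


# --- constructed sample -------------------------------------------------------
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"   # made-up domain SID
ALICE = f"{DOMAIN}-1105"
SALES = f"{DOMAIN}-2001"
CONTRACTORS = f"{DOMAIN}-2002"
ADMINISTRATORS = "S-1-5-32-544"                        # BUILTIN\Administrators

SHARED_MAILBOX_DACL = [
    Ace(ACE_DENY, CONTRACTORS, ADS_RIGHT_DS_CONTROL_ACCESS, SEND_AS_GUID),
    Ace(ACE_ALLOW, SALES, ADS_RIGHT_DS_CONTROL_ACCESS, SEND_AS_GUID),
    Ace(ACE_ALLOW, SALES, ADS_RIGHT_DS_CONTROL_ACCESS, RECEIVE_AS_GUID, flags=INHERIT_ONLY_ACE),
    Ace(ACE_ALLOW, ADMINISTRATORS, ADS_RIGHT_GENERIC_ALL),
]


def explicit_send_as(trustee_sid: str) -> Optional[bool]:
    """Question 1: is Send-As explicitly allowed/denied for this trustee? None = not mentioned."""
    granted, ace = decide(SHARED_MAILBOX_DACL, {trustee_sid}, SEND_AS_GUID)
    return None if ace is None else granted


def effective_send_as(user_sid: str, token_groups: Iterable[str]) -> bool:
    """Question 2: the effective answer, group membership included."""
    return decide(SHARED_MAILBOX_DACL, effective_sids(user_sid, token_groups), SEND_AS_GUID)[0]


if __name__ == "__main__":
    print("explicit for Alice :", explicit_send_as(ALICE))                          # None
    print("Alice via Sales    :", effective_send_as(ALICE, [SALES]))                # True
    print("...also Contractors:", effective_send_as(ALICE, [SALES, CONTRACTORS]))   # False
```

Two things the model deliberately leaves out, which a port to Delphi must not: the owner of an object implicitly gets READ_CONTROL and WRITE_DAC regardless of the DACL, and the GENERIC_* bits are mapped through the object's generic mapping before comparison. Both are handled for you by AuthzAccessCheck, which is the main reason to prefer it over a hand-rolled walk once the ACEs have been enumerated.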

Related

How to retrieve online presence status in Outlook using VBA

Problem
I need to get online presence status from Microsoft Outlook using VBA.
The status is presented as a green-yellow-red-grey light displayed near the contact name and is usually provided by some instant messaging (IM) application (e.g. Teams, Skype, Zoom, Jabber etc.).
Here is how it usually looks:
Available data
Unfortunately, the status is not available in the Outlook structures AddressEntry or ExchangeUser, which are pretty easy to acquire.
Note: Please do not confuse online presence with calendar availability, which can easily be retrieved using the GetFreeBusy function.
Alternative view
The only relevant and pretty decent description of the topic I found is here: https://learn.microsoft.com/en-us/office/client-developer/shared/integrating-im-applications-with-office .
But there the topic is presented from a different angle - what should be done on the IM application side to provide this status. In short: the IM app should add some data to the registry under ...\Software\IM Providers\... and implement the interface IUCOfficeIntegration, so Outlook can use it to retrieve the status.
So an intermediate idea was to retrieve the status via this interface from the IM app directly. But there is very little information about calling COM interfaces from VBA.
Can anyone provide any hints on how the status can be retrieved?
The Outlook object model doesn't provide any property or method for that. Graph API provides the Get presence methods for that.
You can use Graph for that. I don't think you'd be able to use VBA though.
https://learn.microsoft.com/en-us/graph/api/presence-get?view=graph-rest-1.0&tabs=http

Alfresco permissions depending on whether document is currently part of workflow or not

Out-of-the-box, an Alfresco user can read a document based on:
The document's permissions
The user's role
The user's groups
Whether the user owns the document or not
Maybe some other factors I forgot?
Now, I want to add a new factor: Whether the document is currently part of a workflow.
Alfresco's permissionDefinitions.xml allows me to define permissions based on authorities such as ROLE_LOCK_OWNER etc, but it does not seem to be the right place to add permission conditions.
I guess I will have to write some Java source code, but I am not sure what classes are responsible for this, and whether there is an Alfresco way to customize them?
So, I assume you want to somehow have nodes that are attached to a workflow have different access rights? You need to think about the behavior you want in all of the UIs and protocols you are exposing (e.g. Share, WebDAV, CIFS, FTP, etc.).
If you want to set a permission on a node, you can do that via JavaScript as well as Java (see http://docs.alfresco.com/5.2/references/API-JS-setPermission.html and http://docs.alfresco.com/5.2/references/dev-services-permission.html). As was mentioned in one of the comments, you can also get the number of active workflows on a node by referencing the activeWorkflows property in JavaScript (http://docs.alfresco.com/5.2/references/API-JS-ScriptNode.html) or in Java.
Depending on the specifics, I might implement this in different ways, but if all you want to do is have the permission change, you could just update it at the beginning and end of your workflow with a simple JavaScript call. The only bad thing about that is that it doesn't take into consideration the workflow getting canceled. You could also create a policy/behavior on an aspect you attach, or even have a rule or job run that updates content based on the activeWorkflows values.

Queries in DFC and WDK in documentum

I have the below queries about DFC and WDK:
1) TBO is Type Based Object and is for a specific object type in Documentum. SBO is for global use. Can we make SBO code act like a TBO, and if yes, how? How can I make my SBO specific to a particular object type?
2) How can I call a behavior class from an action.xml in WDK, if I don't want to use the component in my WDK customization? Any examples to support these queries will be appreciated.
3) Why is scope required in WDK? What is its role, and can scope override privileges in terms of hierarchy? If a user is provided a scope for a component in WDK but he/she doesn't have sufficient privileges to access it in Documentum, can the user still access the particular component?
4) Can folder security values override basic object-level permissions? Which will come first: folder security, basic-level permissions or privileges?
Thanks!!
Deb
This is not the kind of question for SO, at least in most parts. However:
1.) TBO and SBO are just architectural approaches for specific requirements. If you have specific code that you want to run for objects of a specific type and not only for objects of its subtypes, then you need to change the object model to apply the logic to all objects in the type hierarchy. This isn't a problem with the Documentum object/type model.
For example: You have custom_document as a subtype of dm_document, and custom_child1_document and custom_child2_document, both subtypes of custom_document. You have a TBO set on custom_child2_document.
You don't want to apply an SBO to have custom logic available for everything under dm_document.
Just add the TBO to type custom_document and you'll have your logic for all types under dm_document.
2.) You cannot call a behavior class without invoking the component. If you have specific code you want to run from other places, isolate it somewhere else and run it at will.
3.) You don't need to specify scope for your WDK configuration. However, once you learn WDK in detail you will find it useful.
4.) A folder is an object. You need to know that when you access objects via folders you need access permission for both the folder and the document linked to that folder (Read level is enough). You only need permissions on the object if you access that object from DQL, for instance. Basic and extended permissions are meant to be used in specific cases; you don't need extended permissions to read object content if you have the Read basic permission on your object. However, you need the Relate basic permission + the Run Procedure extended permission on the target workflow to start a workflow with that specific object as attachment/package. Different rules apply when you want to add an object inside a specific folder. But this is a long story.
Regarding folder security - check this article.

Get lasting permission to write to a specific directory with the new Sandbox requirements

I need a way to get & keep permission to write to a specific directory in OS X. How can that be done while abiding with the new Sandbox requirements?
The recipe:
Ask the user to select the directory - use a standard open dialog limited to directory selection. Apart from a few special directories (music, pictures etc.) there is no way to gain access apart from asking the user.
Create a security-scoped bookmark using the URL returned by the standard open dialog, just search the Apple docs for "security-scoped bookmark".
Persist that bookmark, either in user preferences or in the Application Support folder for your app.
On application launch, or before you need access, read in the saved bookmark and activate - you'll find out how to do this in the Apple docs as above.

RavenDB: how to check permissions for a user, wanting to perform an operation on a specific document

I have a multi-part, possibly confusing question... it's been a while since I've dug in to the Authorization bundle, so it's taking me a bit to remember how it all works. Bear with me as I struggle to make sense of my thoughts, here :)
The majority of the code that I'm writing in my system uses a call to the documentSession.IsAllowed method to check and see if the AuthorizationUser has permissions for the Activity specified. This has been working wonderfully for us, no problem. I'm expanding my app's authorization to make use of tags now and I'm wondering:
Does the documentSession.IsAllowed method account for Tags on document permissions, role permissions, and user permissions?
For example: if I have Bob assigned to the Manager role, and the Manager role is assigned a permission to allow a "Review" operation, with a Tag of "ReadyForReview" on that permission, how do I make a call to documentSession.IsAllowed in a way that verifies that Bob can "Review" things that are tagged "ReadyForReview"?
I realize that I may be asking the wrong question and/or looking at this from the wrong perspective. If I am going about this wrong, please let me know.
The end goal is really to say "Can Bob review this assignment?", where an Assignment is a document in RavenDB that may or may not have a "ReadyForReview" tag. Bob should only be allowed to review assignments that have the "ReadyForReview" tag. I would like to have a method that gives me a boolean value telling me if Bob can review that document.
Derick,
In addition to simply IsAllowed, you also have IsOperationAllowedOnDocument.
That allows you to ask security questions about a specific document instance, not just globally.