I'm working with Fisheye and I created a few repositories and a few projects referencing them. I want to show them to anonymous users, but although repositories are shown to anonymous users (non-registered), projects aren't.
I went to Administration, Repository Defaults, Permissions, Anonymous Access and set 'Allow anonymous access to the repositories', but how can I do the same with the projects?
The projects tab actually stems from Crucible rather than FishEye (you can have one or the other, but they run together if both are available), see the header on the project administration page:
A project is a set of Crucible content combined with a set of
customisable FishEye content.
Consequently this is a Crucible setting, which is orchestrated via Permission Schemes under Security Settings within Administration, thus a bit more complex. You'll have to review and experiment with the various permissions yourself on how to achieve the desired goal (each permission has a separate Allow Anonymous users setting), but I venture the guess that adjusting the View -
Ability to view a review. setting accordingly should be all you need.
Related
Please explain how content security works on SenseNet.
Especially how to read the following SN database view:
PermissionInfoView
What EFEntries(LocalOnly) flag is used for?
In a nutshell: it works very similarly to the file system permissions in Windows.
You can define permissions for individual users, or (more preferably) groups and org units. Defining a permission happens on a content, usually on a container like a workspace or folder. For example you give Open and Save permissions for the Editors group on the Articles folder.
There is inheritance: child content will inherit permissions you defined on the parent folder (unless it was defined as local only, which means not propagated to children). For example if you define a local only Save permission on a document library for John, he will be able to modify the doclib content itself (e.g. change its display name), but not the files inside the library.
To make things a bit more complex, you can break permissions on a content, for example to remove an inherited permission. This may be necessary if you want to hide a subfolder.
For details please visit the Permission System article.
Permission overview GUI
If you have installed the WebPages component of SN7, you get a Permission Overview page that may help you understand the current permission settings in the tree.
The Permission info database view
In case you have the Services component only (so no GUI) or you really want to look under the hood, you can check out this db view to see all the permission settings in the system.
The records here contain all the defined permission entries in the system (so inherited ones cannot be seen here, they are calculated in memory). The Path is the content where the permissions are defined, the Identity can be a user or group, LocalOnly means not propagated to children (see above), the rest is a list of permissions (e.g. Open or Save) and whether they are allowed, denied or undefined.
For details about this and other db elements please visit the DB structure article.
I want to make access polices on the folder each of costumer:
DocumentLibrary/Custumers/CostmerA
DocumentLibrary/Custumers/CostmerA
.
DocumentLibrary/Custumers/CostmerN
Then the CustomerA (tenant user) can't access the folders of other another Customers
I think abut doing this using "Tenants", and a would like to see an exeample.
The Multi Tenant (MT) feature in Alfresco does not do what you ask for. Especially, tenants don't share the same document library, they are completely separated.
You could use MT to achieve complete separation of tenants. This separation would include not only documents but users, groups, permissions, everything you deploy in the Data Dictionary.
I recommend to use a single (default) tenant and normal folder permissions if you just want to handle read/write permissions.
Before using Multi-Tenancy, pay close attention to the features you will be giving up, which are documented here.
The correct way to do what you are attempting to do is to simply use permissions. Give all of your customers access to the /customers folder. Then, in each customer-specific folder, break the ACL inheritance (Manage Permissions, Un-check Inherit Permissions), then assign the specific customer (perhaps using a group) to the folder with the appropriate access.
You might even consider using a separate Share site for each customer, which would make this easier.
The caveat to this is that if you are trying to hide all of your users and groups from each other, then really what you want are separate repositories, and that's what Multi-Tenancy provides, at the expense of the features I referenced at the top of the post.
If you go that route, you'll have to use the tenant console to create each customer-specific tenant. Your tenants will be separated into their own repositories. And you won't have a way to view all of your customer documents side-by-side without switching tenants.
Honestly, due to the stability of the multi-tenancy feature and the other features you have to give up, I'd be more inclined to use completely separate servers, even though that increases your maintenance burden. Alfresco doesn't even use their own multi-tenancy feature in their own cloud product.
You really should have no problems. MT is already there, you just need to enable it. There's no additional work that you should do in order to hide tenants from each others - that's the whole point of this feature.
http://docs.alfresco.com/5.1/concepts/mt-intro.html
We have multiple apps that use OpenLDAP for authentication and for storing data. We have quite lot links to these OpenLDAP entities from DBs from multiple applications (each app has its own DB), so when you change OpenLDAP entity you have to track object changes (currently we are using DN as a reference key). And inside LDAP we have few references, like what user can access which objects, as they can have very specific access rights (access right are not depend on hierarchy), LDAP also doesn't track these changes, so once these referenced objects are moved we need to track them both in LDAP and in multiple DBs.
I'm new to linux and OpenLDAP (we have it running on linux), but to me this all seems like a wrong way to handle things and it seems like we are using LDAP in the way it wasn't designed to be used (The idea of using it like this came from senior developers).
My questions is:
Is there anything bad to use LDAP in way i have described.
How can i change the OpenLDAP schema to create something like GUID for all object classes we are using, this way at least we can store object GUID instead of DN and don't have to track changes. If I change schema will I be able to perform search and filter by this GUID?
Sorry, but your architecture description is not clear for me, so I can't write if it's bad to use it like this.
Having multiple directories in a company is very common in middle to big companies (most of the time it's due to historical reasons) but for single sign on "Meta directories" are setup to have a single authentification point.
In my point of view the DN is obsolutly not the way to point an object in a directory, jus because moving an object is changing his DN. Each directory has got an attribute inherited from the "top" class that contains an unique identifier inside the directory. In OpenLDAP it's entryUUID.
entryUUID: bec561c4-c5b0-102a-81c0-81bc30f92d57
If you want to link datas in a not too big Directory you can also use referential integrity, that the way users are linked to groups (when you move a user you don't have to look at each group it belongs to) in operating systems directories (RefInt Overlay in OpenLDAP).
I have multiple projects in TRAC. I'm using mod_wsgi, and my wsgi script file TRAC_ENV_PARENT_DIR variable is pointing to the folder containing folders with all these projects. A few users have access to different projects. When a user visits the TRAC URL, she can see the listing containing all these projects, yet has no access to some of them.
Is there any way to show to a user only those projects this user has access to?
Please advise.
Preamble: I abhor security through obscurity. Your request could be read as cosmetics in web site presentation. Don't aim at improved access control, because knowing a valid path will still give access to each Trac environment depending on it's settings. Of course better navigation is a good reason.
Requiring to hide folders depending on user's permission means you require authentication before granting access to TRAC_ENV_PARENT_DIR. This could be done with standard mechanisms that your web server supports. This is just the precondition.
As you say, you have some non-public Trac instances in your Trac environment folder collection. How complicated it is to identify all folders correctly, that depends on how much you want to spend on initial implementation vs. maintenance.
I should be trivial, but error-prone, to provide a list of either the public or the private directories, of course whatever is easier to maintain. Zero additional configuration would require to open each Trac environment and look up user permissions. )** This sounds rather cumbersome and means probably a performance penalty for applications with large user base and frequent access. You will at least work with a cached list, if you go down this road.
You can't use Trac's auto-generated Available projects list but you'll have to deliver at least two versions of an index page for authenticated/unprivileged and authenticated and privileged users.
For the sake of maintenability you'll want to consolitate configuration and permissions. For access to each Trac environment you could use trac.ini inheritance and a shared .htpasswd file. However you can't inherit permissions, because these settings are stored inside the Trac db. You could give TracUserSyncPlugin a shot, but it seems not yet fit for production, or at least lacks feedback of all the happy users, if they exist.
)** While I'm not aware of dedicated documentation about this, there are actually several possibilities. Since permissions are stored in the Trac db, all involve reading/querying the permission db table. It's structure is documented with all other tables of the Trac db schema. To read you'll want to open the Trac environment(s) and then use a direct query on the table (see a AccountManagerPlugin changeset for an example) or construct and query a PermissionCache object.
It may be an old question, but so far i've found the answers to be rather complex without need.
I think using the information stated here, http://trac.edgewall.org/wiki/TracInterfaceCustomization#ProjectList , one could build a template that checks for users and permissions and then show the data it should.
In my case, i just needed to point the "TRAC_ENV_INDEX_TEMPLATE" variable to blank HTML, and that was enough for me.
(I am newbie to tortoise SVN)
I have 2 folders in my tortoise SVN.
Each need a different set of authorization
(I do not want
people who have access to the first folder to have read / write access to the second folder).
How can I accomplish it? I noticed that all permissions are defined in a file in the root level.
This is covered in the Subversion Book section on Path Based Authorization. You can check out the link for more details, but I would just draw your attention to this part:
A lot of administrators setting up Subversion for the first time tend to jump into path-based access control without giving it a lot of thought. The administrator usually knows which teams of people are working on which projects, so it's easy to jump in and grant certain teams access to certain directories and not others. It seems like a natural thing, and it appeases the administrator's desire to maintain tight control of the repository.
Note, though, that there are often invisible (and visible!) costs associated with this feature. In the visible category, the server needs to do a lot more work to ensure that the user has the right to read or write each specific path; in certain situations, there's very noticeable performance loss. In the invisible category, consider the culture you're creating. Most of the time, while certain users shouldn't be committing changes to certain parts of the repository, that social contract doesn't need to be technologically enforced. Teams can sometimes spontaneously collaborate with each other; someone may want to help someone else out by committing to an area she doesn't normally work on. By preventing this sort of thing at the server level, you're setting up barriers to unexpected collaboration. You're also creating a bunch of rules that need to be maintained as projects develop, new users are added, and so on. It's a bunch of extra work to maintain.
Just to round the post of codeka up. You can't set (at least I never have found out how) any permissions for the repo in tortoise as it is the SVN client application. You would have to set the permission on your svn server. If you happen to be running VisualSVN Server (free) you can setup user rights in a windows-easy manner (point and click).