I am trying to integrate Salesforce APIs.
I have created a Permission Set and assigned a Salesforce license. When I call the API (GET) url/PermissionSet/{id}, it gives me a list of permissions that are either true or false. Now there are a few permissions that I want to update, like PermissionsIsContactCenterSupervisor or PermissionsIsotopeCToCUser. These permissions are not updated when I make a PATCH call from an HTTP client.
When I call describe against PermissionSet I can see that there are a few properties against each sObject that tell us whether that sObject is updateable or not, but for the above-mentioned permissions updateable is true. So it means I can update it, but on the PATCH call it gives me "The user license doesn't allow the permission".
So my question is: do we have any API or SOQL that lets us know which permissions in a PermissionSet can't be updated against a specific license?
Thanks
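The question above has no answer on the page. A practical way to get the same information without a dedicated API is to probe: take the boolean Permissions* fields that describe reports as updateable, PATCH each one on its own, and record which ones come back with the license error. The block below is an added example, not code from the original post or from Salesforce. It assumes the standard REST shape (PATCH to /services/data/vNN.0/sobjects/PermissionSet/{id}, 204 on success, 400 with a JSON list of {"message","errorCode"} objects on failure) and matches the license error on the message text quoted in the question, since the page gives no error code for it; the describe fragment, the permission set id and the errorCode in the fake transport are constructed.

```python
"""Probe which PermissionSet flags an org accepts for a license by PATCHing
each flag on its own and collecting the license rejections.

Added example (not the question's or Salesforce's code). Assumptions: the
standard sobjects REST endpoint, 204 for an accepted PATCH, 400 plus a JSON
error list for a rejected one, and the license error identified by the
message text quoted in the question.
"""
import json
from typing import Callable, Dict, List, Tuple

LICENSE_ERROR_TEXT = "The user license doesn't allow the permission"

# Injected transport: (path, json_body) -> (status, response_text)
Patch = Callable[[str, Dict[str, bool]], Tuple[int, str]]


def candidate_flags(describe: dict) -> List[str]:
    """Boolean Permissions* fields that the describe call marks updateable.

    describe: JSON from GET .../sobjects/PermissionSet/describe
    """
    return sorted(
        f["name"] for f in describe["fields"]
        if f["name"].startswith("Permissions")
        and f["type"] == "boolean"
        and f.get("updateable", False)
    )


def probe_flags(patch: Patch, ps_id: str, flags: List[str],
                api_version: str = "v58.0") -> Dict[str, List[str]]:
    """PATCH one flag per request so a rejected flag cannot mask another.

    Returns {"accepted": [...], "license_blocked": [...], "other_error": [...]}.
    Accepted flags really are set to true, so run this against a sandbox or
    a throw-away permission set.
    """
    path = f"/services/data/{api_version}/sobjects/PermissionSet/{ps_id}"
    result: Dict[str, List[str]] = {"accepted": [], "license_blocked": [],
                                    "other_error": []}
    for flag in flags:
        status, text = patch(path, {flag: True})
        if status == 204:
            result["accepted"].append(flag)
            continue
        try:
            messages = [e.get("message", "") for e in json.loads(text)]
        except ValueError:
            messages = [text]
        if any(LICENSE_ERROR_TEXT in m for m in messages):
            result["license_blocked"].append(flag)
        else:
            result["other_error"].append(flag)
    return result


# --- constructed sample data standing in for a real org ---------------------
SAMPLE_DESCRIBE = {"fields": [
    {"name": "Id", "type": "id", "updateable": False},
    {"name": "Label", "type": "string", "updateable": True},
    {"name": "PermissionsApiEnabled", "type": "boolean", "updateable": True},
    {"name": "PermissionsIsContactCenterSupervisor", "type": "boolean",
     "updateable": True},
    {"name": "PermissionsIsotopeCToCUser", "type": "boolean",
     "updateable": True},
    {"name": "PermissionsViewSetup", "type": "boolean", "updateable": False},
]}

# Flags the constructed org rejects for its license (demo assumption).
_BLOCKED = {"PermissionsIsContactCenterSupervisor", "PermissionsIsotopeCToCUser"}


def fake_patch(path: str, body: Dict[str, bool]) -> Tuple[int, str]:
    """Stand-in transport; swap in requests.Session().patch(...) for a real org."""
    (flag, _value), = body.items()
    if flag in _BLOCKED:
        # errorCode is a placeholder: the page does not show the real one.
        return 400, json.dumps([{"message": LICENSE_ERROR_TEXT,
                                 "errorCode": "CONSTRUCTED_FOR_DEMO"}])
    return 204, ""


if __name__ == "__main__":
    flags = candidate_flags(SAMPLE_DESCRIBE)
    print(json.dumps(probe_flags(fake_patch, "0PS000000000001", flags), indent=2))
```

Because each flag is sent in its own request, the result tells you exactly which flags the license rejects rather than a single failure for the whole body; describe's `updateable` only says the field is writable in principle, not that the license permits it.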
I am using force.com sites with a VF page and an Apex controller. In the class I am doing an update DML operation based on a Field Level Security check on fields using [objectName].fields.getMap().get([fieldApiName]).getDescribe().isUpdateable(). This statement always returns false, even though the guest user profile has Edit access on the fields.
Removing this if check is an option for now, although I am wondering if there is any existing limitation on using this check. Any insights are appreciated.
Thank you
Salesforce removed the update permission from Guest users a while ago.
Documentation
Guest users can’t have more than read access to data
Guest users can’t have the update or delete permissions on objects. Guest users can only update or delete records in System Mode.
If the Guest user profile has create permission on the object and edit permission on the field, isCreateable() will return true, but since the profile lacks the update permission, isUpdateable() will return false.
I am trying to create a subscription during the application's run time; the code should be able to create a subscription and clean it up after it finishes.
I want to do this with the least possible permissions for the service account I am using. For now, I have created a custom role and given it two permissions: pubsub.subscriptions.create and pubsub.subscriptions.delete.
Although this allows the creation and clean-up of a subscription, it allows deleting not only the current subscription, but also the subscriptions created by other users in the same project.
How can I assign permissions so that the service account is able to create subscriptions in Pub/Sub and delete only the subscription created by this service account?
Another way to put it could be: how can I create a subscription at run time and modify only this subscription's permissions to include pubsub.subscriptions.delete (with the same service account)?
Is there a way to make a service account admin/editor of the resources (topics, subscriptions, Compute Engine, etc.) created by this account? Something like an IAM role that makes it admin after resource creation.
Related Documentation Links:
https://cloud.google.com/pubsub/docs/access-control
This is impossible due to limitations of Google IAM by design.
In Google IAM, permissions correspond 1:1 with REST methods. To call a method, the caller needs that permission. In other words, permissions are granted on methods so that you can call them, not on objects so that you can modify/rename/delete them, as would be necessary in your case. You want to delete a certain object, right?
To get more granular access, you would need to assign a policy with a custom role on a subscription object explicitly, but you can hardly assign a Pub/Sub custom role below the project level.
A subscription creator does not become an "admin" of the created object, as it could be in an access management service with permissions assigned on objects. Even if explicitly assigning a policy with a custom role on a freshly created subscription were possible, it would have to be done by an account with a role that can manage permissions: pubsub.admin, for example. That means that you would have to grant this role to your service account in addition to the existing custom role with the pubsub.subscriptions.create and *.delete permissions. As soon as you do this, the least-privilege principle becomes meaningless.
Understanding IAM custom roles
Cloud IAM Documentation > Understanding roles > Pub/Sub roles
Access Control > Required permissions
Access Control > Roles
I have been trying to set the following values on a group using the Graph beta API:
{
"hideFromOutlookClients": true,
"hideFromAddressLists": true
}
However, I get the following error:
{
"code": "ErrorGroupsAccessDenied",
"message": "User does not have permissions to execute this action."
}
The application does have the required permissions for updating a group; in fact, updating a group's description works just fine. These two properties were added a few months back, but they seem to require a different permission. I cannot find any other group-related permission to assign.
Has anyone used these properties before that could shed some light on the subject?
I have tested your scenario.
To update "hideFromOutlookClients" and "hideFromAddressLists", we have to assign the Group.ReadWrite.All delegated permission.
The other two delegated permissions, Directory.ReadWrite.All and Directory.AccessAsUser.All, don't work. (But these two permissions do work for updating "description".)
The beta version of Microsoft Graph API is continuously improving, so there may be some unexpected issues.
UPDATE:
You are using application permissions rather than delegated permissions. Unfortunately, application permissions are not supported currently, based on my test. You need to assign the Group.ReadWrite.All delegated permission and call this API on behalf of a user.
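The answer above turns on a distinction that is easy to miss from the Azure portal: whether the access token you send to Graph is app-only or delegated, and which grants it actually carries. The block below is an added example, not code from the thread or from Microsoft. It assumes the usual Azure AD access-token layout (a JWT whose payload carries a space-separated `scp` claim for delegated permissions or a `roles` list for application permissions) and deliberately does not verify the signature: it inspects a token you already hold to explain a refusal before you send it, and Graph still enforces the permission server-side. The three tokens at the bottom are constructed, unsigned stand-ins for real ones from MSAL.

```python
"""Distinguish delegated from app-only Microsoft Graph tokens and predict,
from the token alone, whether a PATCH /groups/{id} touching the hide*
properties can succeed according to the answer's findings.

Added example; not the thread's or Microsoft's code. Assumes the standard
Azure AD JWT claim layout ("scp" for delegated, "roles" for application).
Signature is NOT verified: diagnostic only, never use this as authorization.
"""
import base64
import json
from typing import Dict, List, Tuple

REQUIRED_DELEGATED_SCOPE = "Group.ReadWrite.All"
HIDE_PROPERTIES = {"hideFromOutlookClients", "hideFromAddressLists"}


def _b64url_decode(part: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def token_grant(token: str) -> Tuple[str, List[str]]:
    """Return ("delegated", scopes) or ("application", roles) for a JWT."""
    try:
        _header, payload, _sig = token.split(".")
    except ValueError:
        raise ValueError("not a three-part JWT") from None
    claims = json.loads(_b64url_decode(payload))
    if "scp" in claims:
        return "delegated", claims["scp"].split()
    return "application", list(claims.get("roles", []))


def explain_group_patch(token: str, body: Dict) -> str:
    """Explain why a group PATCH with this body may be refused.

    Encodes the answer: description updates work with either grant, but the
    hide* properties needed a delegated Group.ReadWrite.All token at the
    time of the answer.
    """
    kind, grants = token_grant(token)
    if not (HIDE_PROPERTIES & set(body)):
        return "ok"
    if kind == "application":
        return ("app-only token: hide* properties need a delegated "
                f"{REQUIRED_DELEGATED_SCOPE} token obtained on behalf of a user")
    if REQUIRED_DELEGATED_SCOPE not in grants:
        return (f"delegated token lacks {REQUIRED_DELEGATED_SCOPE}; "
                f"scp={' '.join(grants)}")
    return "ok"


def make_unsigned_token(claims: Dict) -> str:
    """Build a constructed, unsigned JWT for offline demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed tokens; real ones come from MSAL / the v2.0 token endpoint.
APP_ONLY = make_unsigned_token({"roles": ["Group.ReadWrite.All"]})
DELEGATED_DIR = make_unsigned_token({"scp": "Directory.ReadWrite.All"})
DELEGATED_GRP = make_unsigned_token({"scp": "Group.ReadWrite.All User.Read"})

if __name__ == "__main__":
    body = {"hideFromOutlookClients": True, "hideFromAddressLists": True}
    for name, tok in [("app-only", APP_ONLY), ("delegated dir", DELEGATED_DIR),
                      ("delegated group", DELEGATED_GRP)]:
        print(f"{name:15s} -> {explain_group_patch(tok, body)}")
```

A token with `roles` and no `scp` came from the client-credentials flow, which is exactly the case the update to the answer says did not work for these two properties; swapping the portal's application permission for the delegated one and acquiring the token on behalf of a signed-in user puts `Group.ReadWrite.All` into `scp` instead.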
I need to give users access to edit specific Azure Logic App workflows. I find I can support this with the Logic App Contributor role. At times, I have workflows that contain an XML Validation action. I do want users to be able to edit business rules before and after that action, and even configure the action, such as selecting a different XSD. However, I do not want them to be able to configure the Integration account that supports the XML Validation action, or even to have a read-only view of the Integration account. When I have such an action, a would-be editor is blocked with the error:
it does not have permission to perform action 'Microsoft.Logic/integrationAccounts/join/action' on the linked scope(s)
Is there a way to apply roles so that a user can edit such a workflow with no direct access to the Integration Account?
You should be able to configure a custom role that matches your scenario.
Essentially you would grant the user the following permissions:
Microsoft.Logic/workflows/*
Microsoft.Logic/integrationAccounts/join/action
The Microsoft.Logic/integrationAccounts/join/action permission allows the user to modify a logic app linked with an integration account, but does not grant any permissions on the integration account itself (the user would need Microsoft.Logic/integrationAccounts/* for that).
You can restrict the Microsoft.Logic/workflows/* permission further (e.g. by scoping it down to write action only).
As mentioned by @SzymonWylezol, MS made a change on its end and the error no longer occurs. In the case where the IA is in a separate Resource Group from the Workflow, I find the user must be given the join action permission on the IA in that Resource Group.
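The two answers above rest on how Azure RBAC expands action strings: a role allows an operation when some entry in Actions matches it and no entry in NotActions does, with `*` standing for any run of characters, slashes included. The block below is an added example, not code from the thread or from Microsoft; it writes out the custom role the first answer describes as a role-definition JSON object, the narrowed write-only variant it mentions, and a small matcher that checks which control-plane operations each role permits. The subscription id in assignableScopes is a placeholder, and the matcher models action matching only, not the scope (resource group) on which an assignment is made, which the second answer notes still has to cover the integration account.

```python
"""Evaluate Azure custom role definitions against the Logic App / integration
account operations discussed above.

Added example; not the thread's or Microsoft's code. Assumes Azure RBAC's
"Actions minus NotActions" model with '*' matching any characters including
'/'. Role JSON follows the custom-role-definition shape; the subscription id
is a placeholder.
"""
import re
from typing import Dict, List

# Role from the first answer: full workflow control plus the join action,
# nothing else on integration accounts.
ROLE_DEFINITION = {
    "Name": "Logic App Workflow Editor (no integration account access)",
    "IsCustom": True,
    "Description": "Edit workflows and link them to an integration account "
                   "without reading or managing the account itself.",
    "Actions": [
        "Microsoft.Logic/workflows/*",
        "Microsoft.Logic/integrationAccounts/join/action",
    ],
    "NotActions": [],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
}

# The narrowing the answer suggests: read/write on workflows only.
NARROWED_ROLE = dict(ROLE_DEFINITION, Name="Logic App Workflow Writer", Actions=[
    "Microsoft.Logic/workflows/read",
    "Microsoft.Logic/workflows/write",
    "Microsoft.Logic/integrationAccounts/join/action",
])

# Same effect expressed by subtraction, which keeps future workflow
# sub-operations allowed while carving out delete.
NO_DELETE_ROLE = dict(ROLE_DEFINITION, Name="Logic App Editor (no delete)",
                      NotActions=["Microsoft.Logic/workflows/delete"])


def _action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC wildcard: '*' matches any characters; comparison is case-insensitive."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def is_permitted(role: Dict, action: str) -> bool:
    """Allowed when an Actions entry matches and no NotActions entry does."""
    allowed = any(_action_matches(p, action) for p in role["Actions"])
    denied = any(_action_matches(p, action) for p in role.get("NotActions", []))
    return allowed and not denied


def report(role: Dict, actions: List[str]) -> Dict[str, bool]:
    """Map each operation to whether the role permits it."""
    return {a: is_permitted(role, a) for a in actions}


CHECKED_ACTIONS = [
    "Microsoft.Logic/workflows/write",
    "Microsoft.Logic/workflows/delete",
    "Microsoft.Logic/workflows/triggers/run/action",
    "Microsoft.Logic/integrationAccounts/join/action",
    "Microsoft.Logic/integrationAccounts/read",
    "Microsoft.Logic/integrationAccounts/schemas/read",
]

if __name__ == "__main__":
    for role in (ROLE_DEFINITION, NARROWED_ROLE, NO_DELETE_ROLE):
        print(role["Name"])
        for action, ok in report(role, CHECKED_ACTIONS).items():
            print(f"  {'allow' if ok else 'deny '}  {action}")
```

The point to verify before assigning such a role is the last two lines of each report: `join/action` should be the only integration-account operation that comes back allowed, so the editor can link the workflow but cannot list, read or change the account's schemas and maps.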
When logged in as a standard user, an attempt to update a Salesforce field fails with the following:
HTTP response error code 400 (Bad Request).
The body of the response has:
{"message"=>"insufficient access rights on cross-reference id", "errorCode"=>"INSUFFICIENT_ACCESS"}
Attempting the update with Admin privileges succeeds. So, are standard users not allowed to update records? Is there a role definition that allows update on records that the user has access to in the Salesforce application?
Thanks,
Standard users can update records that they have edit rights to; check their profile settings, and make sure they have access to both the record you're trying to edit and the record they are trying to reference.