What is the graph query to read users from AAD that are rooms and match a particular room type for example Conference Rooms, Reserved Space?
For example:
https://graph.tenant.com/v1.0/users?$count=true&$search="displayName:room"&$filter=endsWith(mail,'tenant.com')&$orderBy=displayName&$select=id,displayName,mail
On trying the above query, I see UnsupportedQuery error.
Set the ConsistencyLevel header to eventual .
Then your query
https://graph.microsoft.com/v1.0/users?$count=true&$search="displayName:room"&$filter=endsWith(mail,'tenant.com')&$orderBy=displayName&$select=id,displayName,mail
should work
Resources:
Advanced queries
Related
I have database of Workspaces with members and some other data. For each workspace there is a members Map, where key is the UserId and value is the email
It is structured like this:
\Workspace01
--- name:
--- color:
--- members:
------ userid: "email#email.com"
I am trying to query workspaces where the current user is a members.
In Security Rules for instance, I can try something like
allow read if uid in resource.members.keys()
and it works fine (I think). It allows read, etc.
However, if I try to query the same thing, for instance in kotlin/android, it gives a permission error:
collection.whereArrayContains("members.keys", uid )
I have also tried FieldPath.of(), or whereNotEqual("members[uid]", null), still the same thing.
I also tried using emails as keys and uid as values... Obviously no difference
There also was a suggestion of using orderBy("memebers.uid"). That also gives a "bad permission". However, this orderBy query works just fine in the Firebase console
I am completely out of ideas.
Help?
You say that the members field is a map, so it makes sense that you can't query it with whereArrayContains.
If you want to check if the uid subfield has a specific value, that'd be:
collection.whereEqualTo("members.theUidValue", "theEmailValue")
I'm not entirely sure that your security rules will allow this, so I'd start with more relaxed rules to first see if the query works.
If you want to simply check whether the UID exists, that isn't possible on a map structure. To allow that, add an additional array field with just the UID values from the map (e.g. memberUIDs), and then query with whereArrayContains on that.
I am trying to fetch a list of users from the Microsoft Graph API.
A lot of users don't have an email address, those users are systems users that I don't need.
So my query looks like /users?$filter=mail ne null
For another overview I need to show the manager of each user so I tried to add &$expand=manager. But doing so will result in an Unsupported Query.
When I remove the filter parameter it does work.
How can I only fetch relevant users and their managers in a single query?
Optionally I'd like to only receive the ID from managers, as an optimization. I only need the ID because I already fetched all users and their data. /users?$expand=manager($select=id) is what I was trying but I get the error Invalid $select properties.
If you want to use $select inside $expand to select the individual manager's properties, the $levels parameter is required, such as expand=manager($levels=max;$select=id). For more details, please refer to here
For example
https://graph.microsoft.com/v1.0/users?$expand=manager($levels=max;$select=id)
Update
If we want to use Not equals (ne) operators on the $filter query parameter, we must set the ConsistencyLevel header set to eventual and, with the exception of $search, use the $count query parameter (either as a URL segment or $count=true query string). For more details, please refer to here
For example
https://graph.microsoft.com/v1.0/users?$filter=mail ne null&&$expand=manager($levels=1;$select=id)&$count=true
For authentication in Jitsi Meet, we would like to read out a Windows AD group with an ldap query. Unfortunately our ldap query does not work.
LDAP_URL=ldaps://server.domain.local:636/
LDAP_BASE=DC=domain,DC=local
LDAP_BINDDN=CN=bind_user,OU=Administrative Accounts,OU=Benutzer,DC=domain,DC=local
LDAP_BINDPW=*
LDAP_FILTER= (&(|objectclass=user))(|(memberof=CN=group,OU=Jitsi,OU=Sicherheit,OU=Gruppen,DC=domain,DC=local)
(primaryGroupID=4989))
The error must be due to the filter, it works with the filter LDAP_FILTER = (sAMAccountName =% u).
Can you tell me what is wrong with our query.
A few things stand out to me:
The | in front of objectClass should not be there.
You have two closing parentheses after the objectClass condition, but the second one should be moved to the end of the whole query.
Oddly, objectClass=user will actually end up including other objects than just user accounts (like computer accounts). If you want to filter to only user objects, you have to use both (objectClass=user)(objectCategory=person). But that would only matter if you have other types of objects as members of that group.
Maybe this is just an error with pasting into the question, but there is a line break before (primaryGroupID=
I've never used Jitsi, but it may or may not like the space after LDAP_FILTER=. The other examples I see online don't show a space there.
It should look like this:
LDAP_FILTER=(&(objectclass=user)(objectCategory=person)(|(memberof=CN=group,OU=Jitsi,OU=Sicherheit,OU=Gruppen,DC=domain,DC=local)(primaryGroupID=4989)))
That means: find all user objects that are either members of that group, or have a primary group ID of 4989.
How can I use a a search filter to display users of a specific group?
I've tried the following:
(&
(objectCategory=user)
(memberOf=MyCustomGroup)
)
and this:
(&
(objectCategory=user)
(memberOf=cn=SingleSignOn,ou=Groups,dc=tis,dc=eg,dc=ddd,DC=com)
)
but neither display users of a specific group.
memberOf (in AD) is stored as a list of distinguishedNames. Your filter needs to be something like:
(&(objectCategory=user)(memberOf=cn=MyCustomGroup,ou=ouOfGroup,dc=subdomain,dc=domain,dc=com))
If you don't yet have the distinguished name, you can search for it with:
(&(objectCategory=group)(cn=myCustomGroup))
and return the attribute distinguishedName. Case may matter.
For Active Directory users, an alternative way to do this would be -- assuming all your groups are stored in OU=Groups,DC=CorpDir,DC=QA,DC=CorpName -- to use the query (&(objectCategory=group)(CN=GroupCN)). This will work well for all groups with less than 1500 members. If you want to list all members of a large AD group, the same query will work, but you'll have to use ranged retrieval to fetch all the members, 1500 records at a time.
The key to performing ranged retrievals is to specify the range in the attributes using this syntax: attribute;range=low-high. So to fetch all members of an AD Group with 3000 members, first run the above query asking for the member;range=0-1499 attribute to be returned, then for the member;range=1500-2999 attribute.
If the DC is Win2k3 SP2 or above, you can use something like:
(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:=CN=GroupOne,OU=Security Groups,OU=Groups,DC=example,DC=com))
to get the nested group membership.
Source: https://ldapwiki.com/wiki/Active%20Directory%20Group%20Related%20Searches
And the more complex query if you need to search in a several groups:
(&(objectCategory=user)(|(memberOf=CN=GroupOne,OU=Security Groups,OU=Groups,DC=example,DC=com)(memberOf=CN=GroupTwo,OU=Security Groups,OU=Groups,DC=example,DC=com)(memberOf=CN=GroupThree,OU=Security Groups,OU=Groups,DC=example,DC=com)))
The same example with recursion:
(&(objectCategory=user)(|(memberOf:1.2.840.113556.1.4.1941:=CN=GroupOne,OU=Security Groups,OU=Groups,DC=example,DC=com)(memberOf:1.2.840.113556.1.4.1941:=CN=GroupTwo,OU=Security Groups,OU=Groups,DC=example,DC=com)(memberOf:1.2.840.113556.1.4.1941:=CN=GroupThree,OU=Security Groups,OU=Groups,DC=example,DC=com)))
My project requirement is something like this:
On Top, there will be Administrator, who will have all d access, first level
Under Administrator, there will be Department Heads, who will have all d access, apart from Creating Department Heads
Under Department Head, there will Other Members, who will be managing their allocated department wise data.
Now, all different department heads will have their own information and members, and all department heads / Members will have access to their own specific records, which they are entering / managing.
Now, with CakePHP's ACL Component, I can divide the roles and their access level, but all department heads can see the other department head's information, as they will have same level of access, and All Other Members can see the other members information on diff departments, as of they will have same level of access.
My project complexity is that - they should be visible only their assigned or created information / data, though they have same level / role assignments as of others.
Can anyone suggest me best suitable option, to manage all these things with already available plug-ins with CakePHP.
I can work by customizing the default ACL Component, but that will take some more amount of time, than what is expected.
Any better ideas / suggestions would be appreciated !
the way i see it, ACL is not that magical. For exemple: ACL could manage the permissions to tell who has access to add/edit/remove a product.. but it wont be able to change a query to filter the products accordingly to the defined permissions (like "users from department A can only see products from department A").. well actually that's a lie, ACL could manage that but it might not be practical, because every time you add a product you'd have to create an ACO, and set the permission in the AROS_ACOS table and since the AROS is a tree structure, so it could easily become a nigthmare, if your planning to query your data
I'd use a group-only ACL to control the access to certain pages/actions and make rules like:
"Department Head can access the page
'products list' and add/delete/modify
products"
"Administrators can access
all pages"
"Other users can access
'products list' and they can add
products but not delete them"
and i'd adjust my queries accordingly to the connected user, so in the controller of 'products list' page, i'd do something like:
If connected user blongs to Department Head then select all products where product.department_id=connected_user.department_id
If connected user is Admin then select all products
if you have too much queries and you dont want to do thousands of if's sentences, you could create a component, a behavior or maybe extend the find() method in the app_model. The idea is to catch all queries and check if one of the models used on the query have field called "department_id", if they do then add the model.department_id=connected_user.department_id condition to the query.
I did that for one website that can be seen in multiple languages and each language has it's own users, data, logs, etc., and there's one Admin that can see all the info.. and it's working great for me =)
Good Luck!
EDITED:
the behavior i use is:
<?php
class LocalizableBehavior extends ModelBehavior {
/**
* Filter query conditions with the correct `type' field condition.
*/
function beforeFind(&$model, $query)
{
/**
* Condition for the paginators that uses joins
*/
if(isset($query['joins']) && !empty($query['joins'])){
foreach($query['joins'] as $key => $joinTable){
if(ClassRegistry::init($joinTable['alias'])->hasField('lang')){
$query['joins'][$key]['conditions'][] = $joinTable['alias'].".lang = '".$_SESSION['lang']."'";
}
}
}
/**
* condition for the normal find queries
*/
if($model->hasField('lang') && $model->name != "User"){
$query['conditions'][$model->name.'.lang'] = $_SESSION['lang'];
}
return $query;
}
}
?>
it's quite simple really, i change the query to add a condition to match to the current language ($_SESSION['lang']). In the controller all i need to do is to attach the LocalizableBehavior and use find method as usual:
$this->Products->find('all');