permanently deleted user does not show up in groups delta query response in members@delta with @removed property - azure-active-directory

I was going through this doc: https://learn.microsoft.com/en-us/graph/delta-query-groups#deltalink-response to get incremental changes for groups. I have an AAD group in which I added 5 users. On running the delta link, I see the response showing 5 users. I deleted these 5 users from AAD (note that I deleted the users from Azure Active Directory itself), and these users were automatically removed from the AAD group that they belonged to. On running the delta link, I see no response:
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#groups",
  "@odata.deltaLink": "",
  "value": []
}
Is this a bug? Why is the response not showing the users removed from the group because they were deleted from AAD?

From the response, the odata.context is https://graph.microsoft.com/v1.0/$metadata#groups. You are calling the delta query on groups, not on users.
Call the delta query on users:
GET https://graph.microsoft.com/v1.0/users/delta
Based on this comment, delta query on groups doesn't show any group membership changes due to the deletion of a member.
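A worked sync loop, added here as an example (not code from the question or the answer), that follows the nextLink/deltaLink chain for both groups/delta and users/delta and applies both to a local membership mirror, so a user deleted from the directory still disappears from the mirrored groups. The pages in FAKE_GRAPH are constructed stand-ins for Graph responses with made-up ids and tokens; a real fetch would perform the authenticated GET and return the parsed JSON.

```python
from typing import Callable

G = "https://graph.microsoft.com/v1.0"
REMOVED = "@removed"  # Graph's marker for deleted or out-of-scope items
# Constructed pages standing in for /groups/delta and /users/delta responses
# (ids and tokens are made up): u2 leaves the group explicitly, which groups/delta
# reports; u1 is deleted from the directory, which only users/delta reports.
FAKE_GRAPH = {
    f"{G}/groups/delta": {
        "@odata.nextLink": f"{G}/groups/delta?$skiptoken=p2",
        "value": [{"id": "g1", "members@delta": [{"id": "u1"}, {"id": "u2"}, {"id": "u3"}]}]},
    f"{G}/groups/delta?$skiptoken=p2": {
        "@odata.deltaLink": f"{G}/groups/delta?$deltatoken=d1",
        "value": [{"id": "g1", "members@delta": [{"id": "u2", REMOVED: {"reason": "deleted"}}]}]},
    f"{G}/users/delta": {
        "@odata.deltaLink": f"{G}/users/delta?$deltatoken=d2",
        "value": [{"id": "u1", REMOVED: {"reason": "deleted"}}]},
}

def walk_delta(fetch: Callable[[str], dict], url: str) -> tuple[list[dict], str]:
    """Follow @odata.nextLink pages; return (all items, the final @odata.deltaLink)."""
    items: list[dict] = []
    while True:
        page = fetch(url)
        items.extend(page.get("value", []))
        if "@odata.nextLink" not in page:
            return items, page["@odata.deltaLink"]
        url = page["@odata.nextLink"]

def apply_group_changes(mirror: dict[str, set[str]], groups: list[dict]) -> None:
    """Fold members@delta into {group_id: member_ids}; @removed entries are removals."""
    for grp in groups:
        if REMOVED in grp:  # the group itself was deleted
            mirror.pop(grp["id"], None)
            continue
        members = mirror.setdefault(grp["id"], set())
        for m in grp.get("members@delta", []):
            (members.discard if REMOVED in m else members.add)(m["id"])

def apply_user_removals(mirror: dict[str, set[str]], users: list[dict]) -> set[str]:
    """Users that users/delta marked @removed are dropped from every mirrored group."""
    gone = {u["id"] for u in users if REMOVED in u}
    for members in mirror.values():
        members -= gone
    return gone

def sync(fetch: Callable[[str], dict] = FAKE_GRAPH.__getitem__) -> dict[str, set[str]]:
    mirror: dict[str, set[str]] = {}
    apply_group_changes(mirror, walk_delta(fetch, f"{G}/groups/delta")[0])
    apply_user_removals(mirror, walk_delta(fetch, f"{G}/users/delta")[0])
    return mirror
```

Persist the returned deltaLinks and pass them as the next start URL so the following run only fetches changes.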

Related

How to optimally define permissions based on content with TypeORM

I'm using MS SQL Server + TypeORM with Nestjs to build an API.
There are different tables already created in the database, like:
User, Client, Country, Building, Asset.
I want that the content that users are able to see is filtered based on some criteria (like Client and Building), for that reason I've defined some intermediate tables to assign permissions to users:
ClientUserPermission, BuildingUserPermission.
All these tables are mapped with TypeORM with their own Entity Repository.
So to get the data from each entity, and what I do to filter the content per user is:
First call to retrieve the ids of an entity from its corresponding permissions table, using the id of the user.
Second call to the targeted entity, filtering the data by the previous ids using the IN operator.
For example, to load all assets that a user can see:
Assets have buildingIds assigned, and BuildingUserPermissions have possible combinations of userId and buildingId, so I do the following:
public async findAllAssetsByUser({...}: QueryParamsDto, userId?: string): Promise<Asset[]> {
  ...
  // Call the permissions service and get the buildings this user is allowed to see.
  const allowedBuildings = await this.permissionsService.findAllowedBuildingsByUser(userId);
  // Retrieve assets filtered by the user's allowed buildings.
  // In() takes the array itself; In([allowedBuildings]) would pass a single nested array.
  const data = await this.assetsRepo.find({
    ...,
    where: {
      ...,
      buildingId: In(allowedBuildings),
      ...,
    },
    ...,
  });
  return data;
}
I think that there's probably a better way of doing this so I don't have to make one or more extra calls to get the permissions first.
I've thought that maybe it would be better to query the data using a query builder to automatically do joins with the corresponding permissions table.
If there are better ways please tell me.

How to get All Users in the organization with their member Groups using MS Graph in a single request

Is there a way to retrieve Users in an organization including Groups that each User is a member of, in a single call to Microsoft Graph?
Something like https://graph.microsoft.com/v1.0/users?$expand=MemberOf
This call does not return the Member groups. If I call the beta endpoint with same URL though I get the member groups in the response. the problem with the beta end point is that it returns a big response and I could not find a way to combine $expand with $select to only return the MemberOf property for each User and User's id field.
Not all relationships and resources support the $expand query parameter. $expand is only supported in beta and typically returns a maximum of 20 items for the expanded relationship. And not all resources or relationships support using $select on expanded items; I also tried https://graph.microsoft.com/beta/users?$expand=memberOf($select=id,name) in beta, and the error indicates that this is not valid. For the details, please read here.
According to the introduction of this document, "with Azure AD resources that derive from directoryObject, like user and group, $expand is only supported for beta and typically returns a maximum of 20 items for the expanded relationship".
Based on my test, you can use the API below to list all the memberOf entries for one user:
GET /users/{id | userPrincipalName}/memberOf
So there is no way to retrieve the users in an organization including the groups that each user is a member of with a single call to Microsoft Graph.
As others have mentioned, it's not possible with a single request.
For retrieving all users of our organization and the groups they are members of, I resorted to this:
Fetch all groups (https://graph.microsoft.com/v1.0/groups/)
For each group, fetch all members (https://graph.microsoft.com/v1.0/groups/[groupId]/members)
In memory, flatten the groups (a group can have another group as a member), so that each group has only users as members, including the users of any member groups.
This produced a list of groups, each with a list of all users that are directly or indirectly members (a user could be a member of a group that the original group has as a member). It should be relatively easy to convert it to a list of users, each with a list of groups they are members of, if that is what you need.
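The flatten-and-invert steps of this answer, worked as an added example (not the answerer's code). DIRECT_MEMBERS is a constructed stand-in for the results of the two Graph calls, typed with @odata.type the way Graph returns members; it deliberately contains a cycle (g-eng and g-sec contain each other), which a naive recursive flatten would loop on.

```python
USER, GROUP = "#microsoft.graph.user", "#microsoft.graph.group"

# Constructed stand-in for GET /groups followed by GET /groups/{id}/members:
# group id -> its direct members, typed the way Graph types them.
DIRECT_MEMBERS = {
    "g-all": [{"@odata.type": GROUP, "id": "g-eng"}, {"@odata.type": USER, "id": "alice"}],
    "g-eng": [{"@odata.type": GROUP, "id": "g-sec"}, {"@odata.type": USER, "id": "bob"}],
    "g-sec": [{"@odata.type": USER, "id": "carol"}, {"@odata.type": GROUP, "id": "g-eng"}],
}

def flatten_users(direct: dict[str, list[dict]]) -> dict[str, set[str]]:
    """{group_id: every user reachable through nested groups}.

    Each group is expanded with its own visited set, so cycles terminate and a
    group inside a cycle still receives the users of the groups it contains.
    """
    flat: dict[str, set[str]] = {}
    for root in direct:
        users, seen, todo = set(), {root}, [root]
        while todo:
            for m in direct.get(todo.pop(), []):  # an unknown group id contributes nothing
                if m["@odata.type"] == GROUP:
                    if m["id"] not in seen:
                        seen.add(m["id"])
                        todo.append(m["id"])
                elif m["@odata.type"] == USER:  # devices, service principals etc. are skipped
                    users.add(m["id"])
        flat[root] = users
    return flat

def groups_by_user(flat: dict[str, set[str]]) -> dict[str, set[str]]:
    """Invert the flattened map into {user_id: groups the user is in, transitively}."""
    by_user: dict[str, set[str]] = {}
    for gid, users in flat.items():
        for uid in users:
            by_user.setdefault(uid, set()).add(gid)
    return by_user

if __name__ == "__main__":
    for uid, gids in sorted(groups_by_user(flatten_users(DIRECT_MEMBERS)).items()):
        print(uid, sorted(gids))
```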

Jira AD Integration - Group filter prevents user import

We have a JIRA in our company configured to connect to our Active Directory, filtering users by the AD group "JIRA Users".
This works perfectly fine, but our company has more than 1000 groups that would be imported if I don't set a filter for groups. So I set an additional filter for the specific groups I want to import, on a different subtree.
Not all users in the group JIRA Users are in a group in this subtree I want to select for the group import.
Now the problem is that users in a group in my import subtree are correctly imported into JIRA. But if the user is only in groups in another subtree, the user does not get imported into JIRA.
Base DN: OU=company-shortname,DC=companyname,DC=de
Additional Group DN: OU=Subgroup,OU=Groups
User filter is:
(&(objectCategory=Person)(sAMAccountName=*)(&(memberOf=CN=JIRA User,OU=Groups,OU=company-shortname,DC=companyname,DC=de)))
Group object filter is:
(&(objectCategory=Group)(cn=*))
I can't go up one level on the additional group DN because then I have all 1000 groups. How can I set this up correctly?
Can you solve it by 'tagging' the groups you need to import, say by adding JIRA to the description or info (Notes) field and then pointing the group search to the top level OU and using (&(objectCategory=group)(info=JIRA*)) or similar?

Social Network Activity Feed + Groups

I'm working on a social network app and want to create an activity feed so people can keep up to date with all of their connections (classic Facebook stream). I have a DB table called activity set up for this like so:
activity_id (int)
user_id (int) //who posted it
group_id (int) //the group of connections that have permission to view
type (enum) //the type of activity performed
time (datetime) //the time the activity was performed
I would then do a select * from activity where user_id in (connections) to get the latest news.
Here's the catch. Users' activities do not always have visibility to the complete set of connections. Users can create groups of user ids to form smaller sets within their superset of connections. It's like how Facebook allows you to specify who sees a particular post instead of allowing all friends to see it.
I have a separate groups table set up with the following schema:
group_id (int)
connection_id (user_id, int)
user_id (group creator)
I have a group_id in my activity table. The group_id is the link to the subset of connections that have permission to see the post.
My question is, what is the best way to do this type of feed, and is there an optimal single select statement that will get me the output desired (a list of my connections activities that I have been granted permission to see)?
Thanks.
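One way to answer the "single select" part, added here as an example (not code from the question or the answer): the permission check is pushed into the query as an EXISTS against the groups table, so the feed never returns a post the viewer was not granted. It assumes, beyond what the post states, that a NULL group_id means "visible to all connections" and that the group on a post must have been created by the poster; the in-memory SQLite data is constructed.

```python
import sqlite3

# Constructed in-memory schema following the post's two tables. Assumption (not in
# the post): NULL group_id means visible to all of the poster's connections, a
# non-NULL group_id only to that group's connection_ids, and the group must have
# been created by the poster (groups.user_id) for the restriction to count.
SCHEMA = """
CREATE TABLE activity (activity_id INTEGER PRIMARY KEY, user_id INTEGER,
                       group_id INTEGER, type TEXT, time TEXT);
CREATE TABLE "groups" (group_id INTEGER, connection_id INTEGER, user_id INTEGER);
"""
# Alice (1) is connected to Bob (2) and Carol (3). Bob posts publicly (1) and to his
# group 10, which contains Alice (2). Carol posts to her group 20, which does not
# contain Alice (3). Bob's post 4 names group 30, which Carol owns, not Bob.
GROUPS = [(10, 1, 2), (20, 4, 3), (30, 1, 3)]
ACTIVITY = [(1, 2, None, "post", "2024-01-01 10:00"), (2, 2, 10, "photo", "2024-01-01 11:00"),
            (3, 3, 20, "post", "2024-01-01 12:00"), (4, 2, 30, "post", "2024-01-01 13:00")]

FEED_SQL = """
SELECT a.activity_id, a.user_id, a.type, a.time
FROM activity AS a
WHERE a.user_id IN ({placeholders})
  AND (a.group_id IS NULL
       OR EXISTS (SELECT 1 FROM "groups" AS g
                  WHERE g.group_id = a.group_id
                    AND g.user_id = a.user_id      -- the ACL must belong to the poster
                    AND g.connection_id = ?))
ORDER BY a.time DESC
"""

def demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany('INSERT INTO "groups" VALUES (?, ?, ?)', GROUPS)
    conn.executemany("INSERT INTO activity VALUES (?, ?, ?, ?, ?)", ACTIVITY)
    return conn

def feed_for(conn: sqlite3.Connection, viewer_id: int, connection_ids: list[int]) -> list[tuple]:
    """One SELECT: the viewer's connections' activities, filtered to what the viewer may see."""
    if not connection_ids:
        return []
    sql = FEED_SQL.format(placeholders=", ".join("?" * len(connection_ids)))
    return conn.execute(sql, (*connection_ids, viewer_id)).fetchall()

if __name__ == "__main__":
    for row in feed_for(demo_db(), 1, [2, 3]):
        print(row)
```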
If you're open to offloading your activity stream functionality to a service via an API, Collabinate (http://www.collabinate.com) may be useful to you.

How to limit SOQL results to those accessible to a user

I have admin API access for my organization. I'd like to run the same SOQL query, but get back results as visible to various users in my org: running "SELECT Name FROM Account" for user A, should only return account names accessible to user A.
I know this is easy if each user provides my application with their password and security token, so I can log in as them and run the query, but I want to do this only using my admin account.
This is very similar to:
Salesforce: impersonation using the API
but in this case I do have access to the data, I just want to filter it as though the request came from a specific user. It looks like there's an Apex "unit testing" method called System.RunAs() which looks close, but I want to run this via REST.
I think that you can filter the first SOQL query using HasReadAccess from the UserRecordAccess table.
You could try building a set of record IDs first and then using this to filter the Account query.
Set<Id> recordIds = new Set<Id>();  // a SOQL query returns a list of sObjects, so collect the RecordIds into a Set first
for (UserRecordAccess ura : [SELECT RecordId FROM UserRecordAccess WHERE UserId = :u AND HasReadAccess = true]) recordIds.add(ura.RecordId);
Account[] accs = [SELECT Id, Name FROM Account WHERE Id IN :recordIds];
More details in the official documentation.
