We have a simple system, running Bugzilla 5.0.6. One Product, ProductA, multiple components. Two users, User1 & User2, no groups.
User1 is a member of conconfirm, User2 is not. ProductA is set to "Allow UNCONFIRMED Bugs"
User1 creates a bug for ProductA and the status defaults to CONFIRMED. All well and good.
User2 creates a bug for ProductA and the status still defaults to CONFIRMED, even though they are not a member of the in built canconfirm group.
I'm missing something fundemental here, how can I set up Produts / Users in Bugzilla so that certain users can raise bugs but are raised as UNCONFIRMED, whilst other users can raise bugs for the same product but raise them as CONFIRMED?
Related
I am trying to help someone troubleshoot an extremely odd AD\ADFS issue and am about out of ideas.
We are using ADFS to return the security groups (among other things) that a user belongs to. If that user has a specific group, then we grant them access. This is something that works on several other systems\environments. In this case, ADFS is not returning any domain groups for the user (and I have checked a few users).
If I use
Get-aduser username -properties memberof | select -expandproperty memberof
nothing gets displayed. If I do
get-aduser username -properties memberof | measureobject
it does give me a count of one.
Here's where things get really interesting.
If I check the user in ADUC, I see that it is a member of domain users, but that's it. If I go look at the group in question in ADUC, it shows this user is also a member of that group (but does NOT show this group under memberof for that user.)
If I check get-adgroupmember it shows that this user is a member of the group that I truly need returned. The SID is the same for the user that it shows as belonging to the group as it is for when I use get-aduser to check the user in question (where this group doesn't show up).
Now, all of that aside - if I go and query ADFS - I don't get any domain groups returned for the user in question (neither Domain Users nor the other one that it SHOULD be in)
I assume this is LIKELY something security related, but am at a loss.
This same exact configuration for ADFS works absolutely perfect in several of my test environments.
Any advice\suggestions?
A few things:
memberOf shows you only:
Groups in your AD forest with a group scope of Universal
Groups on the same domain with a group scope of Global
It does not show:
Groups with a scope of Domain Local on any domain
Groups on other domains in your forest with a scope of Global
There's more: the Domain Users group is a bit odd. Members of that group are not usually in the members attribute of that group. User objects have an attribute called primaryGroupID, which contains the RID of that user's "primary group". The RID is the last portion of the SID. That's what makes them a "member" of that group.
All this means that you can't rely on memberOf. You can search the member attribute of groups for the user (using the user's distinguishedName):
Get-ADGroup -Filter { member -eq "distinguishedName" }
And if you need the primary group, find that separately too.
But there is a PowerShell cmdlet that does all this for you: Get-ADPrincipalGroupMembership
It returns group objects, so if you just want the name, then pipe it into Select:
Get-ADPrincipalGroupMembership username | Select -ExpandProperty Name
Okay, I am going to try and explain this in a way that will make sense in the question that I am needing help with. Let's say that I have over 100 locations that I am pulling data from in a report that I have built already.
The following columns have the correct data coming through for each location:
User | Active | Admin | Organization | Department
User Column: This is where the name of the user is display
Active: This is if that user has an active account on that location
Admin: This is if that user has an admin account at the location
Organization: This is to display the organization for that particular location provides
Department: This is to display in what department of where the user works
Before I get into the question, I have a parameter set up to where the person receiving the report will have to choose the location that they are wanting to see before the report is shown. Another way to state that is to say the parameter is set to show only those users in that location once a locations is selected.
The question I have for a client is that some users are admins and those admins have access over 2 organizations. But some new users are not attached to an organization just yet. Is there a way for me to format a column/subreport to show those individuals that are not attached to an organization? I would be eternally grateful for someone to walk through the logic with me.
Designing data model for STANDARD and USER SPECIFIC records for SAAS based model.
In my SAAS based application, I have users and their associated (One to One) roles. Tenants can create their own roles specific to their company and assigned to their users. And the SYSTEM have some standard roles provided for the tenants to use. The SYSTEM defined standard roles are common to all tenants.
I have the ROLE and COMPANY tables as follows:
Table: COMPANY
COMPANY_ID | COMPANY_NAME
100 | Acme Inc.
101 | E Technologies.
Table: ROLE
ROLE_ID | COMPANY_ID | ROLE_NAME | IS_STANDARD_ROLE
1 | | ADMINISTRATOR |Yes
2 | |MANAGER |Yes
3 | 100 |MyAdmin |No
4 | 100 |MySpecialist |No
5 | 101 |Supervisor |No
Here I have ROLE.COMPANY_ID references COMPANY.COMPANY_ID
I am trying to figure out the best way to accommodate both standard and user defined roles in the same table and have Hibernate 3.0 with annotations can pull with no complexity.
Here are the alternatives I am having in place.
I can have both standard and customer defined roles in the same table as above and leave the ROLE.COMPANY_ID field blank(if mysql permits) for standard. But the challenge is for hibernate3.0 to pull both ROLE.COMPANY_ID=100 OR ROLE.COMPANY_ID=
I can define a dummy company called SYSTEM in the company table and refer all standard/SYSTEM records to the Company called SYSTEM. Again the same challenge to pull records with OR in hinernate 3.0 with aootations.
Not sure, how to do this OR clause on hibernate 3.0 with annotations without custom HQL? Some how , team don’t like the idea of dummy company record in database.
I can create copies of standard records for each tenant and assign them to their own company_id. But the chanllange here is, I will have at least 80 standard records for each tenant and If I expect 1000 free trail tenants, I will end up allocating 80,000 records space. Any thought with this design? Not a clover option, but Choose this with no options left..
Instead I would prefer to have one copy of standard records, where all tenants can share as they are SYSTEM records.
Any thoughts of Mr. Perfect’s design in terms of programmability, maintenance, DB space for SAAS startup.?
I've seen a couple options.
My preferred is to have two tables, one for standard roles and one for customer-defined roles. This is subtle but they are, essentially, two different entities: a role that is common to all tenants and a tenant custom role. It is possible that these will eventually differ in attributes and/or relationships.
The other is to collate them in one table as in your first two suggestions, which are essentially the same solution. The reason I don't like this is that you overload the definition of COMPANY_ID. You will almost always regret overloading a column definition.
Either way, I would select with one of the following methods:
1) Have Hibernate call a stored procedure that unions the two sets.
2) Have two calls and assemble in your collection. At a minimum you would cache the standard roles since they are not volatile. So this would not add a performance hit.
You could Add a ROLE TYPE entity, that classifies the roles in ROLE, to your data model. This would be better than having blanks in company ID, I think. It also allows you to build a hierarchy of roles if desired - just add a PARENT ROLE attribute and a recursive relationship.
Entities:
COMPANY (COMPANY_ID, NAME)
ROLE (ROLE_ID, ROLE_TYPE_ID, COMPANY_ID, NAME)
ROLE_TYPE (ROLE_TYPE_ID, PARENT_ROLE_TYPE_ID), NAME)
Relationships:
COMPANY to ROLE is 1:M
ROLE_TYPE to ROLE is 1:M
ROLE_TYPE to ROLE_TYPE is 1:M
Creating an activity tracking system for a social site. All user activiti from pooint of login til logoff are to be tracked. This means the first use case is the user's login. Every activity will have the same format so once I figure out how to track one activity then I can create chema for all activities. Currently for login I have steps like:
Two solutions I have:
Activity 1: User attempts to login
Activity 2 A: User has successfully logged in
Activity 2 B: User failed to login.
Activity 2 B A: User failed to login due to invalid password
Activity 2 B B: User failed to login due to locked account.
OR
Activty 1: User login - with result = Pass or Fail and if Fail reason = flag_id of reason.
Accordingly I have to create the schema. For now I have it like this:
activity_id
object_id (fk)
session_id (fk)
user_id (fk)
flag_id (fk)
created_dt
friend_id (fk)
result (pass/fail)
But ofcourse this a work in progress.
It sounds like this requirement is simply stating (well, attempting to state it simply) that there should be an audit of login attempts to the system, to include reasons for failed logins. The table might look like this:
LoginAudit
ID (some kind of primary key, whatever your standards are)
UserID (FK to whatever table holds users, or whatever uniquely identifies a user)
LoginTime (time stamp of attempt)
IsSuccessful (bit, true or false, was the login successful?)
Status (FK to a table of known statuses, or just the status itself for a flat de-normalized structure, indicating "success" or a reason for failure, such as "invalid password" or "account locked")
(more relevant data, such as user's IP or location, etc.)...
This would be a write-heavy table (so watch the indexing) and data shouldn't ever be changed. You might want to put some triggers on it to prevent updates, etc.
On a side note, and this may go without saying but I feel I should say it anyway just in case, make sure you don't present the login failure reason to the user when you're storing it here. All the user should see is that the login failed. The reason for the failed login gives an attacker additional information that they can use to manipulate the system.
I am writing a user security module using SQLServer 2008 so threfore need to design a database accordingly.
Formally I had Userinfo table with UserID, Username and ParentID to build a recursion and populated tree to represent hierarchy but now I have following criteria which I need to develop.
I have now USERS, ADMINISTRATORS and GROUPS.
Each node in the user hierarchy is either a user, administrator or group.
User
Someone who has login access to my application
Administrator
A user who may also manage all their child user accounts (and their children etc) This may include creating new users and assigning permissions to those users. There is no limit to the number of administrators in user structure. The higher up in the hierarchy that I go administrators have more child accounts to manage which include other child administrators.
Group
A user account can be designated as a group. This will be an account which is used to group one or more users together so that they can be manage as a unit. But no one can login to my application using a group account.
This is how I want to create structure
Super Administrator
administrator
-------------------------------------------------------------
| | |
Manager A Manager B Manager C
(adminstrator) (administrator) (administrator)
|
-----------------------------------------
| | |
Employee A Employee B Sales Employees
(User) (User) (Group)
|
------------------------
| | |
Emp C Emp D Emp E
(User) (User) (User)
Now how to build the table structure to achieve this. Do I need to create Users table alongwith Group table or what?
Please guide I would really appreciate.
I may write down a more complete answer later, but I should begin by pointing out that a user is really a special case of an administrator, specifically an administrator who has no child users. I would probably design the users with this in mind.