I created one report and moved it to a folder and shared the folder only with the Role called "Role 1" and when I login as a user with a different role say "Role 2", I am still able to see and run the reports. I expect the folder will be only visible to the user with "Role 1" Or when I ran I thought I might get "Insufficient privileges'...." but it behaved differently. Is my understanding on the report sharing is correct ?
Related
I have a Microsoft Teams free account that I created under an earlier organization name that I now wish to change. This is because my second Teams site undesirably reveals that it exists under the original organization name of my first Teams site.
Now, inviting users to my second Teams site inadvertently discloses to them that I also run the first Teams site. It comes up during certain Microsoft authentication screens. I don't want them to see that; it's distracting. Although both are non-profits, one organization has nothing to do with the other. A new user entering my second Teams site by invitation may feel confused when, upon initial entry, they're presented with my first organization's name.
I've since learned that I can indeed change my original organization name. Creating my first MS Teams site implicitly created the organization by that name within a personal Azure account that uses my credentials. It's at https://portal.azure.com, and my first Teams site shows up in there. It appears as a group within Azure Active Directory (AAD). My personal directory itself bears that initial name of my organization. The same name was automatically applied to the group representing my first Teams site.
Now, the directory itself is identified both by
the organization name, and
a corresponding subdomain name.
Both were the same, except the subdomain had no spaces embedded in it, obviously.
While I can change the directory's organization name, I don't see how to change the URL subdomain name (e.g., MySite.onmicrosoft.com) for my Teams site.
I know Microsoft Teams users aren't ever exposed to that technical subdomain information in normal everyday use anyway. However, that original name does become revealed when a new user is invited to the new Teams site. On the Android app, for example, upon initial login and setup, the new Teams user is asked to tap on the organization name. And there was my first disappointment, because it was the name of the other unrelated organization! After tapping it, users are then led to the correct Teams site that I did intend to make available to them.
That's what prompted me to want to change my organization name.
I was successful with that by changing the organization name under Properties for my directory. THis resolved the issue for the newly authenticated Android Microsoft Teams user.
However, I cannot see how to rename the subdomain itself. And that's important, because PC users at least (or those trying to enter my Teams site from a web browser) are in fact presented with a permissions prompt where that undesired subdomain name appears!
Is there a way to rename the subdomain?
POSTSCRIPT - Guess what? I can create new directories in AAD alongside my original one! What if I move my Teams group from the unrelated directory to a new one I create? Would that be safe? Will my Teams site still be functional?
To answer your edit. a teams organization is associated with a specific azure active directory, even if you have a second directory, i don't believe there is any way to "move" things across. you would have to create everything from scratch.
to answer your general question, you would probably have to create a new directory as you described, then create a new teams, replicate the information, remove all the users from the old teams. and remove them from the original directory. then invite them to the newly created one.
The reason for this is, if you invite someone, you are essentially adding their email / login to your azure tenant. of they have been invited to multiple teams tenants. then when they log into teams there is functionality for them to switch between all the directories that they are a guest of. so they will be able to see it. the only way to remove that is to delete the guest users from azure ad.
I have a report set up for a department. The data is accessed on a replicated server on the backend with a fixed password.
What I normally do is add a new role for the user accessing the report as a browser, then they can see the report and work from there.
However, the machine that is being used to access a new report is logged on under a general user account and neets to remain this way, the report that is being accessed is confidential and can only be accessed by certain staff members.
I have played around with the security settings to see if windows authentication would work but i struggled.
What I was hopping to achieve was the following:
let a user access the report on the machine via a password to run the report (preferably their user log on detais even though the machine will be logged on under a different user).
If this is not possible, would it be possible to create a password protected report using parameters?
apologies If i am not clear, I am happy to explain further if needed.
As far as I know it is only possible to protect a report using AD credentials. This works fine, but is not useable if there are non-AD users who have to access the report.
What you can do is generate an SSRS report as a password protected PDF using SQL-RD and send it on a schedule.
You could try setting the access to the report itself at the report level. In Reporting Services you navigate to the report and click the down arrow to the right of the report name.
On the next screen you make sure the Security tab is highlighted. You can then add groups or users (Domain\User) and their roles for that report. Even though this is not password protecting the report it is limiting access to only authorized individuals.
I have come up with a work around.
I have added the users I wanted to have access to the Security tab.
Using powershell I have created a script to ask for credentials to open "internet explorer" as the user I want to have access.
Start-Process -FilePath "C:\Program Files\internet explorer\iexplore.exe" http://PATHTOMYREPORT -Credential (Get-Credential)
From here I then created a batch file that would execute this powershell script for me
#ECHO OFF
PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\powershellscript.ps1'"
I then created a shortcut to the batch file on the desktop, in the shortcut options I set it to run as minimized so the batch file output wouldnt appear, i renamed the shorcut after my report. Gave it an inconspicuos icon.
So what happens when someone double clicks the icon?
they get asked for their organisation log on details in a neat window.
when they enter their details the report should open successfully in internet explorer provided they have been added as a report browser to the security element of the report as outlined by #B.Serbele.
If a non intended user opens it, enters their details, it just crashes out.
No doubt you may find issues with this, i.e. someone can access the C drive and delete the powershell script or shortcut etc etc.
But its the best I could do with the set up we have at the moment.
Hope it may help someone.
Need a Process builder access for the Non-admin user in Salesforce Org.
Here I have following permissions based on my profile/user,
Flow User Enabled - User Record
Manage Flow Permission enabled - System permission(Profile).
And having a View All permission for all objects - Object Settings (Profile).
So I don't know where I am missing anything more for access process builder.
Where
currently if I check process builder via quick find i am not able to
see the option (link for process builder).
Helps appreciated. Thanks in advance.
The system permission "View All Data" is separate from the object-level "View All" permission, and is not the same as having "View All" on each object.
As documented in Create a Process, the permissions required are
To create, edit, or view processes: Manage Flow AND View All Data
You will need to add the View All Data system permission. Be aware that this bypasses large sections of the Salesforce security architecture.
I'm trying to setup a ActiveDirectoryUserStoreManager as a secondary user store. But I cannot seem to get the Role assignment of users correct.
What I have done so far:
- Made the AD ldap-connection
- Retrieved the users from the AD
- Retrieved the roles from the AD
- Can view Users that are connected to a specific role in API Manager Gui
My problem:
When I go to a user and click "View Roles" in the API Manager Gui ({IP}:9443/carbon/user/user-mgt.jsp) I get a "No matching roles found" dialog. But when I go to a Role ({IP}:9443/carbon/role/role-mgt.jsp) and click "View Users" I can see that the user I "View Roles" of above is actually in that role.
So obviously I have some sort of miss connection between the Users that are connected to Roles and the Roles that are connected to a User. I just cannot figure out where I'm getting it wrong.
If anyone would give me any hint or even ask a question about something I haven't already tried that would be awesome!
Seems to be a problem with your RoleDNPattern. You can first try by commenting it and see if it resolves the problem. If it does, then have to compose the correct query for that.
Using InstallShield 2012 Professional to install a ASP.NET website, and a custom app pool running in securitry context of a network service account. When I test the website, I encounter a permissions issue (file permissions), and the website fails with the message "Error: Access is Denied.".
Using InstallShield, I set permissions to each file for read access to the user "Authenticated Users". I set the permissions within the InstallShield ISM file by navigating to "Application Data" -> "Files and Folders"
Select each folder in the "Destination computer's folders"
Right-click each folder in the "Destination computer's folders"
Select context menu "Properties"
Click button "Permissions"
Add entry in "Name(s):" section for user "Authenticated Users", and domain is blank (select "Read & Execute", "List Folder Contents", "Read")
... then perform this action over and over again for each folder, then for each file.
Once I test, I find I have the problem. If I navigate to the actual files installed on the server and review, they appear correct, but do not function correctly. Infact, I - as a Authenticated User - do not have permissions to navigate the folder structure, but because I am an admin I can tweak the permissions and get in. If I manually reset these permissions on each of these files (and related folders) the website functions correctly. This means the app pool setup, the file copy, and the network service account are all functioning correctly, and the problem is strictly related to the permissions on the files IIS is trying to access.
Has anyone had this problem, and overcome it? If so, how? (I would prefer to avoid using InstallScript to set permissions.)
Notes:.
when considering settings in the "General Information" area, specifically the "Locked-Down Permissions" property - the behavior of file level permissions settings in InstallShield will differ. When selecting "Traditional Windows Installer handling", I was never successful adding explicit permissions. I noticed when doing so, all inherited permissions on the folder would dissappear. Additionally, while it appears the permissions are set in Windows, they behave like they are not set. Manual manipulation tests would show they were not correctly set.
When setting the "Locked-Down Permissions" property to "Custom InstallShield handling", I was able to add a permission and all inherited permissions remained intact. With this, I was able to apply the desired permissions to the root installation directory in the "Application Data"->"Files and Folders" area, and because I elected "Custom InstallShield handling" I am able to select the check box "Apply these permissions to child objects" in the advanced area of the permissions area of a folder property.
Steps to finalize and fix my problem:
In InstallShield (ISM file)...
Navigate to "General Information" (Lefthand pane)
Set Locked-Down Permissions to "Custom InstallShield handling"
Navigate to "Application Data"
Right-click the root folder where program is to be installed
Click "Properties"
Click button "Permissions"
Right-click top half of screen in white box area labeled "Name(s)"
Select context menu item "New"
Remove domain user leaving this field blank
Added user "Authenticated User"
Select check boxes in lower area ("Read & execute", "List Folder Contents", "Read")
Click button "Advanced"
Check checkbox "Apply these permissions to child objects"
Click button "OK"
Click button "OK"
Click button "OK"
Recompile installation program and install. Now works.