Active Directory groups and roles - azure-active-directory

I'm trying to incorporate Azure Active Directory into a project; ultimately I'm supposed to have three layers of roles and permissions:
1- Divisions
2- Locations
3- Roles
Scenarios:
Scenario 1:
A user can be a manager in location 1 in Div 0, but a regular employee in location 2 in Div 0 too
Scenario 2:
A user can be an admin in Div 1 which means he will be able to access all locations that are a member of Div 1
Scenario 3:
Div 0 is a group, locations are groups nested inside Div 0, roles are the types of roles given to users (the pages they're able to access based on which location and division they're in)
When they're assigned and everything checks out, I'm not sure what the best way is to handle it in a C# MVC app.
Not sure if what I'm trying to do makes any sense or is confusing.
Help is extremely appreciated.

As discussed in the comments, I think the best way to solve your problem is to create a custom role assignment web page and a page management web page, so that the system suits your requirements and is more scalable.
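An added example, not code from the question or the answer, of how the three scenarios above can be resolved in code once the assignments exist: divisions are groups, locations are groups nested inside a division, and a role is granted either at a division (covering every location in it) or at a single location. The group ids, role names, rank order and record shapes are assumptions made for illustration; the same lookup would sit behind the custom role assignment page the answer suggests.

```javascript
// Added example (not from the question or answer): resolving a user's
// effective role at a location when roles are assigned either at a
// division or at a location nested inside it. Group ids, role names,
// rank order and the data shapes are assumptions for illustration.

// Role precedence: when several assignments apply, the higher rank wins.
const ROLE_RANK = { employee: 1, manager: 2, admin: 3 };

// Constructed directory: a division is a group, and each location is a
// group nested inside exactly one division (the asker's Scenario 3).
const DIVISIONS = {
  div0: { locations: ["loc1", "loc2"] },
  div1: { locations: ["loc3", "loc4"] },
};

// Reverse map, location -> division, built once from DIVISIONS.
const LOCATION_DIVISION = Object.fromEntries(
  Object.entries(DIVISIONS).flatMap(([div, { locations }]) =>
    locations.map((loc) => [loc, div])
  )
);

// Constructed assignments: each grants a role at a scope, where the
// scope is either a division id or a location id.
const ASSIGNMENTS = [
  { user: "alice", scope: "loc1", role: "manager" }, // Scenario 1
  { user: "alice", scope: "loc2", role: "employee" },
  { user: "bob", scope: "div1", role: "admin" }, // Scenario 2
];

// Returns the user's effective role at a location, or null if none.
// A division-scoped assignment covers every location in that division;
// a location-scoped assignment covers only that location.
function effectiveRole(user, locationId, assignments = ASSIGNMENTS) {
  const division = LOCATION_DIVISION[locationId];
  if (division === undefined) {
    throw new Error(`unknown location: ${locationId}`);
  }
  let best = null;
  for (const a of assignments) {
    if (a.user !== user) continue;
    const applies = a.scope === locationId || a.scope === division;
    if (!applies) continue;
    if (best === null || ROLE_RANK[a.role] > ROLE_RANK[best]) best = a.role;
  }
  return best;
}

// The check a page handler calls: does the user hold at least
// `requiredRole` at this location? Unknown users or locations without an
// assignment are denied rather than defaulted to a role.
function canAccess(user, locationId, requiredRole, assignments = ASSIGNMENTS) {
  const role = effectiveRole(user, locationId, assignments);
  return role !== null && ROLE_RANK[role] >= ROLE_RANK[requiredRole];
}
```

Scenario 1 falls out of the location-scoped rows for alice; Scenario 2 out of bob's single division-scoped row, which covers loc3 and loc4 but not anything in div0.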

Related

Difference between AD user inside the Users container and the ones created at the root

Can anyone tell me what the difference is between an MS AD user created inside the Users container and the ones that I can create directly at the root of my domain?
I am kind of running into some issues with the authentication of the users that I created at the root.
There won't be any difference between users you create yourself in both places. However, the Users container is where the built-in user objects are, and there are differences between the built-in user objects and users you create yourself.
If you tell us what issues you're having, I might be able to help more.
Usually, your user accounts should go in an Organizational Unit (OU), since policies can be applied to those (policies cannot be applied to containers).

Creating user management system in Node js

I have a requirement for hierarchical user management system
where I have 3 hierarchies:
User
Manager
Admin
Now, Admin should be able to get a list as well as edit registrations with role 'User' as well as those with role 'Manager'.
'Manager' should be able to get a list of registrations with role 'User' and should be able to edit them.
I had thought of proceeding like:
router.get('/:role',auth.isAuthenticated(),auth.hasRole('admin'), users.findByRole);
where hasRole defines the minimum level of role required to access/edit the data.
However, I do not want a Manager to be able to get the List of admins or edit the list of admins.
It should have access to users list only.
This link suggests using bitwise operators, but I am pretty confused about the idea of integrating this piece of code with the backend, i.e. saving and retrieving data from MongoDB. Can I please get some pointers?
Look at this project: https://github.com/arthurkao/angular-drywall
This is a good MEAN-stack-based web app template with user management.
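An added example, not code from the question or from the angular-drywall project, showing the distinction the asker is after: `auth.hasRole('admin')` checks a minimum level for the caller, whereas the requirement is that a caller may only act on registrations of a role below their own (an admin lists and edits users and managers; a manager lists and edits users only, never admins). The rank table, the `req.user.role` field and the `req`/`res`/`next` stand-ins are assumptions.

```javascript
// Added example (not code from the question or the linked project): an
// Express-style middleware that decides whether the caller's role may
// list or edit registrations of the role named in the route parameter.
// The rank table and the req/res/next shapes are assumptions.

// Higher rank manages lower ranks; a role never manages its own rank or
// above, so a manager cannot list or edit admins (the asker's requirement).
const ROLE_RANK = { user: 1, manager: 2, admin: 3 };

// Pure decision function, kept separate from transport so it can be unit
// tested and reused by both the list route and the edit route.
function canManageRole(actorRole, targetRole) {
  const actor = ROLE_RANK[actorRole];
  const target = ROLE_RANK[targetRole];
  if (actor === undefined || target === undefined) return false; // unknown roles are denied
  return actor > target;
}

// Middleware factory in the style of auth.hasRole() from the question.
// Expects an earlier middleware (e.g. auth.isAuthenticated()) to have set
// req.user.role; the route parameter :role names the target role.
function canManageTargetRole() {
  return function (req, res, next) {
    const actorRole = req.user && req.user.role;
    const targetRole = req.params && req.params.role;
    if (!canManageRole(actorRole, targetRole)) {
      // 403 rather than 404: the caller is authenticated but not permitted.
      res.status(403).json({ error: "forbidden" });
      return;
    }
    next();
  };
}

// Minimal stand-ins for Express req/res so the middleware can run without
// a server; constructed for this example only.
function runMiddleware(actorRole, targetRole) {
  const req = { user: { role: actorRole }, params: { role: targetRole } };
  const result = { status: null, body: null, nextCalled: false };
  const res = {
    status(code) { result.status = code; return this; },
    json(body) { result.body = body; return this; },
  };
  canManageTargetRole()(req, res, () => { result.nextCalled = true; });
  return result;
}

// Usage in an Express router (not run here):
// router.get('/:role', auth.isAuthenticated(), canManageTargetRole(), users.findByRole);
// router.put('/:role/:id', auth.isAuthenticated(), canManageTargetRole(), users.update);
```

Storing the role as a plain string on the user document (as the ranks above assume) is enough for this rule; the bitwise approach the asker read about only becomes worthwhile when a user can hold several independent roles at once.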

apex how to login to another application from link in one application?

I have two applications in my workspace, APP 1 and APP 2.
In my case, the user will log in to APP 1. From there, I put a menu (or a link) to APP 2. However, APP 2 requires authentication, so it will take me to a login page. I would like to eliminate that and get the current user's credentials on APP 1 and log in to APP 2.
I'm looking for a simple, straightforward method (but I need to consider security) to log in to APP 2.
What I could think of is apex_collection. I could store credentials and use them to create a login process for APP 2. However, apex_collection is session based. Even though I've set the session for APP 2, it still won't read values from my apex_collection.
Does anyone have a suggestion or a solution?
All you need to do is use the same authentication scheme in both applications and set the cookie name attribute to the same value in both authentication schemes like this:
APEX will then use the same session across the two applications and the user will not have to log in again when they navigate from one to the other, provided of course that you pass the SESSION_ID in the URL.
A Few Comments on Default APEX Workspace Authentication Security
It may also be helpful to expand on an explanation of why the solution posted by @TonyAndrews works.
For any Apex Apps within the same workspace, if they use the default "APEX Application Authentication" method, they will consult the same authentication user list... so USER1 and its password is a valid login for any of the "neighboring" applications...
This may be a concern if you are hosting different clients or users that should not be intermingling with the other applications. You can also define user GROUPS in the same place as you set up each workspace user. Each application can have its own security filter that permits access by membership of BOTH user/password authentication AND membership in the appropriate access group.
Sharing workspaces may also be a problem because of the unique user name restriction of a single workspace. You can get around that by:
Defining different name-spaces for each application:
Email addresses are good: "someuser@sampledomain.com"
An app id prefix such as: SHOP_EDNA, SHOP_GARRETT, TC_KAREN, TC_MARLOWE, MY_BORIS etc.
Different name styles: first name only, first name + last initial, etc.
To keep things simple, you can always just spin up a brand new workspace: a warning however is that common user names like `ADMIN` are NOT the same between separate workspaces. There shouldn't be much concern however because apps or workspace users may have the same or different schema access privileges to the database back end.
A Word of Caution to Administrators and Developers:
When you go live with an application or multiple applications on a user-facing system, keep in mind the deployment destination (i.e., the workspace) and what else is sharing that workspace. There are some real situations where apps are not intended to be shared or accessed by other "inside" users. Be sure to read up and understand the security constraints and methods of using Default Apex Authentication security so that it's more than luck that protects your own production/live deployed applications.
I have a similar requirement, linking from one application page to another.
I tried the above-mentioned solution, but it still asks to log in to the second application. My Apex version is 5.0.3 and I'm trying this in the same workspace.
I created new authentication schemes for each app with the same cookie name and set them as the current authentication. The scheme type is Application Express accounts.
Setting the link as below from first app page to second.
href="http://servername:port/apex/f?p=224:2:&APP_SESSION"
Could anyone provide a solution, please?
Just an update on this.
I am currently using v21.2 and this is how I do it:
In both applications, go to Shared Components > Authentication Schemes > (Select your Auth Scheme);
Scroll down to Session Sharing and select 'Workspace Sharing';
In one of the applications (source), create a link (as a Navigation Bar List entry, for example) like f?p=173:1:&SESSION., where 173 is the target application ID and 1 is the target page.
After some research, I've found out that this feature (Session Sharing Type) is available since v18 of APEX.

How can I do role based access for the pages using AngularJS?

I want to do a role based access for the pages in AngularJS.
Based on the role pages should be shown to the user.
Can anyone give me an example? Which would be the best solution?
Accessing a page based on the role is very easy.
Suppose the web/dashboard has three roles, like admin, support and employee.
Assign a field userrole to the users.
Now assign the roles for those pages as ng-if="userrole=='admin'", or vice versa.
Now, based on the roles, the pages are accessible.
I'd suggest you take a look at (in the following steps):
Decide on an approach for accessing the current users role.
Look into ui-router, specifically its Resolve method.
Run some third function inside the Resolve method to see if the user is of the correct role, and handle your cases in what way you will.
Something I worked on a while back had an Authenticate method running in the Resolve method, you may want to have a look at that for reference. This was not role based however, but it may give you a nudge in the right direction.
Routes:
https://github.com/kasperlewau/metalmarket/blob/master/app/assets/javascripts/config/routes.js
Auth Service: https://github.com/kasperlewau/metalmarket/blob/master/app/assets/javascripts/app/services/auth.js
If anyone has a better idea for role based / logged-in based authentication, I'm all ears.
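An added example, not code from either answer or from the metalmarket repository linked above, of the route-level guard the second answer describes: a decision function consulted from a ui-router `resolve` entry, written without Angular so it runs on its own. Route names, role names and the `currentUser` shape are assumptions. Either approach on this page (`ng-if` or a resolve guard) only decides what the browser renders, so each API call behind those pages still needs its own server-side role check.

```javascript
// Added example (not from either answer or the linked metalmarket repo):
// a route-level role guard of the kind a ui-router resolve block would
// call, written without Angular so it runs stand-alone. Route names,
// role names and the currentUser shape are assumptions.

// Constructed route table: each route lists the roles allowed to enter
// it. A route with no `roles` entry is open to any signed-in user; a
// `public` route needs no sign-in at all.
const ROUTES = {
  dashboard: { url: "/dashboard" },
  admin: { url: "/admin", roles: ["admin"] },
  tickets: { url: "/tickets", roles: ["admin", "support"] },
  login: { url: "/login", public: true },
};

// Decides whether `user` may enter `routeName`. Returns an object a
// resolve handler can act on: allowed, or the route to redirect to.
function checkAccess(routeName, user, routes = ROUTES) {
  const route = routes[routeName];
  if (route === undefined) {
    return { allowed: false, redirectTo: "login", reason: "unknown route" };
  }
  if (route.public) return { allowed: true };
  if (!user) return { allowed: false, redirectTo: "login", reason: "not signed in" };
  if (!route.roles) return { allowed: true };
  const userRoles = Array.isArray(user.roles) ? user.roles : [];
  const ok = route.roles.some((r) => userRoles.includes(r));
  return ok
    ? { allowed: true }
    : { allowed: false, redirectTo: "dashboard", reason: "role not permitted" };
}

// Builds the function a ui-router `resolve` entry would call: it returns
// a Promise that resolves when access is allowed and rejects otherwise,
// which is how a resolve entry blocks the state transition.
function requireAccess(routeName, getCurrentUser, routes = ROUTES) {
  return () =>
    Promise.resolve(getCurrentUser()).then((user) => {
      const decision = checkAccess(routeName, user, routes);
      if (!decision.allowed) {
        const err = new Error(decision.reason);
        err.redirectTo = decision.redirectTo;
        throw err;
      }
      return user;
    });
}

// In ui-router terms (not run here):
//   .state('admin', { url: '/admin',
//                     resolve: { access: requireAccess('admin', getCurrentUser) } })
// with a $stateChangeError listener that calls $state.go(error.redirectTo).
```

Keeping `checkAccess` synchronous and free of framework objects is what makes the rule testable on its own; the Promise wrapper is the only part that is specific to how resolve blocks signal a denied transition.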

Combining conditions in Drupal

I am making a project and it has three types of users. My problem is that I want the first two categories of users to be able to access the information, and for the third kind of user I want to display the access denied page. I know I have to combine the conditions and events in Rules under the configuration page of Drupal, but I am not able to get the result I want. Please help me.
If what you want to deny access is a content type, then check this module: http://drupal.org/project/content_access
Basically, it adds custom access rules for every content type in your Drupal installation. You can select the role and the access type from the content type administration page in admin/structure/type. Also, it can show different access options depending on the node.
If you want to deny access to an individual node, there is the Node Access module, which will "override the permissions for a given content type by setting permissions on an individual node".
