We have a requirement where we have users who have to be allowed to set their RSA Key, so that it will remove the unwanted burden & lead time on the ADMIN.
How do we create a Role (Access level to be provided) which can allow the user to set their own RSA_PUBLIC_KEY or RSA_PUBLIC_KEY_2
Related
ALTER TABLE tblExample
ALTER COLUMN xxx ADD MASKED WITH(FUNCTION='default()')
This makes masked for every user except admin.
GRANT/DENY UNMASK TO USERONE
I want to mask for only 1 user. I don't want to mask all users -> drop masks for all users except that specific one
Is there any way to make this happen?
Security wise this is not a good practice at all...however, if you want all current&future db users to be able to unmask and a single user not to, then you could grant unmask to public and deny it to the "pooruser" (deny supersedes grant)
grant unmask to public;
deny unmask to pooruser;
Not sure if this question has been answered elsewhere; I searched but I couldn't find a similar question.
I have a database table (tb_users) with a list of users, ID is primary, EMAIL is unique
I have another database table (tb_memberships) with a list of memberships that refer to tb_users by ID.
I'd like the memberships be added and revoked based on email addresses, not based on their IDs so that a user who HASN'T signed up yet be granted the membership when they sign up. How should I design the table so that a user (that hasn't signed up yet) can be added to the memberships table. Is it a good idea to make the foreign key in tb_memberships the users' email address? Or should these 'pending' memberships have their own table?
Solved this by adding a "ghost_account" boolean to the users table. Using a scope in Rails, I ignored all users who are considered "ghosts" so they can't log in and can sign up normally (ghost_account boolean is set to false once the user signs up). That way, I have a user ID that can be linked to everything else, even if the user hasn't signed up yet.
In my Appengine (using ndb) application I store users and both username and email need to be unique.
I also need to be able to update progress (save level if higher than previously stored level), change email and pw and delete account.
I noticed that it is not possible to query without ancestors in a transaction. But creating an ancestor is NOT a solution since that would limit the number of writes to 1 per second which is not OK if the app gets popular. So I need another solution.
Is it possible to use the Key? Yes, but that only makes the username unique, how can I make sure noone is reusing the email for another account?
You should be able to use a cross group transaction for this along with an entity that exists solely for reserving email addresses.
For your User entity, you could use the username as the key name. When creating a user, you also create an EmailReservation entity that has the user's email address as a key name.
You then use a cross-group transaction to create a new user:
#ndb.transactional(xg=True)
def create_user(user_name, email):
user = User.get_by_id(user_name)
email_reservation = EmailReservation.get_by_id(email)
if user or email_reservation:
# Either the user_name or email is already in use so stop
return None
# Create the user and reserve the email address so others can't use it
user = User(id=user_name)
email_reservation = EmailReservation(id=email)
ndb.put_multi(user, email_reservation)
return user
The User table contains administrative info like username, password, and email.
A Profile has all the other information like about me, names, social network URLs, etc.
A profile isn't required. (A profile isn't created until the user fills in profile info and saves it).
So, I've seen 2 implementations:
Only User has a ProfileId FK to Profile - ProfileId is nullable and has a SET NULL delete rule.
Only Profile has a UserId FK to User - UserId is required, thus, non-nullable, and the DELETE CASCADE delete rule.
I don't think they're equivalent. Where would each situation fit better when a user doesn't always have to have a profile associated with it?
After much searching and a few discoveries, Profile gets the UserId FK based on the Principal/Dependent concept.
User is the principal because it can exist independently without even knowledge that a profile exists. The Profile is the dependent, which bears the foreign key column, and it being dependent means it can't exist until the User is created to give its newly-generated Id to Profile's UserId.
For security purposes, is the primary identifier of an Active Directory user the 'logonname' attribute?
For example a user with the logonname "bob" is first created then removed from AD, then an another user is created again with the logonname "bob" - is this new user, from a security perspective, equivalent?
The reason I ask this question is due to some recent peculiarities with opening a PST mailfile - as the above example, a user has been removed then recreated with the same loginname, this new user is not permitted to open the previous users pst file despite sharing the same username.
Thanks.
No, the objectSid (a SID) is the primary ID when it comes to assigning permissions. A new user with the same name will have a different objectSid, and therefore will not be able to access files which the original user had permission to.