Relationship problem with 3 tables (Users, Roles & Permissions) - sql-server

I am developing a web application for my school.
The fields of my Users table are
-Username
-Hashed_password
-Salt
-Role_ID
There are 6 roles in my Roles table
-Main Administrator
-Tech Administrator
-Faculty Administrator
-Career Administrator
-Student
-Graduated
My problem is, how can I manage it so that a user with the Faculty Administrator role can see all the students and graduates that are related to its faculty? (Faculty is another table.)
And also, how can I manage it so that a user with the Career Administrator role can see all the students and graduates that are related to its career? (Career is another table.)
Do I need to create other tables to give permissions to that faculty or career, or how do I relate the faculty or career depending on the type of user?

In the Users table you need to add ID_Career and ID_Faculty; with this, all the users have their career and their faculty. So if a user with the Faculty Administrator role wants to see all the students from his faculty or career, you only need to take the corresponding ID and search for all the students that have the same ID_Faculty or ID_Career.
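
One way to apply the answer above, as an added T-SQL example that is not part of the original post: the filter takes the faculty or career from the viewer's own Users row on the server side. The column names come from the page; the Faculty and Career columns, the sample rows and the function name dbo.VisibleStudents are assumptions.

```sql
-- Added example (T-SQL). Username, Hashed_password, Salt, Role_ID, ID_Faculty
-- and ID_Career come from the page; all other names are hypothetical.
CREATE TABLE dbo.Roles   (Role_ID int PRIMARY KEY, Role_Name nvarchar(50) NOT NULL UNIQUE);
CREATE TABLE dbo.Faculty (ID_Faculty int PRIMARY KEY, Name nvarchar(100) NOT NULL);
CREATE TABLE dbo.Career  (ID_Career int PRIMARY KEY, Name nvarchar(100) NOT NULL);
CREATE TABLE dbo.Users (
    Username        nvarchar(50)  PRIMARY KEY,
    Hashed_password varbinary(64) NOT NULL,
    Salt            varbinary(32) NOT NULL,
    Role_ID         int NOT NULL REFERENCES dbo.Roles (Role_ID),
    ID_Faculty      int NULL REFERENCES dbo.Faculty (ID_Faculty),
    ID_Career       int NULL REFERENCES dbo.Career (ID_Career)
);
GO
-- Constructed sample data; hashes and salts are dummy bytes.
INSERT dbo.Roles VALUES (3, N'Faculty Administrator'), (4, N'Career Administrator'),
                        (5, N'Student'), (6, N'Graduated');
INSERT dbo.Faculty VALUES (1, N'Engineering'), (2, N'Law');
INSERT dbo.Career  VALUES (10, N'Computer Science'), (11, N'Civil Engineering'),
                          (20, N'Civil Law');
INSERT dbo.Users VALUES
    (N'fac_admin_eng', 0x00, 0x00, 3, 1, NULL),
    (N'car_admin_cs',  0x00, 0x00, 4, 1, 10),
    (N'student_cs',    0x00, 0x00, 5, 1, 10),
    (N'grad_civil',    0x00, 0x00, 6, 1, 11),
    (N'student_law',   0x00, 0x00, 5, 2, 20);
GO
-- The scope comes from the viewer's own row, never from a client-supplied ID.
-- A NULL ID_Faculty or ID_Career on the viewer matches nothing, so the filter
-- fails closed; roles other than the two scoped administrators get no rows here.
CREATE FUNCTION dbo.VisibleStudents (@Viewer nvarchar(50))
RETURNS TABLE
AS RETURN
    SELECT s.Username, sr.Role_Name, s.ID_Faculty, s.ID_Career
    FROM dbo.Users AS v
    JOIN dbo.Roles AS vr ON vr.Role_ID = v.Role_ID
    JOIN dbo.Users AS s
      ON (vr.Role_Name = N'Faculty Administrator' AND s.ID_Faculty = v.ID_Faculty)
      OR (vr.Role_Name = N'Career Administrator'  AND s.ID_Career  = v.ID_Career)
    JOIN dbo.Roles AS sr ON sr.Role_ID = s.Role_ID
    WHERE v.Username = @Viewer
      AND sr.Role_Name IN (N'Student', N'Graduated');
GO
SELECT * FROM dbo.VisibleStudents(N'fac_admin_eng');
SELECT * FROM dbo.VisibleStudents(N'car_admin_cs');
```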

Related

Snowflake: Does anyone have any idea how to create a Snowflake organization to organize all the Snowflake accounts

Can anyone explain the complete process to create a Snowflake organization account and the way to attach/detach an account from it? I looked in the Snowflake console as well as in the documentation but have not gotten clarity.
You should submit a ticket to Snowflake Support to enable organization on one of your accounts. This will create the ORGADMIN role in the account. Then you can grant this role to one of your users. The user which has the ORGADMIN role can access the Organization page. From the organization page, you can see your existing accounts, and create new accounts. When you create a new account, it will be in your organization automatically.
If you have an account which you can't see on the organization page, that means the account was created in another organization. In this case, you need to submit a ticket to Snowflake Support and ask them to move your account to your organization.
Normally, it's expected that each customer should have one organization, but if you have multiple organizations, you can also ask Snowflake Support to move your account from one organization to another (that's how you would detach). If you want to drop an account, you should also contact Snowflake Support; it can't be done through the organization page.

Create new user for one account in Snowflake organization

I am the ORGADMIN for my organization and want to create a new user for one of the Snowflake accounts. In the primary URL I can create a new user and role, but how can one be created for another account under the organization umbrella?
Find the URL for the account in which you want to create the user.
Once you log in, you have to create the user in that account.

SQL Server admin: 1 user belongs to 2 user groups, permission conflict

I have a question regarding 1 user who belongs to 2 different user groups in SQL Server; I am trying to manage object permissions on the server.
In our database, there is one view with sensitive permission that only certain people can see, and most of our users are managed in groups,
such as: Sales Group, Manager Group.
Ideally, we want to grant permission only to Manager Group and deny permission to all the other users.
Let's say manager John is in Manager Group, but he is also in Sales Group since he is the manager of the Sales department.
My understanding is that if 1 user is in 2 different user groups and you deny permission to either of the groups, then even if the user has been granted permission in the other, he still cannot see the object.
How can I overcome this situation?
Thanks!
Replying to my own question: we found the solution.
Under database security, we can create database roles; in a database role we can assign single-table permissions to different roles, then we assign the database roles to user groups. For example:
There are 3 tables in the database.
Table A is the one with credential information; only managers can see it.
Tables B and C are just regular tables.
Create database role 'Normal Access' and grant permission to tables B and C.
Then create another database role 'Credential Access' and grant permission to table A.
In your server-level security, all the user groups should only belong to 'Public' at the Server Roles level,
and in User Mapping, select the database and only choose the database roles you assign.
In my case, assign the database roles 'Normal Access' and 'Credential Access' to Manager Group, so he will have access to all of tables A, B and C.
Sales Group should only have 'Normal Access', so it cannot access table A.
Thanks
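
The grant-only layout from the self-answer above, as an added T-SQL example that is not part of the original post. It ends by impersonating each user and checking the effective SELECT permission on every table. Tables A, B, C and the two access roles follow the post; SalesGroup, ManagerGroup, John and Sam are hypothetical stand-ins for the Windows groups and their members, so the script runs without a domain.

```sql
-- Added example (T-SQL). Run in an empty test database.
CREATE TABLE dbo.A (Id int PRIMARY KEY, Secret nvarchar(100));  -- credential data
CREATE TABLE dbo.B (Id int PRIMARY KEY);
CREATE TABLE dbo.C (Id int PRIMARY KEY);

-- Access roles from the post: permissions are granted to roles only, and
-- nothing is DENYed, so an extra group membership can never remove access.
CREATE ROLE [Normal Access];
CREATE ROLE [Credential Access];
GRANT SELECT ON dbo.B TO [Normal Access];
GRANT SELECT ON dbo.C TO [Normal Access];
GRANT SELECT ON dbo.A TO [Credential Access];

-- Hypothetical stand-ins for the Windows groups (database roles can be nested).
CREATE ROLE SalesGroup;
CREATE ROLE ManagerGroup;
ALTER ROLE [Normal Access]     ADD MEMBER SalesGroup;
ALTER ROLE [Normal Access]     ADD MEMBER ManagerGroup;
ALTER ROLE [Credential Access] ADD MEMBER ManagerGroup;

CREATE USER John WITHOUT LOGIN;   -- manager who is also in Sales
CREATE USER Sam  WITHOUT LOGIN;   -- Sales only
ALTER ROLE SalesGroup   ADD MEMBER John;
ALTER ROLE ManagerGroup ADD MEMBER John;
ALTER ROLE SalesGroup   ADD MEMBER Sam;
GO
-- Effective permissions are the union of the grants reached through every
-- membership. A DENY on any one of them would override that union, which is
-- the conflict described in the question.
EXECUTE AS USER = 'John';
SELECT USER_NAME() AS who,
       HAS_PERMS_BY_NAME('dbo.A', 'OBJECT', 'SELECT') AS can_read_A,
       HAS_PERMS_BY_NAME('dbo.B', 'OBJECT', 'SELECT') AS can_read_B,
       HAS_PERMS_BY_NAME('dbo.C', 'OBJECT', 'SELECT') AS can_read_C;
REVERT;

EXECUTE AS USER = 'Sam';
SELECT USER_NAME() AS who,
       HAS_PERMS_BY_NAME('dbo.A', 'OBJECT', 'SELECT') AS can_read_A,
       HAS_PERMS_BY_NAME('dbo.B', 'OBJECT', 'SELECT') AS can_read_B,
       HAS_PERMS_BY_NAME('dbo.C', 'OBJECT', 'SELECT') AS can_read_C;
REVERT;
```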

neo4j data model for user and role

I want to model a use case in Neo4j.
Use case:
User
Role
Department
Permission
Here a user can have multiple roles, and a user can be associated with multiple departments through multiple roles.
Ex:
User A is connected with Department X with roles Role A and Role B, and the same user is connected to Department Y with roles Role A and Role C; further, each role will have a set of permissions.
Suggest a Neo4j data model.
http://neo4j.com/docs/2.1.5/examples-user-roles-in-graphs.html and http://neo4j.com/docs/2.1.5/examples-acl-structures-in-graphs.html both provide a very good reference which you can consult to build up your model.

User management in MSSQL

I'm trying to set up security for my application for users. I am not sure about my logic. Is the following possible:
I want to create 1 login for 'all users' in Active Directory. Then I want an admin (in the program itself) to choose which user is in which server role (e.g. marketing, sales, ...). Then I want to give those roles permissions to the tables in the database.
Some questions about this:
Is this safe? Does the admin of the program have to be db owner?
Is it possible to list the users by name, instead of the login 'All users'? The admin has to be able to place a user in a role after it is created in AD.
I use the function SUSER_NAME(); will this return the current user or the group name 'All Users'?
If this isn't the right way to make security, please send me in the right direction.
Thanks!
Part of the best solution already lies in your desire to use the Active Directory to authenticate your users. Let it authorise your users as well. Marketing isn't just a database role that specifies access to your tables. It's a department of your company with file shares, mailing lists as well as a role to play in your application. Get your domain admin to make an AD group called Marketing and let them add and remove people as appropriate. Likewise for the Sales department and other departments who touch your database.
When that is done, add the MYDOMAIN\Marketing group as a login on your server and as a user in your database. It will behave more or less like the roles you've described so you can still go ahead and create the roles, add that domain group to the role and grant to the role or grant to that user directly since it identifies a group of people. This also gives you the chance to reconsider your role definitions. Are they really about Marketing people and Sales people or are they CustomerEditor, CustomerViewer, ProfitAndLossViewer roles?
User and group management is a standard function of AD administration; let them do what they do best. It probably doesn't need to feature too strongly in your solution unless you get very poor service from the domain admins, in which case, why use your AD to manage your users?
This very small change will probably free up a lot of your dev time and release you from reinventing a user management facility that already exists and is easy to use.
Good luck!
Here's what I would do:
Create two roles on the database, one users, one admin. Then create two security groups in AD, SQL.App.Admin and SQL.App.Users (replace App with whatever your app name is). I would then assign those groups to the roles in the database. After that you can drop users and/or security groups into those two groups.
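
The setup from the first answer above, as an added T-SQL example that is not part of the original posts: the AD group becomes a login and a database user, and task-based roles carry the table permissions. MYDOMAIN\Marketing, CustomerViewer and CustomerEditor are named in that answer; the database AppDb and the table dbo.Customer are hypothetical, and the script needs a domain-joined server where the group exists.

```sql
-- Added example (T-SQL). AppDb and dbo.Customer are hypothetical names.
USE master;
-- One login for the whole AD group; membership is managed by the domain admins.
CREATE LOGIN [MYDOMAIN\Marketing] FROM WINDOWS;
GO
USE AppDb;
CREATE USER [MYDOMAIN\Marketing] FOR LOGIN [MYDOMAIN\Marketing];

-- Roles named after what they allow rather than after a department.
CREATE ROLE CustomerViewer;
CREATE ROLE CustomerEditor;
GRANT SELECT                 ON dbo.Customer TO CustomerViewer;
GRANT SELECT, INSERT, UPDATE ON dbo.Customer TO CustomerEditor;

-- The group is a database principal, so it can be a role member directly.
-- The application's admin needs no db_owner rights for day-to-day membership
-- changes, because those happen in AD.
ALTER ROLE CustomerViewer ADD MEMBER [MYDOMAIN\Marketing];
GO
-- Run from a connection opened by a member of the group. The identity
-- functions report that person's own Windows account, not the group name,
-- so per-user auditing still works although only the group has a login.
SELECT ORIGINAL_LOGIN()                AS original_login,
       SUSER_SNAME()                   AS login_name,
       IS_MEMBER('MYDOMAIN\Marketing') AS in_marketing_group,
       IS_ROLEMEMBER('CustomerViewer') AS in_viewer_role;
```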
