Do railsapps (rails-devise-pundit) apps have multiple role support baked in? - pundit

In a stock "rails-devise-pundit" application generated using "railsapps",
does it include support for adding multiple roles for users?
Can I make John Doe have a :user role plus an :admin role?

In the default "rails-devise-pundit" application, each user has only one role. However, you can create your own custom Pundit policies to accommodate multiple roles. See the Pundit documentation.


Provisioning a team with hundreds of guest users

I was wondering how I would go about provisioning a team that will have hundreds of guest users?
I looked at PowerShell and School Data Sync, but it's only possible to add members within the organization. Is there a way to add about 13.000 guests (in an organisation that has 250 employees), without having to add them individually?
It's an EDU tenant.
We would split 13.000 users to multiple teams, so 10k limit will not be reached per team.
Well, there are two ways to do this. One, which you already mentioned, is PowerShell: you can add people outside your organization (guests). Adding guests is a two-step process: first you need to invite the user, second add him to the team. Check this documentation for how to add the guest and how to add bulk users using a PowerShell script.
And the second option is to use the API.
As per my knowledge, you have to add guest users in Azure Active Directory. If you need some special features like MFA then for guest users you can add up to 5 guest users for 1 license; otherwise there are no restrictions. In the past I created 132 guest users for my Azure account.
Yes, it is possible to add guest users in your Teams organization.
Add guest users as mail contacts in your Exchange organization
Add the contacts into Teams
You can find a short video tutorial prepared in my blog explaining this in the link shown below:
If you are looking for the solution which I explain in my blog, I can help out further in preparing a PowerShell script to add all users by PowerShell cmdlet.
Add External Contacts in Microsoft Teams

Drupal 7 all Users of one role need to be accessible from other role

We are using Drupal Commerce in our website.
We have multiple roles in this website ex. Customer, Customer representative, Content editor and Admin.
Users with "Customer" roles will be allowed to purchase product and make orders, Edit profile.
Users with "Customer representative" roles will be allowed to manage all users that are having "Customer" role. Which will include profile edit of any customer, edit customer's orders etc.
We are not sure how to make this functionality work with Drupal 7 and the Workbench module.
Any suggestions/ideas? Thanks in advance!
This module allows site builders to set up fine-grained permissions for allowing "sub-admin" users to manage other users based on the target user's role.
The module defines new permissions to control access to edit/delete users - more specific than Drupal Core's all-or-nothing 'administer users'. It also provides and enforces a 'create users' permission.

How to use Salesforce sharing rules for users with profiles?

Is it possible to use sharing rules for users WITH profiles? Is there any use of them if users have profiles? Or does the profile completely override record access so that I can forget about sharing rules?
I'm in a situation where ALL my users have profiles. What I wanted to do was to GRANT "Edit" access for certain records to certain user groups. Is that possible?
A user's role dictates which records they can SEE, while their profile dictates what they can DO with those records. Typically the only case where the profile overrides the role is if their assigned profile contains one of the "View All" or "Modify All" permissions on an object.
For example, if you have a role hierarchy set up that divides different branches of your organization, it may be useful to hide the data between these branches. In this case, you would want to set the org-wide default to Read Only, and provide sharing rules that grant access on an as-needed basis (these sharing rules would be based on a user's role, public groups, or queues that they belong to).
Sharing rules also allow you to specify whether you want to grant the ability to edit records or simply view them. So in your case, you will want to create a sharing rule granting edit access on records owned by one group of users to your second group of users.
See the Overview of Sharing Settings for more information.

User vs Account vs Role vs Profile vs Owner

I'm starting out with development, and I'm currently a little hazy about what the above terms all mean. Could someone give an overview, and if possible explain how permissions are defined on each one (if at all)?
User: a user who can login to Salesforce. Also includes customer and partner portal users.
Account: a business account, which usually represents a company and usually has child contacts (i.e. people in the company)
Role: a hierarchical group of users in an organization that is used as part of the sharing model. Users in higher roles have rights to see the records owned by users in lower roles (assuming their Profile allows it). Users do not have to belong to a role.
Profile: a collection of permissions and access rights for a user including CRUD permissions. A user must belong to exactly one profile. Also see about Permission Sets, which are a many-to-many relationship with users and augment profiles.
Owner: A user or group (queue) that owns a record. Record ownership along with the role hierarchy (and a few other things) control who can see the record.
To put it all together, you could say something like:
John Doe is a salesperson for ABC, Inc, and is a user in their organization. He is the owner of the Acme account. He has the Salesperson role, which is subordinate to the Sales Manager role, so his manager can see all his records. He has the Standard User profile, so he cannot perform administrative functions in Salesforce.
I'd also recommend that you take a look at the API doc, which explains all the entities and has relationship diagrams.

Application Active Directory Support, what does it exactly mean?

I can check a user in Active Directory; if he exists then I give him permission to open the app window, but what if an application has many levels of permission? Do I create special groups of permission in Active Directory and check if the user belongs to one of them? Can the application log in automatically, or is there always a need to enter a password?
Active Directory can fulfill two related but separate functions for an application: Authorization and Authentication.
Authentication is validating that the person using your application is a valid user. If you have the user's credentials (i.e. the application prompts the user for their username and password), you can authenticate them against AD by attempting a connection using their username/password.
Authorization is what lets you determine the level of permissions a particular user has in your application. Active Directory groups are a relatively straightforward and flexible way to implement the various permissions levels. Typically, I will create very fine-grained permissions groups that represent each securable action users can perform in the application (i.e. CanDeleteWidgets, CanAddWidgets, CanEditWidgets). Then create functional or role groups where you place the users for that role (i.e. Managers, Coordinators, Technicians, etc). Finally, you just nest the role groups into the permissions groups so if, for example, the business requirement is that Managers can delete widgets, you would add the Managers group as a member of the CanDeleteWidgets group. While this may seem more complex, it makes it extremely simple to respond to changing business security requirements (i.e. "Technicians need to be able to delete widgets" - Piece of cake. Add the Technicians role group to the CanDeleteWidgets permissions group and you're done).
As far as logging in automatically, yes, there are a number of ways you can automatically log in a user. For winforms apps, you should just be able to grab the currently logged in user and use that. For web apps, if you can use integrated authentication, you end up with the same thing. Your web server will handle the authentication piece and send over the DOMAIN\USERNAME of the user in a server header variable.
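
The role-group-into-permission-group nesting described in the answer above, as an added example that is not part of the original answer: a Python model that resolves permission-group membership transitively and lists what a user effectively holds. The account names, the Contractors group and the circular nesting are constructed assumptions, and the dictionary stands in for real directory lookups.

```python
# Constructed sample: group name -> direct members. A member that is itself a
# key is a nested group; anything else is a user (DOMAIN\name). Nothing here
# talks to a real directory.
SAMPLE = {
    "CanAddWidgets":    {"Managers", "Coordinators"},
    "CanEditWidgets":   {"Managers", "Coordinators", "Technicians"},
    "CanDeleteWidgets": {"Managers"},
    "Managers":     {r"CORP\alice"},
    "Coordinators": {r"CORP\bob"},
    "Technicians":  {r"CORP\carol", "Contractors"},
    "Contractors":  {r"CORP\dave", "Technicians"},  # constructed circular nesting
}
PERMISSION_GROUPS = ("CanAddWidgets", "CanEditWidgets", "CanDeleteWidgets")


def effective_members(directory, group):
    """Users who are in `group` directly or through any depth of nesting."""
    users, seen, stack = set(), set(), [group]
    while stack:
        current = stack.pop()
        if current in seen:  # already expanded, so nesting loops terminate
            continue
        seen.add(current)
        for member in directory.get(current, ()):
            if member in directory:
                stack.append(member)        # nested group: expand it later
            else:
                users.add(member.upper())   # compare account names case-insensitively
    return users


def is_authorized(directory, user, permission_group):
    """The check the application makes before a securable action."""
    return user.upper() in effective_members(directory, permission_group)


def effective_permissions(directory, user):
    """Audit view: every permission group the user reaches, however indirectly."""
    return sorted(p for p in PERMISSION_GROUPS if is_authorized(directory, user, p))


def nest(directory, role_group, permission_group):
    """Grant a permission to a whole role by nesting its group."""
    if role_group not in directory or permission_group not in directory:
        raise KeyError("unknown group")
    directory[permission_group].add(role_group)
```

Because membership is transitive, nesting Technicians into CanDeleteWidgets also grants the permission to everyone nested under Technicians, which `effective_permissions` makes visible before the change is made in the directory.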
