I have a role hierarchy in place.
The new requirement is to set up permissions for specific external users so they will not be able to see other users' records.
The sharing setting for the object is set to Private. I cannot create a user without a role. Other users should be able to see other users' (in their role) records, but only these few users should be able to see only records they own.
Any idea how to solve it?
Thanks,
Chen
Related
If you have used Telegram messenger, you know that the owner can add several administrators to Telegram channels and groups. You can also change administrators' permissions, set a custom title for each admin, etc.
I am developing a Telegram bot. In its database, one person is designated as the owner of the bot. When users use the bot, their information is stored in the database. The owner of the bot can set any of these users as an administrator so that those users can execute certain commands in the administrator position in the bot. Also, the owner of the bot can determine the permissions of each administrator in a very precise manner. For example, things like the following should be considered for every administrator:
can_add_channel,
can_delete_channel,
can_edit_users_info,
can_delete_users,
etc.
It is also necessary to record the time of promotion and demotion of administrators, etc...
But I don't know how to design its database.
I only know that it should be similar to the structure that Telegram has implemented for its channels and groups to manage administrators.
I think I should have tables called users, permissions, admins, roles, etc. But I can't create a good relationship between these tables and I don't even know what columns are needed for each one.
I don't know what topic this question is about and what topic I should search on Google exactly. I need a basic and correct structure.
Please help
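One possible layout for the tables asked about above, as an added example that is not part of the original question. All table, column and function names are assumptions; each promotion is stored as its own row so that promotion and demotion times are kept as history, and only a row with no demotion time grants anything.

```python
import sqlite3

SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, telegram_id INTEGER UNIQUE NOT NULL,
                    is_owner INTEGER NOT NULL DEFAULT 0);
CREATE TABLE permissions (name TEXT PRIMARY KEY);
-- One row per promotion; demoted_at stays NULL while the term is active.
CREATE TABLE admin_terms (
    id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL REFERENCES users(id),
    custom_title TEXT, promoted_by INTEGER NOT NULL REFERENCES users(id),
    promoted_at TEXT NOT NULL, demoted_at TEXT);
CREATE UNIQUE INDEX one_active_term ON admin_terms(user_id) WHERE demoted_at IS NULL;
CREATE TABLE admin_term_permissions (
    term_id INTEGER NOT NULL REFERENCES admin_terms(id),
    permission TEXT NOT NULL REFERENCES permissions(name),
    PRIMARY KEY (term_id, permission));
INSERT INTO permissions VALUES ('can_add_channel'), ('can_delete_channel'),
                               ('can_edit_users_info'), ('can_delete_users');
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # reject unknown users/permissions
    db.executescript(SCHEMA)
    return db

def promote(db, owner_id, user_id, title, perms, now):
    row = db.execute("SELECT is_owner FROM users WHERE id = ?", (owner_id,)).fetchone()
    if row is None or not row[0]:
        raise PermissionError("only the bot owner can promote")
    with db:  # term and its permissions are committed together or not at all
        term = db.execute(
            "INSERT INTO admin_terms (user_id, custom_title, promoted_by, promoted_at)"
            " VALUES (?, ?, ?, ?)", (user_id, title, owner_id, now)).lastrowid
        db.executemany("INSERT INTO admin_term_permissions VALUES (?, ?)",
                       [(term, p) for p in perms])
    return term

def demote(db, user_id, now):
    with db:  # close the active term; the row stays as history
        db.execute("UPDATE admin_terms SET demoted_at = ? WHERE user_id = ?"
                   " AND demoted_at IS NULL", (now, user_id))

def can(db, user_id, permission):
    # Only an active term (demoted_at IS NULL) grants a permission.
    row = db.execute(
        "SELECT 1 FROM admin_terms t JOIN admin_term_permissions p ON p.term_id = t.id"
        " WHERE t.user_id = ? AND t.demoted_at IS NULL AND p.permission = ?",
        (user_id, permission)).fetchone()
    return row is not None
```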
I'm currently working on a project where a user can have many roles, and each role is assigned one or many permissions. Permissions describe the actions that a user can apply to resources. For example, let's consider that I have three resources that I can interact with using my API: users, books, payments.
I'd like to have all users able to update their personal information like phone number, etc. This led me to give update permission on the user resource to all users. But the problem is that I want them to be able to update their own profiles only. Furthermore, some users have admin permissions and can change other users' permissions; therefore they have another kind of update permission on the user resource.
So my question is: what's the best way to design the permission table? Below you can find my schema design. Thank you for your answers in advance.
User(firstName string, lastName string, roles Role[])
Role(name string, description string, permissions Permission[])
Permission(name string, effect 'Allow' | 'Deny', resource string, action string)
Well, I am not entirely sure what you meant by resource and action. If you meant URI template and HTTP method, then ok. Otherwise you might need a different solution or somehow add parameters to your design if you want to allow or deny individual resources per id.
If we are talking about a REST API, which I assume, then you can do something like PATCH /api/v1/current-user/profile {...} for updating your profile and PATCH /api/v1/users/{user-id}/profile {...} to update somebody else's profile. If you meant controller classes and their methods, then you can do the same with two different controllers, something like CurrentUser.partialUpdate(params) and User.partialUpdate(params).
As for updating user permissions, I wonder how to do it, because in your model you can only update role permissions and give or take away roles for the users.
Another thing I don't understand is why you need the allow|deny flags. If roles collide because users can have multiple roles, or permissions collide because you can both allow and deny the same thing, then how do you resolve it without a hierarchy? And if you don't have a hierarchy, then this flag is completely useless; just deny all and allow what is added to the role.
As for the one-user-multiple-roles approach, it is not a great idea; at least in places where people take security seriously, a single account or at least a single session can have only a single role. Since this would make a lot of repetition, I would solve this on a role level and make composite roles or support role inheritance. So for example the Administrator role would be the composite of the OwnProfileEditor and ProfileEditor sub-roles, which I would rather call Features or Capabilities or PermissionGroups rather than Roles.
Usually RBAC is not that flexible, so people tend to add per User Permissions to override Role Permissions. I would not do it, because you will end up with a mess if you follow that approach.
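The design this answer describes, sketched as an added example that is not the answerer's code: permissions are (HTTP method, URI template) pairs, a session carries one role, a role is a composite of capabilities, and anything not explicitly allowed is denied. The "Member" role and the function names are assumptions.

```python
import re

# Capability -> set of (HTTP method, URI template) it allows.
CAPABILITIES = {
    "OwnProfileEditor": {("PATCH", "/api/v1/current-user/profile")},
    "ProfileEditor": {("PATCH", "/api/v1/users/{user-id}/profile")},
}
# A role is a composite of capabilities; a session has exactly one role.
# "Member" is a hypothetical role name for an ordinary user.
ROLES = {
    "Member": ["OwnProfileEditor"],
    "Administrator": ["OwnProfileEditor", "ProfileEditor"],
}

def template_to_regex(template):
    # Each "{placeholder}" matches exactly one non-empty path segment.
    parts = re.split(r"\{[^}]+\}", template)
    return re.compile("[^/]+".join(re.escape(p) for p in parts))

def allowed_routes(role):
    routes = set()
    for capability in ROLES.get(role, []):  # unknown role -> nothing allowed
        routes |= CAPABILITIES[capability]
    return routes

def is_allowed(role, method, path):
    # Deny by default: access needs an explicit allow entry, so no
    # allow/deny flag and no conflict resolution are required.
    return any(
        method == m and template_to_regex(t).fullmatch(path) is not None
        for m, t in allowed_routes(role)
    )
```

The `current-user` route carries no id, so the server has to resolve the target profile from the authenticated session rather than from anything the client sends.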
I have the 2nd highest Role in my Org assigned to me and, in a process of data cleaning, I want to edit an "Account" record whose owner doesn't have a Role. Every time I try to edit it, the error says "You do not have the level of access necessary to perform the operation you requested. Please contact the owner of the record or your administrator if access is necessary".
Is it a permissions issue or something to do with sharing settings? What kind of access should I get from the Admin/Record owner in order to edit the record? (I have Edit access to all the objects in the Org)
If you're using a Public Read Only or Private sharing model, as it sounds like is the case, your position near the top of the role hierarchy is irrelevant to your access to this record because you have no relative position to the Account's owner.
You'd have access roll up to you if you were above that user in the role hierarchy. But you're not - they aren't in the role hierarchy at all.
You could be granted Modify All Data or Modify All permission on the Account object, but it's unlikely your org will wish to do that. It's too broad a grant of power. The easiest solution is for the record owner to manually share the record to you with write permission. Alternately, a superuser in your org (like a System Administrator or some other designated person who has Modify All permission) can share the record to you or make you the owner outright.
Some orgs also choose to do data cleaning processes using Data Loader and an integration user that possesses elevated privileges to avoid this type of issue.
I hope you're fine, this is my first question and I really don't know where to start from, so here it is,
I've been trying to build a sample with the Microsoft Web API template where I have to authorize users based on roles, for example "Admin, Moderators, etc...", so the thing is that I don't want to put all those roles on the top of the controller like
[Authorize ( Roles ="Admin, Moderators, etc...")]
I see this as not a good practice, because what happens if I create another role in my db? I will have to modify the controller to add the new role xD, really bad, isn't it? So the question is: how to extend some class like AuthorizeFilter to get the roles from the database and validate with the controller? I mean, if there is a user who is in the role admin, authorize it, and vice versa?
The other question is how to build a great authorization filter which can manage something like if a user is in the Moderator role but the only right he has is to use the Create action in the controller?
I hope you can help me with an example...
Thanks in advance
P.S. Sorry for my English
I agree role based authorization is somehow limited and authorize attribute is a bit rigid.
In some scenarios role based authorization is not enough; you need to extend it. You can introduce the permission concept. Instead of it being a requirement that you have to be a member of a specific role to execute an action, you could state that to be authorized to execute an action you need a specific permission. So instead of the authorize attribute you use RequiredPermissionAttribute. Of course you need to write RequiredPermissionAttribute as an authorization filter.
In the database you have the Permissions Table, the RolesTable, the RolePermissions table and UsersInRole table.
So a user can be a member of one or more roles. A role can have one or more permissions. A user has a specific permission if he/she is a member of a role that has that permission.
The required permission filter checks if the logged in user is a member of a role that has the permission, if not, then returns 401 not authorized.
This is a more flexible approach, actions are not tied to roles and roles don't have a fixed number of permissions.
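The four tables and the permission check this answer describes, as an added Python/sqlite3 sketch rather than the C# filter itself (it is not the answerer's code). The column names, the `Article.*` permission names, the sample rows and the `required_permission` decorator are assumptions; the decorator plays the part of RequiredPermissionAttribute and returns 401 as the answer states.

```python
import sqlite3
from functools import wraps

SCHEMA = """
CREATE TABLE Permissions (Id INTEGER PRIMARY KEY, Name TEXT UNIQUE NOT NULL);
CREATE TABLE Roles (Id INTEGER PRIMARY KEY, Name TEXT UNIQUE NOT NULL);
CREATE TABLE RolePermissions (
    RoleId INTEGER NOT NULL REFERENCES Roles(Id),
    PermissionId INTEGER NOT NULL REFERENCES Permissions(Id),
    PRIMARY KEY (RoleId, PermissionId));
CREATE TABLE UsersInRole (
    UserName TEXT NOT NULL,
    RoleId INTEGER NOT NULL REFERENCES Roles(Id),
    PRIMARY KEY (UserName, RoleId));
-- Constructed sample data
INSERT INTO Permissions VALUES (1, 'Article.Create'), (2, 'Article.Delete');
INSERT INTO Roles VALUES (1, 'Admin'), (2, 'Moderator');
INSERT INTO RolePermissions VALUES (1, 1), (1, 2), (2, 1);
INSERT INTO UsersInRole VALUES ('alice', 1), ('bob', 2);
"""
db = sqlite3.connect(":memory:")
db.executescript(SCHEMA)

def has_permission(user, permission):
    # True if any role the user is in carries the permission.
    row = db.execute(
        """SELECT 1 FROM UsersInRole ur
           JOIN RolePermissions rp ON rp.RoleId = ur.RoleId
           JOIN Permissions p ON p.Id = rp.PermissionId
           WHERE ur.UserName = ? AND p.Name = ? LIMIT 1""",
        (user, permission)).fetchone()
    return row is not None

def required_permission(permission):
    def decorator(action):
        @wraps(action)
        def wrapper(user, *args, **kwargs):
            if not has_permission(user, permission):
                return 401, "not authorized"  # action body never runs
            return action(user, *args, **kwargs)
        return wrapper
    return decorator

@required_permission("Article.Create")
def create_article(user, title):
    return 201, f"{title} created by {user}"

@required_permission("Article.Delete")
def delete_article(user, article_id):
    return 204, ""
```

Adding a role later is a matter of inserting rows into Roles, RolePermissions and UsersInRole; the decorated actions stay unchanged.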
Is it possible to use sharing rules for users WITH profiles? Is there any use of them if users have profiles? Or does the profile completely override record access so that I can forget about sharing rules?
I'm in a situation where ALL my users have profiles. What I wanted to do was to GRANT "Edit" access for certain records to certain user groups. Is that possible?
Thanks!
A user's role dictates which records they can SEE, while their profile dictates what they can DO with those records. Typically the only case where the profile overrides the role is if their assigned profile contains one of the "View All" or "Modify All" permissions on an object.
For example, if you have a role hierarchy set up that divides different branches of your organization, it may be useful to hide the data between these branches. In this case, you would want to set the org-wide default to Read Only, and provide sharing rules that grant access on an as-needed basis (these sharing rules would be based on a user's role, public groups, or queues that they belong to).
Sharing rules also allow you to specify whether you want to grant the ability to edit records or simply view them. So in your case, you will want to create a sharing rule granting edit access on records owned by one group of users to your second group of users.
See the Overview of Sharing Settings for more information.