I'm new in odoo world and I'm wondering if it's better to create a new account in order to use odoo, or just use the default admin account directly?
I do not like showing the admin in the contact list, so I would prefer to use the admin account directly by renaming it correctly with my personal information.
However, if it is better to use the administrator account just for installations and configurations tasks, I should use for hide admin account this module https://www.odoo.com/apps/modules/10.0/hidden_admin/ or is there anyway a more integrated solution?
Thanks in advance
There is nothing inherently wrong with using the Administrator account in production as long as whoever is using that login can be trusted. I would recommend using the user's real Name and Email as login instead of Administrator and admin.
Another consideration is that some activities are programmed to be executed under administrator (usually via a sudo call somewhere in the code). This just means that there may be times where an action appears to have been done by the Administrator account, but it may have actually been triggered by a different user. I don't have a list of those actions, but you can search the codebase for .sudo( to review them for your situation.
grep -rn /path/to/core -e '\.sudo(' --include='*.py'
If that fails for some reason you can do a more generic search. The majority of these results will still be relevant.
grep -rn ./ -e 'sudo' --include='*.py'
Related
I create successfully a ServicePrincipal (SP) in AzureAD and able to do a lot of stull like {Connect to Azure, Create resource, etc...}
I need my SP to use command Get-AzNetworkServiceTag but it always return empty values.
When I try command command Get-AzNetworkServiceTag with my own account I get expected result. I believe problem come from permission and your help is very welcome to set least privilege.
My current permissions looks like:
Do you know which one should I use ?
Alternative question is what is best practices to determine permissions based on powershell command ? Although permissions could name to determine there is so many that it's difficult to choose correct one. Thanks you.
The command Get-AzNetworkServiceTag essentially calls the Azure Management REST API - Service Tags - List, it is not related to Azure AD, to solve the issue, you need to assign the Azure RBAC role(not Azure AD admin role) to your service principal.
To solve the issue, the easiest way is to assign the built-in role e.g. Reader, Contributor to your service principal at the subscription scope. But if you want to the
least privilege, your option is to create a custom role then use it, you could follow the steps below.
1.Navigate to your subscription in the portal -> Access control (IAM) -> Add -> Add custom role, follow the screenshots.
Then skip the Permissions, in the JSON, click Edit, add Microsoft.Network/*/read to actions -> Next and create it.
After creating the custom role, wait for a while, navigate to the Access control (IAM) -> add the custom role to your service principal.
In conclusion, the Microsoft.Network/*/read action permission is the least privilege in this case, after giving the role, it will work fine.
Alternative question is what is best practice to determine permissions based on powershell command?
You just need to know what does the command do, then find the operation in the Azure resource provider operations, in this case, there is no such operation like Microsoft.Network/serviceTags/read, so we need to use Microsoft.Network/*/read at least.
You are facing this issue because Powershell cmdlet works differently than compared to MS Graph. Instead of permissions, Powershell require roles to do this operations. Please add Global Administrator role to your service principle and then try the Connect-AzAccount so that, the issue will be fixed.
For more details, you may refer to Assigning administrator roles in Azure Active Directory.
I am new to Salesforce, but am an experienced developer. I am provided a link to a Salesforce report, which mostly has the right filters (query). I would like to use an REST API to pull that information as CSV or JSON so that I can do further processing on it.
Here are my questions:
Do I need special permissions to make API calls? What are they?
Do I need to create an "app" with client-key & secret? Does my admin need to grant me permission for this too?
There are a lot of REST APIs from Salesforce, which one do I need to get the info from the report? Analytics?
How do I authenticate in code?
You'd have to work with the System Administrator on the security pieces. Anybody who knows how the company works, can all users see everything, is there Single Sign-On in place, how likely is the report to change...
You will need an user account to pull the data. You need to decide if it'll be some "system account" (you know username and password and have them stored in your app) or can it run for any user in this org. It might not matter much but reports are "fun". If there will be data visibility issues 6 months from now, you'll be asked to make sure the report shows only French data to French users etc... you can make it in report filters or have multiple reports - or you can just use current users access and then it's the sysadmin that has to set the sharing rules right. (would you ever think about packaging what you did and reusing in another SF instance? Making a mobile app out of it? Things like that, they may sound stupid now but will help you decide on best path)
The user (whether it'll be system account or human) needs Profile permissions like "API Enabled" + whatever else you'd need normally ("Run Reports" etc). If you're leaning towards doing it with system user - you might want to look at Password Policies and maybe set password to Never Expires. Now this is bit dangerous so there would be other things you might want to read up about: "API only user" (can't login to website), maybe even locking down the account so it can login only from certain IP ranges or at certain times when the job's supposed to be scheduled...
Connected App and OAUth2 stuff - it's a good idea to create one, yes. Technically you don't have to, you could use SOAP API to call login, get session id... But it's bit weak, OAuth2 would give you more control over security. If you have sandboxes - there's little-known trick. You can make connected app in production (or even totally unrelated Developer Edition) and use client id & secret from it to login to sandboxes. If you create app in sandbox and you refresh it - keys stop working.
(back to security piece - in connected app you can let any user allow/deny access or sysadmin would allow only say these 3 users to connect, "pre-authorize". Could be handy)
Login - there are few REST API ways to login. Depends on your decision. if you have 1 dedicated user you'll probably go with "web server flow". I've added example https://stackoverflow.com/a/56034159/313628 if you don't have a ready SF connection library in your programming language.
If you'll let users login with their own credentials there will be typical OAuth "dance" of going to the target page (Google login, LinkedIn, Twitter...) and back to your app on success. This even works if client has Single Sign-On enabled. Or you could let people type in their username and pass into your app but that's not a great solution.
Pull the actual report already
Once you have session id. Official way would be to use Reporting API, for example https://developer.salesforce.com/docs/atlas.en-us.api_analytics.meta/api_analytics/sforce_analytics_rest_api_get_reportdata.htm
A quick & dirty and officially not supported thing is to mimic what happens when user clicks the report export in UI. Craft a GET request with right cookie and you're golden. See https://stackoverflow.com/a/57745683/313628. No idea if this will work if you went with dedicated account and "API access only" permission.
I've written a security module for my MVC intranet that allows administrators to grant permissions to users for certain functions like viewing, editing, deleting etc. When an intranet user visits a page, the underlying security module checks the SQL database to see if an administrator has given them access to perform the task and, if they have the required permission, they can click a link or whatever.
What baffles me is that the above system doesn't work unless I republish the website after the administrator has granted the permission. The permission is stored correctly in a permissions table in the database but when the user tries to use the permission it doesn't work. As far as I can tell my security module is completely standalone and is just a case of reading and writing to a database using static methods like this:
if (SecurityManager.HasRole(Request.ServerVariables["AUTH_USER"], "edit")) { }
I'm sure this is just a basic flaw in my understanding but does anyone have any ideas how I can get this to work?
We have the angularjs application where we have different roles associated to the users. For ex: the two roles are Admin and Local. Based on the role, we show some menu items for the Admin and adds more features/screen to the Admin .
The userInfo with the Admin Property is returned from the login response and based on what we decide which all menu and screens to be rendered .
But if we user the developer tool, and the set the break point where the admin property is used, and set the admin property as true the user even he is a local user would be able to access admin privileges .
In short who has some idea about the javascript code can get the admin privileges . Is there any idea other than minification of the code to prevent this kind of security threats
Thanks
As the front-end of your application will run on the client machine there is actually no way to stop a user from debugging or modifying the code. Thus it's impossible to prevent someone from tricking their local instance of the application to think it's signed in as an administrator.
If you simply want to hide the admin interface, one possibility is to have separate (or additional) templates for administrators and restrict access to these based on the user's privilege. If there is anything to be gained from this is up to you. You will still need to validate the rights to execute any privileged action on the server anyway. Obtaining administrative privileges on the client must never be the same as obtaining them on the server side.
I have created a web page with RoR and i am using auth system that i wrote. Now i would like to create an admin panel, where i can see the user info etc..
I am not sure but what i though is to add a column name to auth system like admin? giving a default name false. Then if the admin? is true admin panel opens instead of the web page login.
I wonder if i can use the same auth system so in order to login to page it logs in to admin panel.
But in the controller it will check if admin? is true for every user, i am not sure about the burden in terms of the system requirments as it will check every user.
And i know there are other gems for admin panel but its fine i can design it. I am just not sure which way is the efficient way.
The burden on the system will be negligible. It depends a little bit upon how your auth system is configured, but I am assuming that you give the user a token when he/she is properly logged in.
When the user first tries to sign in, you should check if they are an admin. At this point, if they are, then you can sign them in as an admin, also storing that information in the session. You should perform this check on the controller actions where they need to be an admin. It will not affect performance to any noticeable degree and is important for the security of your site.
Also, you may want to check out the CanCanCan gem, which is a fork of CanCan built by Ryan Bates, for an example of how this works. Unless you're building the application for educational purposes, I highly recommend the CanCanCan gem.
Hope this helps!
In addition to that, you may try Rails_Admin, which provides an easy-to-use interface for managing your data.
And I've considered to use this gem for my project, which is a huge database, so it seems to very helpful.