Lucene indexing with restricted user access - solr

We are trying to add full text search capabilities to our custom knowledge Base using lucene respectively solr. We currently restrict what a user can see with a role based model. So there is an array of roles attached to each article and if a user is also a member of one of that roles he / she can view the article.
So of course the search should only return results the user has access to.
I am a bit stuck on where to start or how to do this. Do I need to filter the results later? Do I create a role based index?
It would be highly appreciated if someone can point me in the right direction.
Thanks. Stephanie.

I would advice storing the access roles as metadata. Let define access_roles is able to multi-valued string field.
access_roles:[user, admin] // Users and the Admin roles can access this search.
access_roles:[user, admin, anonymous] // Users and the Admin and Anonymous roles can access this search.
You should edit access roles when you want to change permissions.
When Users who have user role searches, solr will retrieve only the results that match the user's access role.
When User who have (user) role and also (admin) role searches, him searches go like:
q=mainquery
&fq=access_roles:user
&fq=access_roles:admin
&facet=on
&facet.field=access_roles
which fetches all result which contains user role OR admin role in access_roles;
When user, (user) role, member of a special team (it_department) role searches,
q=mainquery
&fq=access_roles:user
&fq=access_roles:it_department
&facet=on
&facet.field=access_roles
which fetches 'it_department' documents also
I have drawed authorization scheme for better understand
Queries adapted from http://wiki.apache.org/solr/SimpleFacetParameters#Multi-Select_Faceting_and_LocalParams

Related

Getting user role in Team or channel

I have a Microsoft Teams group tab and I'd like to implement a permission system in which users can do different things in the tab depending on their role in the team (or channel). The context I get from the Teams JavaScript API cannot be trusted, so I have to check group/team/channel role through the MS Graph API.
The only way I've found to check whether a user is an owner or only a member of a team is to call /teams/{groupId}/channels/{channelId}/members. In the response I can see which roles users have and I so I can find out if the current user has owner privileges.
The problem is that this endpoint requires admin consent (I guess because it displays data of other users). I'd like to avoid having to ask for admin consent, however. Is there another way of finding out about the role of a user in a team without admin consent? (As private channels behave differently in Teams, this would be the same as finding out about the role in a channel)
I know that I can get if a user is in a group through the optional group claims that are added to the ID token but this doesn't include the rule inside the group/team/channel.
To read a user's role in a channel currently requires admin consent, the permission needed is ChannelMember.Read.All see list conversation member documentation here. Admin consent is also required to get a member of a team or list members in a team. For your particular use case, I would recommend asking your admin to grant these permissions.

What is the best approach to design database with external users, groups and permissions?

We are removing User, User Group and Permission models from our backend in favor of Auth0.
Our first idea was to just delete User, Group and Permission tables from DB and replace related foreign keys with varchar field. In this field we would then enter IDs that we get from Auth0 in JWT (pointing to something not present in our DB).
Is this good approach? I somehow feel that there must be more "relational" way of doing this.
Generally OAuth will not do all of the permission checks for you. Instead it gives you general mechanisms to sign the user in and issue + validate tokens.
In most real world architectures you also need to manage a second level of authorization in your back end - using domain specific user data for roles, permissions etc.
A couple of write ups of mine may help:
User Data Management
API Authorization
Auth0 Community Manager Dan here,
In this scenario you may be able to leverage the RBAC to replace your existing users/groups/permissions setup.
You would register a user's roles and the associated permissions of each role in the Auth0 dashboard or programmatically via the management API. Then you can setup a rule to add user roles to the token.
To connect this user to your existing user data store you can store the Auth0 id, similarly to how you have described.
This allows you to lookup the user when the token is received, and to associate any permissions or roles the user has. You can make roles API-specific by adding a prefix to the role, or have roles be general depending on your needs.

Salesforce Roles

I have roles hierarchy in place.
the new requirement is to set up permission to specific external users so they will not be able to see other users records.
the sharing setting for the object is set to Private. I cannot create a user without a role. Other users should be able to see other users (in their role) records. but only this few users should be able to see only records they own.
any idea how to solve it?
thanks,
Chen

Parse.com - How should I structure this data?

I have a music based app I'm building using Parse for the back end. I'm wondering how I should structure my data when it comes to user identities:
A user can be a regular user, and also a musician, and also a venue owner, etc.
So the idea is that a user can have different identities.
I would love your help on how to best structure this data.
You can have a role column in your user table, assign the role based on the user. When the user logs in to the app, you will read his role and based on the role, the ui will be populated. Is this what you are looking for?

Securing Web api Role Based

I hope you're fine, this is my first question and I really don't know where to start from, so here it is,
I've been trying to build a sample with Microsoft Web api Template where I have to authorize users based on roles for example "Admin, Moderators, etc..." so, the thing is the I don't want to put all those roles on the top of the controller like
[Authorize ( Roles ="Admin, Moderators, etc...")]
I see this as not a good practice because What happens if I create another role in my db? I will have to modify the controller to add the new Role xD, really bad, isn't it? so the question is. How to extend some class like AuthorizeFilter to get the roles from database and validate with the controller? I mean if there is a user who is in the role admin authorize it and viceversa?
the other question is How to build a great authorzationfilter which can manage something like if a user if in Moderator Role but the only right he has is to user the Create action in the controller?
I hope you can help me with an example...
Thanks in advance
Ps. Sorry for my english
I agree role based authorization is somehow limited and authorize attribute is a bit rigid.
In some scenarios role based authorization is not enough, you need to extend it. You can introduce the permission concept. Instead of be a requirement that you have to be a member of a specific role to execute an action, you could state that to be authorized to execute an action you need a specific permission. So instead of authorize attribute you use RequiredPermisionAttribute. Of course you need to write RequiredPermissionAttribute as an authorization filter.
In the database you have the Permissions Table, the RolesTable, the RolePermissions table and UsersInRole table.
So a user can be a member of one or more roles. A role can have one or more permissions. A user has a specific permission if he/she is a memeber of a role that has that permission.
The required permission filter checks if the logged in user is a member of a role that has the permission, if not, then returns 401 not authorized.
This is a more flexible approach, actions are not tied to roles and roles don't have a fixed number of permissions.

Resources