loopback find Users based on they Role - relationship

Is there a way to get all Users with the same Role?
Now i only can think at doing this using multiple steps.
I have to get the Role first, then all the RollMappings, parse them and get the principalId and then get all Users.
Is there a simpler way to achieve this?
Thank you.

There are dynamic roles and static roles. For example, $everyone, $authenticated, $owner are dynamic roles and the isInRole is determined per request. For static roles, the user/role mapping is stored at RoleMapping model. You should be able find all users for a given role at:
RoleMapping.find({where: {principalType: ‘USER’, principalId: userId, roleId: roleId}, cb);

Related

Role based access control pattern design

I'm currently working on a project where a user can have many roles, and each role has assigned one or many permissions. Permissions describe the actions that a user can apply to ressources. For example let's consider that I have three ressources that I can interact with using my API : users, books, payments.
I'd like to have all users able to update their personal informations like phone number... etc. This led me to give update permission on user's ressource for all users. But the problem is that I want them to be able to updates their own profiles only. Furthermore, some users have admin permissions and can change other users permissions, therefor they have another kind of update permission on user's resource.
So my question is : what's the best way to design the permission table. Below you can find my schema design. Thank you for your answers in advance.
User(firstName string, lastName string, roles Role[])
Role(name string, description string, permissions Permission[])
Permission(name string, effect 'Allow' | 'Deny', resource string, action string)
Well I am not entirely sure what you meant by resource and action. If you meant URI template and HTTP method, then ok. Otherwise you might need a different solution or somehow add parameters to your design if you want to allow or deny individual resources per id.
If we are talking about a REST API, which I assume, then you can do something like PATCH /api/v1/current-user/profile {...} for updating your profile and PATCH /api/v1/users/{user-id}/profile {...} to update somebody else's profile. If you meant controller classes and their methods, then you can do the same with two different controllers, something like CurrentUser.partialUpdate(params) and User.partialUpdate(params).
As of updating user permissions, I wonder how to do it, because you can update only role permissions and give or take away roles for the users in your model.
Another thing I don't understand that why do you need the allow|deny flags. If roles collide because users can have multiple roles or permissions collide, because you can both allow and deny the same thing, then how do you resolve it without a hierarchy? And if you don't have a hierarchy, then this flag is completely useless and just deny all and allow what is added to the role.
As of the one user multiple roles approach it is not a great idea, at least in places where people take security seriously a single account or at least a single session can have only a single role. Since this would make a lot of repetition I would solve this on a role level and make composite roles or support role inheritance. So for example the Administrator role would be the composite of the OwnProfileEditor and ProfileEditor sub-roles, which I would rather call Features or Capabilities or PermissionGroups rather than Roles.
Usually RBAC is not that flexible, so people tend to add per User Permissions to override Role Permissions. I would not do it, because you will end up with a mess if you follow that approach.

What is the best approach to design database with external users, groups and permissions?

We are removing User, User Group and Permission models from our backend in favor of Auth0.
Our first idea was to just delete User, Group and Permission tables from DB and replace related foreign keys with varchar field. In this field we would then enter IDs that we get from Auth0 in JWT (pointing to something not present in our DB).
Is this good approach? I somehow feel that there must be more "relational" way of doing this.
Generally OAuth will not do all of the permission checks for you. Instead it gives you general mechanisms to sign the user in and issue + validate tokens.
In most real world architectures you also need to manage a second level of authorization in your back end - using domain specific user data for roles, permissions etc.
A couple of write ups of mine may help:
User Data Management
API Authorization
Auth0 Community Manager Dan here,
In this scenario you may be able to leverage the RBAC to replace your existing users/groups/permissions setup.
You would register a user's roles and the associated permissions of each role in the Auth0 dashboard or programmatically via the management API. Then you can setup a rule to add user roles to the token.
To connect this user to your existing user data store you can store the Auth0 id, similarly to how you have described.
This allows you to lookup the user when the token is received, and to associate any permissions or roles the user has. You can make roles API-specific by adding a prefix to the role, or have roles be general depending on your needs.

Salesforce Roles

I have roles hierarchy in place.
the new requirement is to set up permission to specific external users so they will not be able to see other users records.
the sharing setting for the object is set to Private. I cannot create a user without a role. Other users should be able to see other users (in their role) records. but only this few users should be able to see only records they own.
any idea how to solve it?
thanks,
Chen

Lucene indexing with restricted user access

We are trying to add full text search capabilities to our custom knowledge Base using lucene respectively solr. We currently restrict what a user can see with a role based model. So there is an array of roles attached to each article and if a user is also a member of one of that roles he / she can view the article.
So of course the search should only return results the user has access to.
I am a bit stuck on where to start or how to do this. Do I need to filter the results later? Do I create a role based index?
It would be highly appreciated if someone can point me in the right direction.
Thanks. Stephanie.
I would advice storing the access roles as metadata. Let define access_roles is able to multi-valued string field.
access_roles:[user, admin] // Users and the Admin roles can access this search.
access_roles:[user, admin, anonymous] // Users and the Admin and Anonymous roles can access this search.
You should edit access roles when you want to change permissions.
When Users who have user role searches, solr will retrieve only the results that match the user's access role.
When User who have (user) role and also (admin) role searches, him searches go like:
q=mainquery
&fq=access_roles:user
&fq=access_roles:admin
&facet=on
&facet.field=access_roles
which fetches all result which contains user role OR admin role in access_roles;
When user, (user) role, member of a special team (it_department) role searches,
q=mainquery
&fq=access_roles:user
&fq=access_roles:it_department
&facet=on
&facet.field=access_roles
which fetches 'it_department' documents also
I have drawed authorization scheme for better understand
Queries adapted from http://wiki.apache.org/solr/SimpleFacetParameters#Multi-Select_Faceting_and_LocalParams

Securing Web api Role Based

I hope you're fine, this is my first question and I really don't know where to start from, so here it is,
I've been trying to build a sample with Microsoft Web api Template where I have to authorize users based on roles for example "Admin, Moderators, etc..." so, the thing is the I don't want to put all those roles on the top of the controller like
[Authorize ( Roles ="Admin, Moderators, etc...")]
I see this as not a good practice because What happens if I create another role in my db? I will have to modify the controller to add the new Role xD, really bad, isn't it? so the question is. How to extend some class like AuthorizeFilter to get the roles from database and validate with the controller? I mean if there is a user who is in the role admin authorize it and viceversa?
the other question is How to build a great authorzationfilter which can manage something like if a user if in Moderator Role but the only right he has is to user the Create action in the controller?
I hope you can help me with an example...
Thanks in advance
Ps. Sorry for my english
I agree role based authorization is somehow limited and authorize attribute is a bit rigid.
In some scenarios role based authorization is not enough, you need to extend it. You can introduce the permission concept. Instead of be a requirement that you have to be a member of a specific role to execute an action, you could state that to be authorized to execute an action you need a specific permission. So instead of authorize attribute you use RequiredPermisionAttribute. Of course you need to write RequiredPermissionAttribute as an authorization filter.
In the database you have the Permissions Table, the RolesTable, the RolePermissions table and UsersInRole table.
So a user can be a member of one or more roles. A role can have one or more permissions. A user has a specific permission if he/she is a memeber of a role that has that permission.
The required permission filter checks if the logged in user is a member of a role that has the permission, if not, then returns 401 not authorized.
This is a more flexible approach, actions are not tied to roles and roles don't have a fixed number of permissions.

Resources