I have a SalesForce.com account that I use for demos. In many cases, I need the users (anyone on the web) to be able to browse the tables without making any changes.
Is there a way to make the tables public or create a guest account?
You can add a new user and create a special permission set to only allow read access. Dev orgs come with two users, but you can deactivate/re-activate users to get around the limit. Or ask SFDC support to add a few more users to your dev org.
There are several places User log-in time and date are logged so you can track them.
Related
I understand this is a really open question but I wondered what approaches you would all take.
Backstory:
Making a website that will have many different Roles that should have different access levels to the site.
Imagine a Role of Admin, Mod, Team Leader and Member. But there are say 3 teams with each of these roles within them. The Roles should only have permission level access to their own Team. all can access their own accounts and each others but only certain levels can change details as you go up. Admin is top level with full access, Mod can access say blogs and wikis, Team leader can manage the Team's details ect
What tools would you use to achieve this?
We are currently using AWS Amplify, Cognito and potentially AppSync.
Could i achieve this efficiently with IAM Groups or IAM Roles or AppSync?
Im new to all of this.
My initial thought was to grab the Cognito Group, Role and Tag Details when they login and store their TeamID and Tag/PositionID upon initial login and then do checks on the pages to compare the stores group and access levels and change the UI accordingly but is that the best way? Is there better free tools out there?
Thanks
Sam
Roles / groups are confusing.
Best explanation is you give roles to AWS services most of the time, and you assign real humans to a group.
If there is a dev or leader that has access to multiple different AWS projects, you can give them a role as well.
A majority of the time, roles are saved for Amazon services, like EC2 instances that need to access AWS services.
The majority of the time you put humans in groups. Unless the dev has an IAM account that is not under you. For example, if you are name#projectOne and projectOne is the root account, and someone else is name2#projectThree which is in a different part of your company. You could give them a role because their IAM account they are logging into is from a different root account.
Majority of the time, save roles for AWS instances like Ec2, etc. Just put IAM users in groups. If they are not under your root account, give them a role and then once they are in, they can get put in groups too, or can assign themselves into a group.
Don't give lower dev's roles, unless they are coming from a different dev team. If it is the same dev team (under the same root) just assign them to groups.
Continually check what permissions are being used by the devs in your group. Click on their name and then click on security advisor. If you see they aren't using a bunch of things (because it will show last day used...) then modify the group they are in, or create a new group for those specific activities and put them in that. AWS recommends giving the least access necessary.
I’ve been asked by a customer to find a way to collect all permissions for all app registrations in the customer’s AzureAD tenant. The customer has 1500+ App Registrations, so checking each manually isn’t an option. Most of these are redundant but the customer wants to review all of them to look for Graph API permissions that they’ve deemed sensitive. The problem is, there isn’t a way to export this info in the portal and Get-AzADApplication doesn’t give me actual permissions, just friendly descriptions of them. The customer would like the ACTUAL Graph API, such as Mail.Read.
I’ve attempted to script this with the assistance of a few more senior PFEs, but we’ve been unable to make any progress passing various properties between Get-AzAdApplication, Get-AzADServicePrincipal and Get-AzureADOAuth2PermissionGrant. We reached the point where we were able to get the Graph API permissions from the Service Principals, but the resultant permissions were in an unusable format.
If anyone has any suggestions on how to get this information into a concise format with (preferably) the Graph API permissions as mentioned above, I’d greatly appreciate it. I’d rather not go back to the customer and say it isn’t possible, as this is a new customer and I’d rather not say ‘No’ to my first task. 😊
Use Microsoft Cloud App Security for that purpose. This is tool designed, beside other features, especially for that purpose.
You open https://security.microsoft.com/ as a Global or Security Administrator, then you have quick overview on central place:
This will bring you to the MCAS portal, where you have solicit view on all applications with a rating, according to Microsoft standards for "Highly priviledged" access:
A direct view to applications, which users are using these applications, what permissions are granted. It even has filtering capabilities allowing you filter apps based on access level sevirity or even some Graph permissions - like Access e-mail on behalf of the user.
Your customer should really be using the Microsoft Security Center and monitor their security score: https://learn.microsoft.com/en-us/microsoft-365/security/mtp/overview-security-center
Then looking at MCAS: https://www.microsoft.com/en-us/microsoft-365/enterprise-mobility-security/cloud-app-security
You can use this script to list all delegated permissions and application permissions in Azure AD.
The key of the script is Get-AzureADServicePrincipalOAuth2PermissionGrant -ObjectId.
Based on my test, the permissions in the result is in this format: email offline_access openid profile User.Read.
I think it's what you need.
We are developing an app which our customer would like to install for some of their teams. However, we have not yet listed this app on the App Marketplace and would like to install this application for our client's sub-org without needing to do so. Is there any way to have the admin grant access to our app for only this sub-org?
We checked out domain wide delegation, but it seems to be for the whole domain. The only other method seems to be using OAuth, but this would involve every person individually signing up, and not a one time action by the admin.
Thanks!
As far as I know.... no.
But you definitely could simulate that. For instance make your app completely public, but on the login page check for the IP of the logged customer and then decide if it comes from the right subdomain. If not, send the customer to a "403" page.
Or you might be able to create ONE user, using the same email for the whole organization?
We are trying to build one simple website using force.com sites.Here User logged into website and need to perform different actions by moving to different VF pages.
We are facing a Problem to maintaine Session of particular user. We need help regarding how to maintaine session for particular user.
Kindly give your help. Please provide any sample code.
Thanks.
You can't ;)
Think about it, you can store usernames/passwords in your data objects and if they allow you to login and maintain a session for that user and use it to walk around apex pages and builtin forms why would you buy a salesforce license? You could operate a 1000 employees rig with just one administrative license and a site URL. For that reason salesforce does not allow you session control, it grants you one when you buy and expense a license.
For sites, you have to purchase either Customer Portal license or volume-based High Volume Customer Portal set and then use those to "promote" a contact into a login user with the above license. Then, when that user logs into site it has its own session.
This document http://wiki.developerforce.com/index.php/Authenticating_Users_on_Force.com_Sites might be of great help.
This tutorial shows you how to authenticate users on Force.com Sites. It provides a description of Customer Portal, which is needed for the authentication, and shows you how to set up such a site and process to allow site visitors to become authenticated users.
The points on customer portal are correct, and you have to pay for these licences. If you build your own auth on Force.com Sites and salesforce.com finds out they'll be very unhappy. That said you can still do it using cookies (http://www.salesforce.com/us/developer/docs/apexcode/Content/apex_classes_sites_cookie.htm) but it's not perfect because it's client-side.
I highly recommend that you steer clear of this approach though. You're better off building your UI layer on another platform (Google App Engine or Heroku) and using web services created on the Force.com platform through that UI.
We have installed SharePoint Server 2010 and Project Server 2010 without AD. We're a disconnected bunch and thought we'd take it for a spin since being part of BizSpark. But now I'm seeing an issue with editing user account info like email address. Can anyone give me some hints on how life might be like without AD or how to supplement what we might be missing by running the system without AD. Many posts note it is supported but little has notes on what you might be missing.
Thanks in advance.
What you need is to check out the User Profile Service Application area.
Go to SharePoint Central Administration
Go to Manage Service Applications
Select User Profile Service Application
This area is the home of the accounts that are in SharePoint, as well as all the information about the users and how it is displayed on their "My Site"/profile page areas.
If you select Manage User Profiles, this is the area where you can override information from Active Directory about users that are in sharepoint. If you connect to AD, you'll see a little database icon next to the fields that indicates it is synchronized. Even if you use AD, these field can be individually overriden with new information. If you don't have AD, then these will all need to be populated manually by you.
If you go to Manage User Properties you will find all the options to show which fields are editable and which fields are not on a user's profile. This includes, but is not limited to:
Email
Display Name
Homepage/Url
Department
Manager
If you have AD, you'll rarely visit this service admin page, because everything will just work. If you don't, then you'll need to check out this area to change the information about the people that are using your SharePoint instance.
Hope that helps!