I want to model a use case in Neo4j.
Use case:
User
Role
Department
Permission
Here a user can have multiple roles, and a user can be associated with multiple departments through multiple roles.
Ex:
User A is connected with Department X with role A and role B, and the same user is connected to Department Y with role A and role C; further, each role will have a set of permissions.
Suggest a Neo4j data model.
http://neo4j.com/docs/2.1.5/examples-user-roles-in-graphs.html and http://neo4j.com/docs/2.1.5/examples-acl-structures-in-graphs.html both provide a very good reference which you can consult to build up your model.
Related
In Snowflake I have a role XYZ.
I want to view all the users who are granted this role XYZ using SQL commands.
How can I do this?
I know we have
SHOW ROLES
SHOW USERS
SHOW GRANTS
Can we use the above to get what I am looking for?
You can use the following to list all users and roles to which role XYZ was granted:
SHOW GRANTS OF role XYZ
https://docs.snowflake.com/en/sql-reference/sql/show-grants.html
I am developing a web application for my school.
The fields of my Users table are
-Username
-Hashed_password
-Salt
-Role_ID
There are 6 roles in my Roles table
-Main Administrator
-Tech Administrator
-Faculty Administrator
-Career Administrator
-Student
-Graduated
My problem is: how can I make it so that a user with the Faculty Administrator role can see all the students and graduates that are related to their faculty? (Faculty is another table.)
And also, how can I make it so that a user with the Career Administrator role can see all the students and graduates that are related to their career? (Career is another table.)
Do I need to create other tables to give permissions for that faculty or career, or how do I relate the faculty or career depending on the type of user?
In the Users table you need to add ID_Career and ID_Faculty; with this, all the users have their career and their faculty. So if a user with the Faculty Administrator role wants to see all the students from his faculty or career, you only need to take the corresponding ID and search for all the students that have the same ID_Faculty or ID_Career.
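The schema change and lookup this answer describes, written in SQL (an added example, not code from the original post). Column types, the Name columns and the :viewer bind parameter are assumptions; the faculty or career used for filtering is read from the logged-in administrator's own row rather than taken from the request.

```sql
-- Added example: types, Name columns and :viewer are assumptions.
CREATE TABLE Faculty (ID_Faculty INT PRIMARY KEY, Name VARCHAR(100) NOT NULL);
CREATE TABLE Career  (ID_Career  INT PRIMARY KEY, Name VARCHAR(100) NOT NULL);
CREATE TABLE Roles   (Role_ID    INT PRIMARY KEY, Name VARCHAR(50)  NOT NULL UNIQUE);

CREATE TABLE Users (
    Username        VARCHAR(50)  PRIMARY KEY,
    Hashed_password VARCHAR(255) NOT NULL,
    Salt            VARCHAR(64)  NOT NULL,
    Role_ID         INT NOT NULL REFERENCES Roles (Role_ID),
    ID_Faculty      INT REFERENCES Faculty (ID_Faculty),  -- added per the answer
    ID_Career       INT REFERENCES Career (ID_Career)     -- added per the answer
);

-- :viewer is the username held in the authenticated session.
-- The scope (faculty or career) comes from that user's own row, so an
-- administrator cannot widen it by sending a different ID from the client.
-- Roles other than the two scoped administrator roles match neither
-- branch of the join and get no rows from this query.
SELECT s.Username,
       sr.Name AS role_name
FROM   Users AS viewer
JOIN   Roles AS vr ON vr.Role_ID = viewer.Role_ID
JOIN   Users AS s
       ON (vr.Name = 'Faculty Administrator' AND s.ID_Faculty = viewer.ID_Faculty)
       OR (vr.Name = 'Career Administrator'  AND s.ID_Career  = viewer.ID_Career)
JOIN   Roles AS sr ON sr.Role_ID = s.Role_ID
WHERE  viewer.Username = :viewer
  AND  sr.Name IN ('Student', 'Graduated');
```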
I have Azure AD Premium and O365 Enterprise License assigned for my users. Is it possible for me to allow the users to update their AD profile information, such as Job title, Department?
Is it possible for me to allow the users to update their AD profile information, such as Job title, Department?
Yes, you can do this. You need to assign roles to users, because it requires a Global administrator or User administrator to add or update a user's profile information.
For the details, you could read this doc.
I have a question regarding one user who belongs to two different user groups in SQL Server; I am trying to manage object permissions on the server.
In our database, there is one view with sensitive permissions that only certain people can see, and most of our users are managed in groups,
such as: Sales Group, Manager Group.
Ideally, we want to grant permission only to Manager Group and deny permission to all the other users.
Let's say manager John is in Manager Group, but he is also in Sales Group since he is the manager of the Sales department.
My understanding is that if one user is in two different user groups and you deny permission to either of the groups, then even if the user has been granted permission in the other, he still cannot see the object.
How can I overcome this situation?
Thanks!
Replying to my own question: we found the solution.
Under database security, we can create database roles; in a database role we can assign single-table permissions to different roles, and then we assign the database roles to user groups. For example:
There are 3 tables in the database.
Table A is the one with credential information; only managers can see it.
Tables B and C are just regular tables.
Create database role 'Normal Access' and grant permission to tables B and C.
Then create another database role 'Credential Access' and grant permission to table A.
In your server-level security, all the user groups should only belong to 'Public' at the server roles level,
and in User Mapping, select the database and only choose the database roles you assign.
In my case, assign the database roles 'Normal Access' and 'Credential Access' to Manager Group, so it will have access to all of tables A, B and C.
Sales Group should only have 'Normal Access', so it cannot access table A.
Thanks
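The role layout described in this answer, written out as T-SQL (an added example, not code from the original post). The MYDOMAIN domain, the dbo.TableA/TableB/TableC names and the assumption that both Windows groups already have server logins are placeholders; the two closing queries audit the result.

```sql
-- Added example: MYDOMAIN and the dbo.Table* names are assumptions.
-- Assumes logins for both Windows groups already exist on the server.
CREATE USER [MYDOMAIN\Manager Group] FOR LOGIN [MYDOMAIN\Manager Group];
CREATE USER [MYDOMAIN\Sales Group]   FOR LOGIN [MYDOMAIN\Sales Group];

CREATE ROLE [Normal Access];
CREATE ROLE [Credential Access];

-- Table-level grants go to the roles, never to individual people.
GRANT SELECT ON OBJECT::dbo.TableB TO [Normal Access];
GRANT SELECT ON OBJECT::dbo.TableC TO [Normal Access];
GRANT SELECT ON OBJECT::dbo.TableA TO [Credential Access];

ALTER ROLE [Normal Access]     ADD MEMBER [MYDOMAIN\Sales Group];
ALTER ROLE [Normal Access]     ADD MEMBER [MYDOMAIN\Manager Group];
ALTER ROLE [Credential Access] ADD MEMBER [MYDOMAIN\Manager Group];

-- No DENY is issued anywhere. A member of both groups receives the union
-- of the grants, while a Sales-only member has no permission on TableA
-- simply because nothing grants it.

-- Audit 1: every principal holding a permission on the sensitive table.
SELECT pr.name AS grantee,
       pr.type_desc,
       pe.permission_name,
       pe.state_desc            -- a DENY row here would override the grants
FROM   sys.database_permissions AS pe
JOIN   sys.database_principals  AS pr
       ON pr.principal_id = pe.grantee_principal_id
WHERE  pe.class = 1
  AND  pe.major_id = OBJECT_ID(N'dbo.TableA');

-- Audit 2: which groups sit in which of the two roles.
SELECT r.name AS role_name,
       m.name AS member_name
FROM   sys.database_role_members AS rm
JOIN   sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN   sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE  r.name IN (N'Normal Access', N'Credential Access');
```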
I'm trying to set up security for my application for users. I am not sure about my logic. Is the following possible:
I want to create 1 login for 'all users' in Active Directory. Then I want an admin (in the program itself) to choose which user is in which server role (e.g. marketing, sales, ...). Then I want to give those roles permissions to the tables in the database.
Some questions about this:
Is this safe? Does the admin of the program have to be db owner?
Is it possible to list the users by name, instead of the login 'All users'? The admin has to be able to place a user in a role after it is created in AD.
I use the function SUSER_NAME(); will this return the current user or the group name 'All Users'?
If this isn't the right way to make security, please send me in the right direction.
Thanx!
Part of the best solution already lies in your desire to use the Active Directory to authenticate your users. Let it authorise your users as well. Marketing isn't just a database role that specifies access to your tables. It's a department of your company with file shares, mailing lists as well as a role to play in your application. Get your domain admin to make an AD group called Marketing and let them add and remove people as appropriate. Likewise for the Sales department and other departments who touch your database.
When that is done, add the MYDOMAIN\Marketing group as a login on your server and as a user in your database. It will behave more or less like the roles you've described so you can still go ahead and create the roles, add that domain group to the role and grant to the role or grant to that user directly since it identifies a group of people. This also gives you the chance to reconsider your role definitions. Are they really about Marketing people and Sales people or are they CustomerEditor, CustomerViewer, ProfitAndLossViewer roles?
User and group management is a standard function of AD administration; let them do what they do best. It probably doesn't need to feature too strongly in your solution unless you get very poor service from the domain admins, in which case, why use your AD to manage your users?
This very small change will probably free up a lot of your dev time and release you from reinventing a user management facility that already exists and is easy to use.
Good luck!
Here's what I would do:
Create two roles on the database, one users, one admin. Then create two security groups in AD, SQL.App.Admin and SQL.App.Users (replace App with whatever your app name is). I would then assign those groups to the roles in the database. After that you can drop users and/or security groups into those two groups.
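The group-as-login setup from the two answers above, as T-SQL, together with what the identity functions report for a person who connects through group membership (an added example, not code from either post). MYDOMAIN\Marketing is the group named in the first answer; the AppDb database, the dbo.Customer table and the read-only use of CustomerViewer are assumptions, and the same steps apply to groups such as SQL.App.Users.

```sql
-- Added example: AppDb and dbo.Customer are assumed names.
USE master;
-- One server login for the AD group; membership is managed in AD.
CREATE LOGIN [MYDOMAIN\Marketing] FROM WINDOWS;

USE AppDb;
CREATE USER [MYDOMAIN\Marketing] FOR LOGIN [MYDOMAIN\Marketing];

-- A role named for what it may do, as the first answer suggests.
CREATE ROLE CustomerViewer;
GRANT SELECT ON OBJECT::dbo.Customer TO CustomerViewer;
ALTER ROLE CustomerViewer ADD MEMBER [MYDOMAIN\Marketing];

-- Run the queries below while connected as a person who is a member of
-- MYDOMAIN\Marketing and has no login of their own.

-- SUSER_NAME() and SUSER_SNAME() report the person's own Windows account
-- (DOMAIN\user), not the group login, so per-user auditing still works.
SELECT SUSER_NAME()                     AS login_name,
       SUSER_SNAME()                    AS login_name_from_sid,
       ORIGINAL_LOGIN()                 AS original_login,
       IS_MEMBER(N'MYDOMAIN\Marketing') AS in_marketing_group,  -- 1 = yes
       IS_MEMBER(N'CustomerViewer')     AS in_customer_viewer;  -- 1 = yes

-- The Windows groups carried in the session's login token, useful when
-- checking through which group a person obtained access.
SELECT name, type, usage
FROM   sys.login_token
WHERE  type = N'WINDOWS GROUP';
```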