KeyCloak composite role not added to access_token - keycloak

I could not understand why my composite role is not added to the access_token. I created a simple role (named Child) and assigned it to a user. Then I created a composite role (named Parent) and linked it with the Child role. I supposed that the composite role would be added to the access token, but this didn't happen.

A user to whom a composite role is granted will inherit all roles within the composite role. Notice the word "within".
So if the role "Child" was composed of the role "Parent" (Child -> Parent) and you assign the role "Child" to a user, then that user will also get the role "Parent" assigned to it. However, if you had just assigned the role "Parent" to the user, then that user would only get the role "Parent".
This is what is happening in your use case: you have the role "Parent" that is composed of the role "Child" (Parent -> Child). If you assign the role "Child" to the user, you will not see "Parent" there. However, if you assign the role "Parent" to the user, you will see both the "Parent" and "Child" roles assigned to that user.

Related

Taking the Name of the ROLE the user is in and populating it to a pick-list on the Opportunity

My customer has created roles with the names of the company's business divisions and sub-divisions. He wants to take the role the creating user is in, along with the next level up role, and populate those into two fields on the opportunity (ROLE and SUB-ROLE), and then use those two fields as dashboard filters. Since the role is in the setup section and is also not a field on the user record, I'm assuming some type of Apex trigger or Flow would be needed to take the role names of the creating user and then insert them?
They are new to Salesforce; they have not tried anything yet.

orientdb matching multiple possible edges

I am currently investigating using OrientDB to implement an authorisation system and I'm having some trouble with the edge arrow notation.
The graph has four different vertex types:
User
Group
Role
Resource
And four different edge types:
IN_GROUP
HAS_ROLE
CAN_ACCESS
INHERITS
And the structure is:
User -IN_GROUP-> Group
Group -HAS_ROLE-> Role
Role -CAN_ACCESS-> Resource
Role -INHERITS-> Role
A role may inherit other roles. This means that Role A may inherit Role B which may inherit Role C. I want to produce an Orient query that can say 'For a specific user, give me all of their roles, including any that they inherit'
Currently, to get a role's inherited roles, I'm doing this, but it only retrieves the first level of inherited nodes:
match {class:User, where:(name='Sean')} -IN_GROUP-> {class:Group} -HAS_ROLE-> {} -INHERITS-> {class:Role, as:role} return role.name
What I'm trying to retrieve is the entire chain of nodes that this initial role inherits, can anyone help me with this please?
What you need here is a WHILE condition on the INHERITS relationship:
match
{class:User, where:(name='Sean')} -IN_GROUP->
{class:Group} -HAS_ROLE-> {} -INHERITS-> {class:Role, as:role, while:(true)}
return role.name
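The Keycloak answer earlier on this page and the OrientDB traversal above come down to the same operation: following a directed "contains / inherits" relation outward from the roles a principal holds directly, and following it in that direction only. The script below is an added example, not code from Keycloak, OrientDB or either post. It models that expansion in memory (breadth-first, with a visited set, so multi-level chains are followed and a cycle such as A -> B -> A terminates) and adds the check a practitioner would actually run for the Keycloak question: reading realm_access.roles out of the access token. The role names, the sample graphs and the unsigned token are constructed for illustration; Keycloak's protocol mappers and OrientDB's MATCH engine are not reproduced.

```python
"""Role-inheritance helpers: expand a principal's effective roles through a
directed "composite / inherits" graph, and read the roles that actually
landed in a Keycloak access token.

Added example; not code from Keycloak, OrientDB or the original posts.
Role names and the sample token are constructed for illustration.
"""
import base64
import json
from collections import deque


def effective_roles(assigned, inherits):
    """Return every role reachable from the directly assigned roles.

    `inherits` maps a role to the roles it contains: a Keycloak composite
    Parent -> {Child}, or an OrientDB Role -INHERITS-> Role edge A -> {B}.
    The relation is followed in one direction only, which is why holding
    Child never yields Parent.  A visited set makes cycles terminate.
    """
    seen = set()
    queue = deque(assigned)
    while queue:
        role = queue.popleft()
        if role in seen:
            continue
        seen.add(role)
        queue.extend(inherits.get(role, ()))
    return seen


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def token_realm_roles(access_token):
    """Read realm_access.roles from a JWT WITHOUT verifying its signature.

    Use this only to inspect a token you just obtained from the token
    endpoint yourself; an authorization decision must go through full
    signature verification, never through this helper.
    """
    payload = access_token.split(".")[1]
    claims = json.loads(_b64url_decode(payload))
    return set(claims.get("realm_access", {}).get("roles", []))


def _fake_token(claims):
    # Constructed, unsigned token: header.payload.signature with a dummy signature.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])


# Keycloak case from the question: Parent is a composite that contains Child.
KEYCLOAK_COMPOSITES = {"Parent": {"Child"}}

# OrientDB case: chain A -INHERITS-> B -INHERITS-> C, plus C -> A to show a cycle terminates.
ORIENT_INHERITS = {"A": {"B"}, "B": {"C"}, "C": {"A"}}


if __name__ == "__main__":
    print(sorted(effective_roles({"Child"}, KEYCLOAK_COMPOSITES)))   # ['Child']
    print(sorted(effective_roles({"Parent"}, KEYCLOAK_COMPOSITES)))  # ['Child', 'Parent']
    print(sorted(effective_roles({"A"}, ORIENT_INHERITS)))           # ['A', 'B', 'C']
    token = _fake_token({"sub": "sean", "realm_access": {"roles": ["Parent", "Child"]}})
    print(sorted(token_realm_roles(token)))                          # ['Child', 'Parent']
```

With the graph from the Keycloak question, assigning Child yields only Child while assigning Parent yields both, which is exactly the behaviour the answer describes. token_realm_roles deliberately skips signature checking so it can be run on a token pasted from a terminal; treat its output as a diagnostic, not as an authorization result.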

How to retrieve object from database to put as foreign key

In my database I have the tables "User" and "Role", and I want to attach a role to a user when the user signs up. The problem is that when I retrieve the role from the database and post the user, a new role is created, and I don't want that. I want the existing role to be used as the foreign key.
In JPA you don't think in terms of foreign keys. What you model is an object which can have relations to other objects; for example, a class User may have a list of Role references.
You then annotate it with the corresponding JPA annotations to map this relation to your database tables. You may check the Oracle Java EE tutorial on JPA to learn how to do that.
Then, when putting a new Object (meaning one with a new ID) into the list, it will result in getting a new entry in the referring table when persisting it.

User cannot see view, only sees tables

These are the object privileges for a user on a netezza database. It says (S)elect, but the user cannot see views, only tables. Why is that?
Object Privileges
(L)ist (S)elect (I)nsert (U)pdate (D)elete (T)runcate (L)ock
(A)lter (D)rop a(B)ort (L)oad (G)enstats Gr(O)om (E)xecute
Label-A(C)cess Label-(R)estrict Label-E(X)pand Execute-(A)s
Administration Privilege
(D)atabase (G)roup (U)ser (S)chema (T)able T(E)mp E(X)ternal
Se(Q)uence S(Y)nonym (V)iew (M)aterialized View (I)ndex (B)ackup
(R)estore va(C)uum (S)ystem (H)ardware (F)unction (A)ggregate
(L)ibrary (P)rocedure U(N)fence (S)ecurity Scheduler (R)ule
LIST permission allows you to see an object, and a TABLE is a different object class than a VIEW.
If you want a user to see a view then you must grant LIST on that view (or the general object class of VIEW). Being granted LIST or SELECT on a table (or the object class of TABLE) has nothing to do with whether a user can see a VIEW.
If you had two views called VIEW_1 and VIEW_2 you could either do something like:
GRANT LIST, SELECT on VIEW_1, VIEW_2 to USER1234
or, if you wanted them to have those permissions for all views in the database scope, you grant on VIEW, which is a reference to the object class for all views:
GRANT LIST, SELECT on VIEW to USER1234
Similarly you could grant to TABLE (which represents the table object class), and that would apply to all tables in the scope.

Zend Navigation Multiple ACL roles

I am trying to create an ACL where users may have different roles in different departments.
The user is given a role in the form of role::guest or role::user depending if they are logged in. This is their userRole. (There is also a role::superuser that has access to all departments).
I have also added departmental roles to the ACL in the form of department::role (Eg. bookings::user). This is their departmentRole.
The users departmental roles are stored in the Zend_Auth identity.
The access control part works by extending Zend_Acl and over-riding the isAllowed function.
This successfully allows or denies each user.
public function isAllowed($role = null, $resource = null, $privilege = null)
{
    // The $role argument is ignored; the decision is made from the
    // authenticated identity stored by Zend_Auth instead.
    $identity = Zend_Auth::getInstance()->getIdentity();
    $userRole = $identity->role;                   // e.g. role::guest or role::user
    $departmentRoles = $identity->departmentRoles; // e.g. array('bookings::user', ...)

    // First check the global user role.
    if (parent::isAllowed($userRole, $resource, $privilege)) {
        return true;
    }

    // Otherwise allow if any of the user's departmental roles is allowed.
    foreach ($departmentRoles as $departmentRole) {
        if (parent::isAllowed($departmentRole, $resource, $privilege)) {
            return true;
        }
    }

    return false;
}
The problem I am having is that Zend_Navigation requires an instance of the Acl and a single user role. My view script which builds the navigation menu uses $this->navigation()->accept($page) which only validates against the single user role.
How can I have multiple Acl roles for each user and have Zend_Navigation display menu items that they have access to?
If there is a better / different / correct approach to this please share.
Thanks
EDIT:
The fact that this approach meant overriding a core function in isAllowed() got me thinking this can't be the correct way to do this.
Now, in my ACL model I fetch all users, departments and associations and loop through them, creating an array for each user made up of their various roles within their relevant departments. I then create one role for each user and have it inherit the roles in the previously created array.
This is working well up to now and also means I can add the users as resources and allow the relevant admin and department managers rights to amend their details etc.
It also means that I can pass a single role to Zend_Navigation and the menu structure should be relevant to their department roles.
IMHO, having multiple ACL roles for a single user looks like an anti-pattern. Zend_Navigation rules are bound to (multiple) resources for a single role, which makes perfect sense.
What constraints forbid you from allowing resources for your (department) roles?
You can always use inheritance for your ACL roles.
If you prefer having multiple roles for a single user, you might need to have separate ACL rules.
Zend_View_Helper_Navigation_HelperAbstract::setDefaultAcl($acl);
Zend_View_Helper_Navigation_HelperAbstract::setDefaultRole($role);