Will the designer be able to publish forms to a particular user (client)? Because now if he/she publishes forms, they can be viewed by all users with client access, na?
No, we cannot publish a form only to a particular client using the designer page in formsflow.ai as of now. However, we can customise the code to check the group access and show the forms list to the users belonging to that particular group in Keycloak. We will be doing more refining as part of the Multitenancy feature we will bring in a future release.
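One way to implement the group check described in the answer above, as an added example (not formsflow.ai code). It assumes the access token has already been signature-verified and carries a `groups` claim with full paths from Keycloak's Group Membership mapper; the `allowed_groups` field on a form and all group paths are hypothetical, and treating subgroup members as members of the parent group is a design choice.

```python
# Added example: filter a forms list by Keycloak group membership.
# `allowed_groups` is a hypothetical per-form field; group paths are constructed.

def normalize_group(path):
    """Canonical Keycloak group path: one leading slash, no trailing slash."""
    core = path.strip().strip("/") if isinstance(path, str) else ""
    return "/" + core if core else None


def user_groups(claims, claim_name="groups"):
    """Group paths from verified token claims; a malformed claim yields none."""
    raw = claims.get(claim_name)
    if not isinstance(raw, list):
        return set()  # fail closed on a missing or non-list claim
    return {g for g in map(normalize_group, raw) if g}


def in_group(groups, required):
    """True if the user is in `required` or in one of its subgroups.

    Matching is on whole path segments, so membership of /clients/acme-eu
    never satisfies a form published to /clients/acme.
    """
    req = normalize_group(required)
    if req is None:
        return False
    return any(g == req or g.startswith(req + "/") for g in groups)


def visible_forms(forms, claims):
    """Forms the caller may list; a form with no allowed_groups stays hidden."""
    groups = user_groups(claims)
    return [f for f in forms
            if any(in_group(groups, r) for r in (f.get("allowed_groups") or []))]


# Constructed sample data.
FORMS = [
    {"id": "f1", "title": "Acme onboarding", "allowed_groups": ["/formsflow/clients/acme"]},
    {"id": "f2", "title": "Globex intake", "allowed_groups": ["/formsflow/clients/globex"]},
    {"id": "f3", "title": "Unassigned draft", "allowed_groups": []},
    {"id": "f4", "title": "Acme EU survey", "allowed_groups": ["/formsflow/clients/acme-eu"]},
]
ALICE = {"preferred_username": "alice", "groups": ["/formsflow/clients/acme/team-a"]}

if __name__ == "__main__":
    for form in visible_forms(FORMS, ALICE):
        print(form["id"], form["title"])
```

The filter belongs in the API that returns the forms list, not only in the front end, so a client cannot list other groups' forms by calling the API directly.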
I scrolled through the documentation of Keycloak and also set it up on my machine to explore.
I also explored fine-grained permissions; however, I didn't get much detail in the documentation around the n-level of nested hierarchies.
Here https://www.keycloak.org/docs/latest/server_admin/ this talks about limiting an admin user to particular client management, however, I want certain users, within the client, to be able to create accounts but with scopes and attributes limited to what's assigned to themselves.
For example:
For a client (ERP > Transactions) we want to create an Org (our customer) Admin who in return will create teams and team admins. Team admins shall be able to invite their teammates in there.
Now I just want to know if only Keycloak can be used to make sure a user in one Org shouldn't be able to create a user in some other org, in the same way, a team admin shouldn't be able to onboard/invite a user in some other team.
Because if Keycloak in principle can't handle this, our team will start writing custom logic in our application code base for this.
My company keeps individual employee schedules. Each employee manages their own schedule. Admins, supervisors and project managers have to go to each sheet and look for the information.
I need to create a system that allows someone to select a date range and skill set then produce a sheet with the information that matches the criteria. I have installed the Python API and worked through a few tutorials.
Now I need to know how to make command buttons, date pickers . . .
A quick read of my search results indicates that this is not part of the Smartsheet API!
Is there a way to do this through the Smartsheet API? Or how would you approach this?
The Smartsheet API enables you to programmatically access data in Smartsheet (i.e., create, read, update, delete data in Smartsheet). This is true for all APIs -- they simply provide a means for you to programmatically access data. You'll need to build the web app's user interface (UI) yourself by using HTML, CSS, JavaScript, etc.
Alternatively -- instead of building a custom web application like you've described -- I'd suggest that you look into the possibility of creating Smartsheet Reports that can provide the data you've described. You can create Smartsheet Reports via the Smartsheet UI -- so you wouldn't need to do any programming at all.
I'm working with Shopware.
I've added a new attribute "proxy" to the s_core_auth table for each user in order to show the ability to get access to the Customer Module in the backend, so that if a user is not selected as "proxy" he/she won't be able to make changes in that module.
I need help to understand what I need to write in my plugin's code (maybe having only a Subscriber file.)
I'll be very grateful!
Adding a custom column to the s_core_auth table is not a good idea. What you're trying to achieve can be done with user groups and group rights. From the Shopware Documentation:
With User administration you are able to create new users in the backend and control access rights to areas, modules and plugins in accordance with certain group policies that you define per ACL (Access Control List). Within the ACL you have the possibility to control precisely which user is able to perform which activity. Thus, it is possible to assign certain reader rights to an administration group without granting them authorization to edit or delete.
You can find instructions for User administration inside the Documentation.
We are trying to develop a web interface in Plone to manage a corporate identity management solution by interfacing OpenIDM with Plone. Please refer to the block diagram for the entire setup attached here. (Here the plone-interface.mydomain.in is a user interface for calling the REST APIs of the OpenIDM to manage the roles in the OpenIDM.)
There are around 4000 user LDAP directory services with different Organisational Units (OUs). The roles are created and assigned by OpenIDM.
We are developing a Plone web interface for all the users to log in and manage their roles, such as delegation of their roles to peers when they are going on leave/vacation. So we are planning to implement a customized workflow in this Plone application so that a Team Member (TM), as in the diagram, can initiate the role change request to his Team Lead (TL) for review and forward to his Project Manager (PM) to Approve or Reject or forward to the Delivery Manager (DM) for further forwarding to other project groups, if the particular member belongs to multiple project groups, for further approvals from horizontal project Heads/authority.
We are developing a module in Plone for users to apply for leave and request/delegate his role changed to another user through a workflow based approval process.
Query:
1) How can we implement a workflow such that, if a user (e.g. Role --> Team Member) submits a leave application requesting a role change, it should go only to the immediate hierarchy (e.g. Team Lead) within the same group, so that no user with a role "Team Lead/Project Manager/Delivery Manager" in other groups will be able to view the request of a Team Member in another Group.
Note: The workflow in general is going to have overall four roles (Team Member, Team Lead, Project Manager, Delivery Manager) only in each Group.
Please shed some light and your valuable suggestions to achieve such a custom workflow as described in Query 1.
Thank You
A customer of ours has just purchased CQ5 and would like to externalize all of its security. We'd like to use an STS server for SSO and then leverage a custom authorization/attribute provider instead of the CQ5 repository. Ultimately, we do not want to use LDAP in any way.
Here is how we envision this (some pieces already working):
User browses to CQ5 Dispatcher running in Apache
Apache filter redirects user to STS site where login is completed.
User is redirected back to Apache with SAML Claims.
User ID token is placed as cookie into browser. (everything is working up to here)
CQ5 captures that cookie based on the SSO configuration (working)
Problem starts here: From here, we want to call a custom authorization provider for the user's attributes, roles, groups etc...
We have tried to figure out how to do this and can't seem to find the missing link.
Do we need to create a custom login module? Do we need to create a custom principal provider? Do we somehow use the existing LDAP capability in CQ5 but have it call a custom class which leverages the external auth source?
If anyone here has any idea how to do this, their karma quotient would be full for the year if they could share it. I'm not sure if this is a basic thing you do with JAAS or even where to put my classes after I've created them.
We've worked really hard on this so far and seem to be close, but we keep hitting dead-ends.
Thanks so much if you have an idea where to begin!!
-joe
Recent versions of AEM now include the SAMLAuthenticationHandler which allows you to:
Redirect users to SSO to simulate IDP initiated login, or
Allow AEM to perform SP initiated login with IDP
Specify attributes to take from the SAML Assertion and add to the user's profile node (not sure if you can use this for groups)
Specify which groups users should be added to
Set a cookie called request-path that will store the URL the user arrived at, and then redirect them to that location when they're authenticated (i.e. deep linking)
This makes relying on the SAMLAuthenticationHandler better than using Apache to redirect. The current version of the handler bundled with AEM 6.2 does not properly set the cookie when using the redirect method, but Adobe does have an updated version that they can provide that will fix that problem.
I normally recommend that clients do not have their own authentication handlers developed inside AEM.
When not using LDAP, this does create an issue where users will not exist until they've logged in. Additionally, when your architecture includes more than one load balanced publisher, it is possible that a user may exist on one server user synchronization.
Try searching the Google group for SSO details. Here's one useful post:
http://groups.google.com/group/day-communique/browse_thread/thread/72c235c83a501252/fba4d08a90487156?lnk=gst&q=SSO#fba4d08a90487156
It seems that you will have to implement a custom LoginModule, more information here: http://dev.day.com/docs/en/crx/current/deploying/custom-login-modules.html