i'm new in oracle apex. I want to make a custom authorization based on the user role (manager or employee). I have make an UI for the manager to custom the access role based on the user role when the user click on the checkbox and when click save button (not working for now), the user must be able to access the form based on their access. Anyone know how to do that? Please help. Thank you
The custom access form
This is a very broad question, hard to answer in a single answer. I can give you some form of direction but not a detailed answer:
This is a form of a roles/responsibilities implementation. A user gets a role (employee) but in the application every functionality is tied to a responsibility (eg time sheet, user profile). This is one way to implement this:
create a user/role mapping table. A user has a row for every role he has, eg User "John" has role "Employee"
create a role/responsibility mapping table. One row for every responsibility that is granted to a role. This table will be populated from the screen that you posted the screenshot for
create one authorization scheme in the application for every responsibility you create (one for time sheet, one for user profile, etc). In this authorization scheme you check if there is a row for the current user joined to the user/role mapping table and to the role/responsibility mapping table
Related
I'm building a platform targeted to kids with an optional parent sign up. Regular users can access the full platform experience while parent users can only access a parent dashboard to create their child's account, manage it, and see activity from their child.
Parent accounts will never become users. If they want to be a regular user they must make a separate user account.
Two ways I can create this:
A single users table with an account_type column. This is what I currently have.
Separate tables, users and parents, as well as an accounts table that has a one-to-one mapping to either (for things like email, password hash, etc.).
#2 seems like the better longterm solution. The pros are that I can evolve the two separately, and the cons are that basic user queries become slightly more complicated.
Any thoughts or recommendations on these two approaches?
Why don't you just use a role based user maangement.
you will have user, role models.
In user model you will have a column roleid having a object-type-relationship[one-to-one] with role model.
Now, in your user model you will give the permission to parent user (role account) to create a child user (role account).
ask me if you need further explanation.
In our Apereo CAS 5.3.8 protected application we need to display after login a screen which shows a dropdown with some values from which the user must select one option. The screen needs to be shown only if certain conditions are met, depending on some user attributes. In some scenarios all the attributes that we need are loaded after the login but in other cases we need to load additional ones depending on the user's choice. The user selection then has to be converted in some other user attributes which we want to store in the CAS assertion so that a client application can access the user attributes and make decisions based on these attributes.
In order to display this additional screen, we have created a custom multifactor provider. The loaded attributes are passed to a PrincipalFactory implementation.
Almost everything works fine except the part which happens after the user dropdown selection. The question is how can I load the principal attributes in two steps? I tried to update the principal and authentication objects in my custom action which gets triggered after the user selection but it does not work, it always keeps the old principal with the attributes loaded immediately after login.
I think the problem might be due to the fact the attributes are passed to a PrincipalFactory and probably they are only written once and become immutable. I tried to make use of a AuthenticationTransactionManager and a AuthenticationResultBuilder but was not able to add the extra computed attributes.
Any guidance would be highly appreciated.
I'm investigating a migration process from a legacy system into keycloak. Based on some of the ideas here: https://github.com/Smartling/keycloak-user-migration-provider we're looking to create user accounts in keycloak at the point of login by looking up user credentials from some dedicated endpoints on our legacy system.
As part of this, I need the user ID to remain the same as it was in the legacy system.
Is it possible to create a user with a specified ID rather than relying on keycloak to auto-generate it?
Running into this issue when attempting to create users via the API, I looked into the code for the users service. It looks like it is currently not possible to set the user id due to how the user is created.
From the code in https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java specifically on line https://github.com/keycloak/keycloak/blob/7cfe6addf01676939206e034a87c791460031032/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java#L115 the user is first created using the username, then updated. I believe id is not an updatable field. Thus it is not currently possible.
Checking the api I see it is now possible to add an optional "id" field in the userRepresentation object that you pass to create a new user in keycloak.
Find more information here: https://www.keycloak.org/docs-api/5.0/rest-api/index.html#_userrepresentation
I'm working with Shopware.
I've added a new attribute "proxy" to the s_core_auth table for each user in order to show the ability to get access to the Customer Module in the backend, so that if a user is not selected as "proxy" he/she won't be able to make changes in that module.
I need help to understand what I need to write in my plugin's code (maybe having only a Subscriber file.)
I'll be very grateful!
Adding a custom column to the s_core_auth table is not a good idea. What you're trying to achieve can be done with user groups and group rights. From the Shopware Documentation:
With User administration you are able to create new users in the backend and control access rights to areas, modules and plugins in accordance with certain group policies that you define per ACL (Access Control List). Within the ACL you have the possibility to control precisely which user is able to perform which activity. Thus, it is possible to assign certain reader rights to an administration group without granting them authorization to edit or delete.
You can find instructions for User administration inside the Documentation.
Im working on a "what I thought would be simple" application using zend framework. This is my 4th application with zf, but my first with a dynamic ACL. Application uses standard MVC setup with Model/Domain Layer consisting of a Service Layer to access my Models(popo) which are mapped through Mappers. For each Model I have a corresponding Service and Mapper. I would like to have my UserModel implement the Role interface and then all my model based services implement the Resource interface. Also I would like to have specified predefined privileges based on static roles, but also be able to change specified privileges for each user based on the user's role(s);
So for instance:
I role of 'vendor' that by default has access to the 'invoice' resource with 'create', 'edit' and 'view' privileges.
So my InvoiceService I would would be the 'invoice' resource with methods create, edit, view, and delete(but by default only role admin could delete an invoice.
For a specific user with role of vendor I would like to be able to grant delete privilege, or for another user with vendor role I might like to be able to deny edit privilege. This im thinking would have to be persisted in some way and dynamically loaded.
So to my actual question(s).
Am I going about this the wrong way?
Also how could a solution like this be implemented with Zend Navigation?
Any ideas pointers lessons feedback would be greatly appreciated.
Sorry if I have done a crap job with my explanation been up all night.
Yes, as David said you are on the right track. Zend_Navigation plays very nicely with Zend_Acl. You can define your navigation in an xml or ini file, assigning each page a resource and required privilege, and then inject the ACL and the navigation container into the navigation view helper. You can also set the current role for the navigation helper to whomever is currently logged in, which will show or hide navigation elements based on the ACL.
I will say that defining all those pages in a navigation container is a bit tedious and verbose, but not difficult.
As for defining your ACL, you can do something as simple as defining all your roles and resources in a single php file, or you can have a more flexible approach and store this information in a database and build the acl. You'd definitely want to cache the ACL with the latter approach.