Is it possible for keycloak to filter users by custom attribute - keycloak

I'm trying to create a UMS that uses Keycloak's REST API. Some users will be plain users and others will be managers. To differentiate them, they'll belong to different groups and they'll inherit a different set of roles.
All of the users will have a custom attribute named locale. What I'm trying to achieve at this point is that every time a manager tries to fetch the list of users using the REST API, e.g. {{keycloak_url}}/admin/realms/{{realm}}/users, only users with the same custom attribute locale should be returned.
Example:
Complete list of users:
  USERNAME  LOCALE
  manager1  en
  manager2  fr
  user1     en
  user2     en
  user3     fr
manager1 requests the users list, expected result:
  USERNAME  LOCALE
  manager1  en
  user1     en
  user2     en
manager2 requests the users list, expected result:
  USERNAME  LOCALE
  manager2  fr
  user3     fr
Any suggestions on how to achieve this using Keycloak?
Thanks in advance.

Unfortunately, it's not possible. Keycloak does not provide such functionality because it is out of the scope of the SSO definition.
But you are free to implement a custom endpoint with filtering users by attribute locale taken from the manager's token.
You can find code here https://github.com/keycloak/keycloak/tree/master/examples/providers/domain-extension

You can obtain it with the users resource (https://www.keycloak.org/docs-api/17.0/rest-api/index.html#_users_resource)
by putting the "q" parameter in the query string, like this:
https://localhost/admin/realms/{realm}/users?q=locale:
This will return what you need.
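As an added example (not code from the question or from either answer), here is the core of the custom endpoint the first answer suggests, in Python: the locale is taken from the manager's verified token claims, the admin API URL uses the q=locale:<value> search from the second answer, and the fetched list is checked again server-side. The claim name "locale", the sample users and the base URL are assumptions constructed for this example.

```python
from urllib.parse import quote

# Constructed sample: the users from the question, shaped like Keycloak's
# UserRepresentation, where attributes map to lists of strings.
USERS = [
    {"username": "manager1", "attributes": {"locale": ["en"]}},
    {"username": "manager2", "attributes": {"locale": ["fr"]}},
    {"username": "user1", "attributes": {"locale": ["en"]}},
    {"username": "user2", "attributes": {"locale": ["en"]}},
    {"username": "user3", "attributes": {"locale": ["fr"]}},
]


def locale_from_token(claims):
    """Read the locale from the manager's (already verified) token claims.

    The filter value comes from the token, never from a request parameter,
    so a manager cannot ask for another locale's users. The claim name
    "locale" is an assumption: a protocol mapper would have to expose the
    user attribute under that name.
    """
    locale = claims.get("locale")
    if not isinstance(locale, str) or not locale:
        raise PermissionError("token carries no locale claim")
    return locale


def users_query_url(base_url, realm, locale):
    """Admin REST API URL using the q=key:value attribute search."""
    q = quote("locale:" + locale, safe=":")
    return f"{base_url}/admin/realms/{quote(realm, safe='')}/users?q={q}"


def filter_users_by_locale(users, locale):
    """Server-side filter over the fetched users; the check lives in one place."""
    return [
        u["username"]
        for u in users
        if locale in u.get("attributes", {}).get("locale", [])
    ]


def list_users_for_manager(claims, users=USERS):
    """What the custom endpoint returns for the caller described by claims."""
    return filter_users_by_locale(users, locale_from_token(claims))
```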

Related

Salesforce SOQL to fetch all the accounts assigned to the logged in user

I have the accessToken of the logged in user and currently my query looks like below
https://xxx.salesforce.com/services/data/v45.0/query?q=SELECT Id,Name,Industry,Ownership,AnnualRevenue,NumberOfEmployees,Phone,Website FROM account ORDER BY LastModifiedDate DESC LIMIT 10
The above query will return the last 10 modified accounts that the logged-in user has access to. What I want is to get only those accounts that are assigned to the logged-in user.
You need a query similar to
SELECT Id, Name
FROM Account
WHERE OwnerId = '005...'
ORDER BY LastModifiedDate DESC
LIMIT 10
All users' ids in all SF instances in the world start with 005.
You can get the user id from the login success response. Which OAuth2 flow have you used? https://help.salesforce.com/articleView?id=sf.remoteaccess_oauth_user_agent_flow.htm&type=5 ?
In that example the user's id is hidden in the OAuth "id" field (the identity service, which returns some info about the user: name, email, preferred language, locale, timezone...)
https://www.customercontactinfo.com/user_callback.jsp#
access_token=00Dx0000000BV7z%21AR8AQBM8J_xr9kLqmZIRyQxZgLcM4HVi41aGtW0qW3JCzf5xdTGGGSoVim8FfJkZEqxbjaFbberKGk8v8AnYrvChG4qJbQo8&
refresh_token=5Aep8614iLM.Dq661ePDmPEgaAW9Oh_L3JKkDpB4xReb54_pZfVti1dPEk8aimw4Hr9ne7VXXVSIQ%3D%3D&
instance_url=https://yourInstance.salesforce.com&
id=https://login.salesforce.com%2Fid%2F00Dx0000000BV7z%2F005x00000012Q9P&
issued_at=1278448101416&
signature=miQQ1J4sdMPiduBsvyRYPCDozqhe43KRc1i9LmZHR70%3D&
scope=id+api+refresh_token&
token_type=Bearer&
state=mystate
It's a bit hard to see, but if you receive this response you need to extract the 005x00000012Q9P part. If you don't trust parsing that URL, well, call that "id" endpoint. See https://salesforce.stackexchange.com/q/11728/799 for the response format and some more ideas.
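An added example, not code from the answer: extracting the User ID from the callback URL quoted above and validating it before it is placed in the owner-restricted SOQL query. The callback value is the one from the answer, trimmed to the parameters the example needs; the validation rule (15 or 18 alphanumeric characters starting with 005) is the one the answer states.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the user-agent flow callback from the answer above,
# trimmed to the parameters this example needs.
CALLBACK_URL = (
    "https://www.customercontactinfo.com/user_callback.jsp#"
    "access_token=00Dx0000000BV7z%21AR8AQBM8J_xr9kLqmZIRyQxZgLcM4HVi41aGtW0qW3JCzf5xd"
    "TGGGSoVim8FfJkZEqxbjaFbberKGk8v8AnYrvChG4qJbQo8&"
    "instance_url=https://yourInstance.salesforce.com&"
    "id=https://login.salesforce.com%2Fid%2F00Dx0000000BV7z%2F005x00000012Q9P&"
    "issued_at=1278448101416&scope=id+api+refresh_token&token_type=Bearer&state=mystate"
)

# Salesforce User IDs are 15 or 18 alphanumeric characters and start with 005.
USER_ID_RE = re.compile(r"^005[A-Za-z0-9]{12}(?:[A-Za-z0-9]{3})?$")


def user_id_from_callback(url):
    """Extract and validate the User ID from the callback's "id" parameter."""
    params = parse_qs(urlsplit(url).fragment)  # values are percent-decoded here
    id_url = params["id"][0]  # https://login.salesforce.com/id/<OrgId>/<UserId>
    user_id = urlsplit(id_url).path.rstrip("/").rsplit("/", 1)[-1]
    if not USER_ID_RE.match(user_id):
        raise ValueError(f"not a Salesforce User ID: {user_id!r}")
    return user_id


def owned_accounts_soql(user_id, limit=10):
    """SOQL for the accounts owned by user_id.

    The ID is re-validated before it is interpolated, so only a well-formed
    ID ever reaches the query string.
    """
    if not USER_ID_RE.match(user_id):
        raise ValueError("refusing to build SOQL with an unvalidated ID")
    return (
        "SELECT Id,Name,Industry,Ownership,AnnualRevenue,NumberOfEmployees,"
        f"Phone,Website FROM Account WHERE OwnerId = '{user_id}' "
        f"ORDER BY LastModifiedDate DESC LIMIT {int(limit)}"
    )
```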

Example of filemaker script if statement, for someone to only see customers with UK field in table

In FileMaker security I only want users from a country such as the UK to see UK customers in a table.
How would I write the if statement for this? For example:
If(Country = "UK"; ????
Assuming you have a field for country in your user table, you need to compare this for the logged-in user to the country field in the table you want to restrict access to.
Such as:
LoggedInUserCountry = Country
If this evaluates to true, the privilege is enabled.
LoggedInUserCountry should be a global field that is set during login, making it accessible from every table.

Alfresco filter people by creator name

I want to modify the webscript alfresco-remote-api-5.0.d.jar\alfresco\templates\webscripts\org\alfresco\repository\person\people.get.js. I need to display, for the connected user, only the users he has created.
I have modified the filter to include the username in the query:
filter = filter + " AND cm:creator:admin";
people.getPeoplePaging(filter, paging, sortBy, sortAsc);
This must display only users created by admin.
But it's not working (no user is returned).
How can I select only users created by a certain user?
By looking at the content model definition below, I am sure that what you want to achieve is not possible, as a person (user) does not have a creator property. The links below show the content model for users.
https://svn.alfresco.com/repos/alfresco-open-mirror/alfresco/COMMUNITYTAGS/V4.2c/root/projects/repository/config/alfresco/model/contentModel.xml
https://svn.alfresco.com/repos/alfresco-open-mirror/alfresco/COMMUNITYTAGS/V4.2c/root/projects/repository/config/alfresco/model/systemModel.xml

How to give backend login access to groups/roles other than administrator in FuelPHP?

I am using Ormauth as the auth package and used it for login at the backend. Now I want to give login access to the group 'moderator' along with 'superadmmin' and 'administrator'. How am I to proceed? I tried changing options in the default FuelPHP tables for 'user_roles', 'user_role_permissions' and so on, but to no avail. I am new to this. Any help/suggestions are welcome. Thanks in advance.
I do this:
1. Create a base class for the admin area; in the "before" function of that base class use \Auth::has_access('area.permission') to check whether the current user has access to the current controller or not.
2. Create some permissions (in the table users_permission) for your admin area. You can use any names for area and permission here, but I suggest using your application or module name as "area" and the controller name as "permission".
3. If you wish to use "groups", use "users_grouppermission"; if you wish to use "roles", use "users_rolepermission" for inserting some records allowing access to groups/roles.
4. At last, assign users to those groups or roles (using the user_roles and user_groups tables).

How to access (closed user group) programmatically?

I have created a Closed User Group My_CUG in CRX and added some users, user1 and user2. I would like to get the users registered in My_CUG and their email. How can I access My_CUG programmatically?
You can do that in the following way -
If your group name is "My_CUG" then you can resolve the corresponding group object by using the correct admin privileges -
    import javax.jcr.Session;
    import org.apache.jackrabbit.api.security.user.Group;
    import org.apache.jackrabbit.api.security.user.UserManager;
    import org.apache.sling.jcr.base.util.AccessControlUtil;

    // resourceResolver must be backed by a session allowed to read and modify the group
    Session adminSession = resourceResolver.adaptTo(Session.class);
    UserManager um = AccessControlUtil.getUserManager(adminSession);
    Group naGrp = (Group) um.getAuthorizable("My_CUG");
Now you can add any user (user1) to this group by -
    naGrp.addMember(um.getAuthorizable("user1"));
    adminSession.save(); // the membership change is transient until the session is saved
Hope this solves your problem.