How to secure resources with Casbin based on multiple group memberships - casbin

What is the best option to implement such security in Casbin?
I have several folders, each of which has its own security (i.e. the users allowed to access it).
But that's not enough: the action a user is allowed to perform in a folder depends on the user's group.
As an example:
alice can be admin for folder1, so she can read and write within it
alice can be user for folder2, so she can only read
I was thinking of using 1 group per role (user, admin) and 1 group per folder, however this is not fine because once a user is assigned a role, he cannot change.
I looked at RBAC with domains and this can work until I duplicate all my policies for each folder (yeah, all users will always have the same rights in a folder...) because the domain must be part of the policy itself.
Do you have any suggestion on how to achieve this?
Thanks
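One way to model this in Casbin, as an added example that is not part of the question or of any answer on the page: pass the folder as the domain argument of g() and keep the policy lines per role only, so nothing is duplicated per folder. The model and policy text are written as Casbin would load them; the small evaluator after them is a stand-in for casbin.Enforcer written here so the example runs without the library, and the users, roles and folder names are constructed.

```python
# Folder-as-domain model: the role assignment (g) carries the folder, the
# permission (p) carries only role and action. Evaluator below mimics the
# matcher so this runs without the casbin package; it is not Casbin's code.
MODEL = """
[request_definition]
r = sub, obj, act
[policy_definition]
p = sub, act
[role_definition]
g = _, _, _
[policy_effect]
e = some(where (p.eft == allow))
[matchers]
m = g(r.sub, p.sub, r.obj) && r.act == p.act
"""

# Constructed sample policy: permissions per role, roles per user per folder.
POLICY = """
p, admin, read
p, admin, write
p, user, read
g, alice, admin, folder1
g, alice, user, folder2
g, bob, user, folder1
"""

def load_policy(text):
    """Split the CSV into (role, action) permissions and (user, role, folder) links."""
    perms, roles = set(), set()
    for line in text.strip().splitlines():
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p":
            perms.add((fields[1], fields[2]))
        elif fields[0] == "g":
            roles.add((fields[1], fields[2], fields[3]))
    return perms, roles

def has_role(roles, user, role, folder):
    """g(r.sub, p.sub, r.obj): the role is held only inside the given folder."""
    return (user, role, folder) in roles

def enforce(perms, roles, sub, obj, act):
    """Evaluate matcher m: some p line allows (sub, obj, act)."""
    return any(has_role(roles, sub, role, obj) and act == p_act
               for role, p_act in perms)

if __name__ == "__main__":
    perms, roles = load_policy(POLICY)
    print(enforce(perms, roles, "alice", "folder1", "write"))  # True
    print(enforce(perms, roles, "alice", "folder2", "write"))  # False
```

Adding a third folder then costs one g line per user that needs access, with no new p lines.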

Related

Azure DevOps Shared Query permission not inheriting from Project Administrator Group

I am in the Project Administrator group. Since we have a requirement to set the shared query to read-only for Contributors, I toggled the permissions for Contributors to Deny except for "Read".
When I try to create a new shared query, it says:
TF401256: You do not have Write permission for query Shared Queries.
I clicked on the three dots to bring up the "Permission for Shared Queries" menu, searched my name and a few other people in the Project Administrator group or Project Collection Administrator group, and it shows all "Deny" permissions except for "Read" for all of us.
When I hover over it, it says our permission is being inherited through {project}\Contributors, but we are in the Administrator group.
Why is that and how can I fix it? I cannot even overwrite the permission. It is stuck at being inherited from the Contributor group.
It seems you are in two different groups (Project Administrators and Contributors); check this doc:
In Azure DevOps, for most groups and almost all permissions, Deny overrides Allow. If a user belongs to two groups, and one of them has a specific permission set to Deny, that user is not able to perform tasks that require that permission even if they belong to a group that has that permission set to Allow.
This is why you get the error message. You could open Project settings -> Permissions -> search for the permission group {project}\Contributors -> click the Members tab and remove your account. Then you could create the new shared query.
Update1
Steps:
Open Project settings -> Teams -> select the team -> click the Settings tab -> add Administrator; then we could move our account.
link to MS forum for this issue (or similar posted by other people):
https://developercommunity2.visualstudio.com/t/Project-administrator-cannot-save-shared/1339863
It just doesn't sound right to me that in order to have admin permission you cannot be in any team. That may be workable for a test account, but for an organization this workaround or restriction could mess things up a lot.

Apply policy to all but specific users OR computers

Specifically I'm trying to implement a block removable storage policy.
Let's say I have 100 computers named PC1-PC100. PC1-PC10 need to allow removable storage no matter who logs in. Additionally, a couple of user accounts need access to removable storage no matter what computer they log into.
I have tried this by creating a security group, adding the computer list to it, creating a policy that targets Authenticated Users which blocks removable storage at the user level, and then adding delegations for the whitelisted computer security group and the 2 user accounts, with a Deny for Apply Group Policy. The delegations worked for the 2 user accounts, but removable storage did not work on the computers in the security group unless the 2 mentioned accounts were logged in.
Can someone kindly point me in the right direction? Thanks!

Provide all users with ability to edit their own specific attributes in Active Directory

I've been working on a project that allows users in our domain to edit 3 Active Directory attributes on their own object. This has been written in Python, and the only issue I have now is user permissions on these attributes.
Two of these are custom; the third is the Location (physicalOfficeDeliveryAddress).
I have looked everywhere and only found documentation on how to give permission for these attributes to users in a group, but for ALL users or limited by group.
I'm looking to apply the permission under the Identity Reference NT AUTHORITY\SELF so that users may only edit their own attributes.
In fewer words, I'm looking to write a script that will delegate permissions for three specific attributes to ALL users in the domain, but only for themselves (NT AUTH\SELF).
I have a loop that will perform it for each user; I just have hit a brick wall on what to include in the loop.
Any help would be appreciated.
NT AUTHORITY\SELF is one of Windows' well-known SIDs, with a SID of S-1-5-10.
So you do it the same way you would for any other account, but grant the permissions to S-1-5-10 instead.
If you show us the code you're working with, we might be able to help you with where to plug in that value, if you need.

How do I restrict specific folders for a user with full mailbox rights?

I have a problem where Users[1..10] have Full Mailbox Access to UserA's mailbox.
UserA now wants to restrict access so that all of Users[1..10] have access except to "Sent Items" and "Deleted Items". In this, User2 & User3 should carry on having access as previously requested.
Is there a simple way for me to restrict access to the folder without having to remove the Full Mailbox Right permission and apply each individual's user rights on each specific folder?
Sorry if this has been asked before and answered. I did look but I think Google could not understand my query.
I am doing this via powershell as this will need to be repeated numerous times across multiple mailboxes.

Sitecore - Is there a way to clone/duplicate a user in the User Manager?

I have an account set up exactly the way I'd like a number of individuals' accounts set up, and I'd like to create them as clones of this account so they get the initial set of permissions without me having to manually set all the permissions on each account.
Note: It is fine (ideal?) if once the accounts are created that they no longer have a relationship with the original account. For instance, if User A is the base account that is being used to create all the other accounts, once User B is made from User A then all further changes on User A will not be reflected on User B.
Any ideas?
In answer to your question: no, there is no clone/copy user feature in the User Editor in Sitecore.
It sounds like you would be better off creating a role with all these permissions, then assigning this role to any new users you create. You could then modify the permissions of the individual users as necessary.
Note this would not be the ideal solution as it's always better to apply security to roles rather than individual users.
Perhaps you could achieve what you need by creating a collection of roles and assigning different combinations of them to each user?
Try installing this Sitecore module. This will clone the user in User Manager:
SITECORE USER CLONE
Sitecore User Clone is used to create a copy of the user with the same roles, name, email, and profile. It will prompt to accept the new username, password and all the editable fields, the same as Edit User.