I am planning to give user access programmatically. So, I want to add users to keycloak groups. Is there any way to automate this?
You can define some groups as default groups, then they will be added to any created users automatically. You can do this in the admin console.
Related
Is there a way to include the list of groups a user is a member of inside a Keycloak access token, along with the roles they are in? I've created several groups and mapped them to roles. However, I may have more than 1 group that maps to a particular role. I'd like to be able to make fine-grained authorization decisions so I know that User A is in Role A but also Group B. Is that possible?
Found the answer to this right here. All I had to do was add an additional mapper to my Client. Worked like a charm.
I have configured Keycloak with user self-registration. The keycloak instance will hold users of multiple customers which I plan to put into groups (so each customer can have admins that can manage these users through fine-grained permissions).
To map users that are self-registering to appropriate groups (using their email address, e.g.) I'd like to put them in their default group upon registering. Is this possible using either configuration or implementing an SPI? Or are there other possibilities to achieve a similar behavior?
I'm working with Shopware.
I've added a new attribute "proxy" to the s_core_auth table for each user in order to show the ability to get access to the Customer Module in the backend, so that if a user is not selected as "proxy" he/she won't be able to make changes in that module.
I need help to understand what I need to write in my plugin's code (maybe having only a Subscriber file.)
I'll be very grateful!
Adding a custom column to the s_core_auth table is not a good idea. What you're trying to achieve can be done with user groups and group rights. From the Shopware Documentation:
With User administration you are able to create new users in the backend and control access rights to areas, modules and plugins in accordance with certain group policies that you define per ACL (Access Control List). Within the ACL you have the possibility to control precisely which user is able to perform which activity. Thus, it is possible to assign certain reader rights to an administration group without granting them authorization to edit or delete.
You can find instructions for User administration inside the Documentation.
I created a new AAD user without any special permissions (no admin, just a user). Now, when I login using the Connect-MSOLService cmdlet and retrieve all users using Get-MSOLUser I can see every user within that directory.
Why and am I able to change that?
Background: I want to use a single AAD instance for multiple SAAS applications and want to prevent that a user can browse all users.
Actually, there is a way to disable user browsing in an AAD using the Set-MsolCompanySettings from the MSOnline module:
Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false
In Azure AD, Users and groups are created in a flat structure without OU and GPO. You can't restrict the user's permission to a specific scope. The user can view all the user information in Azure AD.
To isolate the users from different scopes, you can create multiple directories for Azure AD, and configure the SaaS applications as multi-tenant application for AAD.
You can refer to the article below for more details about Azure AD Directory role.
https://learn.microsoft.com/en-us/azure/active-directory/active-directory-assign-admin-roles
If you connect to an Active Directory you usually want to read some data. As such if you're authorized to do that you can easily access information that is available and particularly "sensitive" (e.g. you can't read private keys of user objects easily). If you look at the history of Active Directory and it's typical usage within companies, it's likely that only single tenant (company) using it at a given time. As such there were even less reason to restrict the access.
If you want to have multiple tenants use the same AD you will have to figure out a scheme that works for you and setup the proper permissions yourself.
Helpful articles for this could be:
Build a multi-tenant SaaS web application using Azure AD & OpenID Connect
Question: Creating a multi-tenant AD environment
I want to create a new user group.
The members in this user group can create new users and new groups.
I think creating users or groups require admin permission. This user group does not have other admin permission except creating, editing and deleting user,group. Does alfresco provide this kind of group in alfresco community 4.0c? How can I implement it? How to add a new group with specified permission? I really appreciate for help.
You could add a custom role in permissionDefinitions.xml but I don't think that would help in this instance, since the ability to create users and groups plus the other administrative actions are hard-wired to the built-in administrators role.
Instead, you could create a custom web script which performs a check to see if the current user is a member of your custom security group. Since the authenticated user may not be a repository admin (and probably isn't) then you would need to use something like this Sudo tool for Alfresco webscripts to temporarily give them permission to create the objects.
You would need to be competent in Java webscript development in order to implement this. There are some good resources on the Alfresco wiki, documentation and training materials available online.
You cane manage that through Alfresco Share. In your Alfresco installation directory:
/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/model/permissionDefinitions.xml you'll find the permissionDefinitions.xml file. Through that file you can manage your custom roles for Alfresco users and groups.
Here, in this WIKI you can find some hints about what you need to change to accomplish that.
Hope it helps. The wiki helps here, if you need some better explanation please let me know.