I have an iOS App. Would like to explore what is needed to be done to achieve the following:
1) The user taps on the map
2) US Census Tract info is requested from database
3) Later the user wants to purchase this tract info.
The US Census Tract info would be uploaded to Cloud Object Storage.
There are 70,000 Tracts grouped by US States = 50 + 1 (DC)
I could use SQL Query to select one Census Tract by its ID.
In the iOS App I can use Apple Login and get users' name and email.
The question is how to grant/revoke access to this info automatically
after in-app purchase?
The question is two-fold. Do I have to create 70,000 CSV files and grant them an access to? Or this can be achieved dynamically with SQL?
The second part is - how to automate this process?
Does IBM Cloud has this capability?
I would expect that you would use a single Service ID that would have access to the data sitting in COS, and that a user's access to the underlying data would be handled in your application logic. The Cloud IAM access policies are not intended for end-users as much as for internal development/operations teams to manage access to various cloud resources.
Depending on the format of the census data, SQL Query could be a great way to do it. You could use SQL query to create a new object with the subset of data the user has requested, and then create a presigned URL that will expire in a whatever timeframe is reasonable, allowing the file to be downloaded to the client device.
Related
We’ve been trying to understand if Google Cloud can access data stored in Google Storage when using Google-managed encryption keys.
We want to understand if Google potentially has access to the data stored. If yes, is there a way to restrict such access?
Yes, Google can. No, you cannot restrict Google.
Google publishes data policy documents on its website on how/when/if they access your data. Data access is logged so that you can see such accesses. There is a process requiring approval. A Google employee cannot just poke around in your data. Similar to most legal documents, you must read the documents to understand the details and conditions.
Start with this privacy page:
Privacy Resource Center
I want to create an app with IONIC to manage buildings. A user can hold multiple buildings. Each building has rooms. Each rooms has logs. Each user is a member of a cooperation.
For many years I've used LAMP. Now moving to mobile and made some IONIC apps. With 2 apps I've used sqlLite as datastore on the mobile device.
But now I've read up on couchDB and pouchDB and really like the concept and the sync option. So now I'm looking into this to use as my datastore (on the mobile and also on the backend).
Now I've got 2 major questions/concerns:
1) Authentication
In my LAMP situation, I usually have an SESSION (table which holds the sessions strings and userID) and an USERS table.
When the user logs in, the user is lookup in the USERS table, and a session string is created and saved with the userID.
Now each time a request is made to the server (for example update data), the session string is also supplied and matched to the SESSION table and retrieve the correct user. From that point on, I can validate if the post is valid and the data also belongs to the correct user.
Back to couchDB, I know there is a cookie management in couchDB (http://guide.couchdb.org/editions/1/en/security.html).
So here I can validate if an user exists and validate the credentials. Now the app can send requests with a cookie.
2) Fetch/Update the right data
In my LAMP situation, I always knew which data belongs to which user. And the back end always checks if this is correct.
In my couchDB I want to create database and each document is an user with all the data.
So now here comes the problem. I can validate an user in couchDB, put there's no way to validate the data (at least as far I know of) that it belongs to the right user.
My goal is that the mobile device syncs the document to the couchDB server.
3) Database structure
At first I wanted to create a database per user. But this is not scalable. Also an user is an member of a cooperation. I also need to generate reports per cooperation/user.
So now I was thinking to create a database per cooperation. But now the problem is, when a user login, I need to know wich database to connect to lookup the user data.
Now I want to use 1 database and each document is an user and holds al data (buildings/logs).
Has anybody got some other suggestions/resources on this approach?
You can try couchdb in combination with superlogin:
SuperLogin is a full-featured NodeJS/Express user authentication solution for APIs and Single Page Apps (SPA) using CouchDB or Cloudant.
github
Tutorial
I am storing images of one user(owner) in google cloud storage bucket. I wanted to grant read permission for this image to a group of users(contacts of owner).I am planning to use Access Control List for this purpose; e.g., Owner will have full permission to his bucket and the contacts will have read permission on the images. There are chances that owner will have a very huge number of contacts, say 1 million.
So,
will there be any performance issue, if ACL contains a huge number of users?
Will this be the right approach for access control? Or should I consider signed URL?
Regards,Remya
This approach is not going to work for you. There are some significant limitations and downsides to trying to serve content like this. First and foremost, there is a limit of 100 ACL entries on a given object. You could get around this by granting permission to a group for which every user was a member, but even so, it still means that viewing the images will require that every user be logged in to their Google account in addition to however they authenticate for your site.
The canonical way to accomplish this would be to keep all images private and owned by your site's own account. When a user loads a page, verify however you like that they have appropriate authorization to view the images, and if so, generate signed URLs for the images. This allows you to use any authorization scheme without limitation while serving images directly from GCS.
I am fairly new to Power BI. I have two questions/clarifications:
Question 1:
I was wondering What type authentication is supported by Power BI datasets. I will explain with an example below:
Consider I have a Power BI dataset and some charts (a dashboard) in Power BI. The datasource is Rest WCF service on my premises. The users are my organizational users. The OData service is an HTTPS endpoint. I was wondering if authentication would work in that case? Would I be able to authenticate the user in this case. As my knowledge goes if the call to my rest service has a token in header, I would be able to call my STS and validate the user.
My question is when the dataset is refreshed, the call to my service (which is made from Power BI) does it also include a Token in the call header. I am assuming it would be because the user is already logged on to power BI using his/her organizational credentials. Can someone please confirm.
Question 2:
This question is again about user access/authentication. Consider that my organization has many users which have different level of access to data (some users would see more data/ some less based on user id). I develop some power BI datasets (models) and some dashboards. I as developer have access to all data, so essentially see all data. I then share them to end users.
The question is when any user uses the shared dashboards and refreshes the dataset, will his access (authentication) work and he sees only those data that he should ?
I am confused as to how this would work. Is it that when an user adds a shared dashboard into his profile, would he/she have his own copy of the dashboard/dataset or will it be an shared one. If it is a shared one then I guess the access thing would not work.
Please advise/suggest.
Girija
First question: if your data sources uses basic authentication it should work. You would build your Excel file or Power BI Desktop file to point to your data source, ensure it refreshes and then publish to the Power BI service. If you're looking for OAuth, then that is not something you can do on your side yet.
Second question: depends on how you implement your solution. If you're using the a REST API, the data is retrieved as the user who entered their credentials. So if you share your report built on your data source, then the people you share with see your data. However, if you use something like Analysis Service tabular as the data source, you can implement row level security in Analysis Service tabular, your users would instead login as themselves and see just the data they have permission to.
I'd like to use Amazon SimpleDB to store data for my iPhone app. Different users will own items within the same domain. I'd like for users to be able to delete their own items but not each others', and for this restriction to be enforced server-side.
I am hoping to use anonymous TVM.
What is the best way to do this?
Using IAM User Management you can create a custom policy for each user or group to allow or deny access to delete items in SimpleDB. If each user has their own domain you can restrict access to the domain by using the arn format arn:aws:sdb:<region>:<account_ID>:domain/<domain_name>
I think that you can't use IAM - you seem to say that you have one domain where all user data is stored.
One way to achieve what you want is to use item name prefixes that are user based, e.g. user jimsmith would have all items stored under an item name that beings with 'jimsmith' or some random string, unique to jimsmith (which could be stored somewhere).
Then you are in charge of security, so you would not be able to have the phones directly query AWS - they would need to talk to your intermediary server which would handle security. You have to assume that people could run the app on a jailbroken phone, and decompile, etc.
You can use IAM to restrict a single user to a small portion of an S3 bucket though. You could then index the bucket using a server app of your design. Then the DB could be used for searching purposes with your own code, so that iPhones only deal with S3.
From what I have researched the simpleDB user right policies aren't designed to be used in such a way you are proposing (meaning undisclosed number of users of the app) and the way to handle this might be to use some server application in-the-middle as was suggested here: Mobile app and SimpleDB direct 'Access Policy'