With the API of Connections communities we can add a member as described at this URL:
https://www-10.lotus.com/ldd/appdevwiki.nsf/xpAPIViewer.xsp?lookupName=API+Reference#action=openDocument&res_title=Adding_a_member_programmatically&content=apicontent
I am trying to add an owner, not a member, to a community, but he always becomes a member even though I am posting this information for the user:
<entry xmlns="http://www.w3.org/2005/Atom" xmlns:app="http://www.w3.org/2007/app" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:snx="http://www.ibm.com/xmlns/prod/sn">
<contributor>
<email>michel.nico#connelink.fr</email>
<snx:userid xmlns:snx="http://www.ibm.com/xmlns/prod/sn">My user ID</snx:userid>
<snx:userState xmlns:snx="http://www.ibm.com/xmlns/prod/sn">active</snx:userState>
<snx:isExternal xmlns:snx="http://www.ibm.com/xmlns/prod/sn">false</snx:isExternal>
<name>Michel NICO</name>
</contributor>
<snx:role xmlns:snx="http://www.ibm.com/xmlns/prod/sn" component="http://www.ibm.com/xmlns/prod/sn/communities">owner</snx:role>
<category term="business-owner" scheme="http://www.ibm.com/xmlns/prod/sn/type"></category>
<category term="person" scheme="http://www.ibm.com/xmlns/prod/sn/type"> </category>
<snx:orgId xmlns:snx="http://www.ibm.com/xmlns/prod/sn">The ID of our cloud</snx:orgId>
</entry>
It always creates me as a member and not as an owner.
How can we create a user with the owner role in a community?
Support sent me a response:
No need to add so many fields to add a person:
<entry xmlns="http://www.w3.org/2005/Atom">
<contributor>
<email>mailadress</email>
</contributor>
<snx:role xmlns:snx="http://www.ibm.com/xmlns/prod/sn" component="http://www.ibm.com/xmlns/prod/sn/communities">owner</snx:role>
</entry>
is enough to create a person.
But I was trying to add myself as an owner of a community, and that was the problem: when the admin account tries to add himself, he can be a member only. When you try to add someone else, you can add him as an owner.
This limitation was not described in the documentation.
Now it works
It looks good, but I think the term=person item is for activities and not communities, at least that's what the docs show. You might remove that and see what happens. I have a feeling it's overriding the owner role you're trying to set.
I want to create a deep link like some-app://localhost?user=123455 that when clicked opens a Maui WinUI app. When the app receives this deep link I want to be able to get the user ID off of the deep link. I was able to do this in Xamarin, but haven't figured out the Maui equivalent.
I am able to register the app using (taken from this Windows doc):
<Applications>
<Application Id= ... >
<Extensions>
<uap:Extension Category="windows.protocol">
<uap:Protocol Name="alsdk">
<uap:Logo>images\icon.png</uap:Logo>
<uap:DisplayName>SDK Sample URI Scheme</uap:DisplayName>
</uap:Protocol>
</uap:Extension>
</Extensions>
...
</Application>
But when I receive the event via the app lifecycle (https://learn.microsoft.com/en-us/dotnet/maui/fundamentals/app-lifecycle#windows) I am not seeing the parameters of the URI.
I've encountered the same problem and I got it working thanks to this reply on the issue I created.
You can retrieve the launch arguments by using Environment.GetCommandLineArgs(); inside of OnLaunched.
I've looked at the documentation for creating profiles for FHIR, and I've used Forge to create some xml that I believe is valid to describe a profile. I can't find in the documentation where it actually states what request I need to make to the RESTful api to actually add a new profile.
Any ideas?
You can of course just "store" your profiles on a FHIR server by POSTing them to a FHIR endpoint, but you probably mean: can I actively let instances be validated against the StructureDefinition?
There are two ways, both of which require a bit of experimentation to see which public servers support them:
Any FHIR instance may declare it adheres to a StructureDefinition, by adding the canonical url (StructureDefinition.url) to the instance's meta.profile as shown below. Servers may pick this up on a POST and validate the instance against the stated profile:
<Patient>
<id value="44Q3"/>
<meta>
<profile value="http://example.org/StructureDefinition/PatientNL"/>
</meta>
</Patient>
Actively ask a server to validate your instance using the $validate FHIR operation (see http://hl7.org/fhir/resource-operations.html#validate)
I am struggling to get my user permissions/privileges/roles set up correctly to get the behaviour I need.
I am using MarkLogic 8 and Roxy to create and deploy an application.
This application has different users that have content that should be restricted to the individual user. But they also participate in projects in which they need to collaborate together.
I have seen this helpful blog and the discussion on github issue 303 but I am still not able to get it right.
Default roxy app user role:
<role>
<role-name>${app-role}</role-name>
<description>A role for users of the ${app-name} application</description>
<role-names>
</role-names>
<permissions>
<permission>
<capability>execute</capability>
<role-name>${app-role}</role-name>
</permission>
<permission>
<capability>update</capability>
<role-name>${app-role}</role-name>
</permission>
<permission>
<capability>insert</capability>
<role-name>${app-role}</role-name>
</permission>
<permission>
<capability>read</capability>
<role-name>${app-role}</role-name>
</permission>
</permissions>
<collections>
</collections>
<privileges>
<privilege>
<privilege-name>xdmp:value</privilege-name>
</privilege>
<privilege>
<privilege-name>xdmp:add-response-header</privilege-name>
</privilege>
<privilege>
<privilege-name>xdmp:invoke</privilege-name>
</privilege>
<privilege>
<privilege-name>xdmp:with-namespaces</privilege-name>
</privilege>
</privileges>
</role>
My custom role:
<role>
<role-name>sccss-user</role-name>
<description>sccss default role</description>
<role-names>
<!-- TODO test which roles we really need -->
<!--
<role-name>alert-user</role-name>
<role-name>alert-internal</role-name>
<role-name>rest-admin</role-name>
<role-name>rest-writer-internal</role-name>
<role-name>rest-reader</role-name>
<role-name>network-access</role-name>
<role-name>qconsole-user</role-name>
-->
<!-- cluey app role for rest api access TODO replace with dedicated api user and role
<role-name>${app-role}</role-name>
-->
</role-names>
<permissions>
</permissions>
<collections>
</collections>
<privileges>
<!-- HK -->
<!--
<privilege>
<privilege-name>any-uri</privilege-name>
</privilege>
-->
<privilege>
<privilege-name>devices-uri</privilege-name>
</privilege>
<privilege>
<privilege-name>any-collection</privilege-name>
</privilege>
<!-- to make this role have access to the REST API -->
<privilege>
<privilege-name>rest-reader</privilege-name>
</privilege>
<privilege>
<privilege-name>rest-writer</privilege-name>
</privilege>
<!-- TODO test this
<privilege>
<privilege-name>xdmp:value</privilege-name>
</privilege>
<privilege>
<privilege-name>xdmp:add-response-header</privilege-name>
</privilege>
<privilege>
<privilege-name>xdmp:invoke</privilege-name>
</privilege>
<privilege>
<privilege-name>xdmp:with-namespaces</privilege-name>
</privilege>
-->
</privileges>
</role>
I have tested and tried what is described in the blog above but with those settings I get no access to any document, apparently no rest extension access.
If I give my users the {app-role} it gives the problem that users can see other users' private content... because all the users have the 'rest-reader' role...
So I need to restrict the default-app role to not use the rest-reader role and use rest-reader privileges but can't get it to work...
One option I am considering is to use document-insert() permissions for the restricted content but this should be possible with the right roles and privileges if I can set it up correctly, right?
ADDITION
In response to Grtjn's answer: thx 4 your comments, I think I am puzzled by the REST roles. If I look at the default roles in a roxy app on git those look empty but when I set my roxy app type to be a REST app things seem to get more complicated. The main confusion is what roles and privileges do I need for a second (independent) role to be able to use the REST endpoint? What are the xdmp:(value,add-response-header, invokes etc etc) privileges exactly doing and needed for? In my example for a user to be able to access the REST api he/she needs the following roles:
<role-name>${app-role}</role-name>
<!-- we need this to amp internal privileges-->
<role-name>alert-user</role-name>
<role-name>alert-internal</role-name>
<role-name>rest-admin-internal</role-name>
And then we get into the discussion if rest-reader should be a privilege or a role?
So a more concrete question:
What is the minimum role/privilege set I would need to access a REST endpoint created by a roxy rest type application?
I'd recommend taking the following approach here:
Use the app-role for application execution, not for content access to start with. For that reason, remove the default permissions from that role, and just give it the rest-reader/rest-writer privilege, and maybe some privs for running MLCP and such.
Next, make sure that REST extensions, and anything else that is not deployed by Roxy directly, get read and execute document permission. Think of triggers and alerts created with custom code, sql-views or schemas not loaded with deploy schemas, etc. The change_permissions function we use in slush-marklogic-node could serve as example of how to handle this: https://github.com/marklogic/slush-marklogic-node/pull/298/files#diff-a529d1d70bd21866e1d12eda3a99f7b6R96
Once there, create a dedicated role for each portion of content that needs to be granted access to separately. If you need a set of docs to be accessible by one user only, you will need a user specific role. If you also have a set of docs accessible by project members only, you also need a project specific role. If you need to distinguish between read/write too, make two roles for each (two user, two project roles). These roles will have no privs, and should not inherit roles (except write inheriting the corresponding read role perhaps).
Once you have the read/write roles, you can start thinking about how to apply them correctly for document permissions at ingest. With this level of complexity, you might wanna avoid default permissions, and choose document permissions explicitly. xdmp:document-insert, MLCP and /v1/documents all take explicit document permissions, so you should have a reasonable amount of control with those.
ADDITION
Note on Roxy's out of the box ml-config file. It is not properly tuned for REST type applications. That is why the slush-marklogic-node generator patches the ml-config: https://github.com/marklogic/slush-marklogic-node/blob/master/slushfile.js#L346
The bare minimum to have read access to the REST api, is rest-reader priv, and to have update access to the REST api, is rest-writer priv. REST extensions are running from modules database, not from filesystem, so you need module access for that in addition. The change_permissions function mentioned above fixes that for you.
Anyhow, my general advice would be to use app-role for app execution, like mentioned before, and the other roles for data access. Any user that wants to use the app should inherit app-role, as well as some of the other roles to provide the appropriate amount of data access.
HTH!
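The role split recommended in this answer, as an added Python example that is not part of the original posts: it derives explicit document permissions for private and project content, builds the matching /v1/documents PUT URL, and checks who gets access. The role-naming convention, user and project names, function names and the port are constructed for illustration; "app-role" stands in for Roxy's ${app-role}.

```python
from urllib.parse import urlencode

APP_ROLE = "app-role"  # placeholder for ${app-role}: app execution only, no content access

def content_roles(kind, name):
    """Hypothetical naming convention: one read and one write role per user or project."""
    return f"{kind}-{name}-read", f"{kind}-{name}-write"

def doc_permissions(owner, project=None):
    """Explicit permissions for one document: shared with a project, else private to its owner."""
    kind, name = ("project", project) if project else ("user", owner)
    read_role, write_role = content_roles(kind, name)
    return [(read_role, "read"), (write_role, "update")]

def put_url(base, uri, perms):
    """PUT URL for /v1/documents with permissions passed as perm:{role}={capability}."""
    params = [("uri", uri)] + [(f"perm:{role}", cap) for role, cap in perms]
    return f"{base}/v1/documents?{urlencode(params)}"

def user_roles(user, projects=None):
    """Roles held by a user; projects maps project name -> True if the user may write."""
    roles = {APP_ROLE, *content_roles("user", user)}
    for name, can_write in (projects or {}).items():
        read_role, write_role = content_roles("project", name)
        roles.add(read_role)
        if can_write:
            roles.add(write_role)  # writers hold both roles, as if write inherited read
    return roles

def allowed(roles, perms, capability):
    """Access is granted when a held role carries the capability on the document."""
    return any(role in roles and cap == capability for role, cap in perms)

if __name__ == "__main__":
    # Constructed sample: alice writes to project "apollo", bob only reads it.
    alice = user_roles("alice", {"apollo": True})
    bob = user_roles("bob", {"apollo": False})
    private = doc_permissions("alice")
    shared = doc_permissions("alice", project="apollo")
    print(put_url("http://localhost:8040", "/private/alice/note.json", private))
    print("bob reads alice's private doc:", allowed(bob, private, "read"))
    print("bob reads / updates project doc:",
          allowed(bob, shared, "read"), allowed(bob, shared, "update"))
    print("alice updates project doc:", allowed(alice, shared, "update"))
```

Because no document carries a permission for the app role itself, holding only that role gives a user the REST API but none of the content.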
I'm working with Kentico 9's REST capabilities.
I can create a user object by submitting a POST to the following URL pattern:
POST <host>/rest/cms.user/site/<sitename>
But I also need to update a user. According to their documentation, you should be able to do this:
PUT <host>/rest/cms.user/site/<sitename>/<userid>
But I receive a 404 doing this. Any ideas? Is the documentation wrong? I get better results if I change the update to a POST, but it still says it's a forbidden operation.
Use just:
PUT <host>/rest/cms.user/<id>
Or:
use codename or GUID for <id> (not int) in your original request.
See the documentation.
The modules tag in the site's root web.config file needs to be modified like so:
<modules runAllManagedModulesForAllRequests="true">
I want to give everyone who subscribes to a node the ability to both read and write to that node.
Joe created the node "test5" in the code below. When Mark tries to post, I get an error.
I am using XMPPFramework for iphone. I receive the following error IQ. It appears that openfire is telling me that I can't publish an item b/c I don't have access? What is the default access model, open?
Doesn't that mean that anyone can subscribe to the node "test5", and anyone can publish items to it?
The JID of the fake user who originally created node "test5" is "mark#joes-macbook-air.local".
Could the unauthorized message posting be b/c mark is not the owner of node titled "test5"?
What if I want mark to be able to post to this feed as well?
<iq xmlns="jabber:client" type="error" from="pubsub.joes-macbook-air.local" to="joe#joes-macbook-air.local/838f75ba"><pubsub xmlns="http://jabber.org/protocol/pubsub">
<publish node="test5"><item><body>Helpl me</body></item></publish>
</pubsub><error code="403" type="auth">
<forbidden xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"/>
</error>
</iq>
Update: I made the subscriber a "publisher". This is done by altering the publish_model of the node.
This depends on the node configurations in your pubsub service. Particularly the access mode of your node. In XEP-0060, the access models section gives a good explanation on the different access methods. The one you need in your case will be the "Open" which is defined as "Any entity may subscribe to the node (i.e., without the necessity for subscription approval) and any entity may retrieve items from the node (i.e., without being subscribed); this SHOULD be the default access model for generic pubsub services."
I hope this gives a clear answer to your question.
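The update in the question says the fix was the node's publish_model. As an added Python example that is not part of the original posts, the code below models the three publish_model values defined in XEP-0060 and builds the owner's node-configuration request that sets it; the service and node names come from the question, and the function names and IQ id are hypothetical.

```python
import xml.etree.ElementTree as ET

NS_OWNER = "http://jabber.org/protocol/pubsub#owner"
NS_DATA = "jabber:x:data"
NODE_CONFIG = "http://jabber.org/protocol/pubsub#node_config"
PUBLISH_MODELS = ("publishers", "subscribers", "open")  # values defined by XEP-0060

def may_publish(publish_model, affiliation="none", subscribed=False):
    """Publishing is governed by publish_model; access_model only covers subscribe/retrieve."""
    if publish_model not in PUBLISH_MODELS:
        raise ValueError(f"unknown publish_model: {publish_model}")
    if affiliation == "outcast":
        return False
    if affiliation in ("owner", "publisher") or publish_model == "open":
        return True
    return publish_model == "subscribers" and subscribed

def configure_publish_model(service, node, publish_model, iq_id="cfg1"):
    """Build the node owner's configuration IQ that sets pubsub#publish_model."""
    if publish_model not in PUBLISH_MODELS:
        raise ValueError(f"unknown publish_model: {publish_model}")
    iq = ET.Element("iq", {"type": "set", "to": service, "id": iq_id})
    pubsub = ET.SubElement(iq, f"{{{NS_OWNER}}}pubsub")
    configure = ET.SubElement(pubsub, f"{{{NS_OWNER}}}configure", {"node": node})
    form = ET.SubElement(configure, f"{{{NS_DATA}}}x", {"type": "submit"})
    for var, value in (("FORM_TYPE", NODE_CONFIG), ("pubsub#publish_model", publish_model)):
        field = ET.SubElement(form, f"{{{NS_DATA}}}field", {"var": var})
        ET.SubElement(field, f"{{{NS_DATA}}}value").text = value
    return iq

if __name__ == "__main__":
    # With the default "publishers" model a plain subscriber gets the 403 shown above.
    print(may_publish("publishers", subscribed=True))   # False
    print(may_publish("subscribers", subscribed=True))  # True
    iq = configure_publish_model("pubsub.joes-macbook-air.local", "test5", "subscribers")
    print(ET.tostring(iq, encoding="unicode"))
```

Setting publish_model to "subscribers" rather than "open" keeps publishing limited to entities that hold a subscription to the node.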