I am retrieving data over an API and displaying it in my web application as shown:
The obvious problem being that I need Last Edited By to show the users name, rather than their GUID.
I use Identity Server 4, so UserProfile details are all held in a separate (OAuth) database.
The flow for returning data to the web app is as follows, and I'd like to know how I could return First and Last name from the OAuth database, instead of user IDs (guids)
My query in the repository at the moment is simply:
public IEnumerable<Survey> GetSurveys()
{
var surveys = _context.Surveys
.Include(s => s.SurveyStatus)
.ToList();
return surveys;
}
The issue is that you are missing the information in your (business) database. First and last name are actually both identity information as business information. This means that first and last name should be part of both the identity model and business model.
To solve this: add a user table (containing userId, first and last name) and update the table with information when a user logs in.
Since you are logging activity of a logged in user, you always have the information you need. So there is no need to query the user table in the Identity Model. For a first setup you may want to create the new table using information from the identity database.
Though information is stored multiple times, it is not redundant. In fact, you would do the same thing when storing information about external logins.
Most of the time when you have an external identity provider, you'll keep certain claims on authenticated users as part of a local profile.
For logging / auditing, you would use their identity key from the external identity provider as well a foreign key to the user's record in your profile table. I would keep this so that you have access to the correct record in profiles even when they are not logged in (and the record will remain updated for as long as the user continues coming back).
When a user logs in, you can check their claims against your profiles table and update it. Then when you look at the audit info or logs, the db query would be getting the updated profile information.
Related
I am using FromCache() method whenever I need to retrieve data from the SQL database. There will be a lot of unique queries executed in a single method since it is getting data based on userID. The data associated with the userID will be updated through a separate process which will also trigger an event in the method that controls retrieving. When the data for a specific user is updated, I want to expire the cache for that user so that the next query on that userID will get the most recent data.
I see that EF plus has the option to ExpireTag. Would it be feasible to create a single tag for each userID and then use that to expire the cache?
Would it be feasible to create a single tag for each userID and then use that to expire the cache?
Yes, tag can be used similarly as if you use a cache key.
The best is probably using 2 tags:
Users
[UniqueUserId]
The Users tag will expire all cache related to "users"
The [UniqueUserId] tag will expire all caches related to this specific users
Is it possible to store multiple credentials for a given user in Keycloak?
They don't need to be all active/enabled at the same time. The use case for us is rather that we want to store new credentials in advance but don't want to have them active yet. They should be activated/enabled at a later time after some manual user verification.
The Keycloak REST API documentation states that UserRepresentation indeed comprises an array of CredentialRepresentation but in my few tests the GET call wouldn't even return a credentials attribute.
I would say that's impossible to have more credentials for a user.
But you can always implement your own user storage SPI that implements interface CredentialInputValidator, where you can check for the valid password.
Let's say in your DB, you have 2 colums for passwords: pas_col1 and pas_col2, and 1 more column as flag, which tells what column is used for user authentication, so in isValid(RealmModel realm, UserModel user, CredentialInput input) method you can check for your conditions.
Link to SPI: https://www.keycloak.org/docs/3.4/server_development/index.html#_user-storage-spi
I have a mongodb collection of registered users with index on the userID field. Every time an user tries to register, a lookup is done on the existing user IDs to check if the user ID chosen by the registering user is available or not. I was just wondering what happens when two users enter the same userID for registration at the same time and the lookup is done at the same time. Would both of them end up having the same userID? Does mongodb handle such a scenario on its own? One of the purposes of the unique userID would be to give each user an URL based on the userID.
I'll be using the PyMongo module.
Preventing duplicate usernames is an example of Concurrency Control, a broad area which has many issues and many ways in which databases and apps can be designed to avoid problems.
In the case of a collection of users where you are concerned to avoid duplicate userIDs, I would suggest the following design pattern:
Create a unique index on the userID field
In your app, make it check the response when creating a user; if it gets a Duplicate Key Error, then it knows that the userID has been taken, and it must ask the user to choose a different userID
Other approaches are also possible; for example you could have the database assign the userIDs, which would be a different way to guarantee uniqueness.
One transaction will occur first the UserID should be a primary key in this entity, and this will prevent the same userID from being re-used.
I'm developing an API with Sails, and now I need to securize some variables from an entity. Those variable will be accesed only from Admin or own user.
I have an structure like this:
Employee (contains your employee records)
fullName
hourlyWage
phoneNumber
accountBank
Location (contains a record for each location you operate)
streetAddress
city
state
zipcode
...
I need to encrypt phonenumber and accountbank, to avoid anyone to see the values of this fields in the DataBase. Only the owner or the admin.
How I can do that? Thanks
You are looking for a way to encrypt data so that people with no required access right could not see it.
The solution for that is not Sails.js specific and Node actually comes with tools to encrypt data :https://nodejs.org/api/crypto.html.
The key rule here is to always keep your secret password safe.
As for integration in your Sails.js application, I would use callbacks in Models. The official documentation provides a good example here : http://sailsjs.org/documentation/concepts/models-and-orm/lifecycle-callbacks
Basically you just define a function that will be called each time the record is about to be created, fetched or updated. You can then apply your encrypt/decrypt functions there.
This will encrypt/decrypt your phone numbers and bank account numbers automatically.
Regarding access control, you can use Sails' policies along with authentication to determine if the client has the right to access the resource. If not you can always remove attributes from the response sent back to the client.
We are developing an Access application with a SQL Server backend. We have a table that has records that belong to division A, B or C. The users also belong to role A, B or C. We want each user to see only their corresponding division records, as well as only certain columns.
I've thought of two ways, one making different queries for each role and then, based on the user's role, change the source object of the form. However I don't know if it is possible to retrieve it from SQL SERVER with VBA (all VBA documentation I've found so far is quite lacking).
The other solution I thought was to implement this on the server, however I don't know how a T-SQL query or view could fetch only the information needed based on the user's role
Any ideas?
PS: I can't use functions or stored procedures. For some reason the SQL Server we have been provided has them disabled and IT Ops won't enable them (Don't know the logic behind that).
Okay, it's been a while since I posted this but I'll post the solution I came up with in the end. VBA is not quite necessary in this case. It can be done perfectly with views.
To retrieve the users roles, (inner) join the table database_role_members twice with the database_principals one. Join by Id (from database_principals) on both fields. With this, you get a list of all roles and their corresponding users. To get the roles of the user querying the database simply add a where clause that checks that the user name corresponds with the function USER_NAME.
Then, don't give permission to those roles to access the table we want to restrict access to. Instead, make a view that fetches info from that table and add a where clause that looks up the value from a column against the query that retrieves the user roles.
With this you can make a link in access to the view and will allow you to see only the records that correspond to the user roles.
While this approach is easy, it doesn't allow for more complicated row level security. For a more powerful approach it might be useful to check the following link.
https://msdn.microsoft.com/en-us/library/dn765131.aspx
You could create the same tables with different schemas and assign user rights to different schemas. For example, instead of using dbo.Users you could have Accounting.Users and Warehouse.Users. Assign users in an accounting group to the Accouting schema. Or as suggested above those could be views within a schema that select data from underlying tables.