orientdb matching multiple possible edges - match

I am currently investigating using OrientDB to implement an authorisation system and I'm having some trouble with the edge arrow notation.
The graph has four different vertex types:
User
Group
Role
Resource
And four different edge types:
IN_GROUP
HAS_ROLE
CAN_ACCESS
INHERITS
And the structure is:
User -IN_GROUP-> Group
Group -HAS_ROLE-> Role
Role -CAN_ACCESS-> Resource
Role -INHERITS-> Role
A role may inherit other roles. This means that Role A may inherit Role B which may inherit Role C. I want to produce an Orient query that can say 'For a specific user, give me all of their roles, including any that they inherit'
Currently, to get a role's inherited roles, I'm doing this, but it only retrieves the first level of inherited nodes:
match {class:User, where:(name='Sean')} -IN_GROUP-> {class:Group} -HAS_ROLE-> {} -INHERITS-> {class:Role, as:role} return role.name
What I'm trying to retrieve is the entire chain of nodes that this initial role inherits. Can anyone help me with this, please?

What you need here is a WHILE condition on the INHERITS relationship:
match
{class:User, where:(name='Sean')} -IN_GROUP->
{class:Group} -HAS_ROLE-> {} -INHERITS-> {class:Role, as:role, while:(true)}
return role.name
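As an added example (not from the question or the answer), the same resolution in plain Python over a constructed in-memory graph using the question's vertex and edge classes, so the expected result set of the while-traversal can be checked offline. It goes slightly beyond the query by adding a cycle guard and a depth cap (the bounded equivalent of while:($depth < N)) and by carrying the chain through to CAN_ACCESS, which is what an authorisation check ultimately needs.

```python
from collections import deque

# Constructed sample graph mirroring the question's schema:
# User -IN_GROUP-> Group -HAS_ROLE-> Role -INHERITS-> Role -CAN_ACCESS-> Resource.
# Keyed by (edge class, source vertex) -> set of target vertices.
EDGES = {
    ("IN_GROUP", "user:Sean"): {"group:ops"},
    ("HAS_ROLE", "group:ops"): {"role:A"},
    ("INHERITS", "role:A"): {"role:B"},
    ("INHERITS", "role:B"): {"role:C"},
    ("INHERITS", "role:C"): {"role:A"},   # deliberate cycle: C inherits A again
    ("CAN_ACCESS", "role:C"): {"resource:billing"},
}


def out(edge_class, vertex):
    """Follow one edge class from a vertex, like -EDGE-> in a MATCH pattern."""
    return EDGES.get((edge_class, vertex), set())


def inherited_roles(role, max_depth=10):
    """Transitive closure of INHERITS from `role`, what while:(true) expands to.

    The visited set makes the INHERITS cycle terminate, and max_depth bounds
    runaway chains. max_depth=1 reproduces the question's first-level-only query.
    The starting role itself is not part of the result.
    """
    seen = {role}
    queue = deque((r, 1) for r in out("INHERITS", role))
    while queue:
        current, depth = queue.popleft()
        if current in seen or depth > max_depth:
            continue
        seen.add(current)
        queue.extend((r, depth + 1) for r in out("INHERITS", current))
    return seen - {role}


def effective_roles(user):
    """Every role a user holds through group membership, direct or inherited."""
    roles = set()
    for group in out("IN_GROUP", user):
        for role in out("HAS_ROLE", group):
            roles.add(role)
            roles |= inherited_roles(role)
    return roles


def can_access(user, resource):
    """Authorisation decision: does any effective role have CAN_ACCESS to the resource?"""
    return any(resource in out("CAN_ACCESS", r) for r in effective_roles(user))
```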

Related

Does Hasura have inheritance properties to do it graphically, not in a script, to make a supertype and subtype inherit?

I was trying to make multiple roles in Hasura. For example, assume I have technician and customer roles; then I need to have a users table to fetch with a role attribute. If I use inheritance it works completely, but inheritance is not available in Hasura.
I tried using a script:
create table customer () inherits (users);
but I need to know if there is another way to do it.

Taking the Name of the ROLE the user is in and populating it to a pick-list on the Opportunity

My customer has created roles with the names of the company's business divisions and sub-divisions. He wants to take the role the creating user is in, along with the next level up Role, and populate those into two fields on the opportunity, to then use those two fields (ROLE and SUB-ROLE) as Dashboard filters. Since the role is in the setup section and is also not a field on the user record, I'm assuming some type of Apex Trigger or Flow would be needed to take the role names of the creating user and then insert them?
They are new to Salesforce; they have not tried anything yet.

Use ldap attribute for role-ldap-mapper role name

I'm trying to sync my roles from my LDAP to Keycloak. As I have objects in my Domain that share the name of my needed roles, I can't use the cn as "Role Name LDAP Attribute". Instead I want to create groups with a prefix like keycloak-mygroup and omit said prefix in the Keycloak roles.
If that isn't possible, I'd like to create these groups with a prefix and use another attribute of the group as a role name. The roles I want to sync already exist in my Keycloak instance.
If I try to use an attribute like description I get an error ("Violation of UNIQUE KEY constraint "UK_J3RWUVD56ONTGSUHOGM184WW2-2". A duplicate key cannot be inserted into the dbo.KEYCLOAK_ROLE object. The duplicate key value is (, default)."), and if I use an attribute like distinguishedName (those roles don't exist) everything is created.
How can I use a different attribute than cn for my role names and have it sync?
I was able to solve this problem. The error happens if a group is missing the attribute used for the group name. Every group has to have the used attribute, otherwise the sync will fail for all groups.

Provide direct access to nested resources in WEB API request without specifying parents?

I'm developing a web-api that manages a two level hierarchy objects:
Group -> SubGroup.
Groups are added only by their names, and the name is a unique identifier for the group.
Sub groups are added only by their names, and the group name + sub group name is a unique identifier for the sub group.
The subgroup can "live" only in the context of its parent (the group).
Both the group and subgroup have unique ids in the system (besides the names).
The user should have an option to get a certain subgroup's details, and I'm uncertain if I should give him an endpoint that lets him access it directly.
I researched some threads but didn't get a good answer (1,2,3).
I have two options:
Option 1:
create an endpoint that lets the user access a subgroup only by specifying its name and its parent group name:
/groups/subgroups?groupName="x"&subGroupName="y"
Option 2:
create a "direct" access endpoint that lets the user access the subgroup directly without specifying the parent group name by using its internal id (In the subgroup creation return this id)
for example:
/subgroups?id="52regfd235fdsf325f" (the id of subgroup "y")
What is the best practice for this situation? Is adding a "direct" access endpoint to a nested resource fine, or should it be avoided? What will be the case for a subgroup removal endpoint, for example? Should it be identified by the subgroup id or by its name?
In the general case, when we have H1->H2->H3->...->Hn hierarchies and want to access the last resource in the chain, what would be a good rule of thumb?

Zend Navigation Multiple ACL roles

I am trying to create an ACL where users may have different roles in different departments.
The user is given a role in the form of role::guest or role::user depending on whether they are logged in. This is their userRole. (There is also a role::superuser that has access to all departments.)
I have also added departmental roles to the ACL in the form of department::role (e.g. bookings::user). This is their departmentRole.
The user's departmental roles are stored in the Zend_Auth identity.
The access control part works by extending Zend_Acl and overriding the isAllowed function.
This successfully allows or denies each user.
// Overrides Zend_Acl::isAllowed(). The $role argument is ignored; the roles to
// check are taken from the authenticated identity instead.
public function isAllowed($role = null, $resource = null, $privilege = null)
{
    $identity = Zend_Auth::getInstance()->getIdentity();
    $userRole = $identity->role;                   // e.g. role::guest or role::user
    $departmentRoles = $identity->departmentRoles; // e.g. bookings::user

    // Allow if the global user role is permitted for this resource/privilege.
    if (parent::isAllowed($userRole, $resource, $privilege)) {
        return true;
    }

    // Otherwise allow if any of the departmental roles is permitted.
    foreach ($departmentRoles as $departmentRole) {
        if (parent::isAllowed($departmentRole, $resource, $privilege)) {
            return true;
        }
    }
    return false;
}
The problem I am having is that Zend_Navigation requires an instance of the Acl and a single user role. My view script which builds the navigation menu uses $this->navigation()->accept($page) which only validates against the single user role.
How can I have multiple Acl roles for each user and have Zend_Navigation display menu items that they have access to?
If there is a better / different / correct approach to this please share.
Thanks
EDIT:
The fact that this approach meant overriding a core function in isAllowed() got me thinking this can't be the correct way to do this.
Now, in my ACL model I fetch all users, departments and associations and loop through creating an array for each user made up of their various roles within their relevant departments. I then create one role for each user and inherit the roles in the array previously created.
This is working well up to now and also means I can also add the users as resources and allow the relevant admin and department managers rights to amend their details etc.
It also means that I can pass a single role to Zend_Navigation and the menu structure should be relevant to their department roles.
IMHO having multiple ACL roles for a single user looks like an anti-pattern. Zend_Navigation rules are bound to (multiple) resources for a single role, which makes perfect sense.
What are your constraints that forbid you to allow resources for your (department) roles?
You can always use inheritance for your ACL roles.
If you prefer having multiple roles for a single user, you might need to have separate ACL rules.
Zend_View_Helper_Navigation_HelperAbstract::setDefaultAcl($acl);
Zend_View_Helper_Navigation_HelperAbstract::setDefaultRole($role);