I am using yii2 basic and have implemented RBAC using permissions, roles.
I have Employee table and I have assigned Employee model to user application component.
Now the scenario is when admin creates employee he has to assign a role to that employee using auth_assignment CRUD.
Unless and until role has been assigned, the employee should not be able to login. Login page should be displayed to him with error message. (Similar to the scenario when incorrect username or password is entered by user.)
How to accomplish this?
Related
I'm currently trying to find the best process for managing admin privileges throughout my PostgreSQL databases. What I am trying to do is assign permissions that are sufficient enough for in an admin role group where I can GRANT a user (another admin) to inherit the permissions of the role group; however, I'm not sure if this can be done or how to do this. The admin role group's privileges should be the following:
Able to add users
Able to view users and permissions in a database
Able to reset a user's password, dropping a user, or resetting a user's name
Able to show grants of a particular user
Able to add specific permissions for a user to a schema and table. (So have permissions to the database and tables)
For auditing purposes, should I even go with this approach of creating a role group or add a user (admin) with no role group? I remember reading that the role group would show as who did any changes rather than the specific user. Would appreciate clarification on this.
Thanks for reading my post.
I created a group in keycloak and i added users to the group. I want to add one user as the group admin of the group by adding ADMIN role to one user and other users should remain with USER role.
One user can belongs to multiple groups. As an example User_A can be in Group_A, Group_B and Group_C. And also User_A is the admin of Group_A and in Group_B and Group_C, he is a normal user.
Is there any way to achieve this requirement in keycloak?
Please let me know is there any solution.
You could have a sub-group admin with default ADMIN role below Group_A , and put User A in that sub-group.
Or why don't you just assign individual ADMIN role to User_A ?
As I understand groups function in keycloak, it is essentially a way of assigning automatic attributes/roles to user (and...to group them). But roles assigned via groups function are exactly the same as individual roles I think.
I have an app secured by keycloak. Going to a secured page brings up a keycloak login page and the correct user/password gives the expected results.
Within the client, I have switched on user registation. So now the login page shows a register link, which displays another keycloak page allowing the user to register with name, username, email.
This "works" in that the user is added to the keycloak user database. But the application displays the error page because a role is not mapped to that user in keycloak.
What I would like to happen is to be able to add the new user to the apps own user database, associate a role with the user, perhaps do some verification of the user.
So I don't really know what keycloak is sending back to the app except that it eventually leads to /error. Is there a way to tell keycloak after a new registration contact this url where things can happen within the app?
I came across similar scenario and the way I solved it was by enabling a default role to the newly added user.
This role can be changed later on but with a default role in place, your flow will complete.
There are 2 ways to assign a default role in keycloak. With both these configs, whenever a new user is registered even from external service providers, they will be assigned this default role:
Assign a default role directly to user:
Assign a default group to user & map a role to that default group
Please note that Default Group & Role names in above are my own and they are not predefined in keycloak.
After logging in to Keycloak admin console --> roles -> go to 'Default Roles' tab and add the role from available section to default realm roles section and save...Now when a user is registered, it will have the role assigned .
Let's assume I have several types of users in one application in fusionauth. One of them with role A can register/login by fusionauth standard login mechanism. Another one with role 'B' can login via facebook.
The user with role B receives the role A. Now he has both roles.
Is it possible to somehow allow him login both ways ? Is it possible to add a registration to this user so he can set a password a login the standard way ?
If I understand your use case correctly, this is definitely possible in FusionAuth. Here's a diagram that illustrates the relationships in FusionAuth:
User <--- UserRegistration ---> Application <--- ApplicationRole
| ^
\--------------------------------------/
Let's say your user is joe#example.com. Joe can login through Facebook initially and FusionAuth can be configured to create a User object for him. This is called "Create Registration" and is part of Identity Provider configuration.
Later, if Joe clicks the "Forgot Password" link, FusionAuth will send him an email and he can then set a new password.
This means that at anytime, Joe can now login using Facebook or using his email address and password.
In addition, Joe can have multiple UserRegistration objects. Let's say that you have two Applications, one called A and one called B. When Joe logged in using Facebook the first time, if he was signing into Application A, FusionAuth would have created a UserRegistration object for him for Application A and this UserRegistration would be granted all of the default ApplicationRoles for Application A.
Later, if Joe did the "Forgot Password" workflow and then logged into Application B, FusionAuth can be configured to create a UserRegistration object for Joe in Application B and this would have also granted Joe all of the default roles for Application B. This configuration is under the Application on the Registration tab. If you enable registrations for an Application then FusionAuth will create UserRegistration objects for Users that exist but don't have a UserRegistration for the Application they are logging into.
Lastly, you can grant Joe any additional roles for any Application using the /api/user/registration API (https://fusionauth.io/docs/v1/tech/apis/registrations).
Im familiar with the OOTB registration page that comes with Keycloak, that is described on https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/users/user-registration.html.
Is it possible to have more than one registration page, each with their own associated role?
For example, /registration/artist.html registers a user with an "artist" role and /registration/user.html registers a user with the "user" role.