Custom Workflow Development - workflow

We are trying to develop a web interface in Plone to manage a corporate identity management solution by interfacing OpenIDM with Plone. Please refer to the block diagram of the entire setup attached here. (Here plone-interface.mydomain.in is a user interface for calling the REST APIs of OpenIDM to manage the roles in OpenIDM.)
There is an LDAP directory service of around 4000 users with different Organisational Units (OUs); the roles are created and assigned by OpenIDM.
We are developing a Plone web interface for all the users to log in and manage their roles, such as delegation of their roles to peers when they are going on leave/vacation. So we are planning to implement a customized workflow in this Plone application so that a Team Member (TM), as in the diagram, can initiate a role change request to his Team Lead (TL) for review and forwarding to his Project Manager (PM), who can approve, reject, or forward it to the Delivery Manager (DM) for further forwarding to other project groups, if the particular member belongs to multiple project groups, for further approvals from the horizontal project heads/authority.
We are developing a module in Plone for users to apply for leave and request/delegate their role change to another user through a workflow-based approval process.
Query:
1) How can we implement a workflow such that, if a user (e.g. role Team Member) submits a leave application requesting a role change, it goes only to the immediate hierarchy (e.g. Team Lead) within the same group, so that no user with the role Team Lead/Project Manager/Delivery Manager in another group is able to view the request of a Team Member in a different group?
Note: The workflow in general is going to have only four roles (Team Member, Team Lead, Project Manager, Delivery Manager) in each group.
Please shed some light and give your valuable suggestions on how to achieve such a custom workflow as described in Query 1.
Thank You
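A stand-alone model of the group-scoped approval chain the post asks about, as an added example that is not Plone, OpenIDM or the poster's code. In Plone the states and transitions would be declared in a DCWorkflow definition and the visibility rule enforced through its guards and per-group local roles; here the same rule is plain Python so it can be run and tested. The state names, the "forward" action and the user ids are constructed for the example.

```python
# Added example (not Plone, OpenIDM or the poster's code): a stand-alone model of the
# group-scoped approval chain described in the post. State names, the "forward" action
# and the user ids are hypothetical.
from dataclasses import dataclass, field

# The four roles that exist in every group, lowest first (from the post).
CHAIN = ("Team Member", "Team Lead", "Project Manager", "Delivery Manager")


@dataclass(frozen=True)
class User:
    uid: str
    role: str
    group: str      # project group; a request must never become visible outside it


@dataclass
class RoleChangeRequest:
    requester: User
    state: str = "pending_tl"                    # hypothetical state names
    history: list = field(default_factory=list)  # (uid, action) of everyone who acted


# Whose turn it is in each pending state.
STATE_ACTOR = {
    "pending_tl": "Team Lead",
    "pending_pm": "Project Manager",
    "pending_dm": "Delivery Manager",
}

# (state, action) -> next state. The TL only reviews and forwards; the PM decides or
# escalates to the DM, who then decides (the cross-group step in the post is not modelled).
TRANSITIONS = {
    ("pending_tl", "forward"): "pending_pm",
    ("pending_pm", "approve"): "approved",
    ("pending_pm", "reject"): "rejected",
    ("pending_pm", "forward"): "pending_dm",
    ("pending_dm", "approve"): "approved",
    ("pending_dm", "reject"): "rejected",
}


def submit(requester: User) -> RoleChangeRequest:
    """Only a Team Member initiates; the request is born scoped to the requester's group."""
    if requester.role != CHAIN[0]:
        raise PermissionError(f"{requester.uid} ({requester.role}) cannot initiate a request")
    return RoleChangeRequest(requester)


def can_view(req: RoleChangeRequest, user: User) -> bool:
    """Visibility guard: the requester, anyone who already acted, and otherwise only the
    role whose turn it is *in the same group*. A Team Lead of another group never matches."""
    if user.uid == req.requester.uid or any(uid == user.uid for uid, _ in req.history):
        return True
    actor = STATE_ACTOR.get(req.state)
    return actor is not None and user.role == actor and user.group == req.requester.group


def can_act(req: RoleChangeRequest, user: User) -> bool:
    """Acting is stricter than viewing: same group, the role whose turn it is, not the requester."""
    actor = STATE_ACTOR.get(req.state)
    return (actor is not None and user.role == actor
            and user.group == req.requester.group and user.uid != req.requester.uid)


def act(req: RoleChangeRequest, user: User, action: str) -> str:
    """Apply a transition on behalf of `user`; returns the new state."""
    if not can_act(req, user):
        raise PermissionError(f"{user.uid} may not act on this request in state {req.state}")
    nxt = TRANSITIONS.get((req.state, action))
    if nxt is None:
        raise ValueError(f"action {action!r} is not allowed in state {req.state}")
    req.history.append((user.uid, action))
    req.state = nxt
    return nxt


if __name__ == "__main__":
    tm = User("tm1", "Team Member", "G1")
    tl = User("tl1", "Team Lead", "G1")
    other_tl = User("tl9", "Team Lead", "G2")
    pm = User("pm1", "Project Manager", "G1")
    req = submit(tm)
    print(can_view(req, tl), can_view(req, other_tl))   # same-group TL sees it, other group's TL does not
    print(act(req, tl, "forward"), act(req, pm, "approve"))
```

The point to carry over into Plone is that a global "Team Lead" role cannot express "Team Lead of this group": the group must be part of the check, either as a workflow guard that compares the actor's group with the requester's, or by granting the reviewer role as a local role on a per-group container so that the workflow's state permissions only ever resolve within that group.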

Related

Keycloak: Optimal Approach for Managing User Hierarchies and Child Groups (Teams)

I scrolled through the documentation of Keycloak and also set it up on my machine to explore.
I also explored fine-grained permissions; however, I didn't get much detail in the documentation around n-level nested hierarchies.
Here, https://www.keycloak.org/docs/latest/server_admin/ talks about limiting an admin user to particular client management; however, I want certain users within the client to be able to create accounts, but with scopes and attributes limited to what's assigned to themselves.
For example:
For a client (ERP > Transactions) we want to create an Org (our customer) Admin, who in return will create teams and team admins. Team admins shall be able to invite their teammates there.
Now I just want to know if Keycloak alone can be used to make sure a user in one Org shouldn't be able to create a user in some other Org, and, in the same way, that a team admin shouldn't be able to onboard/invite a user into some other team.
Because if Keycloak in principle can't handle this, our team will start writing custom logic in our application code base for this.

GitHub - best practice for authentication when automating organization account workflow

I am tasked with helping automate a few tasks related to management of our organization account on GitHub. For example, adding and removing users from the org, creating new repos, adding external collaborators, etc. The requests for these actions will come from a system where a user fills in a form, and this system will curl the GitHub API after the request is reviewed and approved.
By reading the GitHub API documentation I can set up the curls for this, but I am unsure about authentication best practices. My first idea would be to create a user account specific to this use case, make it an admin of the org, and create an OAuth token with the scopes needed to be allowed to make these requests. However, it feels a bit too hacky to create an individual account for something that is not an individual, and then make it admin of the whole organization.
Is there a better way to approach this?

Keycloak - how to implement delegated administration

I need to implement a user hierarchy using Keycloak, and I was wondering if someone has done it before or perhaps can give me some pointers on different ways.
In our scenario we have:
a single application to protect with OpenID Connect
1 single super-admin (realm admin)
many team admins (created by the super admin) who can only administer users who belong to the same team as themselves
ordinary users who belong to a given team and are created by the team admin
Is there a way to achieve this using Keycloak's authorization?
Shall I build a custom REST endpoint in Keycloak to implement this?
Shall I create groups/teams perhaps?
I am not sure what is the easiest route. I would like to implement the easiest solution.
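Both Keycloak questions above (the Org > team > member hierarchy, and the super-admin > team admin > user one) reduce to the same check: an administrator may only create, invite or delegate inside the subtree of the group tree they were given. This added example, not Keycloak's code or either poster's, shows that containment check as application-side logic, which is the fallback both posts consider; it mirrors what Keycloak's fine-grained admin permissions on a group (view-members, manage-members, manage-membership) express declaratively. Group paths follow Keycloak's "/parent/child" convention; the usernames, group names and the `admin_of` attribute are constructed for the example.

```python
# Added example (not Keycloak's code or the posters'): delegated administration bounded
# to a subtree of a Keycloak-style group tree. Names and the `admin_of` attribute are
# hypothetical; in Keycloak the scope would come from fine-grained admin permissions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    username: str
    groups: tuple = ()     # group memberships, as Keycloak-style paths
    admin_of: tuple = ()   # paths this user may administer; "/" means the whole realm


def _segments(path: str) -> list:
    if not path.startswith("/"):
        raise ValueError(f"group path must be absolute: {path!r}")
    return [s for s in path.split("/") if s]


def is_within(target: str, scope: str) -> bool:
    """True if `target` is `scope` itself or lies below it in the tree.
    Compared segment by segment, so "/acme/teams/alpha" does NOT cover
    "/acme/teams/alpha-beta" (a plain startswith() check would)."""
    t, s = _segments(target), _segments(scope)
    return t[: len(s)] == s


def can_manage(admin: Principal, target_group: str) -> bool:
    """Any of the admin's scopes containing the target is enough; parents never are."""
    return any(is_within(target_group, scope) for scope in admin.admin_of)


def create_subgroup(admin: Principal, parent: str, name: str) -> str:
    """An org admin creating a team: allowed only under a group the admin administers."""
    if not name or "/" in name:
        raise ValueError("group name must be a single non-empty path segment")
    if not can_manage(admin, parent):
        raise PermissionError(f"{admin.username} may not create groups under {parent}")
    return f"{parent.rstrip('/')}/{name}"


def invite(admin: Principal, username: str, target_group: str) -> Principal:
    """A team admin inviting a teammate: the new account lands only in a group the admin administers."""
    if not can_manage(admin, target_group):
        raise PermissionError(f"{admin.username} may not add members to {target_group}")
    return Principal(username, groups=(target_group,))


def grant_team_admin(admin: Principal, user: Principal, team: str) -> Principal:
    """Delegation is bounded too: admin rights can only be handed out over groups inside
    the granting admin's own scope, and only to someone who is a member of that group."""
    if not can_manage(admin, team) or team not in user.groups:
        raise PermissionError(f"{admin.username} may not make {user.username} admin of {team}")
    return Principal(user.username, user.groups, user.admin_of + (team,))


if __name__ == "__main__":
    realm_admin = Principal("root", admin_of=("/",))
    org_admin = Principal("acme-admin", groups=("/acme",), admin_of=("/acme",))
    team = create_subgroup(org_admin, "/acme/teams", "alpha")
    alice = grant_team_admin(org_admin, invite(org_admin, "alice", team), team)
    print(can_manage(alice, team), can_manage(alice, "/acme/teams/beta"))  # True False
    print(can_manage(realm_admin, "/anything/at/all"))                      # True
```

Whichever side enforces it, the rule has to be evaluated against the target group of every write (create user, add member, grant role), not just against the admin's own identity; the sibling-name case in `is_within` is the one that slips through a naive prefix comparison.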

How to enable the backend Customer Module for several users?

I'm working with Shopware.
I've added a new attribute "proxy" to the s_core_auth table for each user in order to indicate the ability to access the Customer Module in the backend, so that if a user is not selected as "proxy" he/she won't be able to make changes in that module.
I need help to understand what I need to write in my plugin's code (maybe having only a Subscriber file).
I'll be very grateful!
Adding a custom column to the s_core_auth table is not a good idea. What you're trying to achieve can be done with user groups and group rights. From the Shopware Documentation:
With User administration you are able to create new users in the backend and control access rights to areas, modules and plugins in accordance with certain group policies that you define per ACL (Access Control List). Within the ACL you have the possibility to control precisely which user is able to perform which activity. Thus, it is possible to assign certain reader rights to an administration group without granting them authorization to edit or delete.
You can find instructions for User administration inside the Documentation.

Allowing access to an MVC site using Windows Authentication Via groups via username

I have an MVC2 site that now allows access via Windows authentication and uses the ASP.NET Role provider to provide authorization. I am trying to come up with a way for the site to allow a user access if his username is a member of certain groups, so I won't have to sign up users in SQL, but just sign up a group with access. Anybody have any idea how to do this? Is there a quick and dirty way? So far in my internet perusals I haven't found a quick and dirty way to do this. Any help would be great.
Thanks
Looking up Role/Group information for a User
ASP.NET provides a useful “Role Management” capability, which allows developers to map users into logical “Roles” that can then be used to better control end-user capabilities and authorization access. For example, as a developer I could create a role called “managers” for my web application, and then limit access to portions of the site to only those users within the “managers” role (note: I will be posting additional recipes in the future that discuss how to fully use the Role Management authorization and capabilities features more).
When using Windows Authentication, ASP.NET allows developers to create and populate roles from multiple sources. For example, a developer could set up the built-in ASP.NET 2.0 SqlRoleProvider to map Windows users to custom application roles that are stored within a database. This approach is very useful for scenarios where there might be application-specific role mappings that don’t make sense to push into a centralized Active Directory tree/store.
ASP.NET also makes it easy to access central Windows and Active Directory group mappings from within an application as well. For example, if there is a Windows group on the Active Directory network called “DOMAIN\managers”, an ASP.NET application could lookup whether the current Windows authenticated user visiting the ASP.NET site belongs to this group by writing code like this:
If User.IsInRole("DOMAIN\managers") Then
Label1.Text = User.Identity.Name & " is a manager"
Else
Label1.Text = User.Identity.Name & " is not a manager"
End If
Note that the role/group look-up is done via the “User.IsInRole(rolename)” method that is a peer of the User.Identity.Name property.
Source: http://weblogs.asp.net/scottgu/archive/2006/07/12/Recipe_3A00_-Enabling-Windows-Authentication-within-an-Intranet-ASP.NET-Web-application.aspx
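The "sign up a group, not users" setup the question asks for needs no SQL at all: point the role manager at the built-in Windows token role provider, and `User.IsInRole("DOMAIN\managers")` from the quoted recipe is answered from the user's Active Directory group membership. The web.config fragment below is an added example, not from the post or the quoted recipe; the group names are placeholders.

```xml
<!-- Added example (not from the post or the quoted recipe). Windows authentication plus the
     WindowsTokenRoleProvider, which is registered in machine.config under the name
     AspNetWindowsTokenRoleProvider and reads roles from the authenticated Windows token.
     Group names are placeholders. IIS must have Windows authentication enabled and
     anonymous authentication disabled for this site, or User.Identity will be empty. -->
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />
    <!-- URL authorization: role names are "DOMAIN\group"; deny everyone else last. -->
    <authorization>
      <allow roles="DOMAIN\managers, DOMAIN\site-users" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

One caveat for MVC specifically: the `<authorization>` element is matched against request URLs, and MVC routes are not files, so it should not be relied on as the only gate. Put `[Authorize(Roles = @"DOMAIN\managers")]` on the controllers or actions that need protection (or a global filter that applies it everywhere); with the provider above that attribute consults the same Windows group membership.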