When I try to edit a record within Archer GRC, it says another user has it open, but the user has told me they no longer have the record open in their session. What do I do?
Have the other user log out of Archer. This is happening because the user still has an open session with Archer GRC. Alternatively an administrator can force the user off the system via the access control, but the former is recommended in case the other user is in the middle of doing some work so that they can finish.
User doesn't have to log out from Archer. User need to open same record, click Edit and click View.
This will release the edit lock you have on the record.
If user is no longer available, but his session is active, he can be logged off by the System Administrator (or any other user with user management role).
1.Go to Administartion>Access control>Manage Users
2.Filter for the user responsible for the record lock
3.Under Actions, you can see him/her as Logged In. Just click on the Logged In which expires his/her session.
4.Now you can access the locked record.
Related
I'm making a Flutter application where the user has to register and log in with email and password.
Is there a way to ask the registered user to enter his password every time he wants to log in ?
The output would be like this :
Welcome back UserName#email.com
please type your password to enter the app
I've searched the subject in the FirebaseAuth documentation, but couldn't find any relative information.
You can explicitly sign any current user out when loading the page. See the bottom of the documentation page on email+password authentication for an example.
Realistically and practically speaking, you would use some type of local storage to signal to your app that the user is signed in, or out. If you use page load events only to signout the user, they will be signed out when opening a new tab which would probably be annoying.
You could use an unload event to prompt the user "You will be signed out of this application when you leave this page"
Doing all of that, the onload event could look for that auth state variable in local storage.
We're using keycloak (KC) with custom providers for the registration flow. At the end of the registration flow, before the confirmation email is sent to the user (as a default KC functionality), we disable the user as it fits our use case.
When user clicks on the email confirmation, mail is confirmed and user is automatically logged in, despite the fact he/she is disabled at that point. Logins after that work as expected (if user is disabled, login is forbidden, else it succeeds).
Upon reviewing Keycloak source, it seems as if session id is sent in the confirmation mail and if session already exists in KC, it is automatically reused and user proceeds as if logged in. If session doesn't exist, "email confirmed" page is shown and user is not logged in (as expected).
To confirm my theory of KC not checking user status (enabled/disabled) in the middle of an existing session, I've disabled a user that's currently been active in the application. User was not logged out or anything of the like.
My conclusion is that when user complets the registration, session exists and that session is then automatically "hijacked" upon clicking on the confirmation link. Nowhere in the middle of that, does KC check if user is actually enabled or not. Same as if you disable user while he/she is logged in and is browsing the protected application.
Does anyone have any workaround of the issue? My next step is somehow to programatically invalidate session at the end of the registration, so user won't have any when clicking on the confirmation mail. I am not sure how to track this bug on KC jira either, since they don't seem to have any public bug tracker. Regardless, this is not the point of this question - my question is if anyone else already had this problem and if yes, how was it solved?
I have solved a similar issue writing a custom Required Action. The required action is triggered after email validation, so you can check if user is enabled or not (Secret question required action example).
In my case if user validation is not ok, I redirect to error page:
Response challenge =
context.form().setError(MessagesIDs.NOT_VALIDATED_ID).createErrorPage(Status.UNAUTHORIZED);
context.challenge(challenge);
return;
User Administrator takes his password from "JIRA Internal Directory" (which means from database, as I understand). I know this password, but in some reasons I want to reset it. But in Administrator's profile there is no link "Set password".
All I found on the Internet - how to send password by e-mail (not to change it!) and view/change it's hash right in database by SQL query.
Is there any method that I overlooked?
Yes, go to Admin, System, General Config and change External User Management to off. Then put the internal directory at the top in the list of User Directories. Go to the admin's profile and click on Change Password. Then undo the previous steps
i have quiz open for guests ,given permissions to view , preview an attempt the quiz but still guest use can't able to run the test .then why the permissions are mentioned for the guest at quiz level.
No. The quiz module explicitly checks to make sure the user is logged in.
If you have rights, you can override the permission for the guest role to allow attempts.
Turn on editing,
edit the quiz,
click on the override tab,
choose the guest role
find the properties specifically to override which is probably "Allow".
Save your changes
Login as guest and check the quiz
When you want reports, etc from "guest" users, then the simple solution:
Make a 'test' user (student role) with 'test' password.
Then make a login-block on the FrontPage, with filled out inputs (username:test, password:test) and a little instruction for guest-users to login with this account.
I need to be able to delete a user account from a database on a server when a user deletes our iPhone application. What is the best way to capture the delete process. When the user holds down a finger on the application and the big "X" appears. The user presses it and the user is prompted to confirm the deletion of the application. I want to be able to capture the process and clean up the server database of users before the application is actually deleted.
What method is called when you delete an application? Any thoughts?
Apple does not let you do such a thing. It cannot be done.
I suggest you mark an account for inactivity instead, or use some other solution.