UX: should I hide basic functionality that users can't reach? - user-interface

I'm working on dashboards now, e.g. an employee form. Some users have permission to delete employees and some do not. Usually these permissions change only if a user is assigned to a new type, e.g. from simple user to manager, so quite rarely (because you can't just give permission for deleting only an employee; you get the whole pack of delete permissions in other forms too). What is the best approach here:
Disable the "delete" button for all users who don't have permission and, while hovering over it, show "Only managers can delete employees, request the permission" with a link to request permission.
Don't show the "delete" button at all for users who don't have permission.
I'm confused because View, Edit and Delete are kind of basic functionality, so I'm not sure it's a good idea to disable "delete". For all other specific actions (that only managers can do) I don't show the buttons; the question is only about these "basic" ones.

Related

Dynamics CRM 2016- Limit user accessing Account record before closing the existing opened record

I'm seeking a solution or suggestion, to find out whether this function is able to work in CRM 2016.
"User A" is opening an account record form A; at that moment "User A" tries to open another account record form B while the previous account record form still hasn't been closed.
Here is the requirement from my client.
Account record form B must be unable to open while an existing account record form A is open.
That means the user can only open one Account record form at a time.
I would appreciate it if anyone could leave a comment.
Thanks in advance.
This is not possible, not only in Dynamics CRM but in any web application or website out there. It is technically not possible because the user can always open a different browser, or a browser in private mode, and you will not be able to control that (unless you deploy some malware on all users' computers, but that is clearly not a Dynamics CRM customization thing).
Pawel makes a good point about web apps in general.
Because we have the plugin model and JavaScript in CRM, there is a hypothetical possibility of building something for this - though it pushes the boundaries of abuse of the CRM extension model.
The idea would be something like this:
Create an external table to maintain a list of open Account forms by user.
Register a plugin on the retrieve message of the Account. When the user retrieves an account, populate an entry into the table.
If the user attempts to retrieve another Account, check the table. If they have an open Account form, prevent the retrieve.
Create JavaScript on the Account form to remove the entry in the external table when the user closes the Account form.
If this could even work, it would be a complex, fragile solution that would likely also harm performance.
Unless you want to share the reason why you want only one Account open at a time so we can discuss alternative options, I'd recommend letting this one go.

Laravel: ACL and Roles for Users. Am I thinking this right?

I am about to define permissions for users in my project. I checked the laracasts videos regarding ACL, Roles and Permissions.
I have a doubt. Do I need Roles for normal users?
I mean, in my project a user should be able to create / update / delete his own posts, comment on his own posts and on posts by other users, and delete his own comments and comments left by others on his own posts.
The point is: do I really need to define Roles for this kind of permissions? Shouldn't I just define some policies like can / can't post / update / delete etc. and only define roles for admins?
You don't necessarily need a full featured, powerful Roles/ACL system but if you are storing both admin and basic users in the same table then you do need something to distinguish between them. This could be something as simple as a Role field as a string on your users table e.g. Admin or Basic, or even a boolean is_admin field.
This would give you the ability to implement a Policy or Middleware to prevent basic users from accessing the admin panel, and you can have permission checks to ensure a user can't update other users' posts etc.
If you don't foresee needing anything more complex in future then this would suffice. However, as your app becomes more mature, you might wish to have a more advanced roles system, for example where a user needs to have multiple roles.
You don't necessarily need to define a role for every user...
It's probably a good idea to; however, you can 'hardcode' and make some assumptions about some of the access...
For example:
If you assume that anyone who is logged in can make a post and can edit their own post, you don't need to make a role for users to say "can_make_post"; just have a check saying "if user is logged in, then let them make a post".
Then if you, say, have an admin area, you can go "if user has a role with the 'admin_access' permission, then allow access".
It would be a good idea to have roles for everything, as it allows more customisation; however, you're the one designing it, and if you don't need the customisation, you can probably just make some assumptions like the above.
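The rule set the question describes (anyone logged in may post and comment; only the author or an admin may edit or delete a post; a comment may be deleted by its author, by the owner of the post it sits on, or by an admin; only admins reach the admin area) written out as plain authorization functions over a single is_admin column. This is an added example, not Laravel code and not from either answer; the same decisions would live in Laravel Policy classes and be called through Gate or authorize(). The User, Post and Comment types, the Forbidden error and the sample users are constructed for this example.

```python
"""Post/comment authorization rules with a single is_admin flag.

Added example (not Laravel code and not from the thread). The User, Post
and Comment types, Forbidden, and the sample data below are constructed
for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    id: int
    is_admin: bool = False  # the one "role" column the answer suggests


@dataclass(frozen=True)
class Post:
    id: int
    author_id: int


@dataclass(frozen=True)
class Comment:
    id: int
    post: Post
    author_id: int


class Forbidden(Exception):
    """Raised when a request fails its authorization check."""


def can_create_post(user: Optional[User]) -> bool:
    """Anyone who is logged in may post; an anonymous caller (None) may not."""
    return user is not None


def can_modify_post(user: Optional[User], post: Post) -> bool:
    """Update/delete a post: only its author or an admin."""
    if user is None:
        return False
    return user.is_admin or user.id == post.author_id


def can_comment(user: Optional[User], post: Post) -> bool:
    """Any logged-in user may comment on any post, own or not."""
    return user is not None


def can_delete_comment(user: Optional[User], comment: Comment) -> bool:
    """Own comments, comments left on one's own posts, or admin."""
    if user is None:
        return False
    return (
        user.is_admin
        or user.id == comment.author_id
        or user.id == comment.post.author_id
    )


def can_access_admin(user: Optional[User]) -> bool:
    """The only place the role column is needed: the admin area."""
    return user is not None and user.is_admin


def delete_comment(user: Optional[User], comment: Comment, store: dict) -> None:
    """A request handler: the check runs on the server for every call,
    regardless of whether the UI showed a delete button."""
    if not can_delete_comment(user, comment):
        who = user.id if user else "anonymous"
        raise Forbidden(f"user {who} may not delete comment {comment.id}")
    del store[comment.id]


if __name__ == "__main__":
    alice, bob, admin = User(1), User(2), User(9, is_admin=True)
    post = Post(10, author_id=alice.id)
    comment = Comment(100, post, author_id=bob.id)
    store = {comment.id: comment}
    print(can_delete_comment(alice, comment), can_delete_comment(User(3), comment))
    delete_comment(bob, comment, store)
    print(store)
```

Every check takes the current user and the target object, so the same function serves the UI (to decide whether to render a button) and the request handler (to refuse the request); the handler is the one that matters.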

Joomla 3: Permission to manage users and nothing else

I'm developing a Joomla 3 website, where registered users can belong to several groups of interests (music, theater, technology, and so on).
I would like to give my client permission to edit users by placing them in the groups he desires. For example: user 1 can be in the music and theater groups, user 2 has just registered (no group), and user 3 is in the technology group. Unfortunately the only permission level in Joomla 3 that allows you to edit users is Administrator, but if I give my client this permission, he will be able to edit articles, themes and other features that I do not want him to edit.
How can I create an access level that can manage only the users list?
Thank you and sorry about my English.
Create a new group, assign that group only permission for managing users and whatever else you want and assign your users to that group but not admin.
As a short answer, if you don't want your client to be an administrator, you can assign him to the Manager user group.
Then go into the Users Manager component and click the Options button to go into its configuration page.
There you can override the permission settings for the Users Manager component, so that Manager users will be allowed to access the administration interface of the component.
You will have to change the respective setting from Inherit to Allowed.
Of course if needed, you can create a complete custom ACL, with special usergroups for your users that will have certain accessibility and permissions.
But be careful, because ACL sometimes can be confusing and you might end up with a total mess.

AD group membership not showing change event when user is deleted

I have an application which uses DirSync to monitor changes in AD. When I add/remove users to a group, AD creates an event for it. But when I delete a user from AD, it only creates a changelog entry for the user deletion. I don't get a changelog entry for "user removed from a group".
Is there some setting I can enable to view these kinds of changes too?
When you delete a user, they are not automatically deleted from the group. Their SID is left lingering in the group membership unless you manually remove it. This happens to access controls as well: if you gave permission on a share to that user, you'll see a SID with no user information left on the share after you delete the user.
My organization adopted the policy of disabling users and moving them to a "Terminated Users" OU with a GPO attached that makes their session unusable if someone managed to re-enable the account. This allows us to avoid dangling SIDs and not have to worry about doing a full audit of group membership every time an employee leaves.
If you wish, you could do an audit once a year where you remove all permissions for a user, then delete the user, but I don't really feel it's necessary.

Asp.net Mvc: Ajax delete multiple users

Let us say I have multiple users. They all have items linked to their account. They can CRUD those items.
What is the best way to prevent users from manipulating each other's items?
At first I thought the anti-forgery token would help. But it does not, because when users look at their control panel they get a valid token. So they could just open Firebug and do some POST requests to delete items.
While writing this I think I know what I should do. I guess I should just check on the server if the user is deleting his items.
Did I forget anything which would still make it possible to adjust each other's items?
The only way to be sure is to check on the server that the current user has permission to "do action"
You can use the "Roles" mechanism (this feature ships with ASP.NET) to check whether a user can delete other accounts.
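The server-side check the asker arrived at, applied to the multi-item delete in the title, with the insecure version beside it. This is an added example, not ASP.NET MVC code and not from the thread; sqlite3 stands in for the application's database, and the items table with its four rows is constructed here. The anti-forgery token is deliberately absent from the check: it proves the request came from the application's own page, not that the caller owns the rows named in it.

```python
"""Owner-scoped bulk delete, beside the version that trusts client-sent ids.

Added example (not ASP.NET code and not from the thread). The items table,
its rows and the user ids are constructed for illustration.
"""
import sqlite3
from typing import Iterable, List, Tuple


def make_db() -> sqlite3.Connection:
    """In-memory table: two items each for user 1 (alice) and user 2 (bob)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE items (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, name TEXT)"
    )
    con.executemany(
        "INSERT INTO items VALUES (?, ?, ?)",
        [(1, 1, "alice-a"), (2, 1, "alice-b"), (3, 2, "bob-a"), (4, 2, "bob-b")],
    )
    con.commit()
    return con


def remaining_ids(con: sqlite3.Connection) -> List[int]:
    return [row[0] for row in con.execute("SELECT id FROM items ORDER BY id")]


def delete_items_insecure(con: sqlite3.Connection, ids: Iterable[int]) -> int:
    """The bug the asker describes: any logged-in user can delete any id
    they can guess, because only the id list from the POST body is used."""
    ids = [int(i) for i in ids]
    marks = ",".join("?" * len(ids))
    cur = con.execute(f"DELETE FROM items WHERE id IN ({marks})", ids)
    con.commit()
    return cur.rowcount


def delete_items(
    con: sqlite3.Connection, current_user_id: int, ids: Iterable[int]
) -> Tuple[int, List[int]]:
    """Owner check on the server, all-or-nothing.

    Returns (rows deleted, ids refused). A request naming any row the caller
    does not own, or that does not exist, is refused entirely: a legitimate
    UI never builds such a request, so it is either a bug or a probe. The
    refused list does not distinguish "not yours" from "no such row", so it
    does not reveal which ids exist."""
    ids = sorted({int(i) for i in ids})
    if not ids:
        return 0, []
    marks = ",".join("?" * len(ids))
    owned = {
        row[0]
        for row in con.execute(
            f"SELECT id FROM items WHERE owner_id = ? AND id IN ({marks})",
            [current_user_id, *ids],
        )
    }
    refused = [i for i in ids if i not in owned]
    if refused:
        return 0, refused
    # The owner predicate is repeated in the DELETE itself so the check and
    # the write cannot drift apart, and an ownership change between the two
    # statements cannot widen the delete.
    cur = con.execute(
        f"DELETE FROM items WHERE owner_id = ? AND id IN ({marks})",
        [current_user_id, *ids],
    )
    con.commit()
    return cur.rowcount, []


if __name__ == "__main__":
    con = make_db()
    print(delete_items(con, 2, [1, 3]))  # bob names alice's item 1: (0, [1])
    print(delete_items(con, 1, [1, 2]))  # alice deletes her own: (2, [])
    print(remaining_ids(con))            # [3, 4]
```

The ids are cast to int before being interpolated only as `?` placeholders, so the dynamic IN list is not an injection point. The identity used for `current_user_id` must come from the authenticated session, never from the request body.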
