MINIO - remove a policy from a user - minio

I have a user which I have applied a policy for using the following format
mc admin policy set myminio getonly user=newuser
Now, I've added newuser into a group, and I want to manage his policies using the group's policies. So adding the user to a group and applying policy on that group is quite straightforward.
Now that he has the group's policy, I want to remove the getonly policy that was applied to him personally - how can I do that?

It seems like there is no direct way to remove a policy that has been assigned to a user.
The easiest way that I can think of is deleting the current user and creating a new user with the correct policy assigned.
There is another workaround that I have tried.
Assuming I have a user named test, this is what I had done to remove the policy from a user:
mc admin policy set myminio '' user=test

mc policy set none minio/storage
minio is your bucket and storage is the folder.

Related

Laravel - Laravel Spatie - Resource Particular Permission [Alternative - Solution]

I'm working on an app that lets you create groups (let's keep it simple). I'm using Laravel 6 and I already have authentication and authorization.
Now, I want to assign roles of Administration or Member to a user, only to specific groups. Example:
User A is an Admin for group A. (Can assign other user as Admin)
User A is only a member in group B. (Can only see group information)
User A is an Admin for group C. (Can assign other user as Admin)
I've already tried Spatie, but it works for general purposes only.
Is there a way I can tweak this? Any idea or article? I was also reading about Spatie - Policies
Any help provided is well received.
Thanks to #delena-malan for the comment and solution. It was possible for me to achieve this goal.
Ok, what I did was:
Install package of course and set it up
You are able to configure roles and permissions in controller or by seeder (As you want - No conflicts for me at all)
Get instance of Model #1 and #2 (My case User and Group)
Define abilities for User in Group
Check if User has one ability on defined Group
Ready to go
Ex.:
Bouncer::allow($user)->to('assign-admin', $group);
$boolean = $user->can('assign-admin', $group);

How to mark api-created Okta users as being provided by Active Directory

We’re currently running the Okta Active Directory agent in order to import our users into Okta.
I'd like to replace this with a custom built process that imports users into a new internal database, for other user-management-related activities, whilst also adding those users to Okta.
Creating the user in Okta is easy, but I also need to get the user's "provider" set to ACTIVE_DIRECTORY, so that Okta delegates authentication to Active Directory.
The documentation (http://developer.okta.com/docs/api/resources/users.html#provider-object) says that the User's Provider field is read-only.
How can I set it?
While you cannot directly manipulate the credential object you can leverage other features available to achieve the desired result.
Create a group in Okta and configure it as a directory provisioning group. From the designated group select 'Manage Directories' add the desired Directory and follow the wizard to completion.
Add the created users to the group (using the API)
You unfortunately cannot set this property as we do not allow the creation of Active Directory users through the public API at this point.
If the purpose of the new process is simply to enrich the user's profile, can't you achieve this by letting the AD agent sync the users and enrich the profile directly through the API?

Deleting admin account in ObjectGears

After starting ObjectGears the first time I created administrator as the first user. I configured everything with this user and then imported other users.
Now I do not know if I can delete this user. I do not want to lose admin access.
You can delete it. Whether an account is an admin is set in the file web.config in the parameter AdminLogins. So admin can be anybody who has the account included here.
You can also leave this parameter blank and then nobody will be able to change any configuration in the instance, supposing you also delete model owners.

Get Access Rights for another user with FileNet Java API

We have a build system on which we need to fetch documents for other user's builds. We don't have their password but only their login and we will use a service account. Is there a way to get the access rights for another principal with the FileNet API so we won't allow them to fetch something they don't have access to?
For performance's sake, I would rather ask the CE to do the check instead of getting all permissions and checking them all one by one. Plus nested groups and security priority (direct/template/proxy) might slow things down a lot and make the code complex. Something like getAccessAllowed but given a principal or a User? If there is not, what would be the best way to do that?
I saw that get_MemberOfGroups deals with nested group but we still have to check against all the permissions, taking care of the source priority and deny/allow priority, which means re-implement the CE security strategy.
You can create a custom LoginModule to authenticate the user without a password, then you can work with CE as the original user without a service account.
But you need to add these users to the FN objects' ACLs with correct permissions.
If I got what you are saying right, I think the best way to do this is the other way around. You don't look at what access rights are owned by the user and match them with the document; you need to see what that user is asking for and whether he has the right access levels. The best way is to use an Active Directory with user groups and set permissions for them document type wise. But let's say somehow you have set access permissions on the document's side. When the user calls the document, get an instance of it
Document doc = Factory.Document.fetchInstance(os, ID, null);
And get the permission list
AccessPermissionList parmissin = doc.get_Permissions();
And with a loop, get what permission is set for that document
// AccessPermissionList is an untyped List, so cast each entry
for (Object o : parmissin)
{
    AccessPermission owner = (AccessPermission) o;
    if ("your loginuserpermission".equals(owner.get_GranteeName()))
    {
        // you can continue your work
    }
}
and keep a local set of permissions where you validate your user (db/txt), and if they match, use your service account user and show the image and information.

How to set correct roles for login users

I am trying to set roles with parse.com
My aim is to set role to get all the data only for login users.
Can you please provide step by step how it should be done with parse.com?
I tried to play with it and read the tutorial, but I am all the time getting access to data even if I am not logged in.
Thanks for helping!
When you create your data object you should be adding an ACL to it, created with the current user and limiting read and write to that user. This is done before you save the data object. You don't need to use a role. A role would be used where you had a group of users who all needed access, then you would add the users to the role and create the ACL for the role instead of a user.
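How the per-user and per-role ACLs described in this answer decide a read, and how to find objects an unauthenticated caller can still read, as an added example that is not part of the original answer and does not use the Parse SDK. It assumes the JSON shape Parse stores in an object's ACL field ("*" for public, a user's objectId, "role:<name>" for a role); the object ids, user ids and role name are constructed, and class-level permissions and role inheritance are ignored.

```javascript
// Added example: evaluates Parse-style ACL JSON offline (no Parse SDK needed).
// All sample objects, user ids and role names below are constructed.

// Returns true if the caller may read an object carrying the given ACL.
// userId is null for an unauthenticated request; roles lists the caller's role names.
function canRead(acl, userId, roles = []) {
  // An object saved without an ACL is not restricted at the object level.
  if (acl === undefined || acl === null) return true;
  const grants = (key) => Boolean(acl[key] && acl[key].read === true);
  if (grants("*")) return true;                        // public read
  if (userId !== null && grants(userId)) return true;  // per-user grant
  return roles.some((r) => grants("role:" + r));       // per-role grant
}

// Lists the ids of objects that a caller who is not logged in could read.
function publiclyReadable(objects) {
  return objects.filter((o) => canRead(o.ACL, null)).map((o) => o.objectId);
}

// Constructed sample data in the shape of the ACL field.
const sampleObjects = [
  { objectId: "a1" },                                              // no ACL set
  { objectId: "b2", ACL: { "*": { read: true } } },                // public read
  { objectId: "c3", ACL: { u100: { read: true, write: true } } },  // owner only
  { objectId: "d4", ACL: { "role:Members": { read: true } } },     // role only
];

console.log(publiclyReadable(sampleObjects));
```

Objects a1 and b2 are the ones that explain "getting access to data even if I am not logged in": one was saved without an ACL and the other grants public read.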
