I have added the group in the securities tab of the document class and gave all the necessary permissions. However when trying to create a document within the documentClass I get :
FNRCE0001E: E_ACCESS_DENIED: The requester has insufficient access rights to perform the requested operation.
The user I'm using to add a document to the document class, belongs to the group that has been given permission to.
NOTE that this works in 5.2.1 version. It fails to work only in the 5.5 version of filenet. The user does belong to the group to which permission is granted.
Related
I am using below code to create CRM Client
var conn = new CrmServiceClient($#"AuthType=ClientSecret;url={organizationUri};ClientId={clientId};ClientSecret={clientSecret}");
Above code is throwing me "UserNotLicensed :User does not have license to use with access" error
I have also followed this article for creating application user. which is not possible as user needs to be created using power platform.
https://www.ashishvishwakarma.com/Dynamics-365-Single-Tenant-Server-2-Server-Authentication-Azure-Active-Directory-Access-Token/
Mine looks like
Also, as shown in the article I am not able to navigate to "New User" form. It keeps redirecting to Office Admin page. where I am not sure if I have permission to create. Let's say I make Admin do that, will Admin have option to associate User with application ?
creating application user. which is not possible as user needs to be
created using power platform.
what do you mean by this? You first need application user which should be created via Azure AD as app registration as mentioned in article and then you need to go to admin.powerplatfrom.com, select your env and then you see s2s users. Onye you click here it will give you list of all your s2s users (including the one you created). Add this s2s user in your env and assign particular security role (in most cases systemadmin). This should solve your issue
I want to know the bare minimum permissions required to fetch the data from the following Google APIs:
1.https://www.googleapis.com/userinfo/v2/me 2.https://www.googleapis.com/admin/directory/v1/users/{userID} 3.https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/user_accounts 4.https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/login 5.https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/token 6.https://www.googleapis.com/admin/directory/v1/users/{userID}/tokens 7.https://www.googleapis.com/admin/directory/v1/customer/my_customer/orgunits 8.https://www.googleapis.com/admin/directory/v1/users/{userID}/tokens
I created Custom role following this steps https://support.google.com/a/answer/2406043?product_name=UnuFlow&hl=en&visit_id=637898476053235402-4131039370&rd=1&src=supportwidget0&hl=en and given all the permission that Super Admin role has. But still for the 8th API (https://www.googleapis.com/admin/directory/v1/users/{userID}/tokens), when I try to fetch the data its giving error "User does not have credentials to perform this operation". Do I need to provide some extra permissions/configuration to fetch the data? if Yes, what would be that extra permissions/configuration ?
Note: This API work with Super Admin role.
Im working on an app that lets you create groups (lets keep it simple). Im using Laravel 6 and I already have authentication and authorization.
Now, I want to assign roles of Administration or Member to a user, only to specific groups. Example:
User A is an Admin for group A. (Can assign other user as Admin)
User A is only a member in group B. (Can only see group information)
User A is an Admin for group C. (Can assign other user as Admin)
Ive already tried Spatie, but it is working as general porpouses only.
Is there a way I can tweak this, any idea, article. I was also reading about Spatie - Policies
Any help provided is well received.
Thanks to #delena-malan for the comment and solution. It was possible for me to achieve this goal.
Ok, what I did was:
Install package of course and set it up
You are able to configure roles and permissions in controller or by seeder (As you want - No conflicts for me at all)
Get instance of Model #1 and #2 (My case User and Group)
Define abilities for User in Group
Check if User has one ability on defined Group
Ready to go
Ex:.
Bouncer::allow($user)->to('assign-admin', $group);
$boolean = $user->can('assign-admin', $group);
In magento , I can create a sub-admin giving access to limited resources. But if I allow any sub-admin to create new sub-admin role and user then he is allowed to give all the access to the new sub-admin even which are not available to him..
(I mean all the module are available to him in Role Resources Tree Under add New Role, even which are not assigned to him)
For example: If sub admin is not having access to reports,Order he can not allow the reports,Order access to the other user he is creating from his access.
Any suggestions?
If you are giving User & Role access to sub-admin, then he/she can create new user as well as role. Magento doesn't check it's own access level. According to your requirement, you have to override admin Permission module.
Create custom extension to overcome from this issue or try any ready extension for it.
We have a build system on which we need to fetch documents for other user's builds. We don't have their password but only their login and we will use a service account. Is there a way to get the access rights for another principal with the FileNet API so we won't allow them to fetch something they don't have access to?
For performance sake, I would rather ask the CE to do the check instead of getting all permissions and checking them all one by one. Plus nested groups and security priority (direct/template/proxy) might slow things done a lot and make the code complex. Something like getAccessAllowed but given a principal or a User? If there is not, what would be the best way to do that?
I saw that get_MemberOfGroups deals with nested group but we still have to check against all the permissions, taking care of the source priority and deny/allow priority, which means re-implement the CE security strategy.
You can create custom LoginModule to authenticate user without password, then you can work with CE as original user without service account.
But you need to add this users in FN objects ACL's with correct permissions.
If I got what you are saying right, I think the best way to do this is other way around. You don’t look what access right own by user and match with the document, you need to see what that user asking and he have right access levels. Best way is to use an Active directory with user groups and set permission for them document type vie. But let’s say same how you have set access permission on document’s side. When user call the document, get an Instance of it
Document doc = Factory.Document.fetchInstance(os,ID,null);
And get the permission list
AccessPermissionList parmissin = doc.Permissions;
And with loop get what permission is set for that document
foreach (IAccessPermission owner in parmissin)
{
if (owner.GranteeName == "your loginuserpermission" )
{
// you can cont your work
}
}
and keep a local
Set of permission where you validate your user (db/txt) and if they match, use your service account user and show image and information.