I just started using okta and I'm a bit lost: I just discovered that in okta you can create groups, and that is very handy since in the application I'm trying to develop I have two types of users, so I would want to create a group for each. However, I didn't understand the okta documentation concerning group creation and group rules. so basically what I would like to do is create two groups and add a rule that would say for instance: if user has this attribute than add him to group 1 but I don't really know how to do that
any help would be really appreciated!
Related
Cannot find anywhere on Google Identity Platform docs that clearly describe whether it's possible to assign a single user to multiple tenants. see https://cloud.google.com/identity-platform/docs/multi-tenancy-managing-tenants
My project needs the capability to have a single user be able to login to multiple, separate tenants. Currently, I have to create a new user on every tenant I want to be able to login to. This is not good because each new user I create has a different uid and separate password management. For a single user, I want to be able to maintain the same uid across tenants so the associated user data can be consistent as well.
I was thinking there would be some way to create a user at the project level (not tenant level) and then assign that user to specific tenants?
Some random thoughts: The docs say some things about migrating users between tenants, perhaps that is one way. Also was thinking that creating a tenant user with my existing project-level uid would somehow merge them so the uid and password management is the same?
Edit: I found this conceptual discussion to be helpful: https://softwareengineering.stackexchange.com/questions/403274/multitenancy-with-cross-tenant-users
what I gathered from that link is that SSO is separate from multi-tenancy. So I'm trying to figure out an SSO solution on top of multi-tenancy google idp. Any code solutions/suggestions for how to add SSO on top of multi-tenant google identity platform?
If you need the same user across tenants maybe you should instead rely on the user email, custom claims, federated ID (eg. user.providerData[0].uid). When you get an ID token for the user you have access to this same information regardless of the tenant or user.uid.
I’m new to google classroom api. I want to create a process that will query all classes, students, assignments etc. It will run unattended.
So, my questions are:
will offline scope allow the process to query the api unattended?
can only an admin user see all classes, students, assignments?
or, can a g-suite user be created with limited read-only permissions to certain resources?
Thanks
Since this is an unattended batch process and Google OAuth access tokens expire after 1 hour, you will likely need offline access. You can do this by adding the parameter access_type=offline in the authorization URL.
In terms of actually acquiring all classes, students, assignments, etc., here are a few things to note:
If you're a domain administrator, you can retrieve courses, students, assignments, invitations, etc. in their domain and will not need each teacher to authorize these requests.
If you don't have domain administrator access and want to retrieve all these items, you will have to have each teacher authorize your request(s).
As for your last question, I'm not entirely sure what you mean -- could you clarify? Are you asking is if one workaround would be to create a G Suite user that has read access to all these resources and then use that account to make all the requests?
You can create a service account and use it to query all data on behalf of users-
https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority
I have the following setup - the Spring SAAS REST service, which allows different companies to manage different events. And there is a rest client (a mobile app) also, shipped separately for each company.
I want to use keycloak for security stuff, and I have a question of how to separate one company from another.
I need companyA to not be able to access companyB event, and also need different roles within the company - some can create events, some can only read it.
First I thought each company will have own realm created in keycloak, but I learned that realm actually specified in the spring boot REST service parameters like
keycloak.realm=demo-realm
Which means it is only one realm per REST application. And I don't want to configure REST service instance per client. I only want one REST rule them all.
Am I trying to use something which really doesn't fit my use case?
Will it be right way to have a keycloack Group configured for each company, and make a logic in such a way that users of one group won't have access to what is created by other group. But then it actually feels wrong, since as I understand group are supposed to be used in a different way - to have admin group and user group, etc, segregating users "vertically" by "privileges", and not "horizontally".
Can you please suggest a right approach for this problem?
I would implement a custom protocol mapper which loads extra user permissions for your application and stores them in a token. This way, you use a single realm and if there are more companies in the future it scales well. Here you've got an example of how to implement it.
Basically, the otherClaims field of the access token is a JSON field that allows a map of properties to be set. You could add a field here such as:
userAccessibleCompanyIds: [1,3,4]
How to load the company ids for the concrete user? You can access your application database from the mapper or get them using the REST API.
Then in your application you need to have a control of what the user accesses. What I do is decode the token and see if the user request suits. If not, return a 403 response.
We are trying to integrate our platform with Pipedrive. As far as we have researched, in a pipedrive account, there is one admin and he can add multiple users. And the users later can login in their respective accounts.
What we are trying to make sure is that once a Pipedrive account is integrated with our platform, the same account should not be integrated twice. So, I need a unique identifier, that lets me know whether the account has already been integrated.
My initial approach was to check the api key. But it was not successful, since every users in an account have different API Keys.
After a bit of research, I found out that there is an identifier called company_id which is common for all the users in an account. But I could not find anything regarding it in documentation. So, I am not 100% confident to go ahead and implement it in our code.
Does anyone have an idea about this?
Pipedrive support rep here.
The most sure-fire way to ensure this is to make a GET request against http://api.pipedrive.com/v1/users?api_token=your_token_here.
You are correct in assuming the company_id in the additional_data object in the response is static and won't change across any users on the account.
Note that a Pipedrive account may have more than one admin, and that non-admins (regular users) might have visibility (and editing) restrictions in place, which may cause some of your GET, PUT and DELETE requests to fail.
In case you're not doing this already, I'd thus advise filtering the data array from the abovementioned endpoint for user.is_you to equal true and check whether the is_admin property is set to 1 during "registration" to ensure the user setting up the integration is an admin.
Hope this helps!
I'm not quite sure what you're asking for. Are you looking for a unique identifier for each user?
Each user has an id, you can get all users by calling
https://api.pipedrive.com/v1/users?api_token=____
This will return a JSON Object with data on your users, including their names and associated IDs. Admins are just users with different privilege levels. All admins are users, but not all users are admins. All users are part of a company, the company is identified by the first part of the Pipedrive account url ie.
https://FooCompany.pipedrive.com
Are you trying to see if a certain company has been integrated already?
Looking for the developer documentation as to how to modify a users application assignment. I would like to programatically assign, unassign and change the assignment details (ex: roles). So far I can't find that in the developer docs.
You can directly assign and remove users from applications via the Application User Operations.
Depending on what logic you're trying to implement, it might be better to:
Assign the users to groups. You can even setup rules to do this for you automatically based on conditions.
Add the group to the app
By using groups rather than assigning users to the app directly, you can automate more of the flow (i.e. users can be assigned to apps automatically based on user properties and conditions), as well as setup Sign-On, MFA, and password policies.