eXistDB - remove user ACE by index....how to get index? - exist-db

In eXist 4.4 I am setting a user's rwx permission in XQuery using sm:add-user-ace(). I do not see a corollary 'remove-user-ace', so I assume I have to use sm:remove-ace($path as xs:anyURI, $index as xs:int). However, this requires knowing the $index. Is there a function for getting the $index for a combination of $user and collection/resource? (I don't see any in the eXist security fundocs.)
Many thanks in advance.

You need to use the sm:get-permissions function on the URI of the Document or Collection. It will give you an XML document which will show all the ACL entries.
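The lookup the answer describes, as an added example that is not part of the original posts. It assumes the ACL entries come back as sm:ace elements carrying index, target and who attributes, and that entries after a removed one move up a position; the local: function names, the collection path and the user name are hypothetical.

```xquery
xquery version "3.1";

import module namespace sm = "http://exist-db.org/xquery/securitymanager";

(: Added example. local:user-ace-indexes and local:remove-user-aces are
   hypothetical helper names; the path and user at the bottom are
   constructed sample values. :)

(: Indexes of every ACE on $path that targets $user, highest first. :)
declare function local:user-ace-indexes(
    $path as xs:anyURI,
    $user as xs:string
) as xs:int* {
    for $ace in sm:get-permissions($path)//sm:ace[@target = "USER"][@who = $user]
    let $index := xs:int($ace/@index)
    order by $index descending
    return $index
};

(: Remove those ACEs. Working from the highest index down means the
   positions of the entries still to be removed do not change
   (assumption: later entries shift up after a removal). :)
declare function local:remove-user-aces(
    $path as xs:anyURI,
    $user as xs:string
) as empty-sequence() {
    for $index in local:user-ace-indexes($path, $user)
    return sm:remove-ace($path, $index)
};

let $path := xs:anyURI("/db/apps/example/data")
return (
    local:remove-user-aces($path, "alice"),
    (: Return the resulting permissions so the change can be checked. :)
    sm:get-permissions($path)
)
```

Filtering on @target as well as @who keeps a group ACE that happens to share the user's name from being removed.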

Related

Azure AD graph API to filter users with onPremisesExtensionAttributes [extensionAttribute6]

I need to filter users with the onPremisesExtensionAttributes [extensionAttribute6] is there a graph API call for it?
As #Tinywa suggested in the comment:
onPremisesExtensionAttributes contains extensionAttributes 1-15 for
the user. Note that the individual extension attributes are neither
selectable nor filterable.
You can get all the results first and use your own code logic to filter them.
Or you can consider using extensionProperty as a workaround. Create the extensionProperty and assign value for the users, and then query users with filtering with this extensionProperty. For detailed steps to create extensionProperty and assign value for users, you can refer to this answer.
It looks like they've updated the BETA Graph API so that extension attributes (onPremisesExtensionAttributes) are now filterable.
Try the below in Graph Explorer. You'll need to change the extensionAttribute1 eq 'Employee' part to a query that will actually work in your active directory environment.
https://graph.microsoft.com/beta/users?$count=true&$filter=onPremisesExtensionAttributes/extensionAttribute1 eq 'Employee'&$orderBy=displayName&$select=displayName,mail,onPremisesExtensionAttributes
Please note that this is the BETA Graph API so I guess that means Microsoft hasn't finalized it, so it might change or never get fully released.
EDIT: I also just learned that if you're using this filter via the Graph API, you must add the following header or you'll get an error:
client.DefaultRequestHeaders.Add("ConsistencyLevel", "eventual");
The Graph Explorer has this header by default, I guess.
Here's where I found this answer: Get Extended Properties on User using Microsoft Graph
Here's the error I was getting:
Property 'extensionAttribute1' does not exist as a declared property or extension property.

How to remove all roles from the user in spatie/laravel-permission

What's the best or the usual way to remove all roles from a user?
I tried
$roles = $user->getRoleNames();
$user->removeRole($roles);
Return value of App\User::getStoredRole() must implement interface Spatie\Permission\Contracts\Role, instance of Illuminate\Support\Collection returned
Use the plain Laravel detach method like so:
$user->roles()->detach();
I did it now in this way: $user->removeRole($user->roles->first());
You can also remove all roles by syncing to an empty array, like so.
$user->syncRoles([]);
I confirmed it works on version 5.8.
From reading the documentation it clearly says that you can pass a Collection instance to the removeRole so I think you are doing it right.
The assignRole, hasRole, hasAnyRole, hasAllRoles and removeRole functions can accept a string, a \Spatie\Permission\Models\Role object or an \Illuminate\Support\Collection object.
This works fine even on Laravel 7
For Roles:
$user->syncRoles([]);
For Permissions:
$user->syncPermissions([]);
From the Spatie documentation you can find there is a way to remove all previous roles and assign new roles with a simple
$user->syncRoles($roles);
For reference you can visit this link

Sentry & Laravel, getting users within a group. changing findAllUsersWithAccess to have pagination

I'm trying to find all users w/ a specific permissions list in Sentry with laravel. The problem is that Sentry::findAllUsersWithAccess() returns an array().
As stated in their GitHub repository, I pinpointed their code to be
public function findAllWithAccess($permissions)
{
    return array_filter($this->findAll(), function($user) use ($permissions)
    {
        return $user->hasAccess($permissions);
    });
}
Right now, it gets all users and filters them down to users with the permission list. The big problem is that when I as a developer get the set of users, it'll show ALL users. I'm developing an app which may hold thousands of users and I only need to get users with specific permission lists.
With regards to that, I would love to use one with a ->paginate() capability.
Any thoughts on how to get it without getting all the users?
Why don't you override the findAllWithAccess() method and write your own implementation, which uses a MySQL where instead of array_filter()?
I don't know your project structure and the underlying db schema, so all I can give you atm is the link to the Eloquent documentation Querying Relations (whereHas).
In case you don't know where to start: it's always a good idea to look at the ServiceProvider (SentryServiceProvider, where the UserProvider, which holds the findAllWithAccess() method, is registered). Override the registerUserProvider method and return your own implementation of the UserProvider (with the edited findAllWithAccess() method).
Hope that will point you in the right direction.
In Laravel you can do pagination manually on arrays:
$paginator = Paginator::make($items, $totalItems, $perPage);
Check the docs: http://laravel.com/docs/pagination

How to revoke all access to objects apart from READ-Acess Only in Documentum

I have a question on how to revoke access to all objects (documents, emails etc.) from all users, leaving READ access only, in Documentum. Having searched around the internet, I found no answers. Thanks for your help.
As part of the test, I was trying to do this on one user ONLY. My attempts involved changing Security Permissions in DA (Documentum Administration) and changing owner_name in DQL. But none of these attempts seems to work.
Any suggestions? Much appreciated.
The short of it is that you need to remove or change access on the objects themselves (folders, documents, etc.).
You can create a new permission set (ACL) that contains the permissions you want (in this case, READ permission) under the Security section in Documentum Administrator. You can either create a group and assign them the READ permission, or just use the dm_world group and assign it READ. Remove the other access permissions you don't want.
If you use a group other than dm_world you will need to assign all the users to this group under User Management.
Then, use DQL to apply your new permission set to all of your folders and documents.
You can create an ACL with READ permission using API as below:
create,c,dm_acl
set,c,l,object_name
sample_acl_name
set,c,l,owner_name
dm_dbo
set,c,l,description
Sample ACL
grant,c,l,your_group_name_1,3,execute_proc
revoke,c,l,your_group_name_1,ExtendedPermit,,change_location
grant,c,l,your_group_name_2,3,execute_proc
revoke,c,l,your_group_name_2,ExtendedPermit,,change_location
.
.
.
grant,c,l,your_last_group_name,3,execute_proc
revoke,c,l,your_last_group_name,ExtendedPermit,,change_location
save,c,l
or
you can modify the existing ACL using API as below:
retrieve,c,dm_acl where object_name = 'existing_acl_name'
grant,c,l,your_group_name_1,3,execute_proc
revoke,c,l,your_group_name_1,ExtendedPermit,,change_location
grant,c,l,your_group_name_2,3,execute_proc
revoke,c,l,your_group_name_2,ExtendedPermit,,change_location
.
.
.
grant,c,l,your_last_group_name,3,execute_proc
revoke,c,l,your_last_group_name,ExtendedPermit,,change_location
save,c,l
I have faced a similar situation and I found two ways to approach it. One way, which is the easy way, would be to create a new ACL with all the permissions and groups you wish to have access, which can be done as follows:
String aclName = "your_acl_name";
String aclDescription = "your_acl_description";
//create your acl object :
IDfACL acl = (IDfACL)_session.newObject("dm_acl");
acl.setObjectName(aclName);
acl.setDescription(aclDescription);
acl.save();
IDfPermit permit = new DfPermit();
permit.setAccessorName(your_groups);
permit.setPermitType(IDfPermit.DF_ACCESS_PERMIT);
//you may need to change the value of the next line based on your objective
permit.setPermitValue(IDfACL.DF_XPERMIT_CHANGE_FOLDER_LINKS_STR);
//Finally grant the permit you've created above :
acl.grantPermit(permit);
acl.save();
Then update the ACL name of your previous object to the one you've just created, as follows (DQL):
Update dm_folder set acl_name = 'your_acl_name' where object_name = 'your_object_name'
Or use the more straightforward way, which is by using DFC as below:
//First you must fetch the acl you're going to edit ==>
IDfACL acl = (IDfACL) session.getObjectByQualification("dm_acl where object_name='" + "your_acl_name" + "'");
//This will produce a dql for fetching your acl based on its name from dm_acl object table
acl.revoke("The_group_you_want_to_limitate_to_only_view","execute_proc");
acl.save();
I hope that this would help you as it worked for me :)

Get a list of Active Directory Users along with their Full Name and Email

I need to retrieve a list of Active Directory users and their attributes using Delphi 2010.
I've seen a few similar questions on SO (e.g. Delphi - Find primary email address for an Active Directory user), but they all seem to require the user name before any additional information can be retrieved.
I had written an article for [The Delphi Magazine] way back when..... if you have access to a backlog of those magazines, it's in issue no. 62 (October 2000) - unfortunately, it seems those back issues aren't available for purchase anymore :-(
It's too long of an article and a code sample to post here.... basically it's about wrapping the IDirectorySearch interface in a nicer Delphi-like shell. You pass in a base container where to search, you define an LDAP filter, and you define a set of attributes you're interested in - then you search and get back basically an enumerator for the results, which you can get one by one.
In the end, I discovered TJvObjectPickerDialog, part of JVCL. It wraps the Windows Select Object dialog and does everything I need with very little coding. Just set the required properties and call execute. The selected user objects are returned along with the attributes that you set in the 'Attributes' property.
