I'm using SonarQube-6.7.1.
We have several teams (6) who share the one production instance.
They are asking me to find a way to limit the scope of the users.
They want to see only their own projects.
What is the best way to do that?
Limit the projects' Browse permissions to only the relevant people.
Start by removing the ability of "Anyone" (a special group in SonarQube that includes anonymous) to see the projects, then grant Browse as needed.
This will be easiest in the long term if you first create groups, and grant permissions to the groups rather than to the individual users.
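Added example, not code from the original answer or from SonarSource: a PowerShell script that applies the answer's advice across every project through the SonarQube 6.7 Web API. It assumes the endpoints api/projects/search, api/projects/update_visibility, api/permissions/remove_group and api/permissions/add_group, a token for a user holding "Administer System", and a constructed mapping from team group to project-key prefix. On 6.4 and later, "Anyone" browsing a project is controlled by the project's visibility, so the script makes each project private instead of removing the Browse permission from "Anyone" directly; it also strips Browse and See Source Code from sonar-users, since that group is every logged-in user. Server URL, token and team names are placeholders.

```powershell
# Added example (not the original answer's or SonarQube's own code). Placeholders below.
$SonarUrl = 'https://sonar.example.internal'      # placeholder server
$Token    = 'REPLACE_WITH_ADMIN_TOKEN'             # placeholder token; sent as basic-auth user with empty password
$Teams    = @{                                     # constructed mapping: group name -> project key prefix
    'team-payments' = 'payments-'
    'team-mobile'   = 'mobile-'
}

$auth    = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${Token}:"))
$headers = @{ Authorization = "Basic $auth" }

function Invoke-SonarPost([string] $Api, [hashtable] $Body) {
    Invoke-RestMethod -Method Post -Uri "$SonarUrl/api/$Api" -Headers $headers -Body $Body | Out-Null
}

# api/projects/search is paginated (ps max 500); collect every project key.
$projects = @()
$page = 1
do {
    $r = Invoke-RestMethod -Uri "$SonarUrl/api/projects/search?ps=500&p=$page" -Headers $headers
    $projects += $r.components
    $page++
} while ($projects.Count -lt $r.paging.total)

foreach ($p in $projects) {
    # 1. Private visibility removes Browse / See Source Code from "Anyone" (anonymous included).
    Invoke-SonarPost 'projects/update_visibility' @{ project = $p.key; visibility = 'private' }

    # 2. sonar-users is every authenticated user; it must not keep Browse either.
    foreach ($perm in 'user', 'codeviewer') {
        Invoke-SonarPost 'permissions/remove_group' @{ groupName = 'sonar-users'; permission = $perm; projectKey = $p.key }
    }

    # 3. Grant Browse ("user") only to the team whose prefix matches the project key.
    $owner = $Teams.GetEnumerator() | Where-Object { $p.key.StartsWith($_.Value) } | Select-Object -First 1
    if ($owner) {
        Invoke-SonarPost 'permissions/add_group' @{ groupName = $owner.Key; permission = 'user'; projectKey = $p.key }
    } else {
        Write-Warning "No team mapped for $($p.key); only administrators can browse it now"
    }
}
```

This fixes existing projects only. New projects still take their permissions from the default permission template at creation time, so change that template (or set the default visibility to private) as well, otherwise the next project a team creates is visible to everyone again.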
I would need to restrict the deletion of a record for the System Administrator without using any custom code (like JavaScript or a plugin). Can someone please suggest possible approaches for this?
I assume you just want to restrict deleting with no condition to check. There seems to be no logic in this scenario; why would anybody need this to be implemented, and that too for a System Administrator?
Well, if it is your ultimate goal, then this could be done with the steps below:
Create a workflow on the delete trigger.
Create a step as "Stop Workflow".
Set Status as "Canceled".
Save and activate the workflow.
You can set a custom message in the step parameter "Status Message". This will be visible while deleting a record.
You can't change the system administrator role out of the box. I would suggest the following approach:
Copy the System Administrator role (e.g. System Manager), but remove delete permissions.
Give users your copied System Manager role.
Remove System Administrator role from all but 1 user.
I'm pretty sure there has to be at least 1 account with system administrator role, but at least this way you can restrict delete permissions.
Seriously, the problem is not the delete privilege in the System Admin role. It's a problem with the system implementation, and with power users who don't know the real power they possess. First of all, System Admin/Customizer should not be given to end users.
The solution is to design another Tool Admin role (like James said), assign it, and educate the users. Taking data governance away from tool users and keeping it with the Dev team is not a good move. If you have a Prod support team, then fine.
Learn what the different user bases need in day-to-day work, and design well: consider user-level privileges (they can delete what they create, etc.), make use of the powerful Dynamics 365 CRM security concepts, approval or layered processes with Tool Admins or Prod support, even dashboards for junior users and senior users, audit reports, identifying tool champions for user training, and revisiting the security gaps; these are the key steps here.
Also, only Read, Append, and Append To should be given for master entities (country, state, for example); sometimes a user will edit/delete the actual data instead of the lookup value.
Essentially what the subject is saying. The problem I'm trying to solve is this:
We have a website running in IIS 8.5, and it needs to access a network share with rigid-ish permission schemes. Our website's app pool uses ApplicationPoolIdentity, and it thus uses the Computer$ account of the host machine when it attempts to access network file shares.
The problem we are encountering is that said network shares allow access only to members of the admins + users group. The Computer$ account is part of neither of the aforementioned groups, resulting in access-denied error messages when our website attempts to access any file-share paths. We were wondering whether we could make the Computer$ take part in the Users group somehow (we tried the UI, but it didn't provide the option to select any Computer$ accounts).
There are other solutions to this problem but we are interested to know if the above solution has any chance of being implementable before giving plan B a shot.
In the UI where you set permissions, you need to tell it to look for Computer objects. Do that by clicking the 'Object Types' button:
Then check 'Computers'.
Click 'OK', then you can find and add computers on your domain.
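The same change without the UI, as an added example that is not part of the original answer: the ActiveDirectory module cmdlets accept a computer object as a group member just as the dialog does once "Computers" is ticked. Server name and group name are placeholders; it assumes RSAT is installed and the caller may modify the group.

```powershell
# Added example (not from the original answer). Placeholders: WEB01, FS-Reports-Readers.
Import-Module ActiveDirectory

$webServer  = 'WEB01'                 # placeholder: host whose app pool runs as ApplicationPoolIdentity
$shareGroup = 'FS-Reports-Readers'    # placeholder: domain group granted on the share and NTFS ACLs

# Get-ADComputer resolves WEB01 to the WEB01$ account object, which Add-ADGroupMember accepts directly.
$computer = Get-ADComputer -Identity $webServer
Add-ADGroupMember -Identity $shareGroup -Members $computer

# Verify the membership from the computer's side.
Get-ADPrincipalGroupMembership -Identity $computer | Select-Object -ExpandProperty Name
```

Two things to keep in mind. The server's Kerberos ticket was issued at boot and does not contain the new group; reboot WEB01 or purge the SYSTEM logon session's tickets on it (`klist -li 0x3e7 purge`) before testing. And granting the computer account means every process on that host running as SYSTEM or Network Service gets the share, not just the one site; a dedicated domain service account or a group managed service account as the app pool identity keeps that access to the site alone.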
We have a custom Active Directory integrated web app that helps users perform some self-service on their accounts (e.g. update photo, change phone number, reset password etc.) Our app runs on domain-joined servers, as Local System, and is thus able to authenticate to the AD using the server account(s).
We use a service connection point that the app's clients use to locate an instance of our app. (Our app clients are hard-coded to look for certain keywords which are published on the service connection point's keywords attribute.)
We recently had a situation wherein someone (we believe accidentally) changed the keywords on one of the service connection points resulting in an outage, since the clients could no longer find our SCP when querying the AD for our keyword(s).
The customer is a bit upset about this and wishes for us to provide them the ability to determine who can change the keywords on our SCPs. This feedback was passed on from our sales guys to us, and now we need to provide some way of helping them figure out who can change the keywords on our SCPs.
So, we're looking for an API to help us to determine Effective Permissions on our Active Directory service connection point objects, so we can alleviate this situation for the customer. We couldn't quite find an Effective Permissions / Access API that could help us list all the users who have effective write access to the keyword and other attributes on our SCPs.
Is there an API/other way that one can use to determine Effective Permissions on an Active Directory object?
It needs to be able to list all the users who have a specified access on a specified set of attributes of an Active Directory object.
This Stack Overflow post may be able to help you. LINQ to LDAP should also allow you to access the information pretty easily as well.
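Added example, not part of the original answer or of the poster's product: a PowerShell script that lists the principals whose ACEs allow writing the keywords attribute of one SCP. It reads the object's DACL through the AD: drive, resolves the attribute's schemaIDGUID (and its property set, if the schema puts keywords in one), and expands group trustees to their nested user members. The SCP distinguished name is a placeholder, and the function names are mine. This is a DACL scan, not the LSA effective-access calculation; the limits are listed after the block.

```powershell
# Added example (not the original answer's code). DN below is a placeholder.
Import-Module ActiveDirectory

function Expand-Trustee {
    # Returns the user sAMAccountNames behind a trustee, or a marker for principals that
    # have no AD object (Everyone, Authenticated Users, SELF, unresolved SIDs).
    param([System.Security.Principal.IdentityReference] $Trustee)
    try { $sid = $Trustee.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return @("(unresolved: $($Trustee.Value))") }
    $obj = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties objectClass
    if (-not $obj) { return @("(well-known principal: $($Trustee.Value))") }
    if ($obj.ObjectClass -eq 'group') {
        return @(Get-ADGroupMember -Identity $obj.DistinguishedName -Recursive |
                 Where-Object ObjectClass -eq 'user' | Select-Object -ExpandProperty SamAccountName)
    }
    return @($obj.Name)
}

function Get-AttributeWriters {
    param(
        [Parameter(Mandatory)] [string] $ObjectDn,
        [string] $Attribute = 'keywords'
    )
    $schemaNc   = (Get-ADRootDSE).schemaNamingContext
    $attrSchema = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$Attribute)" `
                               -Properties schemaIDGUID, attributeSecurityGUID

    # An ACE covers this attribute when its ObjectType is the empty GUID (all properties),
    # the attribute's own schemaIDGUID, or the GUID of the property set containing it.
    $coveringGuids = @([guid]::Empty, [guid]$attrSchema.schemaIDGUID)
    if ($attrSchema.attributeSecurityGUID) { $coveringGuids += [guid]$attrSchema.attributeSecurityGUID }

    $writeMask   = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, GenericWrite, GenericAll'
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    $acl = Get-Acl -Path "AD:\$ObjectDn"
    $relevant = $acl.Access | Where-Object {
        ($_.ActiveDirectoryRights -band $writeMask) -ne 0 -and
        ($_.PropagationFlags -band $inheritOnly) -eq 0 -and   # inherit-only ACEs apply to children, not this object
        $coveringGuids -contains $_.ObjectType
    }

    foreach ($ace in $relevant) {
        [pscustomobject]@{
            Trustee   = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType          # Allow or Deny; a matching Deny overrides an Allow
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
            Users     = Expand-Trustee $ace.IdentityReference
        }
    }
}

# Usage: who holds write on the keywords of this SCP? (placeholder DN)
Get-AttributeWriters -ObjectDn 'CN=MyApp-SCP,CN=MyApp,CN=System,DC=example,DC=com' |
    Format-List Trustee, Type, Rights, Inherited, Users
```

What this does not do, and why the customer should not treat its output as the final word: it does not apply Deny precedence, it ignores the object owner's implicit rights and any WriteDacl or WriteOwner ACE (either lets a principal grant itself write), it cannot expand Everyone or Authenticated Users (an Allow for those means every domain account), and Get-ADGroupMember -Recursive fails on very large groups and foreign security principals. For the authoritative check use the Effective Access tab in Active Directory Users and Computers or dsacls, or call the AuthzAccessCheck API, which runs the same algorithm the LSA does. For the original incident, the question "who changed it" is answered by auditing rather than permission analysis: enable Audit Directory Service Changes and put a Write SACL on the SCPs, and each change to keywords is logged as event 5136 with the account that made it.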
My team will develop an internal (known users) application that has an architecture based on Java as the front-end and PL/SQL as the back-end. So, currently we are thinking about a better solution to manage users/permissions, and we have two options:
Each user has their own database account, granted the permissions. Currently the legacy system uses this approach, and I don't like it because it manages permissions at the granularity of database objects. So, I believe it is a bad choice to have a database connection per user. Can you see more cons here?
Build some tables in the database to store the users and their permissions/profiles, and build a PL/SQL procedure to do the login, generating a token, and include a parameter in all other PL/SQL procedures to verify this token and then authorize (or not) the execution.
So, you can ask me: why not just manage your permissions in your web application? Answer: those PL/SQL procedures are already done and are used by all legacy systems, and this web application should behave accordingly (i.e. user permissions should be managed by the PL/SQL and its granularity based in please.)
How do you proceed in this case?
I think using the database's built-in mechanism is always to be preferred over rolling our own. And that applies to logging in users as much as anything else.
The biggest single advantage of dedicated user accounts is that we can link a given session with a named user. Well, yes, duh. But the point is, doing things like auditing user activity or tracing a performance issue in some process is way more difficult in web applications with generic accounts.
To address your main objection, we don't have to manage database privileges at the user level. That's why we have roles. For normal users, a role will provide sufficient privileges.
So:
define a set of roles which match the various business jobs your application serves.
grant system and object permissions to those roles; remember that roles can be additive (i.e. we can grant privileges on a role to another role).
grant roles to the users.
Find out more.
Let me state first: I know that any user that wants to run a program (or even log in), has to have access to (probably at least) the Windows system directories and the shared libraries in %ProgramFiles%, but I'd like to be able to access Skype, for example, by running it with an unprivileged user and make sure that it can't access any unnecessary files.
I fear that the only way to do this would be to identify all of the gazillion directories where I store files that I don't want this user to access and then create a new user group that can access these directories, or run Skype and Azureus in a VM.
Is there a better way?
Normally, accounts are members of the Users group at least, which does have access to many things. You could make the account a member of no groups, or the Guests group which is very restrictive.
The real issue is that the program's token (an internal security object that keeps track of what security identities a running process has) will contain the Everyone and Authenticated Users groups, which also have read access to lots of stuff. There is no way to create an account without those groups. You could remove the access that Everyone and Authenticated Users groups have to most everything, but it would be a lot of work to track all those down.
I would say that creating a standard user or guest access account for untrusted programs would be plenty secure enough. To support self-updates and to keep related files in the same place, I suggest you install those programs directly in the profile of the user account they will be running as, e.g. C:\Documents and Settings\skype\Program Files\Skype
If you want to get really fancy, you can use a restricted token to either make the Everyone, Authenticated Users, etc. groups deny only (so they can't grant any access) or create a Restricted SID list. This will be difficult to implement because there are global objects that programs will expect to access that the Everyone group has access to, which is normally a safe choice.
See CreateRestrictedToken Function.
There is also an open-source command-line program I created for creating restricted tokens and job objects on the fly for that purpose: UlimitNT
Maybe sudown is a solution. It's a sudo-like approach (as known from Linux) to running as an unprivileged user, but with the possibility of promoting to an administrative account (with password) when needed.
I suppose you could lock down the machine so the user can only log on, not even start Skype with his own rights, but start Skype via "run as" with sudown.
Besides using a VM you could look into using a sandbox. Look at Sandboxie for an example.
Simply use the ACL APIs (samples in MSDN).
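The "standard account for untrusted programs" approach from the answer above, as an added example that is not part of the original answer or of UlimitNT: it creates a dedicated local account, keeps it in Users only, adds Deny ACEs for that account on the folders it must never read (the answer's point that Everyone and Authenticated Users already grant read almost everywhere), and launches the program under it. It uses the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 and later, well after the answer was written). Account name, program path and folder list are placeholders; run it from an administrator prompt.

```powershell
# Added example (not the original answer's code). All names below are placeholders.
$name        = 'skype-sandbox'                                   # placeholder local account
$program     = 'C:\Sandbox\Skype\Skype.exe'                      # placeholder; the folder must exist and be readable by $name
$privateDirs = 'D:\Finance', 'D:\Photos'                         # placeholder folders this account must not touch

$cred = Get-Credential -UserName $name -Message 'Password for the sandbox account'

# A dedicated account: no admin rights, no password changes, nothing but Users membership.
New-LocalUser -Name $name -Password $cred.Password -PasswordNeverExpires -UserMayNotChangePassword `
              -Description 'Runs untrusted programs only' | Out-Null
Add-LocalGroupMember -Group 'Users' -Member $name -ErrorAction SilentlyContinue   # no-op if already a member

# Explicit Deny beats the read access Everyone / Authenticated Users / Users already hold.
foreach ($dir in $privateDirs) {
    $acl  = Get-Acl -Path $dir
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $name, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Deny')
    $acl.AddAccessRule($deny)
    Set-Acl -Path $dir -AclObject $acl
}

# Launch the program in that account's context (CreateProcessWithLogonW under the hood).
Start-Process -FilePath $program -Credential $cred -WorkingDirectory (Split-Path $program)
```

The Deny list is still the "identify the directories" chore the question hoped to avoid; it only shrinks it to the folders that matter. The sandboxed program keeps read access to the Windows directories, %ProgramFiles% and any global object the Everyone group can open, which is exactly the residual the answer describes and what the restricted-token route (CreateRestrictedToken) is for.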