how to check whether any user exists as part of GROUP-FILTER in ldap - filter

Say, I want to retrieve some users and I have provided both user_filter & group_filter to filter out the specific users that I need.
user_filter = (&(cn=ab*)(sn=cd*))
group_filter = (|(cn=gh*)(cn=kl*))
I know how to write individual queries for user & group. How can I combine the above filters to write a single query such that I get the users whose common name starts with 'ab' and surname starts with 'cd' and they either belong to groups which start with 'gh' or 'kl'?

It depends on how you have membership defined. If you have membership on the groups, e.g. group1 has a member attribute for user1, this combined query is not possible. If you have groups defined on the user, e.g. user1 has a memberOf attribute for group1, then you may do something like
(&(objectclass=user)(cn=ab*)(sn=cd*)(|(memberof=cn=gh*)(memberof=cn=kl*)))
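As an added example, not part of the answer above: a small Python helper that escapes caller-supplied values according to RFC 4515 and then composes them into the combined filter the answer shows, assuming, as the answer does, that each user entry carries a memberOf attribute. The function names and the objectclass value are my own choices, not anything from the question.

```python
# Added example (not from the original answer): compose the user and group
# filters into one LDAP search filter, escaping caller-supplied values first.
# Assumes, as the answer does, that group membership is stored on the user
# entry in a memberOf attribute.


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Without this, a value such as "*)(objectClass=*" supplied by a caller
    would change the structure of the filter instead of being matched
    literally (LDAP filter injection).
    """
    table = {
        "\\": r"\5c",
        "*": r"\2a",
        "(": r"\28",
        ")": r"\29",
        "\x00": r"\00",
    }
    return "".join(table.get(ch, ch) for ch in value)


def combined_user_group_filter(cn_prefix, sn_prefix, group_prefixes, object_class="user"):
    """Return (&(objectclass=...)(cn=<cn>*)(sn=<sn>*)(|(memberof=cn=<g>*)...)).

    The '*' wildcards are added here, after escaping, so a caller can never
    smuggle their own wildcard or parenthesis into the filter.
    """
    if not group_prefixes:
        # (|) with no operands is not accepted by every server; refuse instead
        raise ValueError("at least one group prefix is required")
    cn = escape_filter_value(cn_prefix)
    sn = escape_filter_value(sn_prefix)
    group_terms = "".join(
        f"(memberof=cn={escape_filter_value(g)}*)" for g in group_prefixes
    )
    return f"(&(objectclass={object_class})(cn={cn}*)(sn={sn}*)(|{group_terms}))"


if __name__ == "__main__":
    # constructed input matching the question: cn=ab*, sn=cd*, groups gh*/kl*
    print(combined_user_group_filter("ab", "cd", ["gh", "kl"]))
```

If the directory stores membership only on the group side (a member attribute on each group), the answer's point stands: no single filter expresses this, and the alternative is one search for the matching groups followed by a user search restricted to the member DNs collected from them. Also note that memberOf is a DN-syntax attribute in Active Directory and substring matches on it (cn=gh*) are not honoured by every server, so test the filter against your directory before relying on it.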

Related

Microsoft graph API: query to list all users with NO group membership

Is there a Microsoft graph API query that will list all our users with NO group membership?
I can get all the users with
https://graph.microsoft.com/beta/users
loop over them and evaluate the groups they are members of
https://graph.microsoft.com/beta/users/{}/memberOf
and return the ones with zero group memberships. We have a large number of users so this takes time. Quicker to ask the API to return the list I want the first time.
Can I, in one query, filter on just the users that are in no groups?
Yes, you can do that. Just try the query below:
https://graph.microsoft.com/v1.0/users?$select=userPrincipalName,displayName&$expand=memberOf
With this query, you will be able to get a list that contains user data you selected with group membership data just as below:
That way you can filter the users you want locally instead of calling the API one by one.
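As an added example, not part of the answer above: the local filtering step in Python, walking the paged response of the $expand=memberOf query and keeping only users whose expanded memberOf contains no group. The pages are constructed sample data in the shape Graph returns (the nextLink skiptoken is a placeholder), so it runs offline; the fetch callback is where a real HTTP GET with a bearer token would go.

```python
# Added example (not from the original answer): page through
#   GET /v1.0/users?$select=userPrincipalName,displayName&$expand=memberOf
# and report users with no *group* membership. SAMPLE_PAGES is constructed
# test data; in practice fetch_next would perform an authenticated GET.

GROUP_TYPE = "#microsoft.graph.group"

SAMPLE_PAGES = [
    {
        "value": [
            {"userPrincipalName": "alice@example.com", "displayName": "Alice",
             "memberOf": [{"@odata.type": GROUP_TYPE, "id": "g1", "displayName": "Staff"}]},
            {"userPrincipalName": "bob@example.com", "displayName": "Bob",
             "memberOf": []},
        ],
        # placeholder skiptoken; a real response carries an opaque value here
        "@odata.nextLink": "https://graph.microsoft.com/v1.0/users?$skiptoken=PLACEHOLDER",
    },
    {
        "value": [
            # memberOf also lists directory roles and administrative units,
            # so this user, who holds a role but is in no group, still counts
            {"userPrincipalName": "carol@example.com", "displayName": "Carol",
             "memberOf": [{"@odata.type": "#microsoft.graph.directoryRole",
                           "id": "r1", "displayName": "Global Reader"}]},
        ],
    },
]


def iter_pages(first_page, fetch_next):
    """Yield each response page, following @odata.nextLink until it is absent."""
    page = first_page
    while True:
        yield page
        next_link = page.get("@odata.nextLink")
        if not next_link:
            return
        page = fetch_next(next_link)


def users_without_groups(pages):
    """Return the UPNs of users whose expanded memberOf holds no group object."""
    result = []
    for page in pages:
        for user in page.get("value", []):
            groups = [m for m in user.get("memberOf", [])
                      if m.get("@odata.type") == GROUP_TYPE]
            if not groups:
                result.append(user["userPrincipalName"])
    return result


def demo():
    # stand-in for the HTTP GET of nextLink: hand back the next constructed page
    remaining = iter(SAMPLE_PAGES[1:])
    pages = iter_pages(SAMPLE_PAGES[0], lambda link: next(remaining))
    return users_without_groups(pages)


if __name__ == "__main__":
    print(demo())
```

Two details matter for correctness: memberOf is not limited to groups (directory roles and administrative units appear in it too), so filter on the @odata.type of each entry rather than on an empty list; and Graph caps how many expanded objects it returns per user, so use the expanded list only to distinguish zero from non-zero membership, not to count groups.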

In Django Rest Framework, get all chosen groups for a request User

I want to return the list of chosen groups for a particular user. We can get all groups, we can get all user permissions by group, but not the group names themselves.
e.g.
Group.objects.all()  # list of ALL group names
Group.objects.all().values_list('id', flat=True)  # list of ALL groups' IDs
request.resource_owner.get_group_permissions()  # all group-based permissions
Just posting the answer, FYI!
request.resource_owner.groups.all()

Laravel authorization via email, password and additional field

Out of the box Laravel authorizes users by matching email (default - can be overridden) and password.
Is it possible to authorize user using 3 fields, e.g:
email
password
group
... where 'group' is some additional field in the 'users' database.
In other words, a user can belong to group:1 and can log in to group:1 resources only, but not to group:2 using his group:1 credentials.
If a user belongs to group:1 and group:2, then he needs different credentials to log in to either group.
Additionally, a user can use the same email for both groups. In such a case it is the group number that would act as an additional identifier. And of course the passwords would be different.
I am thinking that setting a multiple-column database index on the fields 'id' and 'group' would be a good start, but I fail to grasp (yet) what would be required to make the Laravel authorization process sensitive to 3 fields instead of 2.
I would appreciate some pointers.
This sounds like you're trying to achieve a form of tenancy on data belonging to certain groups only. Have a look at this package:
https://github.com/HipsterJazzbo/Landlord
In essence, you would add a group_id field to the tables where you wish to restrict access and then, using middleware, apply an additional where('group_id', Auth::user()->group_id) clause to any database queries. This works very well for retrieving subsets of data belonging to specific users by their role, for example.

Restrict a user to a set of documents in elasticsearch

I have an index with many documents. In my app, a login happens under a username. For a user only a group of data should be visible, that is, I want to restrict each user to a set of documents. Can somebody offer a solution for how to implement this using Elasticsearch?
Suppose my index contains the following documents
record1
record2
record3
record4
And I have say 2 users, user1 and user2
When user1 is logged in, he should have access to "record1", "record2" and "record3". For user2, the access should only be to "record4".
Probably you can add one more column to the index wherein you can persist the intended user for the record, and while querying the index you can check if the logged-in user is among the users specified in the column.
I would advise you to use index aliases.
Index aliases have the capability to add a filter to them.
So create 2 aliases, one for each user.
Now for each alias, create a filter which restricts the user to his own set of documents. (Just use a document ID search.)
Restrict these users to use only these aliases using a proxy.
That should do the trick.
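As an added example, not part of the answers above: Python code that builds the filtered-alias definitions the second answer describes (one alias per user, filtered to that user's document IDs) and the check a proxy in front of Elasticsearch would run so that a user can only search through their own alias. The index name, the alias naming scheme and the ACL contents are constructed for the example; the aliases body follows the shape of the Elasticsearch POST /_aliases API.

```python
# Added example (not from the original answers): per-user filtered aliases
# plus the proxy-side authorization check that makes them enforceable.
# Index name, alias naming scheme and the ACL are constructed here.
from urllib.parse import urlsplit

INDEX = "records"

# constructed ACL: which document ids each user may see (as in the question)
ACL = {
    "user1": ["record1", "record2", "record3"],
    "user2": ["record4"],
}

# the only per-alias endpoints the proxy forwards; no writes, no _mget/_msearch
READ_ENDPOINTS = {"_search", "_count"}


def alias_name(user: str) -> str:
    return f"{INDEX}-{user}"


def alias_actions(acl, index=INDEX):
    """Body for POST /_aliases: one alias per user, filtered by document id."""
    return {
        "actions": [
            {
                "add": {
                    "index": index,
                    "alias": alias_name(user),
                    "filter": {"ids": {"values": list(doc_ids)}},
                }
            }
            for user, doc_ids in acl.items()
        ]
    }


def authorize_path(user: str, path: str) -> bool:
    """Allow /<own alias>/_search or /_count only.

    The alias filter is worthless if the client can reach the base index,
    _all, a wildcard, a comma-separated list, or a search with no target at
    all (/_search), so the target must equal the user's alias exactly and
    the endpoint must be one of the read endpoints above.
    """
    segments = [s for s in urlsplit(path).path.split("/") if s]
    if len(segments) != 2:
        return False
    target, endpoint = segments
    return target == alias_name(user) and endpoint in READ_ENDPOINTS


if __name__ == "__main__":
    import json
    print(json.dumps(alias_actions(ACL), indent=2))
    for p in ("/records-user1/_search", "/records/_search", "/_all/_search"):
        print(p, authorize_path("user1", p))
```

The exact-match comparison is deliberate: an allow-list of the one alias the user owns is simpler to reason about than trying to enumerate every multi-target syntax Elasticsearch accepts. Query parameters are ignored by the check because the alias filter is combined with whatever query the client sends, so the query body cannot widen the result set beyond the alias.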

Check if user is in group by group name

I may be thinking about this wrong, but shouldn't it be a very common thing to need to check if a user belongs to a certain group? For example, if you want to show a certain menu item only to "Administrators", shouldn't there be a way within my view file to easily check if the user belongs to that group?
I see that there is an inGroup() function on the user, but this requires that you first fetch the group object and pass it into the function, rather than simply passing the group name, for example $user->inGroup('Administrators');. I also realize I could write my own method to accept the group name, look it up, and then use that in the existing inGroup() method.
However, the fact that this is not much more obvious in the docs makes me believe I am thinking about it in the wrong way.
Would the preferred way be to give the "Administrators" group an "admin: 1" permission, and therefore just check if the user has that permission rather than checking if they are in the group?
If so, I am struggling to see the value of a group at all since you aren't able to easily use them to determine access; instead, you need to use the individual permissions that the group contains.
You can check to see if a user belongs to a group easily:
$user = Sentry::findUserById(1);
$adminGroup = Sentry::findGroupByName('Admin');
$isAdmin = $user->inGroup($adminGroup);
However, the best approach is to use permissions. You can set up an 'Admin' group with permissions to 'manage user accounts'. You then simply check to see if the user has permission to 'manage user accounts' as opposed to checking whether they belong to the Admin group.
In my 'group' table I have a row like this:
id | name | permissions
1 | Admin | {"manageUserAccounts":1}
I can now check whether a user has permission to 'manageUserAccounts' with the following:
$user = Sentry::findUserById($userId);
if ($user->hasPermission('manageUserAccounts')) {
    print 'You can manage user accounts';
}
else {
    print 'Oops, you can\'t manage user accounts';
}
Note that the 'user' table is connected to the 'group' table via the user_groups table.
See the Sentry documentation for more info on how to fine-grain permissions. It's quite powerful.