Domain authentication in Objectgears - objectgears

I would like to use Microsoft Active Directory to control user access rights in Objectgears. Where can I set this? If I select a person I can assign him a role, but I would rather want the application to check his membership in the MS AD group which I have filled in the role.

These are actually two things. The domain authentication is set in the web.config file in the parameter authentication mode. The two options are:
authentication mode="Forms"
authentication mode="Windows"
The latter ensures that users do not need to enter a user name and password; their identity is taken over from Windows.
The parameter AssignRoleToUser, if set to True, makes the assignment of users to roles happen in ObjectGears. If you want to take over membership from MS AD groups, set it to False and make sure that for each role you have defined in ObjectGears you also fill in the name of the MS AD group in the field Name in the system.
Here is a description of the Role definition: http://doc.objectgears.cz/Help.aspx?H=roledetail
Here is an overview of access control in ObjectGears: http://doc.objectgears.cz/Help.aspx?H=a_access_control

On which entities does any user have read access when access is given to a CRM org?

I wanted to know which entities a user has read access to by default, when no security role is assigned to the user.
I wanted to know because any user who does not have any security role can still access the Case and Accounts entities through Advanced Find! Is this expected behavior? If yes, then is this documented anywhere?
All users must be assigned at least one security role in order to have access to Dynamics 365. The security roles can be assigned to the user directly or to the access team he belongs to.
Can you double-check the security roles assigned to the user and verify the team's security roles?
The user has to have a security role assigned to get into CRM. Check existing teams to see whether the user is a member of any; he/she will also have access to the records shared with him/her. Which entities a user can access is based on the roles/teams he/she has been assigned. Check the role/team settings for details.

Okta not returning custom claims in tokens

I just signed up for a dev test account with Okta to test OIDC using Okta's auth service and user management.
Using their management portal, I created a second group called Test Group alongside the default group Everyone and added my single user to both groups.
I then added an application called My SPA and assigned the Test Group access to this application.
Using the classic UI, I then edited the OpenID Connect ID Token section, set Group claims type to Expression, added groups as the claim name and getFilteredGroups(app.profile.groupwhitelist, "group.name", 40) as the expression.
I then went and edited the authorization server. I added a claim called 'groups' with a RegEx of *. to be used with any scope, access tokens, and always include.
I then used the Token Preview, selecting my user and using the implicit grant flow, but no groups show up.
How do you get a user's groups to show up as claims in the ID or Access Token from an Okta auth server?
Edit
Screenshots of what I have:
I've only ever used the Developer Console to configure things. Here's how I did it:
Navigate to API > Authorization Servers, click the Authorization Servers tab and edit the default one. Click the Claims tab and Add Claim. Name it "groups" or "roles" and include it in the ID Token. Set the value type to "Groups" and set the filter to be a Regex of .*.
You need to add the "groups" scope. In the scope, add "groups" in addition to profile and openid.
I think the Groups here are created in order to park users in respective buckets (e.g. Admins / Users etc.) so that, by knowing the Group of the User, the role can be derived for authorization.
However, I would recommend using Okta's Custom Attribute in the Users' Profile so that the User Info can carry the required attribute.
The Custom Attribute can be set as a dropdown-styled enumeration to choose from and can also be marked as mandatory when adding a User to the system.
https://support.okta.com/help/s/article/How-to-create-dropdown-enumerated-custom-attributes-in-Okta?language=en_US
Adding Custom Attributes - https://help.okta.com/en/prod/Content/Topics/users-groups-profiles/usgp-add-custom-user-attributes.htm
And Mapping Attributes to Okta Profile - https://help.okta.com/en/prod/Content/Topics/users-groups-profiles/usgp-about-attribute-mappings.htm
Hope this also helps.
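The two conditions the answers above describe, the "groups" scope in the request and the "groups" claim in the returned ID token, checked on the client side. This is an added example, not code from the question or from Okta; buildAuthorizeUrl, groupsFromIdToken, rolesFromGroups and the sample token are constructed here, while /v1/authorize is Okta's authorize endpoint path under the authorization server issuer.

```javascript
// Added example: client-side checks for the groups claim.
// (1) the authorization request must ask for the "groups" scope alongside "openid";
// (2) the ID token payload must then carry the "groups" claim, which is mapped to roles.
// All function names and the sample token are constructed for this example.

const REQUIRED_SCOPES = ["openid", "groups"];

// Builds the /authorize URL for the implicit flow used in the question and
// refuses to proceed when the "groups" scope is missing from the request.
function buildAuthorizeUrl({ issuer, clientId, redirectUri, scopes, state, nonce }) {
  const missing = REQUIRED_SCOPES.filter((s) => !scopes.includes(s));
  if (missing.length) throw new Error(`missing scope(s): ${missing.join(", ")}`);
  const params = new URLSearchParams({
    client_id: clientId, response_type: "id_token token",
    redirect_uri: redirectUri, scope: scopes.join(" "), state, nonce,
  });
  return `${issuer}/v1/authorize?${params.toString()}`;
}

// Decodes the payload segment of a compact JWT (base64url JSON). This inspects
// claims only; signature, issuer, audience and nonce validation are separate steps.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// The groups claim as an array, or [] when the server did not issue it
// (which is what the question saw in Token Preview).
function groupsFromIdToken(jwt) {
  const groups = decodeJwtPayload(jwt).groups;
  return Array.isArray(groups) ? groups : [];
}

// Derives application roles from group names (groups as buckets such as
// Admins / Users, as the third answer describes).
function rolesFromGroups(groups, mapping) {
  const roles = new Set();
  for (const g of groups) for (const r of mapping[g] || []) roles.add(r);
  return [...roles].sort();
}

// Constructed, unsigned sample token (header.payload.signature) for a local run.
function sampleIdToken(payload) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "none" })}.${b64(payload)}.sig`;
}
```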

Creating a security role to be able to only create roles and users without having the System Admin role

CRM 2015: I want to be able to create a role for local IT so they can add user accounts and assign roles.
Regarding the 'adding roles' portion, is it simple enough just to create a role for local IT to 'write' to 'Security Roles' in the 'Business Management' tab of 'Security Roles' at the user level?
No, this is not that simple. A user cannot give another user a privilege higher than he has (it would be a serious security hole). So, for example, you have a role to edit Security Roles and you have Read access for Accounts in your Business Unit. If somebody in your Business Unit has no Read access and only User access, you can add him Read access for the Business Unit (the same you have), but you will not be able to give him Organizational access (so higher than yours). You can imagine that if this were possible, you would basically be able to give yourself Admin privileges and do whatever you want in CRM.
Knowing that, it should be possible for you to create a role that, for example, has full access to Accounts, Contacts, custom entities etc. and Security Roles. This role would be able to modify other users' access levels to Accounts, Contacts etc., but not to other entities that they don't have privileges to.
Exactly the same logic applies to assigning Security Roles. So user A cannot assign a Security Role to user B if it gives user B privileges higher than user A has.
In the end, it is very hard to properly implement the scenario you described, because there are so many privileges and a user needs to have a lot of them to even use CRM. I've tried this once but could not satisfy the business requirement; it always ended up with using the System Admin role, because there was always some scenario that could not be handled by a user with only this "specific" security-modification role.
Assigning the 'System Administrator' security role and changing the Access Mode in the user record to 'Administrative' helped me achieve this. The user still cannot access any transaction data. So, I think you can go for this approach.

How to Get Security Roles of Another User in CRM 2013 Using Javascript

Getting the current (logged-on) user's security roles from the context is trivial:
Xrm.Page.context.getUserRoles()
But I can't find an answer on how to get the roles for another user by Id or Name (different from the user who is currently logged on).
You can use OData to get the roles assigned to a user:
http://<server>/<org>/xrmservices/2011/OrganizationData.svc/SystemUserRolesSet?$filter=SystemUserId eq guid'<user guid>'
In a similar way, you may also want to check for roles assigned to the teams the user belongs to.
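The OData lookups for a user's direct roles and for the roles of the teams he belongs to, and the merge of the two into one effective list, as an added example that is not from the answer above. It assumes the 2011 OData endpoint exposes the intersect sets SystemUserRolesSet (from the answer), TeamMembershipSet and TeamRolesSet; the response objects are constructed in the shape the endpoint returns ({ d: { results: [...] } }) so the block runs offline.

```javascript
// Added example: CRM 2011-endpoint OData queries for a user's effective roles.
// TeamMembershipSet and TeamRolesSet are assumed entity-set names for the
// teammembership and teamroles intersect entities; sample responses are constructed.

function odataBase(serverUrl, orgName) {
  return `${serverUrl}/${orgName}/xrmservices/2011/OrganizationData.svc`;
}

// Roles assigned directly to the user (the query from the answer, with $select).
function userRolesQuery(base, userId) {
  return `${base}/SystemUserRolesSet?$filter=SystemUserId eq guid'${userId}'&$select=RoleId`;
}

// Teams the user is a member of, then the roles assigned to one team.
function teamMembershipQuery(base, userId) {
  return `${base}/TeamMembershipSet?$filter=SystemUserId eq guid'${userId}'&$select=TeamId`;
}
function teamRolesQuery(base, teamId) {
  return `${base}/TeamRolesSet?$filter=TeamId eq guid'${teamId}'&$select=RoleId`;
}

// Pulls one column out of the OData 2 JSON response shape; tolerates an
// empty or malformed response by returning [].
function column(response, name) {
  const rows = response && response.d && Array.isArray(response.d.results) ? response.d.results : [];
  return rows.map((r) => r[name]);
}

// Direct roles plus the roles of every team, de-duplicated. The caller issues
// the three queries above (XMLHttpRequest with Accept: application/json) and
// passes the parsed responses in.
function effectiveRoleIds(userRolesResponse, teamRolesResponses) {
  const ids = new Set(column(userRolesResponse, "RoleId"));
  for (const resp of teamRolesResponses) for (const id of column(resp, "RoleId")) ids.add(id);
  return [...ids].sort();
}

// Constructed sample responses: the user holds r1 and r2 directly, and a team adds r3.
const SAMPLE_USER_ROLES = { d: { results: [{ RoleId: "r1" }, { RoleId: "r2" }] } };
const SAMPLE_TEAM_ROLES = [{ d: { results: [{ RoleId: "r2" }, { RoleId: "r3" }] } }];
```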

Custom Role membership provider

We are trying to implement a custom role membership provider for our web app. For authorization we want to check one more field, like FacilityId, for the logged-on user along with the role he has. E.g. my User1 having Role1 with Facility1 can access some option, and the same user role for Facility2 has a different option. So is there a way we can extend the existing role/profile provider to authorize a user with this additional field along with the assigned role?
Depending on how complicated you expect this to be, you might want to just have Facility1 and Facility2 be roles, even though they may share a lot of the same aspects. In this manner, you should not need to extend the membership provider.
There can be n facilities, so having that many roles does not look feasible. If we can find a way by which we can pass the FacilityId from the application to this security module's role provider and fetch the appropriate role for the user only for that facility.
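One way to do what the last comment asks for, as an added example that is not the poster's code: assignments are stored as (user, facility, role) tuples instead of one role per facility, and the application passes the current FacilityId into every check. FacilityRoleProvider, isUserInRole, getRolesForUser and the sample assignments are constructed for this example.

```javascript
// Added example: a facility-scoped role check. A null facility in an assignment
// means the role applies to every facility; a missing facility context denies.

class FacilityRoleProvider {
  constructor(assignments) {
    // assignments: [{ user, facility, role }]; facility null = organisation-wide
    this.assignments = assignments;
  }

  // Roles the user holds in the given facility (facility-scoped plus organisation-wide).
  getRolesForUser(user, facilityId) {
    if (!facilityId) return []; // no facility context: deny by default
    const roles = new Set();
    for (const a of this.assignments) {
      if (a.user !== user) continue;
      if (a.facility === null || a.facility === facilityId) roles.add(a.role);
    }
    return [...roles].sort();
  }

  // Counterpart of RoleProvider.IsUserInRole with the extra facility argument.
  isUserInRole(user, role, facilityId) {
    return this.getRolesForUser(user, facilityId).includes(role);
  }
}

// Constructed sample: User1 is Role1 at Facility1, Role2 at Facility2 and an
// Auditor everywhere; User2 is Role2 at Facility1 only.
const SAMPLE_ASSIGNMENTS = [
  { user: "User1", facility: "Facility1", role: "Role1" },
  { user: "User1", facility: "Facility2", role: "Role2" },
  { user: "User1", facility: null, role: "Auditor" },
  { user: "User2", facility: "Facility1", role: "Role2" },
];

const provider = new FacilityRoleProvider(SAMPLE_ASSIGNMENTS);
```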
