How to grant additional permissions to %system.teamcity.auth.userId% account? - teamcity

TeamCity has a %system.teamcity.auth.userId% account to perform special tasks; it is actually a variable that contains a username that changes for every run.
I need to grant this account additional permissions. How do I do this? Under what username does this account reside?

There is no way to grant additional permissions to the system.teamcity.auth.userId account.
system.teamcity.auth.userId represents a virtual entity, something like "buildUser". This buildUser has a very limited set of permissions to let it get build-, buildConfiguration- and project-related data. You might refer to the TeamCity issue for additional details.
To work around this behavior you might explicitly specify the credentials for a real user via Configuration Parameters. The password display='hidden' parameter spec hides it from the "Run Custom Build" dialog (password parameters are also redacted from the build log).

Related

Allow admin user to login as other users

Is there any way for an admin user to log in to other users' accounts?
Currently authentication is based on Meteor Accounts.
I saw this post but it isn't working at all now.
The feature is important for us because when a user has a problem in the system, the admin needs to see it by simulating the user's account.
Thanks in advance.
It seems you want to impersonate a user. This means that you want to have Meteor.userId (or this.userId depending on context) reflect the _id of a specific user both on the client and the server.
afaict the only way to do this is to log in as the user. Presumably you don't want to ask the user for their password so you have a couple of choices:
1. Save their existing password, replace it (temporarily) with a password of your choosing, then after you're done impersonating their account, restore their existing password.
   You probably don't want to ask the user for their password and you don't need to. All you need to do is set aside Meteor.users.findOne(userId).services.password.bcrypt, then reset the password to your temporary value, then restore the original bcrypt value later.
   The downside is that the original user would not be able to log in while you are logged in. Plus it's really hacky.
2. Extend Meteor's Accounts package to provide impersonation capability in a more elegant manner.
You might also look at validateLoginAttempt. The docs are unclear as to whether a failed login attempt could be overridden with a successful one but if it could then that would provide another pathway to solve your problem.
Instead of logging in as the users, which requires their password and which is a total no-no, you may rather use alanning:roles and allow the admin to assign the role of any user in order to draw views based on the user's role.
This requires a well designed role system.
As a plus you could then at least load the documents associated with the user who you want to support.
This requires a well designed document and data model.
But generally speaking you should rather focus on writing good tests (test driven development) for components as unit tests, integration tests and UI tests.
This will reduce the need to manually view the app as an end user a lot.
The most common end user problems can be reduced by creating a good knowledge base like a wiki or video tutorials.
Even if an error then occurs on the end user's side, I would rather try to implement a well designed error log that allows users to automatically create tickets on error which also include the error stack.
All the above methods are to be favored before logging in AS THE USER.
As #Jankpunkt has already mentioned alanning-roles, I can add something you can use without installing any external package.
Just keep a type key in the profile object of the users collection. Then define some types like 1 for super-admin, 2 for admin, 3 for general etc. Then check the authorisation of a particular action by checking the value of the user.profile.type key.
Caveats: Make sure you are checking the type on the server side. By default the profile field is writable from the client end, so if you are putting the type field in the profile object make sure that you are not allowing users to modify the users collection from the client end.
Here is how to restrict client-end updates to the users collection:
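import { Meteor } from 'meteor/meteor';

// A deny rule that returns true rejects every client-side update to Meteor.users.
Meteor.users.deny({
  update() { return true; }
});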
Read more on roles and permissions here:
https://guide.meteor.com/accounts.html#roles-and-permissions
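The server-side type check described in the last answer, as an added example that is not part of the original posts. It is plain JavaScript so it runs outside Meteor; the action names, the threshold table and the sample user documents are constructed, and in a Meteor method the `user` argument is assumed to be the document loaded on the server for the calling session. It also shows why the comparison has to be strict when a lower number means more privilege: a type of null coerces to 0 and passes a naive `<=` check.

```javascript
// Type codes follow the answer's scheme: lower number = more privilege.
const TYPE = Object.freeze({ SUPER_ADMIN: 1, ADMIN: 2, GENERAL: 3 });

// Constructed table: least privileged type still allowed to run each action.
const MAX_TYPE_FOR_ACTION = Object.freeze({
  'users.changeType': TYPE.SUPER_ADMIN,
  'users.viewSupportData': TYPE.ADMIN,
  'posts.create': TYPE.GENERAL,
});

// Naive check: relies on coercion, so null, "" and [] compare as 0
// and are treated as more privileged than a super-admin.
function naiveIsAllowed(user, action) {
  return user.profile.type <= MAX_TYPE_FOR_ACTION[action];
}

// Strict check: fails closed on a missing user, an unknown action, or a
// type value that is not one of the defined integer codes.
function isAllowed(user, action) {
  if (!Object.prototype.hasOwnProperty.call(MAX_TYPE_FOR_ACTION, action)) return false;
  const type = user && user.profile ? user.profile.type : undefined;
  if (!Number.isInteger(type)) return false;
  if (!Object.values(TYPE).includes(type)) return false;
  return type <= MAX_TYPE_FOR_ACTION[action];
}

// Guard to call at the top of a server-side method. `user` must be the
// document loaded on the server, never an object supplied by the client.
function assertAllowed(user, action) {
  if (!isAllowed(user, action)) throw new Error('not-authorized');
  return true;
}

// Constructed sample user documents.
const admin = { _id: 'a1', profile: { type: 2 } };
const general = { _id: 'g1', profile: { type: 3 } };
const nullType = { _id: 'n1', profile: { type: null } };

console.log(naiveIsAllowed(nullType, 'users.changeType')); // naive check passes
console.log(isAllowed(nullType, 'users.changeType'));      // strict check denies
console.log(isAllowed(admin, 'users.viewSupportData'));
```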

Microsoft Dynamics 365 - Unable to identify a user privilege

I am using Microsoft Dynamics 365 and I am attempting to change the Owner of an Opportunity. I have System Administrator privileges, but I still get this error message:
<Message>Principal user ... is missing prvReadps_application privilege (Id=75b45303-d5b2-494f-9300-04ffa37d2fee)</Message>
The prvReadps_application privilege is missing from the Dynamics documentation so I'm having a hard time tracking down what privilege is missing from my role. How can I use the privilege name or Id to add the privilege to my role?
It is not you who is missing the privilege - it's the user to whom you are trying to give ownership of the Opportunity. Let's say you have an account owned by User A. If you want to assign this account to user B, user B MUST have at least User-level Read privilege for the account entity. That is how Dynamics CRM/365 works. The user that you are trying to assign the Opportunity to is probably missing the proper security role.
As others pointed out, ps_application is a custom entity - you should go to your System Customizations area and check its display name (I bet it's something like Application). Now you should check the security roles of the user to whom you are trying to change ownership - you should grant this role Read privilege for this entity (it will be on the last tab of the Security Role configuration page).
So, why are you getting this error when assigning Opportunity? I bet that this ps_application entity is related to the Opportunity and the relationship is configured to propagate owner, so by changing owner on Opportunity, you are changing owner of related ps_applications -> and thus you are getting the error, as the user cannot be the owner for such records (does not have read privilege).
ps_application is your custom entity. That's why it's missing in the MS documentation.
prvReadps_application - says Read privilege missing, so look for the Custom entity tab in the Security role.
But System Administrator is a dynamic role; the privilege should be added when a new custom entity is added to the system. Make sure you didn't remove any privileges explicitly.
Also verify the Security roles of the owner you are trying to assign, for Read privilege of this custom entity.
Arun V.'s answer made me realize that I missed the part about you being a System Administrator. Thanks Arun V., and my apologies.
Now I would say that you'll want to focus on the privs of the user to whom you are assigning the record. Their lack of permissions is likely what is preventing the assignment.
As Arun V. pointed out, ps_application could be a custom entity.

Creating a security role to be able to only create roles and users without having system admin role

CRM 2015: I want to be able to create a role for local IT to be able to add user accounts and assign roles.
Regarding the 'adding roles' portion, is it simple enough just to create a role for local IT to 'write' to 'security' roles in the 'business management' tab of 'security roles' at the user level?
No, this is not that simple. A user cannot give another user a privilege higher than he has (it would be a serious security hole). So for example you have a role to edit Security roles and you have Read access for Accounts in your Business Unit. If somebody in your Business Unit has no Read access and only User access, you can give him Read access for the Business Unit (the same as you have), but you will not be able to give him Organizational access (so higher than yours). You could imagine that if this were possible, you would be able to basically give yourself Admin privilege and do whatever you want in CRM.
Knowing that, it should be possible for you to create a role that for example has full access to Accounts, Contacts, Custom entities etc. and Security Roles. This role would be able to modify other users' access levels to Accounts, Contacts etc. but not to other entities that they don't have privilege to.
Exactly the same logic applies to assigning the Security Roles. So user A cannot assign a Security Role to user B, if it gives user B privileges higher than User A has.
In the end, it is very hard to properly implement the scenario that you described, because there are so many privileges and a user needs to have a lot of them to even use the CRM. I've tried this once but could not satisfy the business requirement - it always ended up with using the System Admin role, because there was always some scenario that could not have been handled by a user with only this "specific" security modification role.
Assigning 'System Administrator' security role and changing Access Mode in user record to 'Administrative' helped me to achieve this. User still cannot access any transaction data. So, I think you can go for this approach.
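The rule stated in the first answer above (a user cannot grant or assign anything deeper than they hold themselves), as an added example that is not part of the original answers and is not Dynamics code. It is a simplified model for auditing a planned "local IT" role: the role contents are constructed sample data, and the function names are hypothetical.

```javascript
// Access levels in a security role, shallowest to deepest.
const DEPTH = Object.freeze({ None: 0, User: 1, BusinessUnit: 2, ParentChild: 3, Organization: 4 });
const depthOf = (name) => DEPTH[name] || 0;

// Effective privileges of a user: the deepest level granted by any held role.
function effectivePrivileges(roles) {
  const eff = {};
  for (const role of roles) {
    for (const [priv, depth] of Object.entries(role.privileges)) {
      if (!Object.prototype.hasOwnProperty.call(DEPTH, depth)) {
        throw new Error(`unknown depth: ${depth}`);
      }
      if (DEPTH[depth] > depthOf(eff[priv])) eff[priv] = depth;
    }
  }
  return eff;
}

// Privileges in `role` that exceed what the assigner holds; each entry
// explains why the assignment would be refused.
function blockedPrivileges(assignerRoles, role) {
  const held = effectivePrivileges(assignerRoles);
  return Object.entries(role.privileges)
    .filter(([priv, depth]) => depthOf(depth) > depthOf(held[priv]))
    .map(([priv, depth]) => ({ privilege: priv, requested: depth, held: held[priv] || 'None' }));
}

function canAssign(assignerRoles, role) {
  return blockedPrivileges(assignerRoles, role).length === 0;
}

// Constructed sample roles (privilege names are illustrative sample values).
const localIT = [{
  name: 'Local IT',
  privileges: { prvReadAccount: 'BusinessUnit', prvWriteRole: 'BusinessUnit', prvAssignRole: 'BusinessUnit' },
}];
const salesBU = { name: 'Sales (BU)', privileges: { prvReadAccount: 'BusinessUnit' } };
const salesOrg = {
  name: 'Sales (Org)',
  privileges: { prvReadAccount: 'Organization', prvReadOpportunity: 'User' },
};

console.log(canAssign(localIT, salesBU));          // same depth as the assigner
console.log(blockedPrivileges(localIT, salesOrg)); // deeper than, or absent from, the assigner
```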

Deleting admin account in ObjectGears

After starting ObjectGears the first time I created administrator as the first user. I configured everything with this user and then imported other users.
Now I do not know if I can delete this user. I do not want to lose admin access.
You can delete it. Whether an account is admin is set in the file web.config in the parameter AdminLogins. So admin can be anybody whose account is included there.
You can also leave this parameter blank and then nobody will be able to change any configuration in the instance, supposing you also delete model owners.

Manage multiple user calendars from a single program

Is it possible to manage multiple calendars from a single program? The task is to add events for different users in a domain, but do it from a single program without knowing all users' domain passwords. What type of authentication should be used to connect to EWS? Does any admin account exist? How to specify which calendar to update on each operation?
Sure, this is possible. You will have to create an ExchangeService instance for each user and set the ImpersonatedUserId property to the mailbox of the user for whom you want to add the appointment or whatever you want to add.
Have a look at http://msdn.microsoft.com/en-us/library/exchange/dd633680(v=exchg.80).aspx where you can find how to work with impersonation, and also have a look at http://msdn.microsoft.com/en-us/library/bb204095.aspx where you can see how to set the rights your user needs to impersonate.
Hope that answers your questions...
