Get-Acl specify no users just groups - powershell-4.0

I was wondering how I can run Get-Acl so it outputs only groups, e.g. "Accounts Dept" and not individual users such as "Bobby Joe", "John Doe", etc.
I want to get a list of shared folders mapped to the required groups only and don't want the output to have hundreds of end user names in the list.
Can that be done?

Related

In Django Rest Framework, get all chosen groups for a request User

I want to return the list of chosen groups for a particular user. We can get all groups, we can get all user permissions by group, but not the group names themselves.
e.g.
> Group.objects.all()  # list of ALL group names
> Group.objects.all().values_list('id', flat=True)  # list of ALL groups' IDs
> request.resource_owner.get_group_permissions()  # all group based permissions
Just posting the answer, FYI!
request.resource_owner.groups.all()

How to check whether any user exists as part of GROUP-FILTER in ldap

Say, I want to retrieve some users and I have provided both user_filter & group_filter to filter out the specific users that I need.
user_filter = (&(cn=ab*)(sn=cd*))
group_filter = (|(cn=gh*)(cn=kl*))
I know how to write individual queries for user & group. How can I combine the above filters to write a single query such that I get the users whose common name starts with 'ab' and surname starts with 'cd' and they either belong to groups which start with 'gh' or 'kl'?
It depends on how you have membership defined. If you have membership on the groups, e.g. group1 has a member attribute for user1, this combined query is not possible. If you have groups defined on the user, e.g. user1 has a memberOf attribute for group1, then you may do something like
(&(objectclass=user)(cn=ab*)(sn=cd*)(|(memberof=cn=gh*)(memberof=cn=kl*)))
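A two-step variant of the combined query above, as an added example that is not part of the original answer: resolve the group filter to group DNs first, then match memberOf against those exact DNs, which is what a directory needs when it does not do substring matching on DN-valued attributes (Active Directory, for example). Every value is escaped per RFC 4515 so user-supplied prefixes cannot alter the filter structure; the function names and sample group DNs are assumptions, and the group search is represented by a constructed list rather than a live LDAP call.

```python
# Added example (not from the original answer). The group DNs are constructed
# sample data standing in for the result of a separate search with group_filter.

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a literal for use as an LDAP filter assertion value (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def prefix_clause(attr, prefix):
    """Build (attr=prefix*): the prefix is untrusted text, the trailing '*' is ours."""
    return f"({attr}={escape_filter_value(prefix)}*)"


def users_in_groups_filter(cn_prefix, sn_prefix, group_dns):
    """AND the user criteria with an OR over exact memberOf DNs."""
    if not group_dns:
        # No group matched: return a filter that matches nothing instead of
        # silently dropping the group restriction.
        return "(!(objectClass=*))"
    members = "".join(
        f"(memberOf={escape_filter_value(dn)})" for dn in group_dns
    )
    return (
        "(&(objectClass=user)"
        + prefix_clause("cn", cn_prefix)
        + prefix_clause("sn", sn_prefix)
        + f"(|{members}))"
    )


if __name__ == "__main__":
    # Constructed DNs, as if returned by searching with (|(cn=gh*)(cn=kl*)).
    groups = [
        "CN=ghost,OU=Groups,DC=example,DC=com",
        "CN=kl (ops),OU=Groups,DC=example,DC=com",
    ]
    print(users_in_groups_filter("ab", "cd", groups))
```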

Restrict a user to a set of documents in elasticsearch

I have an index with many documents. In my app, a login happens under a username. For a user only a group of data should be visible, that is I want to restrict each user to a set of documents. Can somebody offer a solution of how to implement this using elasticsearch?
Suppose my index contains the following documents
record1
record2
record3
record4
And I have say 2 users, user1 and user2
When user1 is logged in, he should have access to "record1", "record2" and "record3", whereas for user2, the access should only be to "record4".
Probably you can add one more column to the index wherein you can persist the intended user for the record, and while querying the index you can check if the logged-in user is among the users specified in the column.
I would advise you to use index aliases.
Index aliases have the capability to add a filter to them.
So create 2 aliases, one for each user.
Now for each alias, create a filter which restricts the user to his own set of documents. (Just use a document ID search.)
Restrict these users to use only these aliases using a proxy.
That should do the trick.
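The alias approach above as an added example (not part of the original answers): the `_aliases` request body that creates one filtered alias per user with an `ids` query, and the proxy-side check that confines each user to searching their own alias. The index name `records`, the alias naming scheme and the function names are assumptions.

```python
# Added example (not from the original answers). Index name, alias names and
# the user-to-document mapping are constructed from the question's scenario.

INDEX = "records"  # hypothetical backing index
USER_DOCS = {
    "user1": ["record1", "record2", "record3"],
    "user2": ["record4"],
}


def alias_for(user):
    """Alias name reserved for one user (naming scheme is an assumption)."""
    return f"{INDEX}-{user}"


def alias_actions():
    """Body for POST /_aliases: one alias per user, filtered by document ID."""
    return {
        "actions": [
            {
                "add": {
                    "index": INDEX,
                    "alias": alias_for(user),
                    "filter": {"ids": {"values": list(doc_ids)}},
                }
            }
            for user, doc_ids in sorted(USER_DOCS.items())
        ]
    }


def proxy_allows(user, method, path):
    """Default deny: only <own alias>/_search passes, nothing else.

    The whole first path segment must equal the caller's alias, so the
    backing index, another user's alias, comma-separated index lists and
    admin endpoints such as /_aliases are all rejected.
    """
    if user not in USER_DOCS or method not in ("GET", "POST"):
        return False
    parts = path.split("?", 1)[0].strip("/").split("/")
    return parts == [alias_for(user), "_search"]


if __name__ == "__main__":
    print(alias_actions())
    print(proxy_allows("user1", "POST", "/records-user1/_search"))
```

The aliases only narrow what a search returns; the isolation between users comes from the proxy refusing every request that is not a search on the caller's own alias.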

List groups that are members of other groups in Active Directory domain

Does anybody know a way to find the full members (users and groups) of a domain?
Similar to how 'net localgroup Administrators' reports both users and groups that are members of the group Administrators; however, the similar command in relation to a domain, 'net group /domain ', lists only members (not groups). Is there a simple way (w/o PowerShell) to accomplish this task?
Thanks in advance.
Jurz
dsget and dsquery are the likely candidates here (depending on the OS you are trying for).
You can try this (I'm not at a DC to test it at the moment)
Groups are
dsquery group DC=Contoso,DC=Com
Users should be
dsquery user dc=ms,dc=tld
Also note you can pipe from one command to another, i.e. get groups then users
dsquery group DC=contoso,DC=com -name yourgroup | dsget group -members
You can try without -name and see if it works.

Check if user is in group by group name

I may be thinking about this wrong, but shouldn't it be a very common thing to need to check if a user belongs to a certain group? For example, if you want to show a certain menu item only to "Administrators", shouldn't there be a way within my view file to easily check if the user belongs to that group?
I see that there is an inGroup() function on the user, but this requires that you first fetch the group object, and pass it into the function, rather than simply passing the group name, for example, $user->inGroup('Administrators');. I also realize I could write my own method to accept the group name, look it up, and then use that in the existing inGroup() method.
However, the fact that this is not much more obvious in the docs makes me believe I am thinking about it in the wrong way.
Would the preferred way be to give the "Administrators" group an "admin: 1" permission, and therefore just check if the user has that permission rather than checking if they are in the group?
If so, I am struggling to see the value of a group at all since you aren't able to easily use them to determine access; instead, you need to use the individual permissions that the group contains.
You can check to see if a user belongs to a group easily:
$user = Sentry::findUserById(1);
$adminGroup = Sentry::findGroupByName('Admin');
$isAdmin = $user->inGroup($adminGroup);
However, the best approach is to use permissions. You can set up an 'Admin' group with permissions to 'manage user accounts'. You then simply check to see if the user has permission to 'manage user accounts' as opposed to checking whether they belong to the Admin group.
In my 'group' table I have a row like this:
id | name | permissions
1 | Admin | {"manageUserAccounts":1}
I can now check whether a user has permission to 'manageUserAccounts' with the following:
$user = Sentry::findUserById($userId);
// Check the permission granted through the group, not the group itself
if ($user->hasPermission('manageUserAccounts')) {
    print 'You can manage user accounts';
}
else {
    print 'Oops, you cant manage user accounts';
}
Note that the 'user' table is connected to the 'group' table via the user_groups table.
See the Sentry documentation for more info on how to fine grain permissions. It's quite powerful.
