IBM Knowledge Center states that
Server disables security access checks during subscription execution
but does not mention the user credentials the code uses to execute which you need to know in order to map user RunAs roles on the application server.
What user credentials does FileNet use to execute event action code?
As I understand, when you create async subscription it will be executed under p8boostrap user.
And it will keep user context when you execute syncronious subscription.
But you can check it for sure.
It is using the user who triggered the action. E.g. if a user changes a property of a document (let's say DocumentTitle because it is always there) and clicks save, then an update event will be triggered which launches the subscription (if subscribed to the update event) which launches the action. Use synchronous for short running tasks, you can immediately show the update to the user. With asynchronous the user will have to click "Refresh".
Security can be a pain if not planned carefully at the beginning, for the action to be executed, the user has to have rights for the subscription, action event, document class etc. basically for everything involved or the user will get a cryptic error message when trying to modify the DocumentTitle.
Source: personal experience, sorry no official reference, if in doubt verify first.
Related
I an developing a chrome extension which doesn't has any sign up or sign in flow, instead depends on authentication of a separate web app. I started integrating mixpanel and tracking user events anonymously, Now i want to identify those anonymous users using "alias" and "identify" api. I have a user_id for identifying users from the web app exposed REST api. Now if i apply a boolean check and make sure i call mixpanel "alias(user_id)" once and call "identify(user_id)" every time user visits a page, I can see a user entry in explore tab of mixpanel but live events tab has a anonymous user with same user_id and its tracked data, I wish to link such anonymous users with appropriate user profiles.
Please help me with this if you have some understanding of mixpanel. I am new at this.
Since I didn't had a sign in or sign up flow, I cannot use
mixpanel.alias
Hence i am now calling
mixpanel.identify
As soon as user installs the plugin, Since "identify" api can be called any number of times for an user, We are able to track all future events as soon as plugin gets installed.
This way by not letting the user generate anonymous events we can handle such situation.
As far as I could understand, when the user presses the Submit button eventually, the GetSerialization method will be called to get login details.
I am programming a Credential Provider that waits for some external signal to log in, and I do not want the user to press the Submit button.
Is it possible to trigger the submit event from the Credential Provider?
I found a way to do it. The trick is not to call the submit button, but use the ICredentialProviderEvents::CredentialsChanged method. I have a thread running, that will eventually trigger the CredentialsChanged. This will then enable a new Credential that logs the user in.
This is shown in the Microsoft Sample SampleHardwareEventCredentialProvider.
It is worth notice that the Windows LogonUI automatically selects this new Credential. I do not know if this is in the documentation, but it is the behaviour I experienced.
The more appropriate way would be to implement the IConnectableCredentialProviderCredential interface, which is designed specifically for this purpose.
I'm working on a custom plug-in (non-sandboxed) in a CRM2016 on-prem to interface with an internal webAPI.
When I run this piece of code, it is returning the CRM App Pool user and not my user name:
(System.Security.Principal.WindowsIdentity)HttpContext.Current.User.Identity;
Is this expected and normal? If it is, how do you impersonate the calling user for external calls.
Thanks.
Yes that is normal, synchronous plugins run on the web server, so getting the IIS App Pool user is expected. If the plugin is running asynchronously its runs on the back end asynchronous service so you would probably get a different service account.
You could examine the plugin execution context (IPluginExecutionContext) to get eitherInitiatingUserId or UserId, which is the CRM GUID of the system user account under which the plugin is executing - depending how on the plugin is executed and registered this can give you the CRM identity of the user who started the plugin.
Jeff describes this within; How to get current user record in CRM plugin?
The information is available in the PluginExecutionContext. The code
below is from the Execute method your plugin must implement.
public void Execute(IServiceProvider serviceProvider)
{
IPluginExecutionContext context = (IPluginExecutionContext)serviceProvider.GetService(typeof(IPluginExecutionContext));
IOrganizationServiceFactory serviceFactory = (IOrganizationServiceFactory)serviceProvider.GetService(typeof(IOrganizationServiceFactory));
Guid userId = context.InitiatingUserId;
}
FYI, the context also has a "UserId" property that may or may not be
the same as the InitiatingUserId. If your plugin step registration
"Run in Users's Context" field has the value "Calling User", then they
will be the same. If you have specified a user in the "Run in User's
Context" field, then the UserId field will contain the user ID of the
person you specify and the InitiatingUserId will be the actual CRM
user whose action triggered the plugin. Sounds like you're looking for
the InitiatingUserId.
Or perhaps you could use another indicator, such as whoever last modified some record. You could then lookup their details in CRM, e.g. to get their domain name.
Depending on how you authenticate with the external service this might help to impersonate the user. Otherwise there as far as I know there is no easy way to get the users security token for example, CRM doesn't really expose that information.
I’m having an issue with Mixpanel identification. I want to be able to track events logged before the user logs in and identify them as such.
Here’s an exemple. Louie opens the webpage and visits the “About” page. Using mixpanel.track('Visit About'), I’m able to log Louie’s anonymous visit. All is fine and dandy.
Louie decides to log in, and a mixpanel.identify(user.id) call identifies him — and subsequent events can be tracked back to Louie. However, the first event (“Visit About”) still shows up with a random, Mixpanel-set distinct ID and hasn’t been associated with Louie.
Is this behaviour expected? What can I do? Cheers
You want alias.
From their Javascript API reference:
Use alias() when a unique ID is first assigned (registration), and use identify() to identify the user with that unique ID on an ongoing basis (e.g., each time a user logs in after registering). Do not call identify() at the same time as alias().
From your description, it sounds like, rather than viewing the "About" page anonymously and then logging in, Louie is viewing the "About" page anonymously and then signing up.
In that case, call alias when Louie signs up, and call identify when he logs in after that. That should associate the random, anonymous Mixpanel ID with Louie's new registered user ID.
Note: using this method will mean that, because Louie triggered an event anonymously and then logged in, Louie's anonymous id for that event will not be linked to his distinct id from logging in. If he had signed up after triggering the anonymous event, you would call alias, and they would be linked. This is a known limitation of Mixpanel, unfortunately. From their documentation:
This is the first time he's accessed your site from this device, so we assign a brand new distinct_id to him. He clicks around and then logs in. You should not call mixpanel.alias() in this situation - we haven't seen him on this device, but he is not a new user. ... Instead of calling mixpanel.alias() you should just call mixpanel.identify(). This will remap his phone activity to the original ID he used when signing up for your service, which is the most desirable outcome. This does mean that regrettably the events he fired before logging in will not be associated with him.
More about aliasing in Mixpanel here.
It took them a while, but here it is...
It's called Mixpanel Identity merge and it should fix the whole problem of connecting the actions an anonymous user did before signing up /logging in
The new system improves the behavior of identify(), alias(), and adds a new event called $merge.
All pre-authentication activity can now be mapped back to a user
The ID merge system makes it possible to link pre and post authenticated event streams under a single identifier. This eliminates “false-uniques”, ensuring the most accurate conversion and drop-off rates in funnels and flows.
Previously, Mixpanel could only map pre-sign up activity back to a user who was later identified. Any activity a user did anonymously before signing in again could not be attributed to that user.
Here is the whole blog post
Alias doesn't work for the scenario when existing user logs in, but I found work around for this.
When a user first logs in, check to see if the distinct_id of the request cookie matches the user id.
If they don't match, create a backend task to backfill the anonymous distinct_Id to the user's distinct_id.
Load the events with JQL, then fire them again using the mixpanel import endpoint.
The downside is that you will have duplicate events in the system since there are no way to delete events from the anonymous distinct_id.
For the imported events, you can add a property to them indicating that they are imported so they can be filtered out if need be.
I need to fetch some extra information after current user have been logged in.
I'm a bit lost in the "automatic" login flow, once user have already been logged in and app restart, loading user session from disk and refreshing.
I would like to get notified (one way or another) when it happen.
Any idea? track?
This is one of the main problems I encountered when using automatic user log in, and I have not figured out a solution yet. I asked about it here on the parse gh repo. I could not use the init method of the subclass, because I had to modify the object on automatic user creation (which the library asserts on), but in your case, you could use this technique to be notified of the user creation. (create user subclass, register it, and override init method)