How to revoke all access to objects apart from READ-Access only in Documentum - readonly

I have a question on how to revoke access to all objects (documents, emails etc.) from all users, leaving READ access only, in Documentum. Having searched around the internet, no answers were found. Thanks for your help.
As part of the test, I was trying to do this on one user ONLY. My attempts involved changing Security Permissions in DA (Documentum Administration) and changing owner_name in DQL. But none of these attempts seems to work.
Any suggestions? Much appreciated.

The short of it is that you need to remove or change access on the objects themselves (folders, documents, etc.).
You can create a new permission set (ACL) that contains the permissions you want (in this case, READ permission) under the Security section in Documentum Administrator. You can either create a group and assign them the READ permission, or just use the dm_world group and assign it READ. Remove the other access permissions you don't want.
If you use a group other than dm_world you will need to assign all the users to this group under User Management.
Then, use DQL to apply your new permission set to all of your folders and documents.

You can create an ACL with READ permission using the API as below:
create,c,dm_acl
set,c,l,object_name
sample_acl_name
set,c,l,owner_name
dm_dbo
set,c,l,description
Sample ACL
grant,c,l,your_group_name_1,3,execute_proc
revoke,c,l,your_group_name_1,ExtendedPermit,,change_location
grant,c,l,your_group_name_2,3,execute_proc
revoke,c,l,your_group_name_2,ExtendedPermit,,change_location
.
.
.
grant,c,l,your_last_group_name,3,execute_proc
revoke,c,l,your_last_group_name,ExtendedPermit,,change_location
save,c,l
or you can modify the existing ACL using the API as below:
retrieve,c,dm_acl where object_name = 'existing_acl_name'
grant,c,l,your_group_name_1,3,execute_proc
revoke,c,l,your_group_name_1,ExtendedPermit,,change_location
grant,c,l,your_group_name_2,3,execute_proc
revoke,c,l,your_group_name_2,ExtendedPermit,,change_location
.
.
.
grant,c,l,your_last_group_name,3,execute_proc
revoke,c,l,your_last_group_name,ExtendedPermit,,change_location
save,c,l

I have faced a similar situation and I found two ways to approach it. One way, which is an easy way, would be to create a new ACL with all the permissions and groups you wish to have access, which can be done as follows:
String aclName = "your_acl_name";
String aclDescription = "your_acl_description";
// create your ACL object (IDfACL, IDfPermit and DfPermit are in com.documentum.fc.client):
IDfACL acl = (IDfACL) session.newObject("dm_acl");
acl.setObjectName(aclName);
acl.setDescription(aclDescription);
acl.save();
IDfPermit permit = new DfPermit();
permit.setAccessorName(your_groups); // name of the group (or user) that gets access
permit.setPermitType(IDfPermit.DF_ACCESS_PERMIT);
// you may need to change the value of the next line based on your objective;
// for an access permit the value is a permit level, here READ
permit.setPermitValue(IDfACL.DF_PERMIT_READ_STR);
// finally grant the permit you've created above:
acl.grantPermit(permit);
acl.save();
then update the ACL name of your previous object to the one you've just created as follows (DQL):
UPDATE dm_folder OBJECTS SET acl_name = 'your_acl_name' WHERE object_name = 'your_object_name'
or use the more straightforward way, which is by using DFC as below:
// first you must fetch the ACL you're going to edit (getObjectByQualification returns
// an IDfPersistentObject, so cast it):
IDfACL acl = (IDfACL) session.getObjectByQualification("dm_acl where object_name='" + "your_acl_name" + "'");
// this issues a DQL query fetching your ACL by its name from the dm_acl object table
acl.revoke("The_group_you_want_to_limit_to_view_only", "execute_proc");
acl.save();
I hope that this would help you as it worked for me :)
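As an added example (not code from any of the answers above), the following DFC class makes an existing ACL read-only in place, re-granting every accessor at READ and revoking the default extended permits the way the API answer does, and then verifies the result. It assumes an open IDfSession and the standard IDfACL accessor methods (getAccessorCount, getAccessorName, getAccessorPermit, getAccessorXPermitNames); the ACL name is a placeholder.

```java
import com.documentum.fc.client.IDfACL;
import com.documentum.fc.client.IDfSession;
import com.documentum.fc.common.DfException;
import java.util.ArrayList;
import java.util.List;

public class ReadOnlyAclExample {

    // Extended permits Documentum attaches to a grant by default; both are revoked here.
    private static final String[] DEFAULT_XPERMITS = { "execute_proc", "change_location" };

    /** Re-grant every accessor on the ACL at READ (permit level 3) with no extended permits. */
    public static void makeReadOnly(IDfACL acl) throws DfException {
        // Collect the names first so that re-granting cannot disturb the index loop.
        List<String> accessors = new ArrayList<>();
        for (int i = 0; i < acl.getAccessorCount(); i++) {
            accessors.add(acl.getAccessorName(i));
        }
        for (String accessor : accessors) {
            // grant(accessor, permitLevel, extendedPermits); null = no extended permits (assumed)
            acl.grant(accessor, IDfACL.DF_PERMIT_READ, null);
            for (String xpermit : DEFAULT_XPERMITS) {
                acl.revoke(accessor, xpermit);
            }
        }
        acl.save();
    }

    /** True when no accessor exceeds READ and none holds an extended permit. */
    public static boolean isReadOnly(IDfACL acl) throws DfException {
        for (int i = 0; i < acl.getAccessorCount(); i++) {
            if (acl.getAccessorPermit(i) > IDfACL.DF_PERMIT_READ) {
                return false;
            }
            String xpermits = acl.getAccessorXPermitNames(i);
            if (xpermits != null && !xpermits.trim().isEmpty()) {
                return false;
            }
        }
        return true;
    }

    /** Fetch the ACL by name, convert it and report whether the conversion held. */
    public static boolean convert(IDfSession session, String aclName) throws DfException {
        IDfACL acl = (IDfACL) session.getObjectByQualification(
                "dm_acl where object_name = '" + aclName + "'"); // aclName is a placeholder
        makeReadOnly(acl);
        return isReadOnly(acl);
    }
}
```

Objects that reference the ACL pick up the change immediately, so check the ACL is not shared with objects that must stay writable before converting it.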

Related

nested complicated ACL in laravel

I'm using spatie/laravel-permission as the ACL system in my project. It's good.
I'm adding payment/accounting/invoices to my project, and at this level another ACL is needed on users' work.
For example, user A has a feature F1 as our service. For one month he/she can use all sections in F1. After that, some features in F1 are limited until a new invoice is paid by the user.
So in my controller, in an Edit method, I use authorizeForUser just at the user ACL level. Now I should add another ACL in the F model like authorizeForF(F1->id)?!
And another problem is that this is very complicated, and if I forget to add this, I miss some money!!
I have a solution:
Seed a table saving all URIs/methods (with a foreach over Route::getRoutes()) as unique rows and assign a score to each of them (default 0). In a route middleware, analyze every request URI and compare it with the score (for example the URI is /profile/advance and the administrator assigns score 2 for that).
If the URI has a score above zero, the user's account will be checked to continue, or redirected to payment if needed.
This gives the website administrator the ability to assign each URI a score, and the developer has no responsibility for that.
I'm just worried about URIs, because administrators usually don't understand them easily. So I need another seed for some URIs to explain them as titles.
Is it good?

Restrict User Id/Username in ITIM to not start from a given character

I want to restrict users from creating accounts such that they cannot create accounts starting with some character. For example, if I say R, then the user should not be able to create accounts like Rtest1 or Rrest123, but can create accounts like testR1. Where can I apply this check? I checked the invalid character constraints in design forms for the account form, but that does not allow me to specify that the character is disallowed only at the start of the username; for example, if I give R then it won't allow testR1 either. I need something like String.StartsWith() in ITIM using some policy or custom JavaScript. Note: I cannot use workflows for this.
So I found a solution for this using a provisioning policy; I am posting the solution as a reference for others. Create an entitlement in the PP for the service(s) you want to apply this check on. Once done, select that entitlement and click Parameters to create a parameter enforcement for this entitlement. Select the attribute you want to enforce this check on (for me it was eruid), select enforcement type as mandatory and select the JavaScript option. Enter the following script:
var accountId = parameters.eruid[0]; // gets the eruid
// check if the account id starts with q
if (accountId != null && accountId.length > 0 && (accountId.toLowerCase().substr(0, 1) == 'q')) {
    return accountId.substr(1, accountId.length - 1); // remove the q from the beginning and return the new id as a suggestion to the user
}
return accountId; // or else return the same id
This blocks user requests starting with q and does not allow you to submit add account requests. See the caption below:

Using parse.com, can multiple, authenticated users access the same data?

How can I "pair" multiple users, and have them access the same data - perhaps some of the users in a group having read only rights? As a use case, think of a family sharing calendars, each using their own login, but being able to see each other's calendar.
You should have a look at Roles and Security in the Parse docs.
I'm no expert, but I would assume that you would create a role for a family and then restrict the access to either classes or objects (depending on your approach) with Access Control Lists. In that way you can have a group/role that has the same permissions for same objects and classes.
Adapted from the docs:
Creating a role
// By specifying no write privileges for the ACL, we can ensure the role cannot be altered.
var roleACL = new Parse.ACL();
roleACL.setPublicReadAccess(true);
var familyRole = new Parse.Role("MyFamilyRole", roleACL);
familyRole.save();
Then
var calEvent = new Parse.Object("CalendarEvent");
var familyACL = new Parse.ACL();
familyACL.setPublicReadAccess(false);
familyACL.setPublicWriteAccess(false);
familyACL.setRoleReadAccess("MyFamilyRole", true);
calEvent.setACL(familyACL);
calEvent.save();
This can of course be done more efficiently by using default ACLs and other functionality. But these are the basics.
Btw, I reference the JS API, since you didn't specify a platform.

Getting all available permissions spring security acl

I have to implement access controls in my application and I am using spring ACLs for it. My model has User, groups, permissions.
The problem I am trying to solve is to get the permissions on a domain object for a user. I was able to get all the access control entries for that user (principal sid and group sids), and using those I was able to get a final set of permissions by taking a union over all the permissions. Let's say the combined mask is 111, which would be Read, Write and Create permissions going by the permissions defined in BasePermission.
The problem I am facing now is I can't find any way to get a list of all defined base permissions so that I can compare the mask to individual permissions. The base permission class does not seem to provide any such method. I do not want to hardcode cases in an if-then clause, since the number of permissions might increase in future.
Any pointers would be appreciated. Thanks.
You can check for the permission by using AclPermissionEvaluator, passing an array of Permission instances to the hasPermission method as a parameter. Check the source in the given link for the implementation.
@Autowired
private PermissionEvaluator permissionEvaluator;
@Autowired
private PermissionFactory permissionFactory;
........
Object permission = new Permission[]{permissionFactory.buildFromName("READ"), permissionFactory.buildFromName("WRITE"), permissionFactory.buildFromName("CREATE")};
permissionEvaluator.hasPermission(authentication, oid, permission);
And as mentioned in this answer, do not forget to register the AclPermissionEvaluator in your Spring context.
UPDATE: To get all the permissions that a user has on a domain object:
private SidRetrievalStrategy sidRetrievalStrategy = new SidRetrievalStrategyImpl();
.......
List<Sid> sids = sidRetrievalStrategy.getSids(authentication);
// Lookup only ACLs for SIDs we're interested in
Acl acl = aclService.readAclById(oid, sids);
List<AccessControlEntry> aces = acl.getEntries();
List<String> permissionsList = new ArrayList<String>();
for (AccessControlEntry ace : aces ) {
permissionsList.add(ace.getPermission().getPattern());
}
As @Ravi said: using the method readAclById from the class JdbcAclService will not work if you use BasicLookupStrategy, because LookupStrategy.readAclsById ignores the second parameter (sids). I suggest you write your custom lookup strategy.
What you are trying to do is check if a CumulativePermission has a specific permission. You can do it using this method:
public static boolean containsPermission(Permission cumulativePermission, Permission singlePermission) {
return (cumulativePermission.getMask() & singlePermission.getMask()) == singlePermission.getMask();
}
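As an added example that is not from any answer above, this class enumerates the Permission constants declared on BasePermission (or on a subclass that adds custom permissions) by reflection, the same approach Spring's DefaultPermissionFactory.registerPublicPermissions takes, and decodes a cumulative mask such as 7 into permission names without a hardcoded if/else chain.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.CumulativePermission;
import org.springframework.security.acls.model.Permission;

public class PermissionMaskDecoder {

    /** Every public static Permission constant on the class (inherited ones included), keyed by field name. */
    public static Map<String, Permission> declaredPermissions(Class<? extends Permission> type) {
        Map<String, Permission> found = new LinkedHashMap<>();
        for (Field field : type.getFields()) {
            if (Modifier.isStatic(field.getModifiers())
                    && Permission.class.isAssignableFrom(field.getType())) {
                try {
                    found.put(field.getName(), (Permission) field.get(null));
                } catch (IllegalAccessException e) {
                    throw new IllegalStateException("cannot read " + field.getName(), e);
                }
            }
        }
        return found;
    }

    /** A single permission is present when all of its mask bits are set in the cumulative mask. */
    public static boolean containsPermission(int cumulativeMask, Permission single) {
        return (cumulativeMask & single.getMask()) == single.getMask();
    }

    /** Names of the declared permissions present in the mask; order follows getFields(), which is unspecified. */
    public static List<String> namesForMask(int mask, Class<? extends Permission> type) {
        List<String> names = new ArrayList<>();
        for (Map.Entry<String, Permission> entry : declaredPermissions(type).entrySet()) {
            if (containsPermission(mask, entry.getValue())) {
                names.add(entry.getKey());
            }
        }
        return names;
    }

    public static void main(String[] args) {
        // Union of the ACE permissions, built the way the question describes: READ|WRITE|CREATE = 7.
        CumulativePermission union = new CumulativePermission();
        union.set(BasePermission.READ);
        union.set(BasePermission.WRITE);
        union.set(BasePermission.CREATE);
        System.out.println(union.getMask() + " -> " + namesForMask(union.getMask(), BasePermission.class));
    }
}
```

Pass a custom subclass of BasePermission to namesForMask and any permissions it adds are picked up without changing this code.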

Get LDAP user list using PLSQL

One of the new requirements for our database application is to synchronize the contents of the user table with the users in Active Directory. So basically I need to connect to the Active Directory server and retrieve a list of user names, from within a plsql procedure.
What I have achieved so far is connect to the active directory server, using my own credentials, and query some attributes.
Example:
ldap_password := '****';
ldap_user := 'cn=me,OU=Users,OU=mygroup,DC=mytown,DC=mycompany,DC=com';
ldap_base := 'OU=Users,OU=mygroup,DC=mytown,DC=mycompany,DC=com';
-- persons except the two named entries; the NOT must wrap an OR of the excluded entries
search_filter := '(&(objectClass=Person)(!(|(sn=him)(cn=me))))';
res_attrs(1) := 'displayName';
res_attrs(2) := 'cn';
res_attrs(3) := 'telephoneNumber';
It seems I can only query my own attributes or somebody else's if I already know who that someone else is.
How do I get a list of usernames?
Is this possible using any account or does this require an account with the proper privileges?
I got my script working. The scope setting prevented me from seeing all the data:
DBMS_LDAP.SCOPE_SUBTREE
Rene,
You can do all searches in Active Directory via Oracle's LDAP components, which it seems you have already touched upon. While I am no expert on LDAP/AD, I believe that you may need rights to perform these actions, or better yet get an ID/password created that has the rights (this way you can keep your ID/password out of the system and allow either a non-expiring password or a password that is supported by the AD administrators). I know that I have always had full query access to AD; not sure if that is how I am set up or out-of-the-box functionality.
But look at this site:
http://www.oracle-base.com/articles/9i/LDAPFromPLSQL9i.php
As the article demonstrates, I would recommend paring back your search filter (get more, then whittle it down until it suits your needs):
l_attrs(1) := '*'; -- retrieve all attributes
l_retval :=
DBMS_LDAP.search_s(ld => l_session,
base => l_ldap_base,
scope => DBMS_LDAP.SCOPE_SUBTREE,
filter => 'objectclass=*',
attrs => l_attrs,
attronly => 0,
res => l_message);
Active Directory has about 4 naming attributes.
sAMAccountName (aka Pre-Windows 2000 name) is a 20 or so character short name that must be unique within each domain.
userPrincipalName, usually sAMAccountName@domain.name, but it turns out AD will honour almost any string. (I know this experimentally, as we once accidentally reset 2000 out of 6000 such values in a running AD domain.)
displayName, that which shows up in ADUC (dsa.msc, Active Directory Users and Computers).
The CN= part of the DN. Using ADUC, the CN is usually the Display Name. However, it too can be anything legal in an LDAP name.
So which 'name' are you looking for? Basically, query for any of those attributes in the list and see what you get.
As for seeing other objects, yes, you would need an account with sufficient rights to see those attributes for users.