How would one configure trac to allow anonymous submission of tickets?
In your trac config you need to give the anonymous user the TICKET_CREATE permission.
Go to Admin > Permissions, then give "anonymous" the TICKET_CREATE and TICKET_MODIFY privileges (actions).
See: http://trac.edgewall.org/wiki/TracPermissions
Setup a trac site to allow anonymous (no actual login) login. Grant the anonymous user permission to only create tickets, and maybe view existing tickets if you wish. But deny all other permissions.
The trac admin plugin makes this pretty easy.
Related
So I have great bot with lots of functionality that I'm planning to launch. The thing is, I need to have permissions like administrator on before it join, without the server owner having to create a bot role with administrator permissions. I need something like carl-bot or mee6 when they are invited to your server, they ask you for administrator permissions befoer joining.
I want something like this to appear. How do I do this?
First, go to the OAuth tab of the developer portal:
Next, make the scope "bot":
Thirdly, switch on all the permissions you need:
Finally, copy the invite link from the scopes section:
We are trying to create a separate Admin role to assign to users to be able to call the Google Classroom API (domain). If we set them to be 'super admin' it works but we do not want to give these users super admin permissions. Anyone knows any guide or the settings to set on this?
Answer:
There is no role apart from Super Admin that will let a user make all these actions. You can check that by assigning custom admin roles to the user. Even if all possible privileges are checked, if the user is not a Super Admin, the user cannot act as a domain administrator in Classroom API.
What non-Super Admins can do:
Non-super admin users can only access courses they are part of (as teachers, or students), not all courses in the domain.
They can remove students and other teachers from courses they own directly via courses.teachers.delete and courses.students.delete, but they cannot directly add new students and teachers to their courses via courses.teachers.create and courses.students.create. Only domain administrators (Super Admins) can do that. Non-admins must first send an invitation via invitations.create(), and obtain the user's consent.
Update: Service Accounts:
You can also make your application use a Service Account in order to impersonate a Super Admin, so that this account can act on behalf of this admin, and do what the admin can do. To do this, you would have to create the Service Account and delegate domain-wide authority to it, by visiting the Admin console and following the steps specified here.
Beware, granting domain-wide delegation is a very powerful tool, since it gives the Service Account the ability to act on behalf of any user in the domain, so it could be easily abused if not managed carefully (without domain-wide delegation, a Service Account is similar to a regular account, and it can only access resources that have been created by it, shared with it, etc., like a regular account).
Anyway, once the domain-wide delegation is created, using the Service Account in your application is very similar to using a regular account. In the application, you have to build the credentials and then specify which user should be impersonated by the account by writing the user's email address. I don't know which language are you using, but you can find code snippets to do this in Java and Python here, or with Node here.
Reference:
Create custom administrator roles
Manage Teachers and Students
CRM 2015: I want to be able to create a role for local IT to be able to add user accounts and assign roles.
Regarding the 'adding roles' portion, is it simple enough just to create a role for local IT to 'write' to 'security' roles in the'business management' tab of 'security roles' at the user level?
No, this is not that simple. User cannot give another user privilege higher than he has (it would be a serious security hole). So for example you have role to edit Security roles and you have Read access for Accounts in your Business Units. If somebody in your Business unit has no Read access and only User access, you can add him Read access for Business Unit (the same you have), but you will not be able to give him Organizational access (so higher than yours). You could imagine that if this would be possible, you will be able to basically give yourself Admin privilege and do whatever you want in CRM.
Knowing that, it should be possible for you to create a role that for example have full access to Accounts, Contacts, Custom entities etc. and Security Roles. This role would be able to modify other users access levels to Accounts, Contacts etc. but no other entities that they don't have privilege to.
Exactly the same logic applies to assigning the Security Roles. So user A cannot assign a Security Role to user B, if it gives user B privileges higher than has User A.
In the end, it is very hard to properly implement the scenario that you described, because there are so many privileges and user needs to have a lot of them to even use the CRM. I've tried this once but could not satisfy the business requirement - it always ended up with using System Admin role, because there was always some scenario that could have not been handled by a user only with this "specific" security modification role.
Assigning 'System Administrator' security role and changing Access Mode in user record to 'Administrative' helped me to achieve this. User still cannot access any transaction data. So, I think you can go for this approach.
See screenshot of what I see as a user in Gmail:
Is there a way to get programatic access to this list w/o needing super admin access? I already saw the API https://developers.google.com/admin-sdk/directory/v1/reference/users/list but it requires super admin level access to access it. If I query it as a user I get "403: Not Authorized to access this resource/api".
Is there a scope I can ask for so a user can get access to the company directory?
For non admin, you have to use the parameter "viewType=domain_public" so the users can access to this information.
Keep in mind that for this parameter to work, the contact sharing options should be enabled.
To check for this options, in Admin Console go to "Apps > Google Apps > Contacts > Sharing Settings"
Check if this works for you.
I am making a very simple marketplace app using the new SDK (Oauth 2.0). One of the steps would be to automatically invite team members for a closed group so I would need access to team members (users in same domain) from the user that is starting the process going through the default "navigator icon in google navigation menu".
This is working fine, however it is only working for administrators (tried with both Directory API and Profiles data API).Is there a way to simply "read" the email from users without needing to have administrator rights? It seems quite an overkill to ask a user to be administrator just for the purpose of being able to invite his team members.
These email addresses are in the user contact list for example, when writing an email they are automatically there so it shoulnt be much of permission problem I guess. can anyone help a bit on how I can accomplish this? Maybe a different API that I have not found?
Very much appreciated,
Best regards,
Joao Garin
You can use "Service Accounts" to access the Directory API on behalf of the Administrator when any user accesses the App.
The Drive API has a really good set of samples here - https://developers.google.com/drive/delegation
This same technique will work with Admin SDK. The end result is the auth is not made on behalf of the user at the keyboard but as an authorized Service Account. This Service Account is authorized by the admin at the time of install.