We would like to create calendar permissions on all users' calendars in the organization which allow a service (user mailbox) to read/write on users' calendars.
There is no problem doing that by using the Microsoft Graph endpoint: Create calendarPermission
But we would like this permission not to be removable by end users. That's why we tried to use the isRemovable property set to true. For example:
POST https://graph.microsoft.com/v1.0/users/UPN_OF_USER/calendar/calendarPermissions
Request Body
    {
      "emailAddress": {
        "name": "VALID_USER_NAME",
        "address": "VALID_USER_EMAIL_IN_TENANT@TENANT_DOMAIN"
      },
      "isInsideOrganization": true,
      "isRemovable": false,
      "role": "read"
    }
But each time we add this permission, the isRemovable property is set to true.
It doesn't seem that the isRemovable property is read-only in the documentation.
I tested the API in my environment and it came up with the same result. I tested a couple of scenarios and found that isInsideOrganization is decided by the My Organization user and isRemovable is set to true by default for all users, as they can be removed/deleted from the Sharee and Delegate list, except for the My Organization user, as it's the deciding authority on which permissions are assigned to which user.
It is also mentioned in the calendarPermission resource type Microsoft documentation as shown below:
Scenarios:
Create a permission for a user inside the organization, both with and without providing the two parameters:
With Parameters:
Without Parameters:
Create a permission for a user outside the organization, both with and without providing the two parameters:
With Parameters:
Without Parameters:
Note: isRemovable is set to false only for the My Organization user, as can be seen below:
I've set up a profile editing user flow in Azure AD B2C with standard attributes (GivenName, Surname, DisplayName and Country) and also with custom attributes (e.g. VAT and FavoriteProduct).
After I ran the user flow and modified the attribute values, I see the resulting audit log with the value changes, but only for the standard attributes (GivenName, Surname, DisplayName and Country).
Is there a way to also see the changed values of custom attributes (in my case VAT and FavoriteProduct) in the audit logs? I need to collect them.
I also tried with a custom policy user journey, with the same result.
I have a web application using Rails as backend and AngularJS as frontend and it has a rather complicated permission system that must hide/show buttons in the frontend accordingly.
For example, imagine something like ebay, if I created a product, I can edit, delete, etc.. but somebody can share a product with me and I can also edit, but not delete. So the permission is calculated by resource, and not using roles.
I thought adding a "permissions" attribute to each json object, something like:
    [{
      id: 1,
      name: "product 1",
      permissions: {
        canEdit: true,
        canDelete: false
      }
    },
    {
      id: 2,
      name: "product 2",
      permissions: {
        canEdit: true,
        canDelete: true
      }
    }]
Is there any best practice to send each resource permissions to the frontend?
Just to be clear, these permissions are only used to show/hide buttons; the backend still blocks these resources even if the person changes the values in the frontend.
As the logic to figure out what a user can do with each item is determined on the server side, I reckon it's redundant to pass on the permissions associated with these items to client-side, unless additional processing is done on client-side based on user's interaction.
In your case, maybe you can just return different collections of objects, say an editable list and a read-only list to the client-side, based on permissions associated and then render actions based on which collection the item belongs to?
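The arrangement discussed in this question and answer, as an added example that is not code from either post: one policy function produces the `permissions` hints for the frontend and is evaluated again when a request arrives, so a client that edits the flags gains nothing. It is written in JavaScript for brevity (a Rails backend would put the same logic in its serializer and controller); `ownerId`, `sharedWith` and all function names are assumptions.

```javascript
// Constructed sample data: ownerId and sharedWith are hypothetical server-side fields.
const products = [
  { id: 1, name: "product 1", ownerId: 10, sharedWith: [20] },
  { id: 2, name: "product 2", ownerId: 20, sharedWith: [] },
];

// Single source of truth for what one user may do with one resource.
function permissionsFor(user, product) {
  const isOwner = product.ownerId === user.id;
  const isSharee = product.sharedWith.includes(user.id);
  return {
    canView: isOwner || isSharee,
    canEdit: isOwner || isSharee,
    canDelete: isOwner,
  };
}

// Serializer: returns only visible resources, with show/hide hints.
// Internal fields (ownerId, sharedWith) are not copied into the response.
function serializeFor(user, list) {
  return list
    .map((p) => ({ p, perms: permissionsFor(user, p) }))
    .filter(({ perms }) => perms.canView)
    .map(({ p, perms }) => ({
      id: p.id,
      name: p.name,
      permissions: { canEdit: perms.canEdit, canDelete: perms.canDelete },
    }));
}

// Delete handler: never reads permission flags from the request,
// it re-evaluates the policy against the stored resource.
function deleteProduct(user, id, list) {
  const index = list.findIndex((p) => p.id === id);
  // Same answer for "missing" and "not visible", so ids cannot be probed.
  if (index === -1 || !permissionsFor(user, list[index]).canView) {
    return { status: 404 };
  }
  if (!permissionsFor(user, list[index]).canDelete) {
    return { status: 403 };
  }
  list.splice(index, 1);
  return { status: 204 };
}
```

For the user with id 20, `serializeFor` yields the same two objects shown in the question: product 1 editable but not deletable, product 2 both.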
I am getting stuck creating my own app to use within Zapier. It is for an unsupported CRM:
https://www.brightpearl.com/developer/latest/
I have been able to authenticate and create a test trigger - a simple call to retrieve information about one product ID where the ID is provided in the request URL manually.
Example Use Case
Using an email sent to a GMail account, search for a customer and add the body of the email as a note to the customer.
I can search using Zapier->Searches to retrieve a result.
The Brightpearl API search returns an ID for any matched contacts.
https://www.brightpearl.com/support/documentation/resource-search
The ID can be accessed in the json response
    {
      response: {
        results: [
          [
            4,
            "admin@email.com",
            "Primary",
            "Admin"
          ]
        ]
      },
      reference: {}
    }
The ID is required to add the note later
How do I store the ID to use in the Action later?
How do I chain the events together so that the Action is called after the ID is captured?
I have gone through the Zapier documentation and cannot find example code which does this.
The trigger that exposes the ID in the API response (in this case, the Brightpearl search result) can be mapped to a subsequent action. You don't store data in Zapier - you just pass it between actions.
Zapier's multi-step interface lets you append actions which can accept any data returned from the previous step.
I think the title pretty much says it all... Brand new to Deployd, so any pointers about how best to go about this are appreciated.
To get the objects in a collection created by the user (I assume you're using the javascript library dpd.js):
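    // Get the current user, then query once the callback has delivered it
    // (dpd.users.me is asynchronous, so the query must run inside the callback):
    dpd.users.me(function(currentUser, error) {
      if (error || !currentUser) {
        // Not logged in, or the request failed: nothing to query
        return;
      }
      // Query your collection with the current user's id as parameter
      dpd.yourcollection.get({creator: currentUser.id}, function(result) {
        // Do something with the result
        console.log(result);
      });
    });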
Your collection should have a property "creator" that contains the id of the user who created the object (*).
Then, to secure your backend, go to the dashboard, in the ON_GET tab of your collection and secure it with this code:
cancelUnless(isMe(this.creator), "You have to be the creator to view this item", 401);
More info about cancelUnless() and isMe() here:
http://docs.deployd.com/docs/collections/reference/event-api.md#s-cancelIf%28%29,%20cancelUnless%28%29-764
The good practice to secure your collections is to allow queries only if the user is logged in:
cancelUnless(me,"You have to be connected to view this item", 401);
Users collections should be particularly well secured (allow ON_PUT only by admin or something like that).
*: to automatically store the currentUserId in the creator property, you could also add this in the ON_POST event in the dashboard:
this.creator = me.id;
More info here: http://docs.deployd.com/docs/collections/reference/event-api.md#s-me-764
As of version 0.8.9, event ONBEFOREREQUEST exists and you could just put this code in there:
cancelUnless(me);
query.creator = me.id;
This means that for every request sent to that endpoint, the creator key would be queried to have the currently logged-in user's id. If there's no currently logged-in user, the request is canceled.
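Why the server-side rule matters, as an added example that is not code from either answer and is not Deployd code: a small in-memory model comparing a server that trusts the `creator` filter sent by the client with one that overwrites it from the session, as the before-request snippet above does. The records, `session.userId` and the function names are assumptions.

```javascript
// Constructed records; "creator" is the property used in the answers above.
const items = [
  { id: "a1", creator: "u1", title: "alice note" },
  { id: "b1", creator: "u2", title: "bob note" },
  { id: "b2", creator: "u2", title: "bob draft" },
];

// Exact-match filter standing in for the collection query.
function matches(item, query) {
  return Object.keys(query).every((key) => item[key] === query[key]);
}

// Unscoped server: the filter is whatever the client sent, so the
// creator value in the request decides whose objects come back.
function getUnscoped(session, clientQuery) {
  return { status: 200, body: items.filter((i) => matches(i, clientQuery)) };
}

// Scoped server: models cancelUnless(me) followed by query.creator = me.id.
// Anonymous requests are rejected and the client's creator value is discarded.
function getScoped(session, clientQuery) {
  if (!session || !session.userId) {
    return { status: 401, body: [] };
  }
  const query = Object.assign({}, clientQuery, { creator: session.userId });
  return { status: 200, body: items.filter((i) => matches(i, query)) };
}

// Returns the ids each server hands to user u1 for the same request.
function compare(clientQuery) {
  const session = { userId: "u1" };
  return {
    unscoped: getUnscoped(session, clientQuery).body.map((i) => i.id),
    scoped: getScoped(session, clientQuery).body.map((i) => i.id),
  };
}
```

With the scoped rule, a lookup by id of another user's object returns an empty result as well, because the forced `creator` condition is combined with whatever else the client asked for.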
I have two questions, both relating to the User data sets.
1. Is UniqueName in WhoAmI the same value as UserName in UserData?
User.WhoAmIUser
    {
      "Identifier": "<string:D2LID>",
      "FirstName": "<string>",
      "LastName": "<string>",
      "UniqueName": "<string>",
      "ProfileIdentifier": "<string:D2LID>"
    }
User.UserData
    {
      "OrgId": "<number:D2LID>",
      "UserId": "<number:D2LID>",
      "FirstName": "<string>",
      "MiddleName": "<string>",
      "LastName": "<string>",
      "UserName": "<string>",
      "ExternalEmail": "<string>",
      "OrgDefinedId": "<string>",
      "UniqueIdentifier": "<string>",
      "Activation": "{composite:User.UserActivationData}"
    }
2. How can I retrieve the current authenticated user's email address? I've tried to connect to various Users APIs but all return "Not Authorized". Even "/d2l/api/lp/(D2LVERSION: version)/users/(D2LID: userId)" with my userId, authorized as myself, throws Not Authorized.
I have tried both with Student and Instructor Roles. I can retrieve the WhoAmI service, just not any other User services.
Thanks.
1) The UniqueName property in the User.WhoAmIUser structure will (should) present the same value as the UserName property in User.UserData: this is the user's "log in name" within the LMS. In the back-end service, these two properties might be maintained separately, but for all intents and purposes, to the calling client, they should contain the same value (in that if you change the UserName value in a user record through the web UI, and then make a WhoAmI call, you'll see that change show up in the UniqueName property in the WhoAmI results).
2) Retrieving a user's email address may not be a simple feat: the ExternalEmail property in the UserData record should contain the same value that appears in the Email field in the user record in the Web UI. This is the email address that the LMS will use if it needs to send password-reset messages to a user.
This property is subject to User Information Privacy role-permissions, and some organizations may choose to tightly restrict who can see that value.
Additionally, the /d2l/api/lp/{ver}/users/ route itself is often subject to restrictive role permissions with some organizations. In general, if you're making a call with a user role that would have access to the functionality of the Users tool in the LMS' web UI, that role should also be able to have access to this API route.
If you do not have permission to use that API call (and you may not), then you can't use it to look for user details.
The User.User and Enrollment.ClasslistUser structures also contain a property to house that Email value from the user record, and if you can make a call to retrieve those structures (enrollment API calls, for example, or the classlist API call), then you might have access to the email value there, contingent on the User Information Privacy permissions the calling user has in place.
The upshot of all this is that many users at many organizations won't have the permission to retrieve their own external email address from their own user record, as they may not have permission to make the calls that would retrieve it, and it's not contained in the WhoAmIUser structure.