Currently I'm working on system, that uses ZendFramework2 Acl implementation for managing user roles and permissions for various parts of it. Till this moment it works as is supposed to do - giving or rejecting users based on their role. Recently we got a new feature request - implement functionality that allows permission management per user, regardless the role he or she has. Here comes the tricky part - Zend implementation of Acl doesn't met the requirements out of the box (if it supposed to do so at al). Just to note - system is already tightly integrated with the current model, so it will be pain of heart to use another kind permission management model.
So far the best solution I could think of was to represent individual users as roles in Acl and grant them appropriate privileges, so it is possible to dynamically create or delete resources and privileges for users, without impacting overall role permissions (which still apply).
Could I get some suggestions please? Is this the "right way" or there better approach to the problem? Thanks in advance :)
If an user by the fact to be himself has some privilegies, then you have to create a new role for that user.
I have just developed an ACL module that allows you to manage access to each route only creating a new key in each route called 'roles'. You do not have to configure the ACL creating allow rules manually, this module creates the rules automatically for you reading the routes.
You can have a look: https://github.com/itrascastro/TrascastroACL
Related
I am trying to build a MVC Core app for an organisation. There is some vague requirements which I am not able to comprehend. I hope the community helps me out here.
There will be two types of users. One will be the admin and the other will be the normal users. The admin can access the admin module and the rest of the modules while each of these normal users will have access to different modules (except the admin one) and the sub-menus inside those modules. Let me explain that.
Let us suppose we have two modules : Disaster Recovery and Asset Tracking. The admin will be able to access each of these modules. But some of the normal users may or may not be able to access each of these two modules. Some of the users may have the authorization to access both modules while some of them will have access to only one.
Now here comes the tricky part. Inside each modules are sub-menus. For example if we have a module named Asset Tracking, the sub-menus inside this module can be ASST0001, ASST0002 and so on. These sub-menus are my MVC views. Again if a user has access to a module does not mean he/she will have access to the whole sub-menus of that said module. This app will be scalable and the no of users may increase as the time progresses.
How do I approach this problem? What would be the most efficient way and scalable way to approach this problem ?
I am sorry if I may seem naive but this is my first real job at designing something like this. I search the internet and most of them were talking about Roles, Users and Permissions which honestly just breezed over my head. Please guide me.
You need to use custom requirements for this Creating a custom requirement is a blog post for this.
You can even inject Dbcontext or repositories in requirement handle
I recently started working with Wolkenkit and I was wondering if there is a possibility of implementing some sort of role concept yet?
I already found Wolkenkit: ACLs for authorization and user roles which is already quite interesting, and gives me a first idea on how to solve that, but at the same time it is not exactly what I need.
In my Use-Case I need a dynamic role concept which can be changed at any time in order to grant and revoke access to certain parts of my application.
Ideally it would be a mechanism that allows me to associate commands and events with multiple roles at run-time. Are there any new approaches on this topic or any examples where this is already done?
Thanks for the help in advance.
The authorization concept of wolkenkit is based on tokens.
Hence, the simplest thing to do is to have the identity provider add claims for roles, as described in ACLs for authorization and user roles (which is the article you already linked to). This works out of the box, and you do not have to provide and special logic to your wolkenkit applications except to read the token and evaluate its claims. However, this is only suited for static role models, as you'd need to change the identity provider's configuration every time a role assignment changes.
If you require a more dynamic approach, right now unfortunately you are left to your own devices. What you could do is to add a property to your aggregate that contains an array of roles (or user IDs) that you want to be able to access the aggregate. Then, in each command, you would need to check the current user against this array. But still, this means that you have predefined roles, you just could allow or restrict access to aggregate at runtime for specific roles.
If you require an even more dynamic approach, such as making up roles ad-hoc, e.g. to share data with a group that you just want to create at hand, you end up with what we call group-based authorization. Right now, there is no support for this, and AFAIK nobody has yet implemented something like that. Support for this is on the wolkenkit roadmap, but right now unfortunately there is no ETA available (maybe this is something you could contribute to wolkenkit?).
Either way, you need to make sure that your identity provider is configured correctly and wolkenkit is setup accordingly, as described in wolkenkit redirects to Auth0 even when user is logged in.
Disclaimer: I'm one of the core developers of wolkenkit, working at the native web (the company behind wolkenkit), so please take my answer with a grain of salt.
I'm building an API management apps where every user able to find their own token for making an API request. Every end user will have to manage their own API access, they should also have access to many other custom endpoint.
At the moment, the Rails Admin is being used for the internal administration. Such as CRUD of "AdminUser", "Payment", and other internal system management.
The question is: Should I use Rails Admin's feature for this functionality (as in exposing admin control to every regular user)? Or should I just create a separate admin section for the general user with a standard form?
I'm not very experienced in Rails Admin implementation. So, I wonder if I should use it too for the end user.
Thanks for your time & help!
Update
Some of my basic concern about using Rails Admin to me is that: Rails Admin is for developer or internal adminstration. There will be some risk of giving a wrong permission to the end user
Rails Admin is a quick and easy way to access all the data in your app. It can be customised to restrict access to certain models or fields, however you will have to use the Rails Admin DSL for that, and it kind of defeats the purpose of using Rails Admin if you need to do lots of customising.
A danger is also that if you did not set it up properly, the default is to expose all data to the users.
Since the functions you want to expose to the user doesn't sound too complex, it wouldn't be too much effort to write your own.
Apologies if this is a fairly simple question, yet upon googling around I can't seem to find a simple answer.
I as administrator can do everything, create chunks, snippets, pages etc. Which is fine. What I want to be able to do is define a user that can only update the existing pages and thats all. This should prevent them from destroying the site with illogical pages as has been the case in the past.
Is it possible to create a user who has just this ability?
Thanks in advance.
John
You've got two options, either create a custom access policy that does not grant 'create' or 'new_document' permissions (you might want to look at restricting all permissions starting 'new_', or put all existing resources in a restricted resource group, and only give them access to that resource group. The latter method is probably more flexible in the long run.
I was wondering how other people implemented this scenario. I have an internal rails app ( inventory management, label printing, shipping,etc). I'm rewriting security on the system, cause the old way got to cumbersome to maintain ( users table, passwords, roles) - I used restful_authentication and roles. It was implemented about 3 years ago. I already implemented AuthLogic with ruby-ldap-net to authenticate users ( actually that was surprisingly easy, compared to how I struggled with other frameworks/languages before). Next step is roles. I already have groups defined in Active Directory - so I don't want to run a separate roles system in my rails app, I just want to reuse Active Directory groups - since that part of the system is already maintained for other purposes ( shared drives, backups, pc access, etc)
So I was wondering if others had experience implementing permissions/roles in a rails app based on groups in Active Directory or LDAP. Also the roles requirements are pretty complex.
Here is an example:
For instance I have users that belong to the supervisors group in AD and to inventory dept, so I was that user to be able to run "advanced" tasks in invetory - adjust qty, run reports, however other "supervisors" from other departmanets, shouldn't be able to do this, also Top Management - should be able to use those reports (regardless weather they belong to the invetory or not), but not Middle Management, unless they are in inventory group. Admins of the system (Domain Admins) should have unrestricted access to the system , except for HR & Finances part unless they are in HR ( like you don't want all system admins (except for one authorized one) to see personal info of other employees).
I looked at acl9, cancan, aegis. I was wondering if there are any advantaged/cons to using one versus the other for this particular use of system access based on AD. Suggest other systems if you had good experience.
Thank you!!!
ActiveLDAP (Documentation, Github) has some of the features you're looking for, specifically:
You can map LDAP objects (Object Class instances) to objects in a Rails application. The API doesn't mirror ActiveRecord exactly, but it's pretty easy to understand and learn.
It's obviously not possible to join, etc. across LDAP and Relational Databases, but you could write some mildly clever code to make composite data easily accessible from either the ActiveLDAP object or the ActiveRecord object.
ActiveLDAP also provides methods to write to LDAP which allows you to manage your users and roles in LDAP from rails, eliminating the requirement to manage a user table in the database, however, a user database table would likely still be necessary to store application specific data about a user.
Additionally, you could integrate AuthLogic with ActiveLDAP. Here's one attempt I found of just that: LDAP Pass-through Authentication with Authlogic and ActiveLdap
You could then use Declarative Authorization (Pundit) to handle your roles and authorization.