Removing Users when using AD Security - plasticscm

Anyone know how to remove users in PlasticSCM when the server is configured to use Active Directory security?

The cm au/du commands are meant to activate or deactivate users.
But users are not 'added' to Plastic as such.
When a user does an operation in Plastic, it will be automatically added provided you have enough licences and the user has permissions to access the system (you've set the correct ACLs).
Suppose you just have a 20-user license:
You simply install the license (copy the plasticd.lic file).
Then the first user accesses the system and is 'activated'.
The second user accesses, second 'activation'; it happens automatically.
Then suppose you already have 20 developers using Plastic and one of them leaves and a new one enters, then you have to deactivate the old one and activate the new one, but only then.
Hope it helps.

Related

Jenkins - adding a user to a group

We have Jenkins installed and I'm wondering how to add an existing user to a Jenkins group.
I find how-to's for the case where in Configure Global Security the Security Realm is set to Jenkins' own user database. We have set this to Active Directory - but maybe this doesn't make a real difference to the problem.
In section Authorization we have set Matrix-based security and there are already four groups defined from a previous user; those groups have some custom rights set, and a bunch of AD users were added to those groups somehow.
My problem: if I try to add a new user, I can add it to the matrix and give him the rights, but I don't see how to simply add the user to the group. I don't want a huge list of users who all have the same rights - I just want them bundled each into one of the four groups. But how can I add a user to a group? It was possible somehow before, as there are obviously users added to those groups.
Maybe a plugin was uninstalled by accident and is missing for this purpose? But I guess that in that case the Matrix-based security wouldn't even be displayed anymore!?
Any help? Thanks.
In this specific case the groups are AD groups and the users are added to those groups in the AD, not in Jenkins. So, if you have set the Security Realm to Active Directory you must add users to groups on the active directory level - not within Jenkins.

How will Windows Account Change Affect TFS Accounts?

We are running TFS 2012. Our organization is currently creating new accounts for everyone as part of a migration.
What I know is that everyone will have two accounts listed in AD for a while:
OldDomain\DoeJ
NewDomain\DoeJ
This leads me to believe that the SID will be different, among other things.
My question is, how would this affect our TFS environment? Will we lose any history associated with particular users? Will I have to go through each work item and reassign it to the new Windows account? Is there any way I can preserve this data?
Thanks
You could use the Identities command, which lists or changes the security identifier (SID) of users and groups in your deployment of TFS. You might need to change or update the SID for users and groups in one of the following scenarios:
changing the domain of your deployment
changing from a workgroup to a domain or from a domain to a workgroup
migrating accounts across domains in Active Directory
Even though it's a powerful tool, it has certain limitations. To help ensure a successful move, make sure that you understand the following requirements:
Once a user account is present in TFS, it cannot be removed or have another account mapped to it. For example, if you are moving DomainA/UserA to DomainB/UserB, the Identities command would only work to migrate the user if DomainB/UserB is not already present in TFS.
Because the members of the local Administrators group are automatically added to TFS, make sure to remove any accounts that you want migrated from that group before you change the domain or environment.
I suggest you read this tutorial as part of planning your move. You could also take a look at this blog: Migrating TFS Server or Collection to another domain. Be careful not to add a user such as NewDomain\DoeJ to TFS first; after upgrading the SID, the history will be kept without any problem.
Moreover, TFS uses a background synchronization job, scheduled every hour, to look for changes in Active Directory (or the local machine workgroup if the server is not domain joined). You can force the job to run using any of these techniques.

How can I create a new user in an organization unit in one step?

Using the Google Provisioning API, under Managing Organization Units, it states that the creation of a user within an organization unit is a two step process. First I must create the user and then I must move them into an OU.
This creates a problem if I am migrating somebody from a legacy system. Creating their account causes our routing to immediately start sending emails to that account, overriding their legacy account. However, we will often create these accounts in advance and so have a specific OU for which routing is ignored.
Currently, we have to create the account with a different email address (e.g. append "-renamed" to the username), move the account into the non-routing OU, rename the account back again and finally remove the extraneous "-renamed" alias that is created during the rename. This seems pretty messy for what should be a simple operation.
Is there a simpler/better way of doing this?
Sadly, you cannot create a user in a specific suborg right away. I take it that you have some kind of callback, wired up to the routing, after a new user is created; you can either tell that service to ignore the next callback for that specific username before creating the user, or have your default organization as the non-routed one.
I can also just recommend using SAML SSO, especially if the user is going to need any other account; syncing accounts correctly and handling exceptions in this context can be a pain.

How to prevent user changing system date/time (in Windows 7)?

Having googled, the general advice is to create a standard, non-administrator account.
I just tried that. I only had one account, my own, which is an administrator and then created a second (not the Guest account). I logged out of my own account and into the new one and tried to change the time. Windows 7 popped up a box asking if my main account would allow this (and prompting for its password).
I have been told "it shall not be possible to change system date/time". I intended to deliver a PC with only a standard account and my s/w, but can't (I think) prevent the user from creating an administrative account and changing date/time.
Can I prevent this programmatically from Delphi, or do I just have to say that if the user wants to be destructive I can't prevent it?
Generally, this kind of restriction is set using Windows Group Policy.
From Delphi you can use the Group Policy API or the RSoP WMI Classes.
In your application, you can actually detect the user changing the system time while your application is running.
You will receive WM_TIMECHANGE when the system time changes.
At startup, you can save the GetTickCount value (as StartTickCount) and Now (as StartTime). When checking, you can check whether the difference between the tick counts and the difference between the times match (allow a small discrepancy) and know the difference. However, if the user changes the system time away from your application, this trick does not work. Maybe you can have an auto-start service that checks for this.
If you need to change back to the original time, here are some resources:
CHANGE the system TIME
By the way, at the OS level, a normal user cannot create an admin user.
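The tick-count comparison described in the last answer, as an added Delphi example that is not part of the original posts. `TClockGuard`, `WallClockMs` and the 2-second tolerance are assumptions made for illustration, and the check only covers changes made while the process is running, as the answer notes.

```delphi
program ClockGuardDemo;
{$APPTYPE CONSOLE}
uses
  Winapi.Windows, System.SysUtils;
const
  ToleranceMs = 2000;  // assumed allowance for normal clock corrections
type
  // Hypothetical helper: remembers both clocks at start-up.
  TClockGuard = record
    StartTickMs: UInt64;  // GetTickCount64: not affected by setting the system time
    StartWallMs: UInt64;  // wall clock in UTC, so time-zone/DST switches do not count
    procedure Start;
    function DriftMs: Int64;
  end;

// Wall clock in milliseconds; FILETIME counts 100 ns units in UTC.
function WallClockMs: UInt64;
var
  FT: TFileTime;
begin
  GetSystemTimeAsFileTime(FT);
  Result := ((UInt64(FT.dwHighDateTime) shl 32) or FT.dwLowDateTime) div 10000;
end;

procedure TClockGuard.Start;
begin
  StartTickMs := GetTickCount64;
  StartWallMs := WallClockMs;
end;

// Positive: wall clock was moved forward; negative: it was moved back.
function TClockGuard.DriftMs: Int64;
begin
  Result := (Int64(WallClockMs) - Int64(StartWallMs)) -
            (Int64(GetTickCount64) - Int64(StartTickMs));
end;

var
  Guard: TClockGuard;
  I: Integer;
begin
  Guard.Start;
  for I := 1 to 60 do  // sample once a second for a minute
  begin
    Sleep(1000);
    if Abs(Guard.DriftMs) > ToleranceMs then
      Writeln(Format('System time moved by about %d ms', [Guard.DriftMs]));
  end;
end.
```

In a VCL form, the same `DriftMs` check can be run from a `WM_TIMECHANGE` message handler instead of polling.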

Symfony sfGuardPlugin (group, permissions and credentials) question

I am using symfony 1.31 with propel ORM and sfGuardPlugin.
I am about to set up groups and permissions. AFAIK, permissions map onto Credentials, and permissions can be assigned to groups.
I have two questions
Suppose a user belongs to group A, and group A has credentials 'foobar'. When a user that belongs to group A logs in, does he 'automagically' get assigned credential 'foobar', or do I have to manually add the credential to the user (by say looking up its group->permissions in the db)?
Assuming the SF framework 'automagically' takes care of user credential depending on group membership, is the effect real time, or does a user have to logout/login before the changes are applied/in effect?
[Edit]
Regarding question 1, I would be grateful for a link to documentation (preferably the SF official documentation; failing that, any other doc) that states that this is indeed the case.
Regarding question 2, the sfSecurityUser has an addCredentials method that stores credentials in the user session. Consequently, I suspect that any group membership changes are NOT real time, so I will either have to force the user to log out/log in or maybe use an event listener or something. Am I right (or wrong)?
EDIT:
sfGuard Plugin Page with HTML version of Readme
sfGuard Readme (txt) (should be included in your plugins installation dir)
If you set up sfGuard right then the credentials will be automagic. In particular this requires your apps/$appname/lib/$userClass.class.php (typically MyUser.class.php) to extend sfGuardSecurityUser. Setting this up should be in the plugin readme.
As far as 2 goes, since the credentials have to be queried each request, it would happen immediately from the user's perspective (unless of course you're using ajax to add a perm/credential).

Resources