Posted to user@usergrid.apache.org by Paul Summers <50...@gmail.com> on 2014/12/17 23:36:41 UTC

Administrator Permissions?

Is there a way to limit Administrator permissions, similarly to an Application User?

I'd like to have multiple admins for an Organization, but delegate only certain abilities to each of them.

In particular, I'd like to have regional administrators that manage the users in their geographical area.  This would also require a hierarchical structure to Users, similar to what Groups have.  Example:

The US admin can manage the users in the US region, but not users in the EU.  I'd like to be able to assign permissions to the admins for the different areas:

For the US admin:  GET,PUT,POST,DELETE:/org/app/Users/US/**

For the EU admin: GET,PUT,POST,DELETE:/org/App/Users/EU/**

The US admin can't do anything with users under EU, and the EU admin can't do anything with users under US.



Re: Number of Orgs/Apps

Posted by Rod Simpson <ro...@rodsimpson.com>.
For the Stack side of things, there is no maximum number, apart from maximums that hardware resources will impose.   I know of many different installations where there are maybe as many as 50 -100K different orgs, each owned by different users.

On the other hand, if one Admin user account has access to all of these orgs, then the Admin portal may not function very well.  The Stack will function just fine, but the drop-downs in the UI may not work super well.  Also, on login, the system returns a list of all the orgs owned by that user.  I think it caps out at some maximum, so the call will still succeed, it just won’t have all the orgs listed.

Rod



-- 
Rod Simpson
T @rockerston
W rodsimpson.com

On December 18, 2014 at 2:41:52 PM, Paul Summers (50mmplossl@gmail.com) wrote:

Is there a reasonable/recommended maximum number of Organizations or Applications?  I'm thinking in terms of at least hundreds, and perhaps into the low thousands.

Paul


Number of Orgs/Apps

Posted by Paul Summers <50...@gmail.com>.
Is there a reasonable/recommended maximum number of Organizations or Applications?  I'm thinking in terms of at least hundreds, and perhaps into the low thousands.

Paul


User attributes

Posted by Paul Summers <50...@gmail.com>.
I'm looking for the best way to add collections of attributes to Application Users.  Is it possible to add arbitrary attributes directly to a User entity? For example, could I add a list of email aliases and a map of external credentials as follows?

{
    "uuid" : "5bf1047a-84b0-11e4-9e6d-db5a12633089",
    "type" : "user",
    "created" : 1418685371959,
    "modified" : 1418685371959,
    "username" : "First.User",
    "email" : "Joe.User@example.com",
    "activated" : true,
    "picture" : "http://www.gravatar.com/avatar/b1d53d35ca78936063277655c1eafe47",
    "emailAliases" : [ "j_user@example.com", "joe_u@example.com" ],
    "externalCredentials" :  {
        "username" : "joeuser",
        "password" : "$2a$10$zh0zBoA0rqm5OPcSbGPYP.gJ20K.d9W128hkmQBD4VfFlO5cNECdO",
        "encrption" : "BCRYPT"
    },
    "metadata" : {
        "path" : "/users/5bf1047a-84b0-11e4-9e6d-db5a12633089",
        "sets" : {
            "rolenames" : "/users/5bf1047a-84b0-11e4-9e6d-db5a12633089/roles",
            "permissions" : "/users/5bf1047a-84b0-11e4-9e6d-db5a12633089/permissions"
        },
        "collections" : {
            "activities" : "/users/5bf1047a-84b0-11e4-9e6d-db5a12633089/activities",
            "devices" : "/users/5bf1047a-84b0-11e4-9e6d-db5a12633089/devices",
            "feed" : "/users/5bf1047a-84b0-11e4-9e6d-db5a12633089/feed",
            "groups" : "/users/5bf1047a-84b0-11e4-9e6d-db5a12633089/groups",
            "roles" : "/users/5bf1047a-84b0-11e4-9e6d-db5a12633089/roles",
            "following" : "/users/5bf1047a-84b0-11e4-9e6d-db5a12633089/following",
            "followers" : "/users/5bf1047a-84b0-11e4-9e6d-db5a12633089/followers"
        }
    }
}

Would it then be possible to access the list of aliases directly for retrieval/update without having to retrieve/update/replace the entire user entity?

Would these new attributes be indexed, so I could search for a user with an email alias matching "juser*"?

Of course, this all falls apart if I can't add the attributes directly to a User.  I'd then consider creating a new collection of "UserFacets" that would be linked to the owning User by some combination of user ID and facet type name, as follows:

/org/app/Facets
{
    "name" : "5bf1047a-84b0-11e4-9e6d-db5a12633089:emailAliases",
    "aliases" : [ "j_user@example.com", "joe_u@example.com" ]
}

{
    "name" : "5bf1047a-84b0-11e4-9e6d-db5a12633089:externalCredentials",
    "credentials" : {
        "username" : "joeuser",
        "password" : "$2a$10$zh0zBoA0rqm5OPcSbGPYP.gJ20K.d9W128hkmQBD4VfFlO5cNECdO",
        "encrption" : "BCRYPT"
    }
}

Would this actually be the preferred way of doing it?

Paul

Re: Administrator Permissions?

Posted by Rod Simpson <ro...@rodsimpson.com>.
Regulating Org admin privileges isn’t something that is currently supported.  However, you can probably achieve this with app-level users.  You just won’t be able to have these admins logging into different apps with the same login. 

Rod

-- 
Rod Simpson
T @rockerston
W rodsimpson.com

On December 17, 2014 at 3:39:20 PM, Paul Summers (50mmplossl@gmail.com) wrote:

Is there a way to limit Administrator permissions, similarly to an Application User?  

I'd like to have multiple admins for an Organization, but delegate only certain abilities to each of them.  

In particular, I'd like to have regional administrators that manage the users in their geographical area. This would also require a hierarchical structure to Users, similar to what Groups have. Example:  

The US admin can manage the users in the US region, but not users in the EU. I'd like to be able to assign permissions to the admins for the different areas:  

For the US admin: GET,PUT,POST,DELETE:/org/app/Users/US/**  

For the EU admin: GET,PUT,POST,DELETE:/org/App/Users/EU/**  

The US admin can't do anything with users under EU, and the EU admin can't do anything with users under US.
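
Added example (not part of the thread and not Usergrid code): a deny-by-default check of the two regional rules from the question, as they might be evaluated if the regional admins are modelled as app-level users. The wildcard semantics, the case-insensitive matching and the principal names us-admin and eu-admin are assumptions.

```python
import posixpath
import re

# Rules copied from the question; the /Users/<region>/ hierarchy is the
# poster's proposed layout, not an existing Usergrid feature.
GRANTS = {
    "us-admin": ["GET,PUT,POST,DELETE:/org/app/Users/US/**"],
    "eu-admin": ["GET,PUT,POST,DELETE:/org/App/Users/EU/**"],
}

def compile_rule(rule):
    """Turn 'VERB,VERB:/path/pattern' into (verb set, compiled regex)."""
    verbs, sep, pattern = rule.partition(":")
    if not sep or not verbs or not pattern.startswith("/"):
        raise ValueError(f"malformed permission rule: {rule!r}")
    regex = ""
    for seg in pattern.strip("/").split("/"):
        if seg == "**":
            regex += "(?:/.*)?"      # assumed: this node and everything below
        else:                        # assumed: '*' stays within one segment
            regex += "/" + re.escape(seg).replace(r"\*", "[^/]*")
    # Assumption: case-insensitive, since the two rules differ in case (app/App).
    return ({v.strip().upper() for v in verbs.split(",")},
            re.compile(regex, re.IGNORECASE))

def is_allowed(principal, verb, path, grants=GRANTS):
    """Deny by default; allow only if a rule matches the normalized path."""
    # Collapse '..', '.' and '//' first so /US/../EU/x is checked as /EU/x.
    clean = posixpath.normpath("/" + path.lstrip("/"))
    for rule in grants.get(principal, []):
        verbs, regex = compile_rule(rule)
        if verb.upper() in verbs and regex.fullmatch(clean):
            return True
    return False

if __name__ == "__main__":
    checks = [  # constructed sample requests
        ("us-admin", "GET", "/org/app/Users/US/alice"),
        ("us-admin", "DELETE", "/org/app/Users/EU/bob"),
        ("us-admin", "PUT", "/org/app/Users/US/../EU/bob"),
        ("us-admin", "GET", "/org/app/Users/USA/carol"),
        ("eu-admin", "POST", "/org/app/Users/EU"),
    ]
    for who, verb, path in checks:
        print(f"{who:9} {verb:6} {path:30} ->", is_allowed(who, verb, path))
```

The traversal and `USA` cases are the ones a prefix-string comparison would get wrong; matching whole path segments after normalization keeps each regional admin inside its own subtree.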