Blazam-App / BLAZAM

A modern Active Directory management web application with a focus on delegation
https://blazam.org

Feature suggestions #464

Open jacobsen9026 opened 1 month ago

jacobsen9026 commented 1 month ago

Discussed in https://github.com/Blazam-App/BLAZAM/discussions/463

Originally posted by **barroei1981** August 1, 2024

[Error] Current User State was not provided to this directory entry
ApplicationException { TargetSite: BLAZAM.Session.Interfaces.IApplicationUserState get_CurrentUser(), Message: "Current User State was not provided to this directory entry", Data: [], InnerException: null, HelpLink: null, Source: "BLAZAMActiveDirectory", HResult: -2146232832, StackTrace: " at BLAZAM.ActiveDirectory.ActiveDirectoryContext.get_CurrentUser() in D:\a\BLAZAM\BLAZAM\BLAZAMActiveDirectory\ActiveDirectoryContext.cs:line 32
 at BLAZAM.ActiveDirectory.Adapters.DirectoryEntryAdapter.get_CurrentUser() in D:\a\BLAZAM\BLAZAM\BLAZAMActiveDirectory\Adapters\DirectoryEntryAdapter.cs:line 101

I am logged in with the Admin user, and I can't set any additional users since I can't find anything on the AD Search.

barroei1981 commented 1 month ago

I will try to download the source code and validate it in my Visual Studio; it seems that I just don't have permissions, but I checked the user and it is able to search the AD.

So my assumption is either I have a DN misconfigured, or a bug where the user being used is the Admin that is logged in and not the user I gave for the query on AD.

jacobsen9026 commented 1 month ago

@barroei1981 Wow, thanks for being willing to attempt some debug yourself, that's awesome.

It is not related to any connection issues with your AD. The local admin is always a super admin and exists for that very reason, when there are issues.

Each directory search result loads in the current user state, which should be the admin account here. When interacted by web users, permission checks are made to verify the requested action. The fact this error is occurring means that search results are being found, so your AD connection is working.

For some reason, either the CurrentUserStateService did not get loaded, or failed to read the authentication cookie from the browser. Or the per-web-user Active Directory connection was created too early.

Does the user button work and show the username admin? [image]

If so, then the CurrentUserStateService is working as expected.

Also, was a restart of the web application performed? I can see a fringe situation where something may get hung up in that process immediately after the first launch wizard.

I was unable to reproduce the error, but I have not tried a fresh install yet.

barroei1981 commented 1 month ago

Hi,

No I don't see the username.

And yes, the web application was restarted as part of changing the details for the auto update user, since this user had no permissions on the AD.

By the way another issue I found in installation, I installed MySQL and was unable to get it to use it , it just kept on saying it fails on test connection so since it's a POC I changed it to the SQLite for now.


jacobsen9026 commented 1 month ago

Hi @barroei1981,

Thanks for the quick responses.

I believe the issue may be triggered by line 122 in ADSearch.cs:

    SearchRoot ??= ActiveDirectoryContext.Instance.GetDirectoryEntry(DatabaseCache.ActiveDirectorySettings?.ApplicationBaseDN);

This pulls a statically (application wide) assigned AD connection which, now that I'm looking at it, could result in a race condition between the application's internal AD connection and the user assigned one, since both connections set this variable (oops). Using the internal connection while checking for, in this case read, permissions will throw this error. This also reveals a possible privilege bypass which is a moderate security risk with concurrent web users. Fixing this will remove that security risk and greatly improve the app.

Root cause: [image]

I must be getting incredibly lucky to not have run into this, or you're incredibly unlucky, either way, it's a legitimate bug.

I will work on a hotfix for the above under v0.9.5 and it should be released by Sunday. Once released, you can run the installer again to update.

I use SQL server at work for this app in production (SQLite for dev) so I have less vetting on MySQL but last I tested it was able to connect. I'll take another look. What version of MySQL are you attempting to connect to?
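
To make the failure mode in the comment above concrete, here is an added, constructed C# model (not BLAZAM's code; every class and member name is an assumption chosen to echo the thread): a static search root primed by whichever directory context gets there first, beside a per-request shape that binds the search root to the caller's own user state.

```csharp
#nullable enable
using System;

// Constructed model of the shared-static-search-root pattern. Names are assumptions that
// echo the thread; none of this is BLAZAM's own code.
public sealed class UserState
{
    public string Username { get; }
    public bool CanRead { get; }
    public UserState(string username, bool canRead) { Username = username; CanRead = canRead; }
}

public sealed class DirectoryContext
{
    // null for the application-internal connection, set for a per-web-user connection
    public UserState? CurrentUser { get; }
    public DirectoryContext(UserState? currentUser) { CurrentUser = currentUser; }
    public DirectoryEntryAdapter GetDirectoryEntry(string dn) => new DirectoryEntryAdapter(dn, this);
}

public sealed class DirectoryEntryAdapter
{
    private readonly DirectoryContext _context;
    public string DistinguishedName { get; }
    public DirectoryEntryAdapter(string dn, DirectoryContext context) { DistinguishedName = dn; _context = context; }

    // Same failure as the reported stack trace: an entry bound to the user-less internal
    // connection has nobody to check permissions for, so the check throws.
    public UserState CurrentUser => _context.CurrentUser
        ?? throw new ApplicationException("Current User State was not provided to this directory entry");

    public bool CanRead() => CurrentUser.CanRead;
}

// Buggy shape: one static search root. "??=" assigns only on first use, so every later caller,
// whatever its own context, gets an entry bound to whichever context touched it first.
public static class SharedRootSearch
{
    private static DirectoryEntryAdapter? _searchRoot;
    public static void Reset() => _searchRoot = null;

    public static DirectoryEntryAdapter GetSearchRoot(DirectoryContext instance, string baseDn)
    {
        _searchRoot ??= instance.GetDirectoryEntry(baseDn);
        return _searchRoot;
    }
}

// One fixed shape: the search root belongs to the request, is built from the caller's own
// context, and a context without a user is rejected before any directory work (fail closed).
public sealed class PerRequestSearch
{
    private readonly DirectoryContext _context;
    public PerRequestSearch(DirectoryContext context) { _context = context; }

    public bool CanReadSearchRoot(string baseDn)
    {
        if (_context.CurrentUser is null)
            throw new InvalidOperationException("Web searches require a per-user directory context");
        DirectoryEntryAdapter searchRoot = _context.GetDirectoryEntry(baseDn); // never shared
        return searchRoot.CanRead();
    }
}

public static class Demo
{
    public static void Main()
    {
        const string baseDn = "OU=Example,DC=example,DC=local"; // constructed sample DN
        var internalContext = new DirectoryContext(null);
        var alice = new DirectoryContext(new UserState("alice", canRead: true));
        var bob = new DirectoryContext(new UserState("bob", canRead: false));

        // Case 1: internal housekeeping primes the shared root with the user-less connection.
        // Alice's later permission check throws the exact exception from the report, even
        // though her own AD connection is fine.
        SharedRootSearch.Reset();
        SharedRootSearch.GetSearchRoot(internalContext, baseDn);
        try { SharedRootSearch.GetSearchRoot(alice, baseDn).CanRead(); }
        catch (ApplicationException ex) { Console.WriteLine("Case 1: " + ex.Message); }

        // Case 2: Alice primes the shared root instead. Bob's check now runs against Alice's
        // state and passes: the concurrent-user privilege problem the comment mentions.
        SharedRootSearch.Reset();
        SharedRootSearch.GetSearchRoot(alice, baseDn);
        bool bobAllowed = SharedRootSearch.GetSearchRoot(bob, baseDn).CanRead();
        Console.WriteLine("Case 2: bob allowed = " + bobAllowed + " (expected False)");

        // Fixed: every request is evaluated against its own user, with no cross-user state.
        Console.WriteLine("Fixed: alice = " + new PerRequestSearch(alice).CanReadSearchRoot(baseDn)
            + ", bob = " + new PerRequestSearch(bob).CanReadSearchRoot(baseDn));
    }
}
```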

jacobsen9026 commented 1 month ago

Hmmm, while the previous is a bug, it doesn't explain the missing username in the user menu.... that's concerning, and likely won't fix this issue....

I'm gonna try a slight modification to the CurrentUserService and some additional logging/exception throwing to hopefully get more insight should the modifications have no effect.

barroei1981 commented 1 month ago

Thanks for the update Chris

As to your question on the MySQL version , I just downloaded latest one.

I also tried MSSQL before and installed it, but post-install I received an issue connecting to the DB server.

Since this is still in POC stage I didn't investigate it yet. But I do need to move this solution to a more robust SQL.

A question I didn't see on the App and I had in my previous company is the ability to allow users to assign delegates to groups, and to ask for an ownership change; those allowed me to give the users a huge span of control and reduce effort since the users managed it by themselves.

Also I really like your Template model , and would love to understand if I could use it through API , as a part of not having an IDM in place.

A bit about what I am trying to achieve:

  1. An API managed solution for self service to our users either through Jira approved flow to be added to groups managed by IT or in some cases through Twilio for cases like unlock users and password reset.

  2. Provision new user to trigger a template assignment to groups by user type.

  3. Self service allowing owners to manage their own groups or assign delegates , or non owners to ask to be added , or be assigned as delegates.

Roei


jacobsen9026 commented 1 month ago

Thanks Roei,

I found a number of issues with some newly activated features that are interfering with the first run wizard. And I have reproduced your issue, though only just 15 minutes ago, still investigating.

There is no external API built for Blazam yet. It has always been an option in the design and the foundation of API tokens and proven authentication and authorization via those tokens was created at the very beginning, existing in the code to this day.

Unfortunately as it stands Blazam is unable to integrate with any external applications/systems... it will have to be done in app.

I don't think you were asking, but to be clear, APIs (99% of them) use the same authorization for all users of the external app, therefore, Jira or Twilio would have to control whether an action is allowed for a user of that external app.

A question I didn't see on the App and I had in my previous company is the ability to allow users to assign delegates to groups, and to ask for an ownership change; those allowed me to give the users a huge span of control and reduce effort since the users managed it by themselves.

  1. Self service allowing owners to manage their own groups or assign delegates , or non owners to ask to be added , or be assigned as delegates.

I'm sorry I got a little lost in reading this, by allowing users to assign delegates to groups, are you saying, to provide permission to a Blazam non-superadmin user to be able to assign delegation of a group to another non-admin Blazam user? If a group is provided permission to manage the other group, and also can manage the group provided permission, anyone in that first group can add or remove users as desired, can even remove themselves. But I'm not sure that's what you are describing.

Regarding group owners, I'm assuming you mean the Manager attribute for groups in Active Directory? I can already imagine the code needed to let that automatically allow certain permissions. They would still need to be defined as a "Delegate" in Blazam either directly or by a containing group, to allow them to log in.

Asking for permission to change is a little less clear in my head how best to accomplish. An all or nothing approach seems the cleanest for both developing and end user experience, but maybe people would want yet another fine grained per-OU/AccessLevel setting to play with...

  1. An API managed solution for self service to our users either through Jira approved flow to be added to groups managed by IT or in some cases through Twilio for cases like unlock users and password reset.
  2. Provision new user to trigger a template assignment to groups by user type.

If an API existed, the above would be easily implemented.

Obviously I'm going to focus on the original issue, and then towards a stable 1.0 release. API work would have to wait until after. Just to be completely transparent about what your expectations should be.

barroei1981 commented 1 month ago

I will try to explain the workflow.

In normal process IT would create a group and manage users in it.

In my previous company what we did is :

  1. IT Create Group
  2. IT set group ownership by the main user of that need.
  3. That user was then able to manage it solely.

Another flow was that if IT didn't have an Owner at the first phase, then

  1. User could ask to change ownership to him , IT would be notified and swap
  2. User to user change ownership - in case of user leaving or swapping role.

And in some cases they could ask for delegation, meaning:

  1. User could be a delegate with permission to manage the group (not allowed to remove the owner).


jacobsen9026 commented 1 month ago

I believe I have identified the root cause of your original issue. I missed a dependency in the installer and instructions. Apparently all the machines I test with IIS already had this dependency installed, possibly by an older .NET installer.

WebSockets must be installed on the IIS host for many core components of the app to work.... I'm fairly confident you will find this to be missing. If not, do let me know....

  1. In the Server Manager, go to the Add Role and Features wizard and select Server Roles.
  2. In the Roles pane, under Web Server > Application Development, select WebSocket Protocol.

I will have to update the installer to check for this, and update my manual installation instructions.

Regarding your workflow...

In my previous company what we did is :

  1. IT Create Group
  2. IT set group ownership by the main user of that need.
  3. That user was then able to manage it solely.

Blazam is designed entirely around that concept, here's an example...

  1. IT creates "Delegate" in Blazam Permissions pointing to "group owner"
  2. IT creates "Access Level" in Blazam Permissions to allow whatever you consider an "owner" should be able to do (assign/unassign members, rename, move, or delete)
  3. IT assigns said "Access Level" to said "Delegate" in the Permission mappings in Blazam. (I suppose this is where it deviates slightly in that you can not target a specific group, unless that group is the only one in that OU)
  4. User can manage groups under assigned OU in Permission mapping.

Another flow was that if IT didn't have an Owner at the first phase, then

  1. User could ask to change ownership to him , IT would be notified and swap
  2. User to user change ownership - in case of user leaving or swapping role.

I don't see a way to do this with Blazam's current design. As disclaimed above, you can not target permissions to a specific group, only OUs.... It could be possible if I extend permission application down to each object (which honestly may be very easy to achieve with minimal code change), or as I mentioned in a previous post, Blazam could utilize the Manager attribute of the group and allow for permissions by setting that in Active Directory (safer from bugs, but more code)

I will see how best to try and satisfy your use case.

barroei1981 commented 1 month ago

Hi Chris,

Short update: after installing the WebSocket feature everything started to work, but now that I see that the view is on OU level I understand that I need the permissions on the tree to allow me to manage access permissions on the actual Security Group, since we manage under one OU all Security Groups that are focused under a specific domain and I need the granularity of security group permissions to be on the level of the Group and not on the level of the OU.

Unless I am missing something.

Regards, Roei


jacobsen9026 commented 1 month ago

Hi Chris, short update: after installing the WebSocket feature everything started to work, but now that I see that the view is on OU level I understand that I need the permissions on the tree to allow me to manage access permissions on the actual Security Group, since we manage under one OU all Security Groups that are focused under a specific domain and I need the granularity of security group permissions to be on the level of the Group and not on the level of the OU. Unless I am missing something. Regards, Roei

Hello Roei, Without being able to assign permissions to specific groups in Blazam, then you are correct, if all groups are under the 1 OU, it won't be able to currently satisfy your needs.

Please note the disclaimer at docs.blazam.org which applies to groups as much as users.... [image]

However, I plan to attempt to implement per-AD-entry permission application, which in theory would satisfy your needs. Albeit, extremely granular.

I would expect to be able to have that included by mid to late August. (I try to do a 1-2 week feature testing in my environments before releasing officially)

I apologize if this disappoints or in any way affects your satisfaction with Blazam. Every attempt will be made to provide you with the confidence that Blazam can satisfy your requirements. I appreciate the motivation to work at it.

barroei1981 commented 1 month ago

Thank you so much for the quick response Chris.

I will be awaiting for this feature as it is key for my workflows.

Awaiting an update.

Regards, Roei


jacobsen9026 commented 1 month ago

Hi Roei @barroei1981,

I wanted to let you know that with only minor modifications to the GUI, and practically no backend code changes, I was able to achieve permissions applied to a single group within Blazam. Completely fulfilling one of your use cases. Nice to see the foundational code can be so flexible.

Because the code changes are so minimal, I will include it in the v1.0 release. ETA 10 or so days.

Note: v1.0 will require .NET 8

barroei1981 commented 1 month ago

Thx for the update Chris. If you have it on the client side only, is it possible to add the delegate option as another icon at the top of the group view?

The reasoning I ask is I found it fairly easy to search and then click on it, while the process in Blazam right now is more connected to the permission flow, but functionality wise once you've built an ACL you don't really need to go through this flow any more.

And once that is done, the next feature request would be, for non-admins: add a delegate button that will send a notification (I saw it on the main menu near the name icon) and then on the admin side add a pending requests view on the permissions screen to allow/decline those.

And one last thing, as a thought, to have some view showing ACLs per user or per all groups/OUs. Since today as admin you must log in to the ACL mapping and you don't have a clear view of who has what permissions. I could also think of adding this type of info on the user and group level, where on a group you will see who has permissions to the group and what delegation rights.

And on user you could see all delegations he has, which could be very useful in cases of user leaving a company.

Regards, Roei


jacobsen9026 commented 1 month ago

Good day Roei,

If you have it on the client side only, is it possible to add the delegate option as another icon at the top of the group view?

Yes, I can see a use for this. On more than just groups, all types could benefit from this. It would only be able to allow super-admins to use it, but that lines up with what you're asking.

The reasoning I ask is I found it fairly easy to search and then click on it, while the process in Blazam right now is more connected to the permission flow, but functionality wise once you've built an ACL you don't really need to go through this flow any more.

I plan to add a way to show all users in each Blazam "Delegate" group so you can better understand who is getting permissions. But you are correct that including the previous suggestion, this would be less important.

And once that is done, the next feature request would be, for non-admins: add a delegate button that will send a notification (I saw it on the main menu near the name icon) and then on the admin side add a pending requests view on the permissions screen to allow/decline those.

I will be honest, this is a very specific use case request. I will have to think about how best to implement this feature. The community is small enough right now to accommodate specific use cases like this, but I hope you can imagine 100's of these over the years would cause a ton of lightly used features that require maintenance as the app is developed and updated. I am currently the only developer (lost one helper), so I have to bite off only what I can chew.

Having said that, I'm leaning towards including this request.

And one last thing, as a thought: have some view showing ACLs per user, or per all groups/OUs. Since today as Admin you must log in to the ACL mapping, you don't have a clear view of who has what permissions. I could also think of adding this type of info at the user and group level, where on a group you will see who has permissions to the group and what delegation rights.

Plans are to include an effective permission tool, to quickly show admins what permissions are applied to each OU/AD Object without having to impersonate. Ideally this would be placed in multiple places including each search result page to show who can do what to that result.

jacobsen9026 commented 1 month ago

Hi Roei @barroei1981,

I wanted to let you know that with only minor modifications to the GUI, and practically no backend code changes, I was able to achieve permissions applied to a single group within Blazam, completely fulfilling one of your use cases. Nice to see the foundational code can be so flexible.

Because the code changes are so minimal, I will include it in the v1.0 release. ETA 10 or so days.

Note: v1.0 will require .NET 8

And here's a sneak peek at mapping directly to groups... [image]

barroei1981 commented 1 month ago

Thanks for the update Chris,

Don't take any of my suggestions as ones that are immediate requests; I am just looking at features we built at my previous company, how much they were used, and what the key capabilities were.

In our solution we did almost everything you are doing, but we also had features to allow a user "delegated" as owner to "delegate" permissions to other team members.

Our focus was to reduce the need to talk to IT, and the whole design was built around that; that is why even other solutions that required group management abilities worked with our APIs, and we even built a queue for mass changes, such as a massive release of workforce causing a lot of org changes, since the IDM couldn't handle those easily.

Provisioning new users from a template, as you have here, directly from our ERP.

Twilio as a multi-channel for user access management in cases of forgotten passwords; JIT delegation, which is limited to x minutes, for cases where you are not available; or predefined time-boxed delegation for leave, which was connected to our HR system notifying you to set it if you had groups you own, etc.

If you want ideas, I have a lot of them. I can also try to help with some of the code changes; I have not been in a dev state for a while, but I have already reviewed some areas' data flow.

Roei

On Fri, Aug 9, 2024, 01:04 Chris Jacobsen @.***> wrote:
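Two ideas in this thread fit one small model: the effective-permission tool Chris describes (show admins who can do what to each OU or AD object without impersonating) and the JIT / time-boxed delegation Roei mentions. The block below is an added example, not Blazam's own code; it assumes an allow-only model in which each delegation grants a set of actions to a delegate group on a target DN, inherited by every object beneath that DN, with an optional expiry. Every DN, group name, user name and action in it is constructed.

```python
"""Effective-permission resolution over an OU hierarchy, with time-boxed grants.

Added example, not Blazam's own code. It assumes an allow-only model in which
each delegation grants a set of actions to a delegate group on a target DN,
inherited by every object beneath that DN, and may carry an expiry time for
JIT / time-boxed delegation. All DNs, group names and users are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Delegation:
    delegate_group: str                    # delegate group that receives the rights
    target_dn: str                         # OU or single object the rights apply to
    actions: FrozenSet[str]                # e.g. {"read", "reset_password", "add_member"}
    expires_at: Optional[datetime] = None  # None = permanent; set for JIT/time-boxed grants


def dn_chain(dn: str) -> List[str]:
    """Return the DN itself followed by each parent container, most specific first.

    A plain split on ',' is enough for the constructed sample DNs (no escaped commas).
    """
    parts = [p.strip() for p in dn.split(",")]
    return [",".join(parts[i:]) for i in range(len(parts))]


def is_active(d: Delegation, now: datetime) -> bool:
    """A grant with an expiry stops applying the moment the expiry is reached."""
    return d.expires_at is None or now < d.expires_at


def effective_permissions(user: str, object_dn: str, delegations: Iterable[Delegation],
                          membership: Dict[str, Set[str]], now: datetime) -> Dict[str, str]:
    """Map each action `user` may perform on `object_dn` to the DN of the grant it came from.

    Rights are the union of all active grants on the object or any ancestor; when
    several grants give the same action, the most specific target is reported as
    the source so an admin can see where the right was delegated.
    """
    chain = dn_chain(object_dn)
    result: Dict[str, str] = {}
    for d in delegations:
        if not is_active(d, now):
            continue
        if user not in membership.get(d.delegate_group, set()):
            continue
        if d.target_dn not in chain:
            continue
        depth = chain.index(d.target_dn)
        for action in d.actions:
            if action not in result or chain.index(result[action]) > depth:
                result[action] = d.target_dn
    return result


def who_can(object_dn: str, delegations: Iterable[Delegation],
            membership: Dict[str, Set[str]], now: datetime) -> Dict[str, FrozenSet[str]]:
    """Per-object "who can do what" view, the listing an admin would want beside a search result."""
    users: Set[str] = set().union(*membership.values()) if membership else set()
    view: Dict[str, FrozenSet[str]] = {}
    for user in sorted(users):
        perms = effective_permissions(user, object_dn, delegations, membership, now)
        if perms:
            view[user] = frozenset(perms)
    return view


# Constructed sample data (hypothetical domain, groups and users).
NOW = datetime(2024, 8, 9, 1, 4, tzinfo=timezone.utc)
LATER = NOW + timedelta(minutes=30)      # the moment the JIT grant below expires
CORP_OU = "OU=Corp,DC=example,DC=com"
GROUPS_OU = "OU=Groups," + CORP_OU
SALES_DN = "CN=Sales Team," + GROUPS_OU

SAMPLE_MEMBERSHIP = {"Helpdesk": {"alice", "bob"}, "SalesOwners": {"carol"}}
SAMPLE_DELEGATIONS = [
    Delegation("Helpdesk", CORP_OU, frozenset({"read", "reset_password"})),                   # OU-wide, inherited
    Delegation("SalesOwners", SALES_DN, frozenset({"read", "add_member", "remove_member"})),  # one group only
    Delegation("Helpdesk", GROUPS_OU, frozenset({"add_member"}), expires_at=LATER),           # JIT, 30 minutes
]

if __name__ == "__main__":
    for user in ("alice", "carol", "dave"):
        print(user, effective_permissions(user, SALES_DN, SAMPLE_DELEGATIONS, SAMPLE_MEMBERSHIP, NOW))
    print(who_can(SALES_DN, SAMPLE_DELEGATIONS, SAMPLE_MEMBERSHIP, LATER))
```

The deliberate design choice is that the model is allow-only and additive: a grant higher in the tree is never narrowed by a more specific grant, only joined with it, so the "who can do what" view for an object is the union of every active grant on its ancestor chain. Time-boxed grants fall out of that view automatically once `now` reaches their expiry, which is the property an admin reviewing JIT delegation wants to verify.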

jacobsen9026 commented 3 weeks ago

I appreciate everything you provide Roei,

I think we can slow the pace of features for now, but yes I would love more suggestions and would be completely humbled by a code contribution.

I do enjoy your ideas, I just need to keep things general enough for widespread usage. Some ideas may be rejected, and left up to the IT admin to code on their end.

Anyway, version 1.0 has dropped with the ability to assign to specific groups/users/computers along with OUs.

Thank you, Chris

jacobsen9026 commented 2 weeks ago

Small update:

There will be a few stabilization/bugfix updates for v1.0 before work on your feature suggestions begins.

I'm going to place this in the mid-September milestone.

barroei1981 commented 2 weeks ago

Thx for the update

On Fri, Aug 23, 2024, 01:19 Chris Jacobsen @.***> wrote: