Feature suggestions #464 (Blazam-App/BLAZAM; opened as "Error post install trying to get directory information")
Roei (barroei1981):
I will try to download the source code and validate it in my Visual Studio. It seems that I just don't have permissions, but I checked the user and it is able to search the AD. So my assumption is either I have a DN misconfigured, or there is a bug where the user being used is the admin logged in and not the user I gave for the query on AD.

Chris Jacobsen:
@barroei1981 Wow, thanks for being willing to attempt some debug yourself, that's awesome. It is not related to any connection issues with your AD. The local admin is always a super admin and exists for that very reason, for when there are issues. Each directory search result loads in the current user state, which should be the admin account here. When interacted with by web users, permission checks are made to verify the requested action. The fact this error is occurring means that search results are being found, so your AD connection is working. For some reason, either the CurrentUserStateService did not get loaded, or it failed to read the authentication cookie from the browser. Or the per-web-user Active Directory connection was created too early. Does the user button work and show the username admin? If so, then the CurrentUserStateService is working as expected. Also, was a restart of the web application performed? I can see a fringe situation where something may get hung up in that process immediately after the first launch wizard. I was unable to reproduce the error, but I have not tried a fresh install yet.
Roei (barroei1981):
Hi,
No, I don't see the username.
And yes, the web application was restarted as part of changing the details for the auto-update user, since that user had no permissions on the AD.
By the way, another issue I found in installation: I installed MySQL and was unable to get it to use it; it just kept saying it fails on test connection, so since it's a POC I changed it to SQLite for now.
Chris Jacobsen:
Hi @barroei1981, Thanks for the quick responses. I believe the issue may be triggered by line 122 in ADSearch.cs:

    SearchRoot ??= ActiveDirectoryContext.Instance.GetDirectoryEntry(DatabaseCache.ActiveDirectorySettings?.ApplicationBaseDN);

This pulls a statically (application-wide) assigned AD connection which, now that I'm looking at it, could result in a race condition between the application's internal AD connection and the user-assigned one, since both connections set this variable (oops). Using the internal connection while checking for, in this case, read permissions will throw this error. This also reveals a possible privilege bypass, which is a moderate security risk with concurrent web users. Fixing this will remove that security risk and greatly improve the app. I must be getting incredibly lucky to not have run into this, or you're incredibly unlucky; either way, it's a legitimate bug. I will work on a hotfix for the above under v0.9.5 and it should be released by Sunday. Once released, you can run the installer again to update. I use SQL Server at work for this app in production (SQLite for dev) so I have less vetting on MySQL, but last I tested it was able to connect. I'll take another look. What version of MySQL are you attempting to connect to?

Chris Jacobsen:
Hmmm, while the previous is a bug, it doesn't explain the missing username in the user menu... that's concerning, and likely won't fix this issue... I'm gonna try a slight modification to the CurrentUserService and some additional logging/exception throwing, to hopefully get more insight should the modifications have no effect.

Roei (barroei1981):
Thanks for the update Chris.
As to your question on the MySQL version, I just downloaded the latest one.
But I did also try MSSQL before and installed it, but post-install received an issue connecting to the DB server.
Since this is still in the POC stage I didn't investigate it yet. But I do need to move this solution to a more robust SQL.
A feature I didn't see in the app, which I had in my previous company, is the ability to allow users to assign delegates to groups and to ask for ownership changes; those allowed me to give the users a huge span of control and reduce effort, since the users managed it by themselves.
Also I really like your template model, and would love to understand if I could use it through an API, as part of not having an IDM in place.
A bit about what I am trying to achieve:
1. An API-managed solution for self-service for our users, either through a Jira-approved flow to be added to groups managed by IT or, in some cases, through Twilio for cases like unlocking users and password reset.
2. Provisioning a new user triggers a template assignment to groups by user type.
3. Self-service allowing owners to manage their own groups or assign delegates, or non-owners to ask to be added or be assigned as delegates.
Roei
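The shared static search root that Chris describes above (a process-wide field assigned with `??=` that both the application's internal connection and each web user's connection write to), as an added illustration that is not Blazam's own code. The names FakeDirectoryEntry, SharedSearchRoot, ScopedSearchRoot and the svc-blazam account are constructed for this demo; SharedSearchRoot only mirrors the shape of the quoted line, and ScopedSearchRoot stands in for a per-user scoped service, which is one way to remove the shared state. The point it makes is that the first binder wins, so every later permission check runs under the internal connection's identity rather than the web user's.

```csharp
// Added illustration, not Blazam's code. FakeDirectoryEntry, SharedSearchRoot,
// ScopedSearchRoot and the "svc-blazam" account are constructed for this demo;
// SharedSearchRoot mirrors the shape of the static "??=" line quoted above.
#nullable enable
using System;
using System.Threading;
using System.Threading.Tasks;

// Stand-in for a bound DirectoryEntry that remembers which account bound it.
public sealed class FakeDirectoryEntry
{
    public string BoundAs { get; }
    public FakeDirectoryEntry(string boundAs) => BoundAs = boundAs;
}

// Vulnerable shape: one process-wide field. Whichever connection binds first
// (at startup, the application's internal service connection) wins, and every
// later caller, including per-web-user permission checks, reuses that entry.
public static class SharedSearchRoot
{
    public static FakeDirectoryEntry? SearchRoot;

    public static FakeDirectoryEntry Get(string account)
    {
        // "??=" is not atomic across threads and, worse, never re-binds: the
        // first account to reach this line becomes the identity for all callers.
        SearchRoot ??= new FakeDirectoryEntry(account);
        return SearchRoot;
    }
}

// Hardened shape: the search root belongs to one user's scope (in ASP.NET Core
// this would be a scoped service, one instance per request/circuit), so nothing
// is written to static state and no user can inherit the internal connection.
public sealed class ScopedSearchRoot
{
    private readonly string _account;
    private FakeDirectoryEntry? _root;
    public ScopedSearchRoot(string account) => _account = account;
    public FakeDirectoryEntry Get() => _root ??= new FakeDirectoryEntry(_account);
}

public static class Demo
{
    // Simulates concurrent web users and counts how many end up searching the
    // directory as an account other than their own.
    public static int CountWrongIdentity(Func<string, FakeDirectoryEntry> getRoot, int users)
    {
        int wrong = 0;
        Parallel.For(0, users, i =>
        {
            string me = $"user{i}";
            if (getRoot(me).BoundAs != me) Interlocked.Increment(ref wrong);
        });
        return wrong;
    }

    public static void Main()
    {
        // The application's own connection binds first, as it does at startup.
        SharedSearchRoot.Get("svc-blazam");
        int shared = CountWrongIdentity(SharedSearchRoot.Get, 50);
        int scoped = CountWrongIdentity(a => new ScopedSearchRoot(a).Get(), 50);
        Console.WriteLine($"static SearchRoot: {shared} of 50 users searched as svc-blazam");
        Console.WriteLine($"scoped SearchRoot: {scoped} of 50 users searched as someone else");
    }
}
```

Run it as a console app on .NET 6 or later: the static version reports all 50 simulated users searching as svc-blazam (the internal connection's identity), the scoped version reports none. The detection angle for a defender is the same one the thread hit by accident: if a low-privilege web user's request produces results or errors that only the service account could have reached, the search identity is wrong.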
Chris Jacobsen:
Thanks Roei, I found a number of issues with some newly activated features that are interfering with the first run wizard. And I have reproduced your issue, though only just 15 minutes ago; still investigating. There is no external API built for Blazam yet. It has always been an option in the design, and the foundation of API tokens and proven authentication and authorization via those tokens was created at the very beginning, existing in the code to this day. Unfortunately, as it stands, Blazam is unable to integrate with any external applications/systems... it will have to be done in app. I don't think you were asking, but to be clear, APIs (99% of them) use the same authorization for all users of the external app; therefore, Jira or Twilio would have to control whether an action is allowed for a user of that external app.
I'm sorry, I got a little lost in reading this. By allowing users to assign delegates to groups, are you saying to provide permission to a Blazam non-superadmin user to be able to assign delegation of a group to another non-admin Blazam user? If a group is provided permission to manage the other group, and also can manage the group provided permission, anyone in that first group can add or remove users as desired, and can even remove themselves. But I'm not sure that's what you are describing. Regarding group owners, I'm assuming you mean the Manager attribute for groups in Active Directory? I can already imagine the code needed to let that automatically allow certain permissions. They would still need to be defined as a "Delegate" in Blazam, either directly or by a containing group, to allow them to log in. Asking for permission to change is a little less clear in my head how best to accomplish. An all-or-nothing approach seems the cleanest for both development and end user experience, but maybe people would want yet another fine-grained per-OU/AccessLevel setting to play with...
If an API existed, the above would be easily implemented. Obviously I'm going to focus on the original issue, and then towards a stable 1.0 release. API work would have to wait until after. Just to be completely transparent about what your expectations should be.
Roei (barroei1981):
I will try to explain the workflow.
In the normal process IT would create a group and manage users in it.
In my previous company what we did is:
1. IT creates group
2. IT sets group ownership to the main user of that need.
3. That user was then able to manage it solely.
Another flow was, if IT didn't have an owner at the first phase, then:
1. User could ask to change ownership to him; IT would be notified and swap.
2. User to user change of ownership - in case of a user leaving or swapping role.
And in some cases they could ask for delegation, meaning:
1. User could be given delegate permission to manage the group (not allowed to remove the owner).
Chris Jacobsen:
I believe I have identified the root cause of your original issue. I missed a dependency in the installer and instructions. Apparently all the machines I test with IIS already had this dependency installed, possibly by an older .NET installer. WebSockets must be installed on the IIS host for many core components of the app to work... I'm fairly confident you will find this to be missing. If not, do let me know...
1. In the Server Manager, go to the Add Roles and Features wizard and select Server Roles.
2. In the Roles pane, under Web Server > Application Development, select WebSocket Protocol.
I will have to update the installer to check for this, and update my manual installation instructions.
Regarding your workflow...
> In my previous company what we did is:
> 1. IT creates group
> 2. IT sets group ownership to the main user of that need.
> 3. That user was then able to manage it solely.
Blazam is designed entirely around that concept, here's an example...
1. IT creates a "Delegate" in Blazam Permissions pointing to group "owner".
2. IT creates an "Access Level" in Blazam Permissions to allow whatever you consider an "owner" should be able to do (assign/unassign members, rename, move, or delete).
3. IT assigns said "Access Level" to said "Delegate" in the Permission mappings in Blazam. (I suppose this is where it deviates slightly, in that you can not target a specific group, unless that group is the only one in that OU.)
4. User can manage group.
> Another flow was, if IT didn't have an owner at the first phase, then:
> 1. User could ask to change ownership to him; IT would be notified and swap.
> 2. User to user change of ownership - in case of a user leaving or swapping role.
I don't see a way to do this with Blazam's current design. As disclaimed above, you can not target permissions to a specific group, only OUs... It could be possible if I extend permission application down to each object (which honestly may be very easy to achieve with minimal code change), or, as I mentioned in a previous post, Blazam could utilize the Manager attribute of the group and allow for permissions by setting that in Active Directory (safer from bugs, but more code). I will see how best to try and satisfy your use case.

Roei (barroei1981):
Hi Chris,
Short update: post installing the WebSocket feature everything started to work, but now that I see that the view is on the OU level, I understand that I need the permissions on the tree to allow me to manage access permissions on the actual security group. Since we manage under one OU all security groups that are focused under a specific domain, I need the granularity of security group permissions to be on the level of the group and not on the level of the OU.
Unless I am missing something.
Regards,
Roei
Chris Jacobsen:
Hello Roei, Without being able to assign permissions to specific groups in Blazam, you are correct: if all groups are under the one OU, it won't currently be able to satisfy your needs. Please note the disclaimer at docs.blazam.org, which applies to groups as much as users... However, I plan to attempt to implement per-AD-entry permission application, which in theory would satisfy your needs. Albeit extremely granular. I would expect to be able to have that included by mid to late August. (I try to do 1-2 weeks of feature testing in my environments before releasing officially.) I apologize if this disappoints or in any way affects your satisfaction with Blazam. Every attempt will be made to provide you with the confidence that Blazam can satisfy your requirements. I appreciate the motivation to work at it.

Roei (barroei1981):
Thank you so much for the quick response Chris.
I will be waiting for this feature as it is key for my workflows.
Awaiting an update.
Regards,
Roei
Chris Jacobsen:
Hi Roei @barroei1981, I wanted to let you know that with only minor modifications to the GUI, and practically no backend code changes, I was able to achieve permissions applied to a single group within Blazam, completely fulfilling one of your use cases. Nice to see the foundational code can be so flexible. Because the code changes are so minimal, I will include it in the v1.0 release. ETA 10 or so days. Note: v1.0 will require .NET 8.

Roei (barroei1981):
Thx for the update Chris.
If you have it on the client side only, is it possible to add the delegate option as another icon on the top of the group view?
The reason I ask is I found it fairly easy to search and then click on it, while the process in Blazam right now is more connected to the permission flow, but functionality wise, once you have built an ACL you don't really need to go through this flow any more.
And once that is done, the next feature request would be, for non-admins: add a delegate button that will send a notification (I saw it on the main menu near the name icon) and then on the admin side add a pending requests view on the permissions screen to allow / decline those.
And one last thing, as a thought: have some view showing ACLs per user or per all groups / OUs. Since today as admin you must log in to the ACL mapping and you don't have a clear view of who has what permissions.
I could also think of adding this type of info on the user and group level, where on a group you will see who has permissions to the group and what delegation rights.
And on a user you could see all delegations he has, which could be very useful in cases of a user leaving a company.
Regards,
Roei
Chris Jacobsen:
Good day Roei,
> If you have it on the client side only, is it possible to add the delegate option as another icon on the top of the group view?
Yes, I can see a use for this. On more than just groups, all types could benefit from this. It would only be able to allow super-admins to use it, but that lines up with what you're asking.
> The reason I ask is I found it fairly easy to search and then click on it, while the process in Blazam right now is more connected to the permission flow, but functionality wise, once you have built an ACL you don't really need to go through this flow any more.
I plan to add a way to show all users in each Blazam "Delegate" group so you can better understand who is getting permissions. But you are correct that, including the previous suggestion, this would be less important.
> And once that is done, the next feature request would be, for non-admins: add a delegate button that will send a notification (I saw it on the main menu near the name icon) and then on the admin side add a pending requests view on the permissions screen to allow / decline those.
I will be honest, this is a very specific use case request. I will have to think about how best to implement this feature. The community is small enough right now to accommodate specific use cases like this, but I hope you can imagine hundreds of these over the years would cause a ton of lightly used features that require maintenance as the app is developed and updated. I am currently the only developer (lost one helper), so I have to bite off only what I can chew. Having said that, I'm leaning towards including this request.
> And one last thing, as a thought: have some view showing ACLs per user or per all groups / OUs. Since today as admin you must log in to the ACL mapping and you don't have a clear view of who has what permissions. I could also think of adding this type of info on the user and group level, where on a group you will see who has permissions to the group and what delegation rights.
Plans are to include an effective permission tool, to quickly show admins what permissions are applied to each OU/AD Object without having to impersonate. Ideally this would be placed in multiple places including each search result page to show who can do what to that result.
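The permission model discussed in this thread (a "Delegate" granted an "Access Level" over a target, originally an OU and from v1.0 also a single group, user or computer) and the effective-permission view Chris plans above, as an added illustration that is not Blazam's own code. Every type name and DN below is constructed for the demo. It shows why an OU-level mapping cannot single out one group when all security groups live in the same OU, how an object-level mapping does, and how the "who can do what to this object" view falls out of the same mapping data.

```csharp
// Added illustration, not Blazam's code. The types and sample DNs are
// constructed; they model the Delegate -> Access Level -> mapping concepts
// described in this thread, with a mapping targeting either an OU (covers
// everything beneath it) or, as added in v1.0, one specific object.
using System;
using System.Collections.Generic;
using System.Linq;

public enum GroupAction { ReadMembers, AssignMembers, Rename, Move, Delete }

// An Access Level is a named set of allowed actions.
public sealed record AccessLevel(string Name, IReadOnlySet<GroupAction> Allowed);

// A mapping grants an Access Level to a Delegate (an AD group DN) over a target.
// TargetIsContainer = true means "this OU and everything under it".
public sealed record PermissionMapping(string DelegateDn, string TargetDn,
                                       AccessLevel Level, bool TargetIsContainer);

public static class EffectivePermissions
{
    // DN comparison is case-insensitive; a container target only matches at a
    // "," boundary so OU=Groups does not accidentally cover OU=SubGroups.
    public static bool Covers(PermissionMapping m, string objectDn)
    {
        if (objectDn.Equals(m.TargetDn, StringComparison.OrdinalIgnoreCase)) return true;
        return m.TargetIsContainer
            && objectDn.EndsWith("," + m.TargetDn, StringComparison.OrdinalIgnoreCase);
    }

    // Can a user who is a member of userGroupDns perform action on objectDn?
    public static bool IsAllowed(IEnumerable<PermissionMapping> mappings,
                                 IEnumerable<string> userGroupDns,
                                 string objectDn, GroupAction action)
    {
        var groups = new HashSet<string>(userGroupDns, StringComparer.OrdinalIgnoreCase);
        return mappings.Any(m => groups.Contains(m.DelegateDn)
                                 && Covers(m, objectDn)
                                 && m.Level.Allowed.Contains(action));
    }

    // The "effective permission" view: for one object, which delegate may do what.
    public static SortedDictionary<string, SortedSet<GroupAction>> WhoCanDoWhat(
        IEnumerable<PermissionMapping> mappings, string objectDn)
    {
        var view = new SortedDictionary<string, SortedSet<GroupAction>>(StringComparer.OrdinalIgnoreCase);
        foreach (var m in mappings.Where(pm => Covers(pm, objectDn)))
        {
            if (!view.TryGetValue(m.DelegateDn, out var actions))
                view[m.DelegateDn] = actions = new SortedSet<GroupAction>();
            actions.UnionWith(m.Level.Allowed);
        }
        return view;
    }

    public static void Main()
    {
        // Constructed sample directory: all security groups live in one OU,
        // which is the layout Roei describes above.
        const string groupsOu = "OU=SecurityGroups,DC=example,DC=com";
        const string finance  = "CN=Finance-Share,OU=SecurityGroups,DC=example,DC=com";
        const string hr       = "CN=HR-Share,OU=SecurityGroups,DC=example,DC=com";

        var owner  = new AccessLevel("Owner", new HashSet<GroupAction>
            { GroupAction.ReadMembers, GroupAction.AssignMembers, GroupAction.Rename });
        var reader = new AccessLevel("Reader", new HashSet<GroupAction> { GroupAction.ReadMembers });

        var mappings = new[]
        {
            // OU-level mapping: applies to every group under the OU, so it cannot
            // be used to hand one team ownership of just their own group.
            new PermissionMapping("CN=Helpdesk,OU=Delegates,DC=example,DC=com", groupsOu, reader, TargetIsContainer: true),
            // Object-level mapping (v1.0 style): only the Finance group.
            new PermissionMapping("CN=Finance-Owners,OU=Delegates,DC=example,DC=com", finance, owner, TargetIsContainer: false),
        };

        var financeOwners = new[] { "CN=Finance-Owners,OU=Delegates,DC=example,DC=com" };
        Console.WriteLine(IsAllowed(mappings, financeOwners, finance, GroupAction.AssignMembers));
        Console.WriteLine(IsAllowed(mappings, financeOwners, hr, GroupAction.AssignMembers));
        foreach (var (delegateDn, actions) in WhoCanDoWhat(mappings, finance))
            Console.WriteLine($"{delegateDn}: {string.Join(", ", actions)}");
    }
}
```

Run as a console app on .NET 6 or later. The two IsAllowed calls print True for the Finance group and False for the HR group, which is exactly the per-group granularity that an OU-only target cannot express; the WhoCanDoWhat loop lists both the Helpdesk delegate (ReadMembers, via the OU mapping) and the Finance-Owners delegate (ReadMembers, AssignMembers, Rename) for the Finance group. The boundary check in Covers is the part worth keeping in any real implementation: a plain prefix or substring match on DNs would let a mapping on one OU silently cover a sibling OU whose name happens to share a suffix.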
Roei (barroei1981):
Thanks for the update Chris,
Don't take any of my suggestions as immediate requests; I am just looking at features we built in my previous company, how much they were used, and what the key capabilities were.
In our solution we did almost everything you are doing, but we also had features to allow a user "delegated" as owner to "delegate" permission to other team members.
Our focus was to reduce the need to talk to IT, and the whole design was built by it; that is why even other solutions that required group management abilities worked with our APIs, and we even built a queue for mass changes such as a massive release of workforce causing a lot of org changes, since the IDM couldn't handle those easily.
Provisioning new users as a template, as you have here, directly from our ERP.
Twilio as a multi-channel for user access management in cases of forgotten password, JIT delegation which is limited to x minutes for cases where you are not available, or predefined time-boxed delegation for leave, which was connected to our HR system notifying you to set it if you had groups you own, etc.
If you want ideas I have a lot of them. I can also try to help with some of the code changes; I have not been in a dev state for a while, but I already reviewed some areas' data flow.
Roei
Chris Jacobsen:
I appreciate everything you provide Roei. I think we can slow the pace of features for now, but yes, I would love more suggestions and would be completely humbled by a code contribution. I do enjoy your ideas, I just need to keep things general enough for widespread usage. Some ideas may be rejected, and left up to the IT admin to code on their end. Anyway, version 1.0 has dropped with the ability to assign to specific groups/users/computers along with OUs. Thank you,

Chris Jacobsen:
Small update: There will be a few stabilization/bugfix updates for v1.0 before work on your feature suggestions begins. I'm going to place this in the mid-September milestone.

Roei (barroei1981):
Thx for the update
Roei (barroei1981):
Hi Chris,
I am trying to install the latest version and I get an error on AD connect:
2024-09-12 21:19:16.997 +03:00 [Error] Directory Entry failed to connect DirectoryServicesCOMException
I have no idea why it's failing.
I also checked again the use of MySQL – a few issues – although I said to use one user, on install it always tried to use the blazam user, which didn't exist, and it didn't work until I actually created it.
Can you assist?
Roei
From: Chris Jacobsen ***@***.***>
Date: Saturday, 24 August 2024 at 6:54
To: Blazam-App/BLAZAM ***@***.***>
Cc: barroei1981 ***@***.***>, Mention ***@***.***>
Subject: Re: [Blazam-App/BLAZAM] Error post install trying to get directory information (Issue #464)
I would also check the wwwroot directory and open the js subdirectory and
ensure blazam.js matches
https://github.com/Blazam-App/BLAZAM/blob/Release-v1.0.1.2024.08.23.2247/BLAZAM/wwwroot/js/blazam.js
which I fully expect it will.
If a bug does exist (bad DN tests have been stable on my end) I would add
some breakpoints in the authentication functions within
https://github.com/Blazam-App/BLAZAM/blob/Release-v1.0.1.2024.08.23.2247/BLAZAMServices/AppAuthenticationStateProvider.cs
Debugging on your end would be greatly appreciated. My investigation has
led me to believe the error is confined to JS, but it's possible the C# base
code is to blame.
Cheers, Chris.
|
This issue is stale because it has been open for 14 days with no activity. |
Hi Roei, Opening a new issue for separate problems is advised, to bring my attention to the situation. Having said that, I apologize for missing your updated issues. FYI, the comment...
Was intended for another user's issue.
This makes a lot of sense as to a possible issue, I always use blazam as my MySQL user, could explain how I missed a bug. Will investigate...
This is a feature that has not been tested in a while. For traffic reduction purposes, the icon is cached by Blazam for a minute or so, but it's possible a reboot is currently required for it to update. Will also investigate... (and I got a laugh out of your use of BS icon, in English speaking countries BS stands for a male cattle's droppings, which I'm sure you didn't mean and were referring to BZ, Blazam, still funny)
Thank you, I had a feeling there was some post-install hang on account of my logging server receiving almost a GB per hour of errors after every fresh install. Having the user-end experience reported is incredibly helpful. I now know where to begin looking for causes. September was always predicted to be a difficult time to work on Blazam for myself. This has led to a slump in feature work, I've been focusing on quality and bug improvements for the previous month. Of course your errors and poor experiences will be addressed first, as always, no point in adding more features with their own bugs while old ones still exist. October should bring a 25%-50% increase in available time to devote to testing and implementing these suggested features. |
You are correct, the setup contained the following line...
Which would insert the database name as the username, when it should have been...
This will be included in the next setup update. The web installer will have to be redownloaded, as it does not self-update, or even check for updates. |
After testing, the feature is functional albeit with one caveat, and one poor UX implementation. The caveat is that the icon is delivered in a way that the icon is cached by client browsers. Blazam currently tells browsers to cache the icon for 24 hours, so a change may take up to 24 hrs to show for all users. The poor UX (user experience) implementation is that the setting page where the icon is set also uses the cached version, meaning changes are not shown immediately, and leads to the impression that the default logo was uploaded. A disclaimer will be added warning about the caching situation. The settings page will be modified to show the image currently in the database instead of the cached method. |
Fixed setup v1.4 has been released and addresses this issue |
Improved icon upload experience dropped in 1.0.4 update to Blazam last night. |
Work has begun on a display of effective permissions of other users. Once this is complete work will shift to access requests. I'm still not sold on exactly how to implement this. For example a request to assign/unassign could easily evolve into a desire to request for edit, or other actions. Flexibility requires complex code and we want to get this correct on the first attempt. Streamlining this into the existing notification system presents its own challenges as well. |
Hi Roei, I'm wondering what your opinion is, the simplest way to do this is to allow all users to request assign/unassign access to all groups they can read but can't already assign/unassign. They would need to already have read access. Is this acceptable for your use case? Thanks. |
Hi Chris,
Yes, I believe it's fine.
All users can see the groups, but specific ones are fairly sensitive,
for example board members.
By the way I think I found a bug on your Upgrade process, it seems to fail
again and again, and the only way I was able to install it is by offline
installer and only once I stopped the IIS.
Roei
|
First, there was missing information in the documentation regarding update permissions until a couple of weeks ago. In addition to write permissions to the installation directory, the account used to update must also have permissions to manage IIS sites (or services for service installations). If you're using the Blazam AD credentials for updates, and that AD user is a domain admin, they should already have permission to manage IIS; only explicit folder permissions are required. If the first point does not apply to your situation, and if you can, please copy the contents of lastUpdateAttempt.txt in the Update folder of the installation directory. Remove any passwords and usernames prior to pasting publicly to this thread. That will let me know how and why the update is failing to apply. If you can identify the failure yourself, you can paste only the relevant logging. Lastly, I am a few days away from having working group management access requests. Many changes were done to the notification system to make this possible, and it is flexible enough for future additions to notification functionality. Thank you for making Blazam awesome! |
I have set up my user for the update, but per what I see in the logs it is
using the Directory connection username and not mine. This user does not
have local admin permissions on the machine running BLAZAM. It also
explains why my user is not shown in the logs: when I do it manually
on the machine it works, but only if I stop the site. Even the installer is
not stopping it, it is just stuck, and I also see in its logs that there
is no use of my user in the process, not even if I say run as Admin.
|
I see the issue and will have it fixed for the next update. It is indeed only using the AD credentials. |
Looks amazing... This is an amazing feature.
On Sun, Nov 10, 2024, 17:31 Chris Jacobsen ***@***.***> wrote:
Update
Everything but email notifications of a request is completed.
Workflow screenshots User
Non-admin view showing request button
image.png (view on web)
<https://github.com/user-attachments/assets/224ff74d-1d37-452b-b580-8e8958d1f083>
Request Dialog
image.png (view on web)
<https://github.com/user-attachments/assets/7d188d1f-d110-4395-817b-b84a82feab61>
Admin
Admin Request Notification
image.png (view on web)
<https://github.com/user-attachments/assets/849c1cb1-cbe2-40f5-909a-5dba0643c0b9>
Approval dialog
image.png (view on web)
<https://github.com/user-attachments/assets/ad27253b-d45c-4e00-bca9-cc583b01f3d0>
Behavior
Upon approval, a delegate and access level will be created if needed, and
the direct mapping to the requested object is assigned.
|
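The access-request rule proposed earlier in the thread (a user may request assign/unassign on any group they can already read but cannot already assign) and the approval behaviour quoted above (create a delegate and an access level if needed, then map the requested object directly) can be written out as a small authorization model. The code below is an added example written for this page, not Blazam's own implementation; the `Right` flags, the `AccessLevel`/`Delegate` classes, the group DNs and the sample rights table are all constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Flag, auto


class Right(Flag):
    """Rights a web user can hold on a directory group (constructed model)."""
    NONE = 0
    READ = auto()
    ASSIGN = auto()   # assign/unassign members


@dataclass
class AccessLevel:
    name: str
    rights: Right


@dataclass
class Delegate:
    """A principal that has been granted access levels on specific objects."""
    principal: str
    # object DN -> access level granted directly on that object
    mappings: dict = field(default_factory=dict)


@dataclass
class AccessRequest:
    requester: str
    group_dn: str
    approved: bool = False


class AccessRequestModel:
    def __init__(self, effective_rights):
        # principal -> {group DN -> Right}; a constructed stand-in for the
        # effective rights Blazam derives from its OU/group/user mappings
        self.effective = {p: dict(g) for p, g in effective_rights.items()}
        self.delegates: dict[str, Delegate] = {}
        self.access_levels: dict[str, AccessLevel] = {}
        self.requests: list[AccessRequest] = []

    def requestable_groups(self, principal):
        """Groups the principal can read but cannot yet assign/unassign."""
        rights = self.effective.get(principal, {})
        return sorted(dn for dn, r in rights.items()
                      if Right.READ in r and Right.ASSIGN not in r)

    def submit(self, principal, group_dn):
        """Refuse requests for unreadable groups or groups already assignable."""
        if group_dn not in self.requestable_groups(principal):
            raise PermissionError(f"{principal} may not request {group_dn}")
        req = AccessRequest(principal, group_dn)
        self.requests.append(req)
        return req

    def approve(self, req):
        """Create the access level and delegate if missing, then map the group."""
        level = self.access_levels.setdefault(
            "Assign members", AccessLevel("Assign members", Right.READ | Right.ASSIGN))
        delegate = self.delegates.setdefault(req.requester, Delegate(req.requester))
        delegate.mappings[req.group_dn] = level
        # the new direct mapping widens the requester's effective rights
        mine = self.effective.setdefault(req.requester, {})
        mine[req.group_dn] = mine.get(req.group_dn, Right.NONE) | level.rights
        req.approved = True
        return delegate


# Constructed sample: three groups with different effective rights for one user.
BOARD = "CN=Board Members,OU=Groups,DC=example,DC=com"
STAFF = "CN=Staff,OU=Groups,DC=example,DC=com"
FINANCE = "CN=Finance Admins,OU=Groups,DC=example,DC=com"
SAMPLE_RIGHTS = {
    "alice": {
        BOARD: Right.READ,                 # readable, not assignable -> requestable
        STAFF: Right.READ | Right.ASSIGN,  # already assignable -> nothing to request
        FINANCE: Right.NONE,               # not even readable -> never requestable
    }
}


def demo():
    """Walk one request through submission and approval."""
    model = AccessRequestModel(SAMPLE_RIGHTS)
    before = model.requestable_groups("alice")      # [BOARD]
    req = model.submit("alice", BOARD)
    model.approve(req)
    after = model.requestable_groups("alice")       # []
    return before, after, model


if __name__ == "__main__":
    b, a, m = demo()
    print("requestable before:", b)
    print("requestable after: ", a)
    print("delegate mappings: ", m.delegates["alice"].mappings)
```

The point of keeping the eligibility rule in one place (`requestable_groups`) is that both the request button and the submission path use the same predicate, so a client cannot request access to a group it cannot read, and approval only ever adds a direct mapping on the requested object rather than a broader access level.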
Now the only missing piece is the ability to call the template user
creation via API. At least for now.
I will see if I can assign one of my devs to submit a CR for your review if
it's not in your plans.
|
Webhooks and an API are planned (probably next features to be added). I won't stop you because I'd love the help, but getting just template user creation via API should be easier than webhooks. I'm gonna spend some more time (2-3 days) testing and fixing little UI issues before releasing this version (v1.1). If the template API turns out as easy as I suspect, I may be able to include it in that release. |
Your original feature request is being pushed through nightly testing right now. A preview will soon be available at https://blazam.org/demo. Once testing is completed it will drop as v1.1.0 for public usage. This thread is too long and I want to abandon it. For API feature tracking on your side, please continue that discussion in the existing webhooks request, which I have modified to include API #585 |
There are some issues with self update that have popped up on my main test installation. I am unable to reproduce the problem with other test installs, or fresh installs, so the thinking is it's just an issue with that specific test server/installation. But I wanted you to be aware and report any issues if you use self update after applying this next update. Email notification of requests is untested, but should function and is built just like the other notification types. Version 1.1.0 will drop within the next couple hours. I will therefore close this issue as completed. However, improvements to the visual presentation (tooltips, informational messages, etc...) of the access request feature will continue regardless. |
Discussed in #463
Originally posted by barroei1981 August 1, 2024
[Error] Current User State was not provided to this directory entry ApplicationException { TargetSite: BLAZAM.Session.Interfaces.IApplicationUserState get_CurrentUser(), Message: "Current User State was not provided to this directory entry", Data: [], InnerException: null, HelpLink: null, Source: "BLAZAMActiveDirectory", HResult: -2146232832, StackTrace: " at BLAZAM.ActiveDirectory.ActiveDirectoryContext.get_CurrentUser() in D:\a\BLAZAM\BLAZAM\BLAZAMActiveDirectory\ActiveDirectoryContext.cs:line 32
at BLAZAM.ActiveDirectory.Adapters.DirectoryEntryAdapter.get_CurrentUser() in D:\a\BLAZAM\BLAZAM\BLAZAMActiveDirectory\Adapters\DirectoryEntryAdapter.cs:line 101
I am logged in with the Admin user, and I can't set any additional users since I can't find anything on the AD search.