Roles, Users, Sessions and more

Hi,

How can I show a list of roles which are GRANTED to the user in his/her session?
I'd like to have a page where userinfo is shown with all the granted permissions.

I have tried User_Role and User_Effective_Role, but those only contain the possible permissions:
the persistent ones (or the ones that have been added by Create_User_Role etc.).
When I grant roles dynamically which are not persistent, they do not show up in those tables.
(or am I doing something wrong?)

Besides the obvious add all "Check<permission>" which could be faulty when you miss 1 or 2 :)

Hello

I'm using 7.0 and both the User_Role and User_Effective_Role entities show the granted roles to the user.

I did a small test espace that lists the User_Role and User_Effective_Role for the logged-on user, and when granting a role or revoking a role using the Roles primitives, it shows as expected.

How are you granting the roles dynamically?

Check the attached espace for testing purposes. If you create a user and grant the Rolling role, when you log in on that espace with that user you can see the effective roles. Granting new roles will update the tables accordingly.

Cheers

Miguel Simões João

Statler & Waldorf wrote:
Hi,

How can I show a list of roles which are GRANTED to the user in his/her session?
I'd like to have a page where userinfo is shown with all the granted permissions.

I have tried User_Role and User_Effective_Role, but those only contain the possible permissions:
the persistent ones (or the ones that have been added by Create_User_Role etc.).
When I grant roles dynamically which are not persistent, they do not show up in those tables.
(or am I doing something wrong?)

Besides the obvious add all "Check<permission>" which could be faulty when you miss 1 or 2 :)
 
 
 
Hello again,

I've noticed that I've used persistent roles only ... you're right, non-persistent roles are stored in the session and not in the database metadata. This means that the User_Role and User_Effective_Role will not have information about these roles.

This is fully documented at Persistency in Roles.

The non-persistent roles were designed to be volatile, hence they reside in the session. This means that usually the application's logic grants the non-persistent roles on user log on, and they're automatically revoked when the session times out. This volatile nature suggests that there's usually no need to manage the non-persistent roles.

What's your use case to use non-persistent roles but have to list them nonetheless?

Cheers

Miguel Simões João

Hi Miguel,

My use case is that the roles/users are coming from LDAP and are changed whenever the user switches from Database.
If I make them persistent I would be able to create/delete them via queries, but it also means
I have to logout/login the user to get rid of the "in-memory-roles".
This is maintenance which can be very tricky, especially when you use multiple applications.

I'd like to list them just for debugging purposes. So when a user calls "I cannot access that app/page" I can ask them to click on a certain link and make a screenshot of that page :)

Hi

Yeah, that's tricky. The only way I can think of is not pretty, as you've already confirmed. You have to call the CheckPermission action for each non-persistent role for that user to check which roles the user is assigned to. And this only works within the user's session, because the non-persistent roles are stored in the user's session.

Since it's for debugging and error reporting purposes, I suspect that this may not impact the normal usage of the applications.

Other than that, I don't see a better way to do it. Hope it helps.

Cheers

Miguel


Hi,

Just to clarify:
You do not need to use the specific Check<Permission>() methods.
The CheckRole(RoleId:,UserId:) built-in function gives you what you need if the UserId = Session.UserId.
So you can do a query to find all the RoleIds and just iterate that method. Everything is done in memory using the session information, so it's pretty efficient even for persistent roles.

Note: This only applies if the UserId = Session.UserId and in the session where the roles are granted.

This method was called CheckPermission(PermissionId:,UserId:) until 6.0.

Regards,
João Rosado