Tagged with permissions - Visokio Forums http://forums.visokio.com/discussions/tagged/permissions/feed.rss Mon, 30 Oct 17 15:02:53 -0400 Tagged with permissions - Visokio Forums en-CA Deployment: Rendering HTML5 browser versions inside your own iFrames (2.9 Plus) http://forums.visokio.com/discussion/2980/deployment-rendering-html5-browser-versions-inside-your-own-iframes-2.9-plus Wed, 29 Jul 2015 06:47:59 -0400 antonio 2980@/discussions
The option "Allow render in any iframe" is by default unticked, that means Omniscope will only allow the current site/domain to frame the content.
This is the case you have a web server serving your web page at e.g. yourserver.com and you embed Omniscope Mobile into an iframe provided that Omniscope is on the same domain (e.g. yourserver.com/myfile.iok) .

If for instance your webserver is yourserver.com and you want to embed Omniscope Mobile running on a different server (e.g. omniscope.me/myfile.iok), than you will need to tick the "Allow render in any iframe" option to allow cross domain embedding of the Mobile app.

Find the options in the "Permissions" section in the Omniscope Web Server settings.
image

N.B. the option "Allow client to display embed option" should be set accordingly to the "Allow render in any iframe".
]]> Idea: Saving browser sessions in hosted IOK folders? http://forums.visokio.com/discussion/2701/idea-saving-browser-sessions-in-hosted-iok-folderss Fri, 29 Aug 2014 11:33:03 -0400 mustafa 2701@/discussions
This would prevent users from updating everyone else's view of a file, while allowing them to save their local changes made from the browser. It would use far less server memory than having multiple copies of the IOK file, since the data would be shared. When a given user next logs in they would get their own configuration of the file as they left it, but will also have the ability to revert back to the master file configuration.

This would allow each user to have their own saved state of an IOK file; the master IOK file itself would hold the data (along with the original "master configuration").

A new user permission would control whether you could save back to the "master configuration" in the IOK itself or not.

We are also considering allowing some kind of URL query param to specify the "saved user id" which will be used to identify the user. There is a related discussion here about query params mentioned here:

http://forums.visokio.com/discussion/comment/9410/

Let us know of your thoughts and ideas and if you would be happy to help develop this idea.

]]> Security: Mobile Web Server user permissions http://forums.visokio.com/discussion/2388/security-mobile-web-server-user-permissions Mon, 28 Oct 2013 15:04:16 -0400 antonio 2388@/discussions
To enable this feature, just create a folder.xml configuration file and put it into your sharing folder (or subfolder).
You can start by using the folder.xml.default file, present into the mobile sharing folder, as template.

Remember, the settings present into the folder.xml file will override the default anonymous/folder permissions, and the default users credentials and permissions. As a note for system administrators, folder.xml works like Apache .htaccess file.

Here follows the main aspects you have to knowledge to properly configure the folder.xml file:

Permissions


These are permissions you can set on a folder or per user basis:
  • listDirectory : allow users to list existing files and subfolders
  • downloadFile : allow users to download the IOK files
  • viewInMobile : allow users to launch the Omniscope Mobile app for the existing IOK files
  • fileManagement : allow users to upload IOK files, rename and delete resources, create new folders in the folder
  • getStatic : allow users to get/access static resources from the folder, and to customise default styles (e.g. logo, icons, css files)
  • viewServerState : allow users to view the server state through a monitoring page

N.B. A missing permission in the configuration is equivalent to deny

User Credentials


To specify user credentials is required you specify:
  • username : in clear text
  • password : hash encrypted string using MD5 algorythm. As reference you can use this link to generate the hash.


folder.xml file structure


  • Anonymous section
    The <anonymous> element describes the unauthenticated permissions, and is also used as default values for per-user permissions.
    Unauthenticated public access will be given these permissions. Any false/missing permissions will require authentication.
  • Users section
    The <user> element describes the credentials and the permissions per user, and is made by the following elements/attributes:
    • Enabled : whether or not the user is enabled.
    • Credentials : the user username and password
    • Permissions: the user permissions that will override the anonymous ones



folder.xml example


<?xml version="1.0" encoding="UTF-8"?>
<mobilefolder>
<anonymous>
<permissions listDirectory="true" downloadFile="false" viewInMobile="true" fileManagement="false" getStatic="false" viewServerState="false"/>
</anonymous>
<users>
<user enabled="true">
<credentials>
<credentials username="antonio" password="9aeb94180027a7081352cba05e6a3782" />
</credentials>
<permissions>
<permissions listDirectory="true" downloadFile="true" viewInMobile="true" fileManagement="true" getStatic="true" viewServerState="true" />
</permissions>
</user>
<user enabled="true">
<credentials>
<credentials username="guest" password="4aeb93180027a708186hy4505e6a6465" />
</credentials>
<permissions>
<permissions listDirectory="true" viewInMobile="true" getStatic="true" />
</permissions>
</user>
</users>
</mobilefolder>


Common use cases:


  • Anonymous access not allowed, Admin user full permissions, Guest users browse and play IOK files
    <?xml version="1.0" encoding="UTF-8"?>
    <mobilefolder>
    <anonymous>
    <permissions listDirectory="false" downloadFile="false" viewInMobile="false" fileManagement="false" getStatic="false" viewServerState="false"/>
    </anonymous>
    <users>
    <user enabled="true">
    <credentials>
    <credentials username="admin" password="9aeb94180027a7081352cba05e6a3782" />
    </credentials>
    <permissions>
    <permissions listDirectory="true" downloadFile="true" viewInMobile="true" fileManagement="true" getStatic="true" viewServerState="true" />
    </permissions>
    </user>
    <user enabled="true">
    <credentials>
    <credentials username="guest" password="4aeb93180027a708186hy4505e6a6465" />
    </credentials>
    <permissions>
    <permissions listDirectory="true" viewInMobile="true" getStatic="true" />
    </permissions>
    </user>
    </users>
    </mobilefolder>

  • Anonymous can browse folders, no Admin user, Guest users browse and play IOK files
    <?xml version="1.0" encoding="UTF-8"?>
    <mobilefolder>
    <anonymous>
    <permissions listDirectory="true" getStatic="true" />
    </anonymous>
    <users>
    <user enabled="true">
    <credentials>
    <credentials username="guest" password="4aeb93180027a708186hy4505e6a6465" />
    </credentials>
    <permissions>
    <permissions listDirectory="true" viewInMobile="true" getStatic="true" />
    </permissions>
    </user>
    </users>
    </mobilefolder>


]]> Security: Group Permissions http://forums.visokio.com/discussion/2572/security-group-permissions Tue, 27 May 2014 07:02:09 -0400 Veaceslav 2572@/discussions Mobile Web Server Authentication

Group Permissions

Mobile Server authentication has been redesigned to include LDAP/Active Directory (AD) authentication and Single-Sign-On (SPNEGO) mechanisms.

Each server request goes through a security check first and if it is authorized, the request is processed and a proper response is sent back to the client.

Authorization permissions may be added to anonymous users and authentication groups. Permissions cannot be added for each individual user. To make sure a user has specific permissions you need to create a group with those permissions and add the user to that group.

Omniscope Mobile web server allows you to configure per folder authorization/permissioning configuration.

To enable this feature, just create a folder.xml configuration file and put it into your sharing folder (or subfolder).
You can start by using the folder.xml.default file, present into the mobile sharing folder, as template.

Remember, the settings present into the folder.xml file will override the default anonymous/folder permissions, and the default authentication groups and permissions. As a note for system administrators, folder.xml works like Apache .htaccess file.

Editing tip for folder.xml
Instead of manually editing the folder.xml file we suggest you copy an existing folder.xml into the correct folder and then use Omniscope Mobile Web Server UI main toolbar (Settings > Edit folder.xml configuration...) to edit the folder.xml.

Permissions

Here follows the main aspects you have to knowledge to properly configure the folder.xml file.

These are permissions you can set on a folder or per group basis:
  • listDirectory : allow users to list existing files and subfolders
  • downloadFile : allow users to download the IOK files
  • viewInMobile : allow users to launch the Omniscope Mobile app for the existing IOK files
  • fileManagement : allow users to upload IOK files, rename and delete resources, create new folders in the folder and save. Also used to control if mobile is in "Viewer" mode.
  • getStatic : allow users to get/access static resources from the folder, and to customise default styles (e.g. logo, icons, css files)
  • viewServerState : allow users to view the server state through a monitoring page
  • exportData : allow users to export a view's data as a CSV file.

N.B. A missing permission in the configuration is equivalent to deny

folder.xml file structure


  • Anonymous section
    The <anonymous> element describes the unauthenticated permissions, and is also used as default values for per-group permissions.
    Unauthenticated public access will be given these permissions. Any false/missing permissions will require authentication.
  • Groups section
    The <group> element describes the authentication group and its permissions, and is made by the following elements/attributes:
    • Enabled : whether or not the group is enabled. Disabled groups are not considered during authentication
      Note: If the enabled attribute is missing the group will be enabled by default. A group is disabled only if the enabled attribute is present and is set to false
    • Name: specifies the group name e.g. Data Analysts, Guests, Administrators, Employees, etc
    • Permissions: the group permissions that will override the anonymous ones
    • Mechanisms: a list of authentication mechanisms to be used when authenticating users for this group e.g. LDAP Query, List Of Users, SPNEGO (Single-Sign-On)
      • ListOfUsers: defining a list of users, e.g. :
        <listOfUsers>
        <users>
        <credentials username="test" password="098f6b627b4f6" />
        <credentials username="visokio" password="72261efef7c41" />
        </users>
        </listOfUsers>

        Credentials element has two attributes: username and password (the MD5 encrypted password).
        To generate password MD5s, visit this link

      • ldapQuery: LDAP Query mechanism enables Omniscope Server to query an LDAP/AD server to validate user credentials
        Attributes:
        • distinguishedName: LDAP group distinguished name E.g. CN=Users,DC=example,DC=com
        • url: A full URL pointing to your LDAP/AD server
          Example 1: 'LDAP://ldapserver.example.com:389'
          where LDAP is protocol name, ldapserver.example.com is the LDAP/AD server and 389 is the default port for LDAP protocol
          Example 2: 'LDAPS://ldapserver.example.com:636' where LDAPS is LDAP over SSL protocol,
          ldapserver.example.com is the LDAP/AD server and 636 is the default port for LDAPS protocol
        • ignoreSslIssues: false most of the time. Set true only if your LDAP/AD server has not been configured to use a trusted certificate and you are using LDAPS protocol
        • securityAuthentication: Security authentication type supported by your LDAP/AD server. By default, LDAP/AD server uses a simple security type. However, you should contact your administrator to check whether you need to use a different type (CRAM-MD5, or DIGEST-MD5, or none)
        • principalNameFormat: can have only one the the following values:
          1. {Name} : User's simple name will be used to authenticate. e.g. 'username' and 'password' will be used
          2. DOMAIN\{Name}: User's simple name will be added the DOMAIN name automatically e.g 'EXAMPLE.COM\username' and 'password' will be used to authenticate the user
          3. {Name}@DOMAIN: User's simple name will be appended the DOMAIN name automatically e.g. 'username@EXAMPLE.COM' and 'password' will be used to authenticate the user

        • principalDomain: must be set only if 'principalNameFormat' contains a domain name, otherwise it will be disregarded. e.g. 'EXAMPLE.COM'

      • spnegoMechanism: a Single-Sign-On authentication mechanism e.g.:
        <spnegoMechanism>
        <userNames>
        <userName userName="johnsmith" />
        <userName userName="johndoe" />
        </userNames>
        </spnegoMechanism>

        spnegoMechanism element has a list of user names to be verified once users authenticate successfully on LDAP/AD server and are assigned group permissions (roles).
        WARNING: spnegoMechanism will be disregarded during authentication if SPNEGO global settings are not set in config.xml




folder.xml example


<?xml version="1.0" encoding="UTF-8"?>
<mobilefolder>
<anonymous>
<permissions listDirectory="false" downloadFile="false" viewInMobile="false"
fileManagement="false" getStatic="false" viewServerState="false"
exportData="false" />
</anonymous>
<groups>
<group enabled="true" name="Data Analysts">
<permissions>
<permissions listDirectory="true" downloadFile="true" viewInMobile="true"
fileManagement="false" getStatic="false" viewServerState="false"
exportData="false" />
</permissions>
<mechanisms>
<spnegoMechanism>
<userNames>
<userName userName="john" />
</userNames>
</spnegoMechanism>
<ldapQuery
distinguishedName="CN=Users,DC=example,DC=com"
url="ldap://ldapserver.example.com:389"
ignoreSslIssues="false"
securityAuthentication="simple"
principalNameFormat="{Name}@DOMAIN"
principalDomain="example.com">
</ldapQuery>
<listOfUsers>
<users>
<credentials username="Tester" password="f5d1277e04873b9" />
</users>
</listOfUsers>
</mechanisms>
</group>
</groups>
</mobilefolder>


Common use cases:


  • Anonymous access not allowed, Admin user full permissions, Guest users browse and play IOK files

    <?xml version="1.0" encoding="UTF-8"?>
    <mobilefolder>
    <anonymous>
    <permissions listDirectory="false" downloadFile="false" viewInMobile="false"
    fileManagement="false" getStatic="false" viewServerState="false"
    exportData="false" />
    </anonymous>
    <groups>
    <group enabled="true" name="Administrators">
    <permissions>
    <permissions listDirectory="true" downloadFile="true" viewInMobile="true"
    fileManagement="true" getStatic="true" viewServerState="true"
    exportData="true" />
    </permissions>
    <mechanisms>
    <listOfUsers>
    <users>
    <credentials username="admin" password="5d141e04873b9" />
    </users>
    </listOfUsers>
    </mechanisms>
    </group>
    <group enabled="true" name="Guests">
    <permissions>
    <permissions listDirectory="true" viewInMobile="true"
    getStatic="true" />
    </permissions>
    <mechanisms>
    <listOfUsers>
    <users>
    <credentials username="guest" password="f5d1ee04873b9" />
    <credentials username="visitor" password="43ffge14197e45" />
    </users>
    </listOfUsers>
    </mechanisms>
    </group>
    </groups>
    </mobilefolder>

  • Anonymous access not allowed, admin users authenticating with their LDAP accounts, employees browse and play IOK files and authenticate with their LDAP accounts, a new employee user authenticating with List Of Users mechanism if an LDAP account is not yet available and a user authenticating with a Single-Sign-On (SPNEGO) mechanism

    <?xml version="1.0" encoding="UTF-8"?>
    <mobilefolder>
    <anonymous>
    <permissions listDirectory="false" downloadFile="false" viewInMobile="false"
    fileManagement="false" getStatic="false" viewServerState="false"
    exportData="false" />
    </anonymous>
    <groups>
    <group enabled="true" name="Administrators">
    <permissions>
    <permissions listDirectory="true" downloadFile="true" viewInMobile="true"
    fileManagement="true" getStatic="true" viewServerState="true"
    exportData="true" />
    </permissions>
    <mechanisms>
    <ldapQuery
    distinguishedName="CN=Administrators,DC=example,DC=com"
    url="ldap://ldapserver.example.com:389"
    ignoreSslIssues="false"
    securityAuthentication="simple"
    principalNameFormat="{Name}@DOMAIN"
    principalDomain="example.com">
    </ldapQuery>
    </mechanisms>
    </group>
    <group enabled="true" name="Employee">
    <permissions>
    <permissions listDirectory="true" downloadFile="true" viewInMobile="true"
    fileManagement="false" getStatic="true" viewServerState="false"
    exportData="false" />
    </permissions>
    <mechanisms>
    <spnegoMechanism>
    <userNames>
    <!-- User 'john' with password 'SomePassword' is defined on the
    LDAP server and logged in the client machine to test SPNEGO -->
    <userName userName="john" />
    </userNames>
    </spnegoMechanism>
    <ldapQuery
    distinguishedName="CN=Users,DC=example,DC=com"
    url="ldap://ldapserver.example.com:389"
    ignoreSslIssues="false"
    securityAuthentication="simple"
    principalNameFormat="{Name}@DOMAIN"
    principalDomain="example.com">
    </ldapQuery>
    <listOfUsers>
    <users>
    <credentials username="NewEmployee" password="d1274e417e04" />
    </users>
    </listOfUsers>
    </mechanisms>
    </group>
    </groups>
    </mobilefolder>

]]>