Sharing - Limiting Auto-Complete to only show users within groups

Comments

20 comments

  • Avatar
    David Hertzberg

    Hi, this is something we are waiting for a long time ! More a a feature than as a plugin ....

    One question : if a user A belongs to 2 groups, and a user B belong to only one of these 2 groups => user A sees all the users of the two groups, and B sees only the users in his group ?

    Thanks,

    David.

    0
    Comment actions Permalink
  • Avatar
    Gideon B

    Hi David, 

     

    The answer is yes. User A will see all members in Groups 1 and Groups 2. User B will only see members in his Group (let's assume B is in Group 2, he wont see who is in Group 1. Users on see members in their Group.)

     

    Thanks, 

    Gideon

    0
    Comment actions Permalink
  • Avatar
    Mike van

    As an OEM this is huge for us as well, but it doesn't quite work right yet.

    It seems that when you use the plugin it no longer will give the groups as an option to publish to. As soon as I remove the plugin they show up again.

    If would expect

    1. If you are not part of a group you can share with all groups

    2. If you are part of a group or multiple groups you can share with those groups as well as the people in the groups

    0
    Comment actions Permalink
  • Avatar
    David Hertzberg

    Hi Mike,

    Interesting request, I would be curious to know better your SiSense implementation. And thanks for testing it more completely than I have been !

    In our case though, group should also remain private. So for us it would be only to apply your 2nd point : if I am part of the group, I can share to any member of any group I belong to, and as well as being able to share with any group I belong to.

    I would also add that some users should be able to see all users and all groups : administrator, and maybe member of special groups like "OEM Admin" for instance. Probably in your implementation, the only user not belonging to a group is the OEM Admin ! In our case, OEM admins has a special group, and in some occasion users do not belong to a group, probably for bad reasons though, but I would not be comfortable with your point number 1, as it means that if you forget to place a user in a group, he sees all groups (so all customers).

    Best,

    David.

    0
    Comment actions Permalink
  • Avatar
    Mike van

    I think we are on e the same page here. Unless you are an admin you should only be able to share groups your are part of of users that are in those groups. In fact you should be able to add users to the groups that you are part of as that allows you to organize access a bit cleaner.

    We try and not give users direct access to a group as it becomes harder to manage. We give access to groups most of the time and then add/remove people from the groups.

    I agree about your point on 1, as long as it doesn't apply to admins. At all cost we have to prevent one customer from seeing another, I'd rather they see nothing then another customers information

    0
    Comment actions Permalink
  • Avatar
    Vince Varallo

    I am on build 6.2.1.70 and this doesn't appear to be working. I can still see the "everyone" group after the plugin was downloaded and installed.  Has anyone tried this on that build?

    0
    Comment actions Permalink
  • Avatar
    Ilan Shichor

    Hi Vince, have you restarted the IIS and Sisense.Repository services? 

    0
    Comment actions Permalink
  • Avatar
    Vince Varallo

    Hi Ilan, yes, i even rebooted the server and cleared my browser cache.  The "everyone" group still appears.  This worked for the previous version of 6.2.1 before the last hotfix.

    0
    Comment actions Permalink
  • Avatar
    Aaron Stronge

    Hi Gideon, first off, thank you for this plugin - it came at exactly the right time for us and filled what was going to be a security hole we were going to have a hard time getting past.  We are, however, having an issue with how it currently functions.  Our testing notes the following behavior: users can only see users that are within the same group as them (good), but they cannot see the group itself (not good).  This is a significant issue for us, because it prevents us from assigning groups of users to an ElastiCube or sharing baseline dashboards, and also potentially raises other security concerns.  At the moment we are assigning users via an admin user w/ no group affiliation, which allows us to see all users (but again not groups).  Could you take a look at this for us?    Thank you!

    0
    Comment actions Permalink
  • Avatar
    Mike van

    Any chance you could provide us with a version that also shows the groups themselves, I have to believe this will be a fairly easy change. Looked at doing it myself but its probably a bit above my head

     

    Thanks

    1
    Comment actions Permalink
  • Avatar
    Mike van

    Also, it is a bit annoying that an Admin that goes to the users and groups page in the admin section has these filters applied. So if you want to move users into groups you have to temporarily disable the plugin for it to work.

    If you are an admin or sysadmin it should not apply the plugin, it should only work for designers 

    0
    Comment actions Permalink
  • Avatar
    Nishad Amin

    @Mike, I just updated the js file to handle for admins and supers, its probably not secure, but it does the trick for us for now. See attached .js file. I recommend testing on a test environment. We are currently running v6.2.2. Just be sure to replace the extension to ".js"




    beforeshareduserssuggested.js_remove
    0
    Comment actions Permalink
  • Avatar
    geeta ramdas

    Hi Gideon,

    I am using Sisense version 6.2.5.141. And this plugin does not seem to work.

    I installed the plugin, restarted IIS, Restarted Sisense services and cleared browser cache.

    But when user belonging to group 1 logs in he is able to see users belonging to group 2. And i think the reason is that all users by default get added to Everyone group, And that group is still visible in the group list.

    Kindly let me know what am i missing. This feature is very crucial for us.

     

    Thanks

    0
    Comment actions Permalink
  • Avatar
    David Oyler

    Hi Gideon;

    We are on version 6.2.1.70, using the exclude admin version. It works fine for us, but we also need to be able to publish to groups. Any way you can add that in?

    0
    Comment actions Permalink
  • Avatar
    Mike van

    @Nishad

    Tried your change but doesn't appear to do the trick, part of the problem is that it never displays groups as options, all our publishing happens to groups versus individual logins for maintainability and they don't ever appear to show up as an option even for admins. I am hoping SiSense will come out with a robust version of this soon as it is a pr nightmare for us that very customer can see all other customers eventhough in the end they can accidentally give them access to their cube

    1
    Comment actions Permalink
  • Avatar
    Nishad Amin

    @Mike, my apologies.


    Try this one, it seems the baseRoleName object I was looking for before became private at some point. 

     

    @Sisense -- This is an updated version of the plugin, that allows Super & Admin users to see ALL users and groups.

     

     




    beforeshareduserssuggested.zip
    2
    Comment actions Permalink
  • Avatar
    Trevor Paskett

    The current version of this plugin downloaded from here:

    https://documentation.sisense.com/sharing-autocomplete-limited-current-user-group/

    Does allow super admins to see everything and shows the group + users on non-super admins.

    Tested 11/6/17 on 6.7.1.12005

    0
    Comment actions Permalink
  • Avatar
    Oxana Noa Umansky

    Thanks Trevor. I'm opening a ticket with our PS team to look into this.

    0
    Comment actions Permalink
  • Avatar
    Avi Tavdi

    Hi Trevor, im not sure i understand your question, can you please elaborate?

    0
    Comment actions Permalink
  • Avatar
    Malinda Jepsen

    We would like to see this always hide names (groups and users) and let you share with any email address/group. At the time you do the actual share, is when the user/group should be validated rather than pulling from the list. This will eliminate every user from our implementation being exposed to every user.  We also share dashboards with groups and not individuals.  We can't use groups for limiting the list of users because we don't create separate groups for our 1300+ firms (over 4,000 users).

    0
    Comment actions Permalink

Please sign in to leave a comment.