Multiple organizations - Fetching the details and modifying a user in another organization

Imported Google Group message. Import Date: 2016-01-19 21:10:51 +0000.
Sender: Miii Eeee.
Date: Tuesday, 28 April 2015 10:36:14 UTC+1.

Hi,

I would like to have a multiorganization set up.

Originally I created the first organization and user using the command line:

$ ./tyk-analytics --neworg --newuser

Then I created a new organization and a new user in that organization with the following calls:

curl -v -X POST -H 'admin-auth: xxxxxxx' -d '{"owner_name":"anotherorg"}' http://localhost:3000/admin/organisations

curl -v -X POST -H 'admin-auth: xxxxxxx' -d '{"first_name":"tom", "last_name":"clark", "email_address": "[email protected]", "org_id": "553e68e53779d15741000001"}' http://localhost:3000/admin/users

My problem now is the following: I don’t know how to modify or see the details of that user.

If I go to the dashboard, I do not see anything related to organizations, and in users, only the users that are in the organization that I initially created seem to appear. If I make any calls to /api/users with the access key of one of those users, I can only perform actions on the users in that organization and not in other organizations. On top of that, the admin API does not have a method to fetch all the existing users. I tried

curl -v -X GET -H 'admin-auth: xxxxxxx' http://localhost:3000/admin/users

and I get “Not found”.

Could you please help me understand how I can get the details and update the user that I created in that second organization?

Thanks,

M

Imported Google Group message.
Sender: Martin Buhr.
Date: Tuesday, 28 April 2015 10:56:44 UTC+1.

Hi,

Yes, I see the trouble. The way the dashboard handles “super user access” is by creating a user that is not tied to an Org ID, so my recommendation would be this:

1. Run ./tyk-analytics --newuser
2. Call the user something like “super”
3. When it comes to assigning the user to an org, select None
4. Log in with that user and refresh their API token
5. Now use this API token to query GET /api/users (or use the dash), and you will see everyone.

Users that have no OrgId assigned have visibility over pretty much everything. You will still need to use the reserved /admin/* APIs and secret to create users and new organisations, but this global super user will have visibility across everything. It’s mentioned in the security hierarchy document as a special case.

You’ve exposed a little hole in the advanced API, in that you don’t get the API key for the created user; otherwise you could use that to query the users table and see the users for that organisation. It’s something we can add in future. Want to raise a GitHub ticket?

Let me know if that works.

Thanks,
Martin
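
An added example (not part of the thread and not Tyk's own code): once the org-less super user exists, its GET /api/users listing can be audited to show which users sit in which organisation and which accounts have no org and therefore see everything. The `authorization` header name and the `users` wrapper in the response are assumptions; the field names come from the POST body in the question, and the sample listing is constructed.

```python
import json
import urllib.request
from collections import defaultdict

# Assumptions (not stated in the thread): the token goes in an "authorization"
# header and the listing is wrapped in a "users" array.
DASHBOARD = "http://localhost:3000"


def fetch_users(api_token, base_url=DASHBOARD):
    """GET /api/users using the org-less super user's refreshed API token."""
    req = urllib.request.Request(
        base_url + "/api/users", headers={"authorization": api_token}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def audit_users(listing):
    """Group e-mail addresses by org_id; list accounts that have no org."""
    by_org = defaultdict(list)
    global_users = []
    for user in listing.get("users", []):
        email = user.get("email_address", "<no email>")
        org_id = (user.get("org_id") or "").strip()
        if org_id:
            by_org[org_id].append(email)
        else:
            # No org_id: this account can see users of every organisation.
            global_users.append(email)
    return dict(by_org), sorted(global_users)


# Constructed sample listing: e-mails and the first org id are made up,
# the second org id is the one used in the question.
SAMPLE = {"users": [
    {"email_address": "alice@example.com", "org_id": "000000000000000000000001"},
    {"email_address": "tom@example.com", "org_id": "553e68e53779d15741000001"},
    {"email_address": "super@example.com", "org_id": ""},
    {"email_address": "old-admin@example.com"},  # field missing entirely
]}

if __name__ == "__main__":
    # Replace SAMPLE with fetch_users("<super user API token>") on a live dashboard.
    by_org, global_users = audit_users(SAMPLE)
    for org_id, emails in sorted(by_org.items()):
        print(org_id, emails)
    print("no org (cross-organisation visibility):", global_users)
```

Any account reported in the last line holds the cross-organisation visibility described above, so its API token should be protected and rotated like the admin secret.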
