package domain, role and user on sitecore - sitecore

I am new to sitecore.
I have a question regarding packaging Domain and Roles on sitecore (we are using sitecore 6.3.1).
I am packaging content from our dev box to stage and I would like to transfer the Domain, Roles and user created on dev to stage.
The package designer shows a button called 'Security Accounts'. I added the specific user \ who belong to the specific domain and role.
On installing the package to stage site, it throws an error 'blah domain not found, cannot create user'.
So the question is, do i have to create a domain manually on the stage server before I install the user? or is there a way where I can copy the domain and roles to create the user?
Help much appreciated.

If your target solution doesn't have the domain the user lives in, you'll have to create it manually. However, the roles can be transferred via package the same way as users. If the user A is in role B, and you don't add role B to the package, there should not be any error - simply the user A won't be a member of the role B on target environment.

I have discovered that the domains are stored in /App_Config/Security/Domains.config and you can migrate between installations simply by copying or editing this file.
Or you can create the domains manually via the Security Domain tool.
Either way the domain must exist before you can install a package with users or roles.

I would think the answer Yan comes with would work with domains.
But you might need to have the Domain(s) in a package which you install first, or have it as the first "part" of your package, so it gets installed first.


Sitecore domains and roles

I want to add couple Sitecore domains and roles and have an ability to store these settings in our solution to share with other teammates. We use TDS to save Sitecore items into our solution usually, but I don't know how to save domains and roles.
Just for test: I added a domain and a role for that domain. I found that new role in the usual membership table in Core DB and a new domain in the special config file ..\Website\App_Config\Security\Domains.config.
I can see only one way at the moment: use this config file to share with other teammates(or create some patch file) and use serialize/deserialize feature for Roles(..\Data\serialization\security\sitecore\Roles).
Does somebody know any other way to solve this task? it might be that Sitecore stores Roles as usual Sitecore items somewhere in Code DB as well, however I didn't mange to find this folder in the tree.
Thank you in advance for the help.
Your config solution for domains is correct.
For roles, TDS does support the ability to sync them since version 5.1. You must enable this in the project properties under the General tab first. This adds a new node under your TDS project called Sitecore Roles that produces a different context menu with a Sync Sitecore Roles option.
You can use Sitecore packages to move security accounts. In Sitecore package, you have the option to add security accounts. You can refer to this article about moving the Sitecore users and roles.
But remember you need to migrate passwords after installing the package. As all of the transferred users will have their passwords set either to a random value (when using Sitecore packages), or to the default value "b" (when using serialization). Please refer to for transferring passwords.

Azure AD multitenant permissions

I have an Azure webapp that's managing it's users via Azure AD. I want the users to be able to register in my Azure AD directory to create an account (self-service), so I gave the app read-write access to the directory and setup a page using the Graph API to create the users.
Until here, everything is great. But the problem I have now is that I want to enable multi tenancy, so users of external AD directories can login to my app. This works, but I need to login as an administrator for the account because it also asks read-write access to their directory.
Is there a way to fix this? I only want read-write access to my directory to be able to create user accounts. I don't want to ask permission to touch their directory because, most probably, they wouldn't trust my app.
I found a quick and dirty solution: Add another app to the Active Directory. This app should be single tenant and have only permission to read and write the active directory. We can the use this app's credentials to access the Graph API and the other app's credentials to authenticate users.
I wait to see if someone has a better solution for this scenario...
sorry for the late response here. In general, an operation to create objects in a directory (like users) requires admin permissions. Also it looks like the web app you are creating uses app-only permissions, which definitely requires admin consent. In the multi-tenant case, the admin of the consenting tenant must be the one to consent to this type of app - only someone in this role really has the authority to grant consent for this level of access.
Hope the helps,
No need to use a secondary app in lieu of the authentication role - - there may be some peculiar side effects on the authenticating user anyway such as extraneous / incomplete logging, role inconsistencies, and missing system / internal references.
What are you using for login credentials for your app (TenantID etc.)?
AD is very strict in credential management, so I would go back to the app structure.
At the query level, you could make all tables entirely separate per tenant with no shared table data and include a multitenant identifier column so no one can sql inject if you were sure to include the multitenant identifier as an explicit variable.
Then in an entity model, you could inherit a multitenant interface for everyone which referred back to the tenant identifiers (as a part of EF).
This way the burden is isolated to OAuth or other libraries on top of that to take care of the third-party authentication.

create permissions for web application module in wso2

I am using WSO2 application server to deploy my web application. There is User and Role management section in carbon products to manage roles and users in connected user store and use them for authorization purpose.
I want to create similar permission model for the access control of various modules in my web application deployed on WSO2. Also I want to assign these custom permissions to the role of connected userstore (where RDBMS or LDAP).
Please help me in this regard.
You can use the existing permission model for this. If you check the "Users and Roles" menu, you will see the permissions attached to each role. You can create your own role, and assign permissions to that according to your need. For the webapps, There are different level permissions are defined;
configure etc..

Sitecore Access rights for a custom role not behaving as i expected

I am having trouble with setting the secutrity rights for the Media Library of one of our customers. For the "Sitecore Client Authoring" role I have specifed that it has only read access for the entire Media Library. I needed to "unprotect" items to do this but the Access Viewer tells I have succeeded.
Subsequently I wanted to specify access rights for a custom role. That custom role is a member of the following roles:
sitecore\Sitecore Client Forms Author
sitecore\Sitecore Client AccountManaging
sitecore\Sitecore ClientAuthoring
sitecore\Sitecore Marketeer Form Author
The problem is that the Access Viewer keeps telling me (when I look at the access rights for that custom role) that my custom role has write rights on Directory A because the sitecore\Sitecore Client Authoring account has been granted the 'item:write' access right for the '/sitecore/media library' item. When I look at the sitecore\Sitecore Client Authoring role in the Access Viewer the system tells me a different story. There the sitecore\Sitecore Client Authoring role only has read rights.
This is the basic structure of the Media Library for this customer.
Media Library
Directory A
Directory B
Directory C
Directory A'
Directory B'
Directory C'
Any idea why the write access rights are granted to my custom role?
You could also try to reset the cache(/sitecore/admin/cache.aspx). If it's the 6.X issue, the access result is not resetted in time, so the wrong result keeps available in the cache.
Try iisreset and take a look at Access Viewer again. Does it reflect the situation correctly now?
It seems there was an issue in some older versions of SC 6.X.

Meteor Github authorization

I am using the meteor accounts-github module to handle my authentication/account creation in my application.
I want to ensure that any new user who attempts to sign into the application is a member of a particular Github organisation. I also want to verify this not just when the user is first created, but on every sign in. If the user has been removed from this Github organisation then they should not be able to sign in to my application.
Essentially, I am adding some admin functionality to a website, and I only want Github users who are members of a particular organisation to be allowed to sign in and perform this admin functionality (such as update some basic content).
Is there a way to perform this Github API call on every user creation and sign in event?
you will need to customize the authentication a bit, checkout my project:
I implemented it so that only github account is accepted.