I am currently trying to implement a role that can just manage permission for certain namespaces.
The goal of this role is to be able to give the roles view and edit to other users in the namespaces where the account that will hold the managerrole is.
The problem I am facing is that I can currently give the roles edit and view, but I can give those roles to the managerrole account as well. That allows it to read the secrets of a namespace, and I do not want that.
Furthermore, the managerrole can also delete rolebindings that are above his current permissions (e.g. managerrole can delete a rolebinding of an admin of the namespace).
Basically, I would like to restrict the managerrole so it:
Cannot give to himself the role edit (rolebinding for specific namespace)
Cannot delete rolebinding above his role (rolebinding for specific namespace - e.g. admin)
It's not possible for the managerrole to not have edit/view permissions for itself, because it can only manage the same for others if it has those permissions for itself.
For example, an administrator can only provide admin permissions to someone else if he himself has the same or more permissions.
Related
Is there a way to create RBAC roles in such a way that they only allow a user to create a project and be admin for that project?
I cannot create a cluster-admin role restricted to a project, as we don't know what project it will be.
The use case is that a user should be able to create a project and be admin of only his project.
It's not possible to create an RBAC policy that will let them create a specific project. We handle this by having an onboarding system that permits people to request projects through a github pull request; when we approve the PR, our tooling creates the project and then sets up the requester as a project admin by creating per-project groups and rolebindings.
Have you looked at the self-provisioner role? I think this is what you are looking for.
That allows users to create projects. In that project they will then have local admin rights, except to modify quotas. Note that they actually have to use new-project to do this; they still can't just randomly create namespaces. (This is one of the reasons projects exist.)
Look at the docs for RBAC, including self-provisioner and differences between admin and cluster-admin.
Also see the section of project creation including how you template out the new projects.
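An added check for the first question above (not from the question or the answers): given the RoleBindings of a namespace as kubectl returns them, it flags bindings through which the manager account granted itself edit or admin, lists the bindings that outrank the manager, and builds a delete rule pinned by resourceNames so the manager can only remove bindings at or below its own level. The namespace, binding names and the manager service account are constructed for the example.

```python
"""Audit a namespace's RoleBindings for the two issues raised above.
Added example, not from the question or answers: the items of
`kubectl get rolebindings -n team-a -o json` are constructed inline."""

ROLE_LEVEL = {"view": 1, "edit": 2, "admin": 3}   # built-in ClusterRoles, low to high

# constructed sample in the shape of the `items` list returned by kubectl
SAMPLE_BINDINGS = [
    {"metadata": {"name": "manager-edit", "namespace": "team-a"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "ServiceAccount", "name": "manager", "namespace": "team-a"}]},
    {"metadata": {"name": "alice-view", "namespace": "team-a"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"metadata": {"name": "bob-admin", "namespace": "team-a"},
     "roleRef": {"kind": "ClusterRole", "name": "admin"},
     "subjects": [{"kind": "User", "name": "bob"}]},
]

MANAGER = {"kind": "ServiceAccount", "name": "manager", "namespace": "team-a"}  # constructed

def _same_subject(a, b):
    return (a["kind"], a["name"], a.get("namespace")) == (b["kind"], b["name"], b.get("namespace"))

def _level(binding):
    # unknown or custom roles rank above admin so they are never silently allowed
    return ROLE_LEVEL.get(binding["roleRef"]["name"], max(ROLE_LEVEL.values()) + 1)

def self_grants(bindings, manager, forbidden=("edit", "admin")):
    """Names of bindings through which `manager` was given a forbidden role."""
    return [b["metadata"]["name"] for b in bindings
            if b["roleRef"]["name"] in forbidden
            and any(_same_subject(s, manager) for s in b.get("subjects", []))]

def bindings_above(bindings, level):
    """Bindings that outrank `level`; the manager must not be able to delete these."""
    return [b["metadata"]["name"] for b in bindings if _level(b) > ROLE_LEVEL[level]]

def delete_rule(bindings, level):
    """RBAC rule letting the manager delete only bindings at or below `level`.
    resourceNames is static: regenerate the rule whenever bindings are added."""
    allowed = sorted(b["metadata"]["name"] for b in bindings if _level(b) <= ROLE_LEVEL[level])
    return {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["rolebindings"],
            "verbs": ["delete"], "resourceNames": allowed}
```

Feed the output of `kubectl get rolebindings -n <namespace> -o json` (its `items` list) to these functions instead of the sample; the rule from `delete_rule` replaces an unrestricted `delete` verb in the manager's Role.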
I would like to create an Azure Active Directory Custom role with the following perimeters:
Who to assign the role to:
Either a user, or group
What access will the role have:
Default role permissions from "User Access Administrator" directory role
Scope:
The custom role would only grant access in the specified AAD Groups
(My idea is to have users with this custom role, be able to fill the roles of a User Access Administrator ONLY in the Scoped AAD Groups)
This would provide application administrators the required rights to assign application roles to the specified "Scope" AAD groups, with least privilege in Active Directory.
Is it possible to scope an Azure Active Directory custom role to an AAD Group? Not assign the role to a group, but rather the custom role only grant permissions to manage the AAD Group (Assign / Remove application roles to the group... etc)?
Meaning no rights/permissions exist in AAD, except for User Access Administration of that specified "Scope" AAD Group
If so, what would the scope format be when creating the custom role? Preferably in JSON or PowerShell.
There is no support today for custom roles in Azure Active Directory. Only the predefined Administrator Roles, as described in the documentation, are available for use.
You may, however, take a look at the advanced self-service or delegated group management capabilities and combine them with some existing role (like User Access Administrator or Application Administrator). You may also like to see the difference between Application Administrator and Cloud Application Administrator.
In pursuit of least privilege access, you may find the Least Privilege Role by Task document useful, and also Microsoft Azure AD Privileged Identity Management to control and audit privileged tasks.
Last, but not least, a preview feature - Administrative Units may be of interest to you.
To summarize it:
As of today (2018-12-04), there is no option to create a custom role within Azure AD, nor to constrain a given role to a specific group (be it security or Office).
I believe this is already available now? https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-custom-overview
I searched a lot about mandatory access control lists and I did not find useful information about how to apply MACL in Documentum. I need to know the steps and how to configure it.
I already have Documentum CS 7.3 with the TCS license enabled, and I tested it by applying an e-signature to a PDF document.
MACL allows you to dynamically apply ACLs to objects depending on specific conditions.
Example 1:
Software developers are assigned read permission on documentation documents
Team Leads are assigned write permission on documentation documents.
Project Managers are assigned delete permission on documentation documents.
Example 2:
While users are located in the US, users are assigned write permission on documents under the US cabinet and read permission on documents under all other cabinets, e.g. UK, Egypt, UAE.
If users log in from another network location, like the UK, users are assigned write permission on documents from the UK cabinet and *read permission* on documents under all other cabinets.
I found the answer to my question by using the Required Group and Required Group Set, where you can give some users some permissions and apply them only if they are members of a specific group.
Required Groups
(Users/Groups must be a member of all listed groups to access this item)
Required Groups List
(Users/Groups must be a member of at least one of the listed groups to access this item)
I found an issue with EMC's documentation:
It states that in order to benefit from Trusted Content Services capabilities you must have the TCS license installed. But practically, whether you installed the TCS license or not, you can create dynamic ACLs and benefit from the group membership restriction. (Practically TCS is not required; the case was tested, and there is misleading information about dynamic ACL usage and implementation. No scenario is provided.)
Sorry, but from your question one could assume that there is something called a mandatory ACL within the Documentum platform. However, there isn't, AFAIK.
There are several ways with which you can dynamically apply an ACL, or, in the terminology of the Documentum platform, a permission set.
Based on repository configurable parameter:
inherit from object type
inherit from user who created object
inherit from parent folder
If this doesn't fit you, you can write TBO (Type Based Object) code which acts as a trigger and runs your custom logic.
There are other ways to achieve what you want but you need to be more specific about your requirement.
If your client is D2, you can utilize the dynamic permission model based on document attributes. This way you can achieve what you are asking for.
Is it possible to retrieve the list of users in a Google Apps Domain with a non-admin account?
Non-admin users can call users.list(viewType=domain_public) which offers the same amount of details that the users see in the domain contacts directory.
Depends on what you think an admin account is.
Long ago the user roles were just "regular" and "admin". Now you can choose from a fine-grained set of permissions and define a role name for them. "Superadmin" is now a built-in role that has every permission possible.
So, if you define a role which can retrieve the user list and assign it to a user I wouldn't call it an admin account.
You need to be a true admin to do that, though :)
As a complement to the other (excellent) answer, what I do in our domain is to create a full list of domain users in a spreadsheet with all necessary information and run a script every night that updates the spreadsheet automatically. When I make a change (add or remove a user) I can run the script manually to avoid temporary differences.
This script runs as "me" but any domain user has access to the list (I invite them to this shared doc when I create their account so it shows up in their drive/shared with me folder). With this solution I don't need to give special rights to any users.
The new version 2 API introduces methods to access permissions. Apps can create, delete, modify and read one permission, but why doesn't the get method return the value property, which limits what apps can do with permissions? The JavaScript embeddable sharing component is a solution for some use cases, but not for all.
The value property is omitted in order to preserve privacy. A user that can read the permissions on a file should not be able to see the email addresses of all the other users with permissions.
You should use the permission id, which can be found with the about method as the about resource, and is:
The current user's ID as visible in the permissions collection.