What API should I use to check if a specific user is granted a policy?
Example: I want to check if a user AB in compartment XY is granted an "instances" resource.
I tried to use IdentityClient.listPolicies(comparment), it lists all the policies in the compartment but not the effective policies for the user.
There isn't a way to do this yet. If you base your policies on group membership, it's easiest to look up what groups user AB is in.
https://docs.cloud.oracle.com/iaas/tools/oci-cli/latest/oci_cli_docs/cmdref/iam/group/list-users.html
Related
The document shows that the r_fullprofile member permission is needed to get the user's organizations field.
I can not find in the document way to get the r_fullprofile permission.
I have already created new developer application.
Question:
How to get permission to fetch user's organization data via API call.
As per my understanding, I have only seen basic and lite profile member permissions.
Currently LinkedIn provides only 3 type of products, which are given below
and the scopes are provided based on these products.
For you requirement, you can opt for the marketing developer program, which will give the permission r_organization_admin
and using this permission, you can use following endpoint to get user's organizations along with roles.
We also did similar things in our app, where we list down user's organizations and user can select them to share their posts from our app.
I am currently trying to implement a role that can just manage permission for certain namespaces.
The goal of this role is to be able to give the role view and edit to other users in namespace where the account which will have the managerrole will be in.
The problem I am facing is that I can currently give the role edit and view, but I can give those roles to the managerrole account as well. That allows him to read secrets of a namespace and I do not want that.
Furthermore, the managerrole can also delete rolebindings that are above his current permissions (e.g. managerrole can delete a rolebinding of an admin of the namespace).
Basically, I would like to restrict the managerrole so it :
Cannot give to himself the role edit (rolebinding for specific namespace)
Cannot delete rolebinding above his role (rolebinding for specific namespace - e.g. admin)
Its not possible for managerole to not have edit /view permissions for itself because it can only manage the same for others if has those permissions for itself.
for example , an administrator can only provide admin permissions to someone else if he himself has the same or more permissions.
I would like to create an Azure Active Directory Custom role with the following perimeters:
Who to assign the role to:
Either a user, or group
What access will the role have:
Default role permissions from "User Access Administrator" directory role
Scope:
The custom role would only grant access in the specified AAD Groups
(My idea is to have users with this custom role, be able to fill the roles of a User Access Administrator ONLY in the Scoped AAD Groups)
This would provide application administrators the required rights to assign application roles to the specified "Scope" AAD groups, with least privileged in Active Directory
Is it possible to scope an Azure Active Directory custom role to an AAD Group? Not assign the role to a group, but rather the custom role only grant permissions to manage the AAD Group (Assign / Remove application roles to the group... etc)?
Meaning no rights/permissions exist in AAD, except for User Access Administration of that specified "Scope" AAD Group
If so, what would the scope format be, when creating the custom role? Preferable in JSON or Powershell
There is no support today for custom roles in Azure Active Directory. Only the predefined Administrator Roles, as described in the documentation, are available for use.
You may, however take a look at the advanced self-service or delegated group management capabilities and combine them with some existing role (like User Access Adminsitrator or Application Administrator). You may also like to see the difference between Application Administrator and Cloud Application Administrator.
In persuade for least privilege access, you may find the Least Privilege Role by Task document useful. And also the Microsoft Azure AD Privileged Identity Management to control and audit privileged tasks.
Last, but not least, a preview feature - Administrative Units may be of interest to you.
To summarize it
As of today (2018-12-04), there is no option to create custom role within Azure AD. Neither to constrain given role to a specific Group (be it security or office)
I believe this is already available now? https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-custom-overview
I want some guidance as to how to go about this:
I want to have some objects in my S3 bucket by accessible only be a few users (users from my web app). I looked through the AWS docs and it seems as though I need to give each of my users AWS access keys(?).
Obviously I don't want to do this, so is there any way in my app to lock out some users and let other in? I'm using Node.JS and MySQL (to store my users) if that makes a difference.
Thanks a lot for the help.
The very simple description of the S3 access / permission scheme is...Access to S3, like most other AWS resources is based on IAM-centric access controls. So, you can either grant access to your S3 buckets by either granting users access to it (setting it on S3) or granting S3 access to a user (setting it in IAM as a policy). So, whatever or whomever is accessing S3 must be authenticated to AWS. Again, that is a very high-level description and meant to simply point out that access is based on user/role authentication.
Now, assuming your web-app is running on AWS (EC2?), than your EC2 instance has been (hopefully) assigned an IAM role. Once that IAM Role has been assigned the permissions to do so, the application running on the EC2 instance can now access any AWS resource via that Role.
But, you don't want ALL of your webapp users to access S3, so my two thoughts are:
1) Check the users credentials within your app (assuming the user needs to authenticate somehow with your application) and make the determination of whether or not to call S3 based on the users credentials. You would then use the IAM Role assigned to the EC2 instance (an EC2 instance can only have 1 IAM Role assigned to it) and access S3 or not.
This second idea is a pretty bad one and smells bad to me. I'm pointing it out merely as a possibility and to highlight how the use of IAM Users / Roles works.
2) This suggestion would not utilize the IAM Role assigned to the EC2 instance, though I would always advocate for assigning a Role to the instance, you can always lock down that role and deny access to all AWS resources, but you can't add a role to the instance after launched.
Have two IAM Users (S3Granted and S3Denied, each of which obviously have appropriate policies for accessing S3). Each user of your webapp (e.g. Hillary Clinton, Donald Trump, Bernie Sanders and Ted Cruz) would then each map to one of the two IAM Users based on whether or not they should have access to S3. This would be a field in your MySQL database. You wouldn't bother checking the credentials up-front (because then you would just be performing Option #1 and would proceed with the S3 call regardless of the user and S3 will either grant or deny access based on the IAM User account your webapp user is associated with. You technically wouldn't need the S3Denied User (you could just have no user), but I figured it would be cleaner to specify the IAM User.
e.g.:
WebAppUser/Bernie Sanders --> IAMUser/S3Granted
WebAppUser/Hillary Clinton --> IAMUser/S3Denied
WebAppUser/Ted Cruz --> IAMUser/S3Granted
WebAppUser/Donald Trump --> IAMUser/S3Denied
For Option #2, you would then need to store the Access keys for both IAM Users m(S3Granted and S3Denied) somewhere so that you could properly authenticate.
Also, you would need to do a bit of exception handling so that you could properly notify your users that they have been denied access.
Overall, #2 is just a bad idea. It would be much cleaner if you simply had a field in your MySQL database that specified whether or not they can access S3 and either make the S3 call via the IAM Role or refuse to do so within your webapp. Don't leave it to S3 to grant or deny access.
We're developing a web app using the Zend framework and Mysql.
Currently, accounts are unique by email address. We want to be able to allow the admin of an account to grant access to the admin of another account. This person would then be a "user" of the linked account. The account holder would then log into their admin account and then select which linked account they want to access.
Please note: the access should only be one way. Account 1, who grants access to Account 2, should not be able to access account 2. Only account 2 can access account 1. If Account 1 wanted access to account 2, account 2 would then have to grant access to account 1.
What is the best method of going about this?
I think trying to tie permissions to accounts is your problem, you need to add a second 'layer'. Let's stick with Google Analytics as the example:
Let's say Joe Bloggs wants to use Google Analytics. He first has to create a Google account (assuming he doesn't already have one). He then creates a Google Analytics account for his site. Say Joe then wants to give access to Jane Smith, let's assume she already has a Google account. To give her access all he is doing is giving her Google account access to his site, he's not giving her access to his Google account.
Zend_Acl is role based so let's try and apply ZF concepts to this example. The user management screens in GA allow you to give users either "View reports only" access, or "Account administrator". So you'd define a role in Zend_Acl for each of these access levels:
$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('guest'));
$acl->addRole(new Zend_Acl_Role('admin'), 'guest');
the second parameter on addRole means the role should inherit all permissions from the other role specified. So what I've done above is define two roles: guest and admin; and said admin should inherit all permissions that guest has.
You then have your 'resources', which are the things that can be accessed. So we'll define one for reports, and one for user management:
$acl->add(new Zend_Acl_Resource('reports'));
$acl->add(new Zend_Acl_Resource('users'));
we'll then give 'guest' access to reports, and 'admin' access to users:
$acl->allow('guest', 'reports');
$acl->allow('admin', 'users');
then in the relevant controllers (or plugin, or wherever) you can check permissions:
public function reportsAction()
{
[...]
// assume $role contains the role of the currently logged in user
if (!$acl->isAllowed($role, 'reports')) {
// show a permissions error
}
}
public function usersAction()
{
[...]
if (!$acl->isAllowed($role, 'users')) {
// permissions error
}
}
As far as storing this in MySQL goes, you just need a lookup table that links users, sites (in this example) and roles:
userID | siteID | role
1 1 admin
2 1 guest