I would like to create an Azure Active Directory Custom role with the following perimeters:
Who to assign the role to:
Either a user, or group
What access will the role have:
Default role permissions from "User Access Administrator" directory role
Scope:
The custom role would only grant access in the specified AAD Groups
(My idea is to have users with this custom role, be able to fill the roles of a User Access Administrator ONLY in the Scoped AAD Groups)
This would provide application administrators the required rights to assign application roles to the specified "Scope" AAD groups, with least privileged in Active Directory
Is it possible to scope an Azure Active Directory custom role to an AAD Group? Not assign the role to a group, but rather the custom role only grant permissions to manage the AAD Group (Assign / Remove application roles to the group... etc)?
Meaning no rights/permissions exist in AAD, except for User Access Administration of that specified "Scope" AAD Group
If so, what would the scope format be, when creating the custom role? Preferable in JSON or Powershell
There is no support today for custom roles in Azure Active Directory. Only the predefined Administrator Roles, as described in the documentation, are available for use.
You may, however take a look at the advanced self-service or delegated group management capabilities and combine them with some existing role (like User Access Adminsitrator or Application Administrator). You may also like to see the difference between Application Administrator and Cloud Application Administrator.
In persuade for least privilege access, you may find the Least Privilege Role by Task document useful. And also the Microsoft Azure AD Privileged Identity Management to control and audit privileged tasks.
Last, but not least, a preview feature - Administrative Units may be of interest to you.
To summarize it
As of today (2018-12-04), there is no option to create custom role within Azure AD. Neither to constrain given role to a specific Group (be it security or office)
I believe this is already available now? https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-custom-overview
Related
I would like to create an Azure customised role (in JSON format) with Global Admin perms but with a limitation to creating resources. Anyone can help with that?
(or a more relevant built-in Azure role?)
Much appreciated!
Not an expert of Azure/JSON
By default, global-administrator built-in role won't assign RBAC roles to Azure resources. You can see the same mentioned here.
Azure AD and Azure resources are secured independently from one another. That is, Azure AD role assignments do not grant access to Azure resources, and Azure role assignments do not grant access to Azure AD.
If you just want the role not to create resources, you would need to clone all perms of global administrator & Owner roles & individually exclude create actions like Microsoft.Compute/*/create, Microsoft.Storage/*/read etc., in notActions list
I like to have User-A can contribute to the API-A but doesn't have access to the API-B.
When I look at the Azure APIM Built-in roles (link below) I am noticing that the API Management Service Contributor role is defined for all APIs.
Is it possible to to define a "Service Contributor" role per API as opposed with all APIS?
If not, is there any other technique that help me to achieve the same goal
AFAIK, you can restrict the user to specific set of APIs.
1) Through Product Level where you can add the APIs and allow all APIS to the specific set of users by keeping the Scope level to Product for the users.
Created 2 different APIs in APIM Instance like the below:
Open the New APIM Developer Portal after adding the APIs and publish the APIM instance > Portal Overview under Developer Portal.
In APIM Instance > Products > Added new product "Dotnet6FunctionAPIs" - Added the Net 6 Function App APIs > Checked the options "Requires Subscription", "Requires approval" and then published the product.
4. In APIM Instance > Users - created a user and in Products > Dotnet6FunctionAPIs Product > Access control > Allowed the access to Developers group.
Login to the developer portal with the new user login credentials https://<apiminstance_name>.portal.azure-api.net/ > Products > Dotnet6FunctionAPIs product > Click on Subscribe.
Here the Admin can approve the access of that product APIs to the user and can cancel the subscription whenever admin wants to.
After Subscription approval, the user can test the API present in the product.
If you observe here, I have allowed the users (under Developer group) to the product "Dotnet6FunctionAPIs" that contains specific APIs added to it.
This is one of the ways to restrict users from not accessing the other APIs by adding only specific APIs to the product and giving that product access to the users.
Updated Answer:
As Markus told, there are 3 built-in roles in APIM. API Management Service Contributor is for CRUD access to Complete APIM Instance (all APIS & Operations) and cannot be restricted to specific APIs.
I have seen the permissions given to API Management Service Contributor built-in role. Among those permissions, I believe we need to modify at API Policy Level which is
Write (Access) - Set API policy configuration (Permissions) - Creates or updates policy configuration for the API.
Is there a way to create RBAC roles in such a way that only provides a user to create a project and be admin for that project?
I cannot create cluster-admin role restricted for a project as we dont know what project it can be.
The usecase is , a user should be able to create a project and be admin to only his project
It's not possible to create an RBAC policy that will let them create a specific project. We handle this by having an onboarding system that permits people to request projects through a github pull request; when we approve the PR, our tooling creates the project and then sets up the requester as a project admin by creating per-project groups and rolebindings.
Have you looked at the self-provisioner role? I think this is what you are looking for.
That allows user to create projects. In that project they will then have local admin rights, except to modify quotas. Note that they actually have to use new-project to do this, they still can't just randomly create namespaces. (This is one of the reasons projects exist.)
Look at the docs for RBAC, including self-provisioner and differences between admin and cluster-admin.
Also see the section of project creation including how you template out the new projects.
I searched a lot about mandatory access control lists and i did not find useful information about how to apply macl in documentum. i need to know the steps and how to configure.
I already had Documentum CS 7.3 with TCS license enabled and i tested it by applying esignature on pdf document
macl allows you to dynamically apply acl to objects depending on specific conditions.
Example 1:
Software developers are assigned read permission on documentation documents
Team Leads are assigned write permission on documentation documents.
Project Managers are assigned delete permission on documentation documents.
Example 2:
while Users are located in US
users are assigned a write permission on documents under US cabinet and read permission on documents under all other cabinets e.g: UK, Egypt, UAE.
If Users logged in from another network location like UK
Users are assigned write permission on documents from UK cabinet and * read permission * on documents under all other cabinets.
I found The answer to my question by using:
the Required Group, and Required Group sets
where you can give some users some permissions and apply it only if they are members of a specific group only.
Required Groups
(Users/Groups must be a member of all listed groups to access this item)
Required Groups List
(Users/Groups must be a member of at least one of the listed groups to access this item)
I found an issue with EMC's documentation documents:
It states that in order to benefit from Trusted Content services Capabilities you must have TCS license installed. but, practically whether you installed the TCS license or not you can create dynamic ACLs and benefit from the group membership restriction. (practically TCS is not required "case was Tested", and there is misleading information about Dynamic ACLs usage and implementation) no scenario is provided
Sorry, but from your question one could assume that there is something called mandatory ACL within Documetnum platform. However there isn't - AFAIK.
There are several ways with which you can dynamically apply ACL or in terminology of Documentnum platform permission set.
Based on repository configurable parameter:
inherit from object type
inherit from user who created object
inherit from parent folder
If this doesn't fits you you can write TBO (Type Based Object) code which acts as trigger and runs your custom logic.
There are other ways to achieve what you want but you need to be more specific about your requirement.
If your client is D2, you can utilize the dynamic permission model based on documents attributes. This way you can achieve what you are asking for.
What exactly is possible using the "manage an enterprise" scope in an application?
I have a client asking if it's possible for an app to access the event feed (and the corresponding files) for an ENTIRE account without a single user needing to have access to every file in the account. Would enabling the "manage an enterprise" scope grant an app this kind of access/functionality?
This is our fault for not providing enough detail. 'Manage an Enterprise' provides access to all of the methods available under the users endpoint as well as admin_logs.
Note that while this scope enables access to these capabilities, only certain user types (i.e. admin, coadmin) have these capabilities.