I'm using an RHEL7 image.
The GCE docs say that the cloud console can be used to manage (Linux OS) user accounts, including (Linux OS) group membership:
https://cloud.google.com/compute/docs/access/user-accounts/#create_a_new_user_account
However, the instructions start with:
Go to the User Accounts page.
https://console.cloud.google.com/iam-admin/useraccounts/
That link to the User Accounts page will require you to select a project. Once selected, the resulting page is not the User Accounts page - it's the project's overall Dashboard page. If you enter into the search bar at the top of the Dashboard page [user accounts] and then click the offered item [User accounts] (subtitled IAM & Admin), the resulting page just says "(!) Failed to load".
This feature requires whitelist at this point:
"This is a Beta release of User Accounts. This feature might be changed in backward-incompatible ways and is not recommended for production use. It is not subject to any SLA or deprecation policy. Request to be whitelisted to use this feature".
Related
I'm writing a Playwright test that starts with a Google Auth0 login. After I fill my test user and password in the UI (google login), in Firefox and Webkit the authentication passes successfully, while, on Chromium, I'm getting the Verify it's you message (with a "send sms" message).
The account does not have 2 steps authentication.
When it happened locally, I opened the browser in headful mode, and after few clicks (which I assume "told" the browser that I'm a real user) the problem disappeared (I can now run my tests in headless mode locally). But, it still happens on CI (GitHub)
I run the test with chromium flags: --disable-dev-shm-usage and --disable-web-security.
I couldn't find any data about it anywhere...
When Google determines that a user is logging in from an unknown device or a new location, they may prompt the user with an additional login challenge.
The login challenge that the user receives depends on the information that associated with the account.
Does the prompt say "Enter a phone number to get a text message" or something else like "This device isn't recognized..."
If the former I believe you can circumvent this extra prompt by having a phone number linked to the Google account in question. If the latter I believe the prompt is once per user per device.
My understanding it is basically Google trying to get a valid phone number for the account (to prevent spam etc).
-- Edit
The only other thing I can think of is that you can temporarily turn off the verify-it's-you challenge, for 10 mins, but only if the account is a member of a Google Workspace or Cloud Identity service. I am not sure this is possible for an unmanaged account - or how useful it would be. The other issue is that for "free services" Google doesn't really offer any kind of support.
Anyhow, you might try "Temporarily turn off login challenges for a user" -
https://support.google.com/a/answer/12077697
There is also so good information on this verify-it's-you challenge here.
https://workspaceupdates.googleblog.com/2018/04/more-secure-sign-in-chrome.html
It has some notes on disabling the challenge per organization via response headers, but again this is for an organization and managed accounts.
If you wish to disable the new screen for your organization, you can
use the X-GoogApps-AllowedDomains HTTP header to identify specific
domains whose users can access Google services. Users in those domains
won’t see this additional screen, as we assume those accounts are
trusted by your users. This header can be set in Chrome via the
AllowedDomainsForApps group policy.
When I log in with an account which does not belong to the expected domain, this message is shown (which is correct).
I think this message is kind of ugly and not understandable for a non-developer person. Is there a way to modify this message in the Google Cloud Console or inside the OAuth code? I would like to display for example:
The email you used does not belong to the happy.com domain.
I fount this Feature Request In the Public Issue Tracker, and there they suggest to follow the steps of Customize the rejected-app message. Basically it mentions:
Your current account, user#domain.com, doesn't have permission to do these steps. To continue, switch to an administrator account. This will open the Google Admin console.
Switch to administrator account now or Learn more
From the Admin console Home page, go to "" and then Security and then API controls.
Under App access control, go to the Settings section.
Type your custom text in the box under the following message: Show this message if a user tries to use an app that can’t access restricted Google services.
Click SAVE.
If this doesn't make it, I would recommend you to comment on that FR in which they mentioned:
I have filed this feature request internally.
You might also want to ‘star’ the FR to ensure that you receive updates about it. You can also adjust notification settings by clicking the gear icon in the top right corner and selecting settings.
I have followed the instructions on this page to add the ability to sign up / log in to my application using a Microsoft Account. Personal accounts seem to work fine, but organizational IDs do not. And if I type in an email address that is both an organizational ID as well as a personal account, at no point am I prompted to choose "Work or school account" vs. "Personal account". When I use the same email to log into Azure, I am prompted to pick one.
The configuration instructions talk specifically about enabling "Accounts in any organizational directory and personal Microsoft accounts (e.g. Skype, Xbox, Outlook.com)." and I have confirmed that this option is set properly in my registered application.
Is there something else I need to do to enable sign up and log in with organizational IDs in my AADB2C application?
Although you registered an app with the type is Accounts in any organizational directory and personal Microsoft accounts (e.g. Skype, Xbox, Outlook.com), it doesn't mean you have enabled sign-in for users from an Azure Active Directory (Azure AD) organization.
The configuration in this article is only for MSA. You define the account as a claims provider that Azure AD B2C can communicate with through an endpoint by adding a claims provider.
If you want to enable sign-in for Azure AD users, you should define Azure AD as a claims provider.
You should finish the configuration on this page.
I am trying to get security on Reporting services set up. I have installed reporting services with all the defaults and I was able to create and publish a report. Using the link [http://server/reports] I was able to view that report. Bearing in mind that i am in the domain administrators group.
I then asked a non domain admin user to review the report but they got the message: • The permissions granted to user 'DOMAIN_ABC\username' are insufficient for performing this operation. (rsAccessDenied)
It then dawned on me that I would need to set up security by assigning the 'Browser' role to DOMAIN_ABC\Domain Users.
At that point I realized that I had no way of interfacing with the security side of things as none of the Home, My Subscriptions, Site Settings tabs were displaying (as is the case with a 2005 RS deployment we have). Thus began my search for how to get the 'admin' view into the environment to enable security and access. I have thus far been unsuccessful so far, I have tried running IE as the 'Administrator', added the server to my 'Trusted' sites list. Checked the RS config file, set the Service Account to 'Local Service' but still no joy. Does anyone know what I may try?
Thanks in Advance,
Jonathan
You can not view the admin settings unless u got that permission.
Only Report manager administrator can create roles and users from report manager url [http://localhost/Reports/] then go to site settings ----> security,----> new role assignment.
If the user in system Administration group then only he can view the site settings option in the home page, If the user is on other group like content manager /System user then he can not view the site settings option.
You need to first add the user in the System Administrator group.then he can view all these settings.
Hope this helps...
UserManager.createUser() gives me the "You do not have permission to perform that action" error, but I'm already able to create new domain users under the same apps account (non-paid) manually as a super admin. Any reasons why running it through a script would throw this error?
Google Apps Control Panel > Domain settings > User Settings > Select the checkbox enabling the Provisioning API > Save your changes. That needs to happen first.
as a complement to Bryan's answer :
from the doc :
Class UserManager
This class allows administrators to create, update, retrieve and delete users in a Google Apps domain. To use this class you have first to enable the Provisioning API on your domain. For a next-generation control panel, enable the API by logging in to your admin account, and select Domain settings and the User settings tab to select the checkbox enabling the Provisioning API. If your control panel is not Next generation, enable the API by logging in to your admin account, and clicking the Users and groups tab. Then click the Settings subtab, select the checkbox to enable the Provisioning API and save your changes.