Will the authority service give the tokens in the ACL for a user if he has access to the library through an AD group in Apache Manifold CF?

We get the ACL for the user (abc@xyz.com) on all the SharePoint libraries through the Authority service in Manifold CF.
The user (abc@xyz.com) does not have direct access on the particular SharePoint library and also does not have access through the defined groups (Visitors/Owners/Members), but the user has access to the library only through an AD group which is added as a visitor to that SharePoint library, and so we are not getting the Visitors token for the user (abc@xyz.com) in the ACL.
Q1. Will the authority service give the tokens in the ACL for a user if he has access to the library through an AD group?
Q2. If not, then how can we modify the authority service in order to get the tokens in the ACL?
Would appreciate any help/thread in this regard.
Trying to get the tokens in the ACL for the given user.

Related

user_impersonation scope - why?

Usually, when reading about OAuth2, you can find information that the permission should be defined in scopes to state exactly what is needed. I recently looked into how Microsoft does that in their Azure Portal. It turns out that the only scope I get when accessing the portal is "user_impersonation". Why is that? My guess is that the token would be too big if they included all the permissions as scopes?
More generally, it seems to me that there are at least two approaches to dealing with authorization in OAuth2:
Store all permissions in the token - the Resource Server just looks at the token to decide what data to expose
Store limited information in the token (like userId) - the Resource Server has to find permissions in some data base related to the provided userId in the token.
It seems that Microsoft is using the second approach. Unfortunately, I didn't find any information about that way of doing auth. Are there some good resources to read about it?
Until now, as I said, all resources I read say that you should include the permissions as scopes.
For the API permissions of most of the services in the Azure Portal, you can see the User_Impersonation delegated permission. This is because the user_impersonation permission is enough to access that particular service API on behalf of the signed-in user.
For other services like Microsoft Graph, you can see many other permissions like user.read, user.readwrite etc.
While generating the access token in the OAuth flow, you can add the scope with the permissions added for the app registration. The token will be generated with these permissions.

Application-specific permissions with Azure AD RBAC

Are Azure's RBAC tools and capabilities appropriate for delineating and enforcing app-specific user permissions?
What I've been seeing is that Azure's RBAC capabilities seem to involve managing Azure resources: BLOB services, storage accounts, app services, etc.
But what I don't see are examples of Azure RBAC being used to manage app- (or domain-) specific permissions, like "Allow the user to approve purchasing this widget" or "Allow user to categorize these items as Foo, Bar, or Baz", or "Allow the user to view financial data only from these company divisions".
Am I fundamentally misunderstanding how Azure RBAC works, or what it's used to manage? Can anyone point out examples of Azure role definitions that include permissions like the ones above, or point to documentation of how I might set those up?
I believe you are looking for application-specific permissions, which can be achieved by configuring API permissions in apps registered in AD. Please correct me if my understanding is wrong.
So the difference between API Permissions and Role Assignments is as below:
API Permissions: two types.
Delegated permissions are appropriate for client apps that access a web API as the signed-in user, and whose access should be restricted to the permissions you select in the next step.
Delegated permissions are used when authentication is done under the user's context and are returned in the scope claim of the token.
Application permissions are for service or daemon-type applications that need to access a web API as themselves, without user interaction for sign-in or consent. Unless you've defined application roles for your web API, this option is disabled.
App permissions are used when authentication is done under the application (service principal) context and are returned in the roles claim. For example, if you have a web application, you can configure it to allow access to the user if the scope claim contains read, and otherwise deny access. Or grant write access to the application only when the roles claim contains write.
You should configure API Permissions when you would like to return the permissions in the access token. When the application consumes the token, it makes an authorization decision based on the permissions present in the token.
Role Assignments:
RBAC is the authorization system you use to manage access to Azure resources. When using RBAC, an administrator grants permissions to roles, and not to individual users or groups. The administrator can then assign roles to different users and groups to control who has access to what content and functionality.
Role assignments are used to assign permissions to users/service principals on Azure resources. In this case authorization is done by Azure and not by the end application, which is what happens in the case of API permissions.
Please refer to the articles below for a detailed explanation with examples.
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added
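The scope-claim versus roles-claim decision described in the answer above (and the user_impersonation scope discussion earlier on this page), written out as an added Python example; it is not code from the original posts. The claim names `scp` and `roles` are the ones Azure AD issues; the permission names (Items.Read and friends) and the sample claim sets are constructed, and signature, issuer, audience and expiry validation of the token is assumed to have happened before these claims are trusted.

```python
"""Authorize an operation from the claims of an already-validated Azure AD access token.

Delegated tokens carry granted scopes in the space-separated `scp` claim;
application (service-principal) tokens carry app roles in the `roles` claim.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def token_permissions(claims: dict) -> tuple[str, frozenset[str]]:
    """Classify the token and return ('delegated'|'application'|'none', permissions).

    A non-empty `scp` claim marks a delegated token (scp wins if both are present);
    a non-empty `roles` list marks an app-only token; anything else grants nothing.
    """
    scp = claims.get("scp")
    if isinstance(scp, str) and scp.strip():
        return "delegated", frozenset(scp.split())
    roles = claims.get("roles")
    if isinstance(roles, list) and roles:
        return "application", frozenset(str(r) for r in roles)
    return "none", frozenset()


# Constructed permission model: per operation, the permissions acceptable for each token kind.
# ReadWrite implies Read, so a write-capable token is also allowed to read.
REQUIRED = {
    "read": {"delegated": {"Items.Read", "Items.ReadWrite"},
             "application": {"Items.Read.All", "Items.ReadWrite.All"}},
    "write": {"delegated": {"Items.ReadWrite"},
              "application": {"Items.ReadWrite.All"}},
}


def authorize(claims: dict, operation: str) -> Decision:
    """Allow the operation only if the token kind carries one of the acceptable permissions."""
    if operation not in REQUIRED:
        return Decision(False, f"unknown operation {operation!r}")
    kind, perms = token_permissions(claims)
    if kind == "none":
        return Decision(False, "token carries neither scp nor roles")
    acceptable = REQUIRED[operation][kind]
    matched = perms & acceptable
    if matched:
        return Decision(True, f"{kind} token has {sorted(matched)}")
    return Decision(False, f"{kind} token lacks any of {sorted(acceptable)}; has {sorted(perms)}")


# Constructed sample claim sets (only the fields relevant to this check).
DELEGATED_READ = {"aud": "api://example-app", "scp": "Items.Read offline_access", "oid": "user-1"}
APP_WRITE = {"aud": "api://example-app", "roles": ["Items.ReadWrite.All"], "oid": "sp-1"}
NO_PERMISSIONS = {"aud": "api://example-app", "oid": "user-2"}
```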

Why does Azure recommend User Delegation Shared Access Signatures

In the Microsoft documentation, it is recommended that professionals use User Delegation Shared Access Signatures rather than key-based Shared Access Signatures. Specifically, why is this the case?
In this document, it is specified that:
Microsoft recommends that you use Azure AD credentials when possible as a security best practice, rather than using the account key, which can be more easily compromised. When your application design requires shared access signatures for access to Blob storage, use Azure AD credentials to create a user delegation SAS when possible for superior security.
This Azure official document explains why it is recommended to use User Delegation Shared Access Signatures.
When a client accesses a blob service resource with a user delegation SAS, the request to Azure Storage is authorized with the Azure AD credentials that were used to create the SAS. The role-based access control (RBAC) permissions granted for that Azure AD account, together with the permissions explicitly granted on the SAS, determine the client's access to the resource. This approach provides an additional level of security and avoids the need to store your account access key with your application code. For these reasons, creating a SAS using Azure AD credentials is a security best practice.

Is there any way to restrict app-only permission for Graph API in Azure AD to a certain group of people?

For an application to work, it requires read/write access to most user calendars in the organization, which is achieved with app-only permission requirement for Graph API, which allows access to all calendars.
This looks a little bit too wide for some security people, and they asked me if there is some way to restrict this to a specific subset of accounts. I haven't found any settings in this direction. "Grant permissions" in App registration section of the Azure AD management portal will give access to all user calendars, including the future ones too.
Could somebody give a straight answer on whether it is possible or not; and I would be grateful for a link to an official Microsoft page where that can be seen.
Thank you!
Yes, there is a way. Follow the steps below and wait 30 minutes to an hour for the policy to propagate.
Configure ApplicationAccessPolicy
To configure an application access policy and limit the scope of application permissions:
Connect to Exchange Online PowerShell. For details, see Connect to Exchange Online PowerShell.
Identify the app’s client ID and a mail-enabled security group to restrict the app’s access to.
- Identify the app's application (client) ID in the Azure app registration portal.
- Create a new mail-enabled security group or use an existing one and identify the email address for the group.
Create an application access policy.
Run the following command, replacing the AppId, PolicyScopeGroupId, and Description arguments.
New-ApplicationAccessPolicy -AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b -PolicyScopeGroupId EvenUsers@contoso.com -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group EvenUsers."
Test the newly created application access policy.
Run the following command, replacing the AppId and Identity arguments.
Test-ApplicationAccessPolicy -Identity user1@contoso.com -AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b
The output of this command will indicate whether the app has access to User1's mailbox.
Ref: https://learn.microsoft.com/en-us/graph/permissions-reference#calendars-permissions
Ref: https://learn.microsoft.com/en-us/graph/api/resources/calendar?view=graph-rest-1.0

Notes authentication without nab entry

Currently we are evaluating a SAML solution as a corporate user authentication system.
The goal is to have only SAML as the main system without any redundancy of user data throughout different platforms.
Even if SAML authenticates the user, how can the Domino server create a session without mapping it to a user in the NAB?
Is it somehow possible to have a Domino session without having the actual entry in the NAB?
And is it possible to retrieve group membership from SAML without having the actual group document in the NAB?
Even if all of that works, is it still possible to use these users and groups in the ACL and in Readers and Authors fields?
The combination of SAML and configuring Directory Assistance on the Domino server to integrate with an LDAP service that is provided by your corporate systems would allow you to accept SAML credentials for users who do not have a Person document in the Domino Directory.
But no, you can't use SAML to retrieve group membership. You can't use SAML to retrieve anything. It's not a directory query mechanism. It's only an authentication mechanism that communicates trusted identity information. You can, however, configure Domino Directory Assistance to use an external LDAP source for groups, and your local groups, ACLs and Reader/Author fields can also refer to these users.