I use Django auth groups. The groups contain permissions (https://docs.djangoproject.com/en/4.1/ref/contrib/auth/#group-model). Now groups are assigned to users based on their actual role. In my test setup one group contains the permission (market.xyz). This group is assigned to the logged-in user.
In the debugger I see that the group permission is assigned (line 88)
But if I call user.has_perm(per1) I get False (line 87).
Same results for calling user.has_perm('market.xyz').
I can not make sense of this result. Is it necessary to activate the auth group mechanism? Do I have to add some additional Middleware?
To be sure I double-checked the documentation about group permissions being available on user level (https://docs.djangoproject.com/en/4.1/topics/auth/default/#groups):
A user in a group automatically has the permissions granted to that group. For example, if the group Site editors has the permission can_edit_home_page, any user in that group will have that permission.
Above I already suspected that some kind of Middleware is missing to activate the auth groups. Pretty close! After some trial and error I discovered that the ModelBackend makes it all work. IMHO the documentation on auth groups could make a remark on this!
    AUTHENTICATION_BACKENDS = [
        "foo.bar.MyOwnAuthBackend",
        "django.contrib.auth.backends.ModelBackend",
    ]
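Why the second entry matters, as an added sketch (not Django's source and not the poster's code): `has_perm()` is answered by the backends listed in `AUTHENTICATION_BACKENDS`, so a list without `ModelBackend` never consults group permissions. The classes below are a simplified model; the group name `traders` and the backend bodies are assumptions.

```python
# Simplified model of how django.contrib.auth answers user.has_perm():
# each configured backend is asked in turn and the first True wins.
# Names are illustrative stand-ins, not Django's own classes.

class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied."""

class MyOwnAuthBackend:
    """Custom backend that only authenticates; it knows nothing about groups."""
    def authenticate(self, request, **credentials):
        return None
    # No has_perm(): this backend contributes nothing to permission checks.

class ModelBackendModel:
    """Models ModelBackend: user permissions plus those of the user's groups."""
    def has_perm(self, user, perm, obj=None):
        # ModelBackend does not grant object-level permissions.
        if not user.is_active or obj is not None:
            return False
        group_perms = {p for g in user.groups for p in g["permissions"]}
        return perm in user.user_permissions | group_perms

class User:
    def __init__(self, groups, user_permissions=(), is_active=True):
        self.groups = list(groups)
        self.user_permissions = set(user_permissions)
        self.is_active = is_active

def user_has_perm(user, perm, backends, obj=None):
    """Dispatch loop: ask every backend that implements has_perm()."""
    for backend in backends:
        if not hasattr(backend, "has_perm"):
            continue
        try:
            if backend.has_perm(user, perm, obj):
                return True
        except PermissionDenied:
            return False  # a backend may veto and stop the search
    return False

# Constructed data matching the question: one group carrying market.xyz.
traders = {"name": "traders", "permissions": {"market.xyz"}}
user = User(groups=[traders])

only_custom = [MyOwnAuthBackend()]
with_model_backend = [MyOwnAuthBackend(), ModelBackendModel()]
```

With `only_custom` the check returns False even though the group holds the permission; adding the `ModelBackend` model to the list makes it True.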
I have a SPFx webpart which is a form for users to submit requests which will run the group and teams provisioning code.
The code works fine when the user is logged in as a 'Global Admin', but when a normal user with minimum permission levels uses the form, the provisioning is not allowed and the user is faced with these errors:
Creating group is not allowed:
Tenant admin has not enabled Unified group creation error
Creating teams is not allowed:
Teams disabled in user license admin error
Is there a way to run the code regardless of the user context, or any way to elevate the privilege of the webpart or block of code with admin permissions?
https://learn.microsoft.com/en-us/sharepoint/dev/spfx/use-aad-tutorial
You will need to specify the specific API permissions your application needs.
Basically, start from here: https://learn.microsoft.com/en-us/sharepoint/dev/spfx/use-aad-tutorial
Specifically, the Graph API permissions that you will need are at least Group.ReadWrite.All and Directory.ReadWrite.All in order to create a team.
Hopefully this helps a bit.
Is there a way to run the code regardless of the user context?
Yes. You could implement "Get access without a user" to use Application permission to create the resources. It will allow you to create a group without a user.
You can also check with your admin whether the ability to create Groups has been disabled for users. See "Manage who can create Groups".
And it's strongly recommended to check if the Teams license is assigned to the user.
We have a single-page JavaScript app that makes calls to Microsoft Graph API using delegated permissions.
One of the things it does is get a list of users via the /users endpoint.
Now when the request URL was https://graph.microsoft.com/v1.0/users?$select=id,displayName,givenName,surname,mail,userPrincipalName,
everything worked fine.
But then we changed it to include a filter.
Specifically we only want Guest users.
So we changed the request URL to https://graph.microsoft.com/v1.0/users?$filter=userType eq 'Guest'&$select=id,displayName,givenName,surname,mail,userPrincipalName,userType.
Now some of the users get a 403 Forbidden when we try to make the query.
What is puzzling is that they can get the full list of users, but are unable to get a subset of the users.
This user is themselves a Guest user, and has the Guest Inviter directory role.
This gives them the ability to read all users.
I have a Global Admin account which is able to use the second request as well (it would be pretty stunning if it could not).
The app itself has the necessary scopes since it is able to read the users, it just depends on the user and their permissions in AAD.
My theory is that the user does not have permission to access the userType property, and this causes the 403.
It is probably part of the "full profile".
Philippe confirmed this by stating you cannot access this property through the User.ReadBasic.All scope.
If we look at the Guest Inviter role's permissions: https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#guest-inviter.
We can see that they have microsoft.aad.directory/users/basic/read, a Global admin on the other hand has microsoft.aad.directory/users/allProperties/allTasks.
My question is, what do I need to do to enable this query for the user?
I would like to avoid giving them Global Admin in this case.
The application's token has the following scopes:
Directory.AccessAsUser.All
User.Read
We used a less privileged scope before,
but we needed to add features that required higher privileges.
The scope we have is the "most privileged" scope for listing users: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_list.
The application is also registered as a Native app, if that makes a difference.
Signing out and signing back in (to refresh the token) also does not help.
This problem occurs with a fresh sign-in with the same scopes in the token.
The only difference is the role of the user in AAD.
Request id: 6079bcb2-6f90-44cc-8a57-83a8e1676333, timestamp Thu, 15 Nov 2018 06:49:59 GMT.
Unfortunately your theory is actually correct about guest users not being able to filter on userType. I have just spoken to the engineering team behind this logic on Microsoft Graph. They are looking into a fix here so that it adheres to our Roles based access control (RBAC) for this property and not the pre RBAC logic that it is doing right now. There is no time frame currently on this, they are planning it into their sprint. I'll see if I can get an update in the next few days.
You are most likely experiencing this if your application only has delegated permissions for https://graph.microsoft.com/User.ReadBasic.All. With only User.ReadBasic.All, your app doesn't have permission to read the userType property, which also means it doesn't have permission to filter on that property.
You'll probably find any user in the tenant will have the same experience, including a member or a global admin, not just your guest user. If your app requests User.Read.All instead, the filter should work as expected for your guest user in the Guest Inviter role.
What do you have set under Azure Active Directory -> User Settings -> External collaboration settings -> Guest user permissions are limited?
If the guest permissions are limited, guest users are unable to enumerate the directory users & groups.
I can authenticate a user in Active Directory, but I need to know whether we can authenticate a specific user in a group if we have multiple groups.
Basically I am redirecting to http://[mydirectory].onmicrosoft.com and validating the user, but I need to know whether there is a mechanism to validate a user from a specific group so that I can give access according to that.
Assuming this is Azure AD (and not on-premises Windows Server AD), then you have three options to restrict access to an application via groups.
Option 1: Require user/group assignment to application
This is the only option that does not require adding authorization logic in your application.
When configuring your application in the classic Azure portal, you can set the application to require user assignment:
Then, under "Users and Groups" for that application, you can choose which individual users or groups should have access to the application.
The most important thing to consider here is that this will only apply to direct members of the group, not to nested members.
Option 2: Request group claims
This option will allow you to request that the token returned to the application after a user has signed in contain the list of groups that the user is a member of. This includes groups that they are transitive members of (i.e. nested groups).
From your application's configuration page in the classic Azure portal, you can download and upload the app's manifest JSON file. In the manifest, locate the "groupMembershipClaims" attribute, and set it to "All" or "SecurityGroup" (the latter will exclude distribution lists).
Once this is set, after the user signs in, the resulting token will have a groups claim that contains a list of group object IDs that the user is a member of. Your application can then use these claims to decide whether or not the user should have access.
Dushyant Gill goes into group claims in detail in his blog post: http://www.dushyantgill.com/blog/2014/12/10/authorization-cloud-applications-using-ad-groups/ (archive.org link)
The important consideration here is that there is a limit to the number of groups that can be returned. If the user is a member of more groups than this limit, then an "overage" claim is issued, and your application will need to make an Azure AD Graph API call to get the full list. (This is also described in Dushyant's blog post.)
Option 3: Use the Microsoft Graph API or the Azure AD Graph API directly
The final option is to simply call the Microsoft Graph API (or the Azure AD Graph API, they both act almost identically for this) to establish if the signed in user is a member of a given group. Your application can then make the authorization decision.
There are several approaches you can take (these are all transitive checks, so nested groups are supported):
isMemberOf to check whether the user is a member of a specified (single) group. This is the simplest if a single group should grant access to your app.
checkMemberGroups to check if the user is a member of any groups in a list of groups. This is useful if different groups grant different roles or permissions in your application.
getMemberGroups to return the full list of groups the user is a member of. This is generally not particularly useful for doing authorization checks.
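An added sketch of the decision logic behind Options 2 and 3 (not code from the answer): it reads the `groups` claim, detects overage, and fails closed unless a directory lookup confirms membership. It assumes the token was already validated; `_claim_names`, `hasgroups` and `oid` are the claim names Azure AD tokens use, while the GUIDs and the `lookup_member_groups` callable are constructed placeholders.

```python
# Group-based authorization from Azure AD token claims (Option 2), with a
# directory lookup fallback (Option 3) when the token signals overage.
# Assumes signature, issuer and audience were validated before this point.

def has_group_overage(claims):
    """True when the groups list was omitted because the user has too many."""
    names = claims.get("_claim_names") or {}
    return "groups" in names or claims.get("hasgroups") in (True, "true")

def is_authorized(claims, allowed_group_ids, lookup_member_groups=None):
    """Return True only if the user is in at least one allowed group.

    lookup_member_groups(user_object_id, candidate_ids) -> matching ids.
    It is a hypothetical callable wrapping a checkMemberGroups request.
    """
    allowed = {g.lower() for g in allowed_group_ids}
    if has_group_overage(claims):
        oid = claims.get("oid")
        if lookup_member_groups is None or not oid:
            return False  # fail closed: membership cannot be established
        matched = lookup_member_groups(oid, sorted(allowed))
        return any(g.lower() in allowed for g in matched)
    groups = claims.get("groups")
    if not isinstance(groups, list):
        return False  # no groups claim, e.g. groupMembershipClaims not set
    return any(isinstance(g, str) and g.lower() in allowed for g in groups)

# Constructed placeholder object IDs and decoded claims.
ADMINS = "11111111-1111-1111-1111-111111111111"
EDITORS = "22222222-2222-2222-2222-222222222222"
OTHER = "33333333-3333-3333-3333-333333333333"
USER = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"

member_token = {"oid": USER, "groups": [EDITORS, OTHER]}
outsider_token = {"oid": USER, "groups": [OTHER]}
overage_token = {
    "oid": USER,
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.example.invalid/placeholder"}},
}

def fake_lookup(oid, candidate_ids):
    """Constructed stand-in for the directory call: the user is in ADMINS."""
    return [g for g in candidate_ids if g == ADMINS]
```

Treating a missing or truncated `groups` claim as a denial keeps an overage token from being read as "member of no restricted group, so allow".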
A user is added to 2 different groups. 1 group is provided author access and another group is provided with editor access. First group has user role 'A' and second group has user role ' A,B'. What is the access and role the user would have?
The user would have the highest access level of all groups (in this case editor access) and all roles assigned to groups (in this case A and B) in the database's ACL.
There is only one exception: if the user is listed with his own name in ACL then only these rights the user would have, no matter which listed groups he's member of.
The access levels are combined. However, Deny access takes precedence over Allow access.
See the docs for more info: http://www-12.lotus.com/ldd/doc/domino_notes/7.0/help7_admin.nsf/b3266a3c17f9bb7085256b870069c0a9/52f8492cea3792698525706f0065c44b?OpenDocument
Also, as the doc states it is helpful to use the Effective access feature within the ACL dialog to see exactly what the user access is.
I have three custom entities: Project, ProjectStageExternal and ProjectStageInternal. I have added a workflow which will create ProjectStageInternal and ProjectStageExternal records when admin creates a Project record.
Now I have a security role named customer. Users having this role only read the Project and ProjectStageExternal records.
The problem is that the workflow is not working when ownership is changed to users having the customer security role. It's showing the following error: The selected user does not have sufficient privileges to be assigned records of this type.
What am I missing here?
Thanks.
That security role has basically no permissions on those entities, so the users won't be able to do anything with them.
If you want someone to be able to assign (or have a workflow assign on their behalf) you need to grant the assign permission and probably write as well.
If you don't want to grant them those permissions, change the workflow's Scope to organisation and assign it to an admin user. That means the workflow will run with the admin's permissions and security roles.
Only providing Read Privileges to the user/team whom the record is to be assigned will work perfectly fine!!