Two organizations, A and B, are working on a collaborative project. One org has RBAC implemented; the other org uses attribute-based access control. The user from Org A brings the role 'Tutor' (Teacher) for accessing resources in B, and the user from Org B brings the role 'Tutor' (Student) for accessing resources in A. Both identity providers have a common agreement that users will bring roles and attributes to access the services and resources offered by the service providers of the organizations. Let us assume User A has L3, high-privileged access. User B, who is a student, has L1, least-privileged access. How do we distinguish the 'Tutor' identity provided based on the user security levels? How do we translate roles to the relevant attributes and attributes into user-role mappings?
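A worked illustration of the mapping question above, added here and not part of the post: each identity provider's claims are normalised into a common attribute set keyed on the issuer, so the two 'Tutor' roles stay distinguishable by origin and by security level, and the reverse lookup recovers the local role from attributes. The issuer URLs, the L1 < L2 < L3 ordering and the policy tables are assumptions.

```python
# Added example: translating federated role claims into a common attribute
# vocabulary and back. Issuer names, level ordering and the tables are assumed.
from dataclasses import dataclass
from typing import Optional

LEVEL_RANK = {"L1": 1, "L2": 2, "L3": 3}  # assumed ordering: L3 is most privileged

# Per-issuer translation tables (assumed). Org A is RBAC-based, so its role
# expands to attributes; Org B is ABAC-based, so its attributes fold to a role.
ROLE_TO_ATTRS = {
    "https://idp.org-a.example": {"Tutor": {"function": "teacher", "min_level": "L3"}},
    "https://idp.org-b.example": {"Tutor": {"function": "student", "min_level": "L1"}},
}
ATTRS_TO_ROLE = {
    "https://idp.org-a.example": {("teacher", "L3"): "Tutor"},
    "https://idp.org-b.example": {("student", "L1"): "Tutor"},
}

@dataclass(frozen=True)
class Subject:
    issuer: str
    function: str
    level: str
    source_role: str

def normalise(claims: dict) -> Subject:
    """Map an incoming token's role to attributes, rejecting a role whose
    declared security level is below the level its issuer requires."""
    issuer, role, level = claims["iss"], claims["role"], claims["level"]
    attrs = ROLE_TO_ATTRS[issuer][role]
    if LEVEL_RANK[level] < LEVEL_RANK[attrs["min_level"]]:
        raise PermissionError(f"{role} from {issuer} requires {attrs['min_level']}")
    return Subject(issuer, attrs["function"], level, role)

def to_local_role(subject: Subject, local_issuer: str) -> Optional[str]:
    """Reverse mapping: which role at local_issuer do these attributes correspond to?"""
    return ATTRS_TO_ROLE[local_issuer].get((subject.function, subject.level))

def can_grade(subject: Subject) -> bool:
    """Example resource policy (assumed): grading needs the teacher function at L3."""
    return subject.function == "teacher" and LEVEL_RANK[subject.level] >= 3
```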
I need to create multiple users in the same AD and need to isolate the resources created by one user from another user. Is it really possible? Since I am new to Azure, I am not aware whether this is really possible. It would be great if someone could lend a hand and advise on this.
There is no absolute isolation, there are only certain restrictions.
The users created in the AAD tenant are all the Members by default, they have the default permissions e.g. Read all properties of groups, Read properties of registered and enterprise applications. So if user A created some resources e.g. group, application, the user B will also be able to read the properties of them.
There are some restrictions, like Manage properties, ownership, and membership of groups the user owns, Manage application properties, assignments, and credentials for owned applications. This means some properties of the resources can just be managed by the Owner of them.
For more details about the default user permissions, you could refer to https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions
And if the user is assigned as the admin role in the tenant, he will have more permissions than the default users, see https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles
Is there a best practice for the storage of users in Azure AD B2C with different account types where the same user might be in multiple groups?
For example, let's say that we have the following user account types.
User Account Types
Member: User that can view their health insurance information.
Group Leader: User that manages a company's health benefits and members.
Of those two types, a member can also be a group leader, and a group leader can also be a member, but they don't have to be. Both account types are managed by a single company.
Recommended Identity Architecture?
Given those account types, how many instances of B2C should there be?
They should be in the same directory. Just use the group membership or role attribute for authorization in the application.
We invite Azure B2B guest users to our AD in order for them to access a web application. Part of this process also adds them as members of a specific security group.
What I have noticed is that a B2B user can log in - (https://account.activedirectory.windowsazure.com) - and is able to see the other members of the group that they are members of.
Given that this information contains customer email addresses then it presents issues relating to GDPR.
The AD Administration Portal user settings are set to "restrict access to Azure AD admin portal"
Any ideas how we could restrict B2B users from being able to enumerate group membership in this manner?
Let me list some facts:
The below part is a manual step that is not related to adding a B2B guest user:
Part of this process also adds them as members of a specific security group.
When you create a security group, all members can see the list of available information of other members
As guest users on Azure are identified using their email, the email addresses of all members of a security group will be visible to other group members
The workaround for this is to create a separate security group for each domain (i.e. each company or each group of users who have the same @xxxx.com in their email). Then gather all those groups in a single parent security group and assign access to that parent group.
This way, all guest users will have the same resource access, but each group will be able to see only information about members in their own subgroup.
I want to restrict access of a user to particular objects, say specific classrooms such as classroom A and classroom B. My understanding is that I can have a B2C scope, say AccessClassRoom, but not specific classrooms. For user-specific data I should not use scopes. Let me know if my understanding is correct.
You are correct.
Permissions/roles and scopes provide the two halves for this user access control.
Scopes -- such as AccessClassRoom -- determine whether an authorized application can access data on behalf of an authorizing/consenting user if this user, through their permission/role assignment/s, is permitted to do so.
Azure AD B2C doesn't have any current support for managing permissions/roles and assignments of them to users.
It does, however, have support for managing scopes and assignments of them to applications.
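An added illustration of the two halves described in the answer above (not code from the answer or from Azure AD B2C): the scope carried in the access token decides whether the calling application may reach classroom data at all, and a per-user assignment table kept by the application decides which classrooms that user may see. The `sub` claim as the user key, the assignment table and the classroom identifiers are assumptions; `scp` is the space-separated scope claim.

```python
# Added example: combining the application's scope (from the token) with a
# per-user classroom assignment held by the application itself. The user
# key, the assignment table and the classroom ids are constructed here.
from typing import Optional

# Constructed per-user assignment table the application maintains itself,
# because (per the answer) B2C does not manage user roles/permissions.
USER_CLASSROOMS = {
    "user-001": {"ClassRoomA"},
    "user-002": {"ClassRoomA", "ClassRoomB"},
}

REQUIRED_SCOPE = "AccessClassRoom"

def scopes_of(token_claims: dict) -> set:
    """Granted scopes arrive as a space-separated string in the 'scp' claim."""
    return set(token_claims.get("scp", "").split())

def access_denied_reason(token_claims: dict, classroom: str) -> Optional[str]:
    """Return None when access is allowed, otherwise the reason it was refused.
    Half 1: the application must hold the scope.
    Half 2: the user behind the token must be assigned to the classroom."""
    if REQUIRED_SCOPE not in scopes_of(token_claims):
        return "application lacks scope " + REQUIRED_SCOPE
    user = token_claims.get("sub")
    if classroom not in USER_CLASSROOMS.get(user, set()):
        return f"user {user} not assigned to {classroom}"
    return None

def can_access(token_claims: dict, classroom: str) -> bool:
    """Both halves must pass for the request to proceed."""
    return access_denied_reason(token_claims, classroom) is None
```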
What I need is:
Administrator-level-1 (Can edit all simple users and administrators of level 2 and 3)
Administrator-level-2 (Can edit all simple users and administrators of level 3)
Administrator-level-3 (even less permissions)
By saying edit I mean change password at least. I tried to experiment with roles, permissions, organization hierarchy, etc. Is this possible?
You could create an Organization for each level and then create a single Organization Role with the following permissions:
User / Update
Organization / Manage Users
Organization / View
Once that is done you assign the level admins to this role on the corresponding organizations.