I was wondering if there was a way to check what all objects does any particular role have access to, and with what privileges in snowflake. Your help is appreciated.
You can use the below command to get the privileges on the objects that a role has been granted access to. This will include the roles granted to the role too.
Show grants to role <role_name>;
https://docs.snowflake.com/en/sql-reference/sql/show-grants.html#syntax
You can use the below command to get the details on the grants of the role to another role or user
Show grants of role <role_name>;
To see what objects a role has access to, the following methods can be utilized.
SHOW COMMAND :
SHOW GRANTS TO ROLE;
Snowflake Documentation Reference: https://docs.snowflake.com/en/sql-reference/sql/show-grants.html#show-grants
The granted_on column in the result of the above show command lists the name of the object, the privilege column lists the name of the privilege, and the name column lists the name of the role to which the privilege on the object has been granted.
Query the SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES View.
Documentation Reference: https://docs.snowflake.com/en/sql-reference/account-usage/grants_to_roles.html#grants-to-roles-view
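Added example (not part of either answer above): a query against the GRANTS_TO_ROLES view that follows the role-in-role grants mentioned in the first answer, so the result covers privileges a role holds directly and those it inherits from roles granted to it. The role name ANALYST_ROLE is a placeholder; the view is in SNOWFLAKE.ACCOUNT_USAGE, so the caller needs access to that share and the data can lag behind SHOW GRANTS by up to a couple of hours.

```sql
-- Added example, not from the original answers. Assumes read access to
-- SNOWFLAKE.ACCOUNT_USAGE and a role named ANALYST_ROLE (placeholder).
--
-- Step 1: walk the role hierarchy downward from the target role.
-- In GRANTS_TO_ROLES a role-to-role grant appears as
--   PRIVILEGE = 'USAGE', GRANTED_ON = 'ROLE',
--   NAME = <granted role>, GRANTEE_NAME = <role receiving the grant>.
WITH RECURSIVE role_tree AS (
    SELECT 'ANALYST_ROLE' AS role_name, 0 AS depth
    UNION ALL
    SELECT g.name, rt.depth + 1
    FROM snowflake.account_usage.grants_to_roles g
    JOIN role_tree rt ON g.grantee_name = rt.role_name
    WHERE g.granted_on = 'ROLE'
      AND g.privilege  = 'USAGE'
      AND g.deleted_on IS NULL      -- ignore revoked grants
      AND rt.depth < 20             -- guard against cycles / runaway recursion
)
-- Step 2: every object privilege held by the role or any role it inherits.
SELECT DISTINCT
       g.grantee_name  AS via_role,      -- role that actually holds the grant
       g.granted_on    AS object_type,
       g.table_catalog AS database_name,
       g.table_schema  AS schema_name,
       g.name          AS object_name,
       g.privilege,
       g.grant_option                    -- TRUE means it can be re-granted
FROM snowflake.account_usage.grants_to_roles g
JOIN role_tree rt ON g.grantee_name = rt.role_name
WHERE g.granted_on <> 'ROLE'            -- object grants only; hierarchy is in the CTE
  AND g.deleted_on IS NULL
ORDER BY object_type, database_name, schema_name, object_name, privilege;
```

Rows where via_role differs from the starting role are inherited privileges; those are the ones a single SHOW GRANTS TO ROLE does not surface.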
I am trying to give permissions to manage locks on resource groups. At the moment I gave permission to write locks with the following permissions.
"Microsoft.Authorization/",
"Microsoft.Authorization/locks/"
But the person is only able to manage locks on resources, not on resource groups.
Is there an easy way to find out which permission is needed to perform a certain action?
You can assign User Access Administrator to that specific user in the Subscription scope. You can go to Subscription >> IAM >> Add role assignment and select User Access Administrator, and then in members select the user you want to give permissions to.
OR
If you want to give only access to locks then you can create a Custom Role following the below steps:
Go to Subscription >> IAM >> Add >> Add a Custom Role.
Give the Custom Role a name and select Start from Scratch.
In the Permissions tab, click Add Permissions and search for Microsoft.Authorization and select it, and then again search for Microsoft.Authorization/Locks and select the three permissions as shown below and click on Add:
In all other tabs leave the defaults, and in the last tab, i.e. Review + create, click on Create. Once it's created go to Subscriptions >> IAM >> Add >> Add role assignment, search for the newly created role and assign it to the user you want.
Note: If you are assigning the permissions at Resource Group level then you will only be able to manage the locks of the resources present inside the resource group, but if you assign the same permissions at Subscription level then you can manage locks on resource groups as well as resources.
With an Azure Resource Group Owner I could not find any user from the list of users in Role assignments. I got a message "An error occurred. Please try again later." instead. Please see screenshot here.
The Resource Group Owner is a guest member. He is only owner of the resource group in question.
If you have restricted Guest access, they cannot enumerate users, i.e. they cannot get a user list from the AAD tenant.
The user might be able to find another user if they type in their full username in the search field.
Is there a way to combine access rights for a Sitecore item?
For example, I have a page that I would like to lock down to users who are a member of two different roles rather than just one, and a user who has just one of the roles should be denied access.
I know you can have roles within roles but wondering if there was a simpler way to achieve this?
I'm using Sitecore 7.2.
If you are trying to check this in code, you can easily do so using
var user = AuthenticationManager.GetActiveUser();
return user.IsInRole("Role1") && user.IsInRole("Role2") ? "Granted":"Denied";
But if you are trying to achieve this in Sitecore Security on an item, then an AND of those 2 roles will be assigned. Ex: If I allow access to an item in Role1 but deny in Role2, the user with Roles 1 and 2 will have his/her access denied.
The simplest way to approach this is to define a new role with appropriate access rights and assign the relevant users to it, either manually or by script. That keeps your access rights transparent. You could code your way around the issue, but you could end up creating an admin nightmare, where it's near to impossible to see which roles and users have access to which items. E.g. what would you expect to see in the Access Viewer when looking at one of the roles, or at a user with one or both of the roles? There's a big difference between assigning access rights programmatically and evaluating them programmatically.
One way that you could achieve it via the Security Editor is by utilising Sitecore's Roles in Roles functionality.
Essentially you will want to create a New Role in the Role Manager that will contain the two roles, Role A and Role B. Select your New Role in the Role Manager and click Member Of button. In the modal click Add and select the two roles this New Role needs to contain.
In the Security Editor select the New Role and assign the read, write, create etc permissions to the required Items.
Now when users access those Items they must have Role A and Role B before being given access - they will not need the New Role assigned to their account.
If you have a large number of roles to manage, and combinations of those, it will be very time consuming to manually create those combinations.
A user is added to 2 different groups. 1 group is provided author access and another group is provided with editor access. The first group has user role 'A' and the second group has user roles 'A,B'. What is the access and role the user would have?
The user would have the highest access level of all groups (in this case editor access) and all roles assigned to the groups (in this case A and B) in the database's ACL.
There is only one exception: if the user is listed with his own name in the ACL then the user would have only those rights, no matter which listed groups he's a member of.
The access levels are combined. However, Deny access takes precedence over Allow access.
See the docs for more info: http://www-12.lotus.com/ldd/doc/domino_notes/7.0/help7_admin.nsf/b3266a3c17f9bb7085256b870069c0a9/52f8492cea3792698525706f0065c44b?OpenDocument
Also, as the doc states it is helpful to use the Effective access feature within the ACL dialog to see exactly what the user access is.
I'm using AzMan (1.0) for an ASP.Net web app, and I have a question about nested Roles.
Say I have the following roles:
MyApp
MyAppUser
MyAppAdmin
MyAppSupport
For the most part, all users (MyApp) can access the app, but some functions will be specific to the other roles.
I want to declaratively restrict access to the web pages to members of the MyApp role.
[PrincipalPermission(SecurityAction.Demand, Role = "MyApp")]
I will check User.IsInRole or use the AzMan API to check for operation permissions within my code.
The users are assigned to the lower level roles (user, admin, support) and those roles are added to the MyApp role.
The problem is that when I check if the user is a member of the MyApp role, they aren't, even though the role they are in belongs to the MyApp role. Is the only way to check this to recursively go through all the roles? That'd mean I can't use the declarative security, or to do so I'd have to add all users to the top level group as well (not ideal).
It sounds like you're expecting composite Role Definition (where a Role Definition is defined to include other Role Definitions) to be supported in the call to IsInRole(). I think you'd get the results you want if you used Group inheritance and Role Assignment instead.
In other words, rather than depending on IsInRole to follow the Role Definition for "MyApp" to determine that the Role Definition "MyAppAdmin" is part of that definition, create the inheritance using Groups instead, and then assign one or more groups to your Role Definition using Role Assignment. You could create an "Administrators" group, which might be a member of the "Everyone" group.
I'm really thinking that your role names are really better group names. A role signifies certain capabilities, not a classification of users based on their rights. That's what a group is for.
For example, suppose that most users (not admins or support) have read-only access to your app. I tend to call that role "Viewer" and I assign it the tasks or operations that allow users in that role only the ability to view, not edit, any data. I would assign everyone to that role (whether I do that with just one group or several doesn't really matter). The "Support" role allows users assigned to it to perform certain operations (or tasks grouping operations). Only some people would be assigned to that role (again, maybe they are assigned individually, or I have a group named "Customer Support Reps" -- doesn't matter).
In my app, I could check IsInRole("Viewer") and everyone who is a user will be in that role. But if I check IsInRole("Support"), only the people in the "Customer Support Reps" group assigned to that role would return True.