Is there a way to manage permissions at an experiment level in MLflow? We would like to have a shared server but would like to be able to manage permissions at an experiment level - e.g. admin can view all experiments, user_group1 can manage experiment1 - perhaps different groups can see results vs post results.
Related
Here are the current options. I want to give the BI team only access to the S: SQL
Completely removing the other options is currently not available. However, you can lock them as shown in the picture.
Remove databricks-sql-access entitlement from default users group.
Create a new group called 'sql-users-only' and give them only this entitlement. (so they won't see workspace and they can't spin up endpoints)
Resources:
Databricks provide a lot of control using ACLs. Access control overview
You can restrict the dashboard viewing options as well. Dashboard permissions
I would like to give our team members the necessary permissions to use the Query Performance Insight feature for an Azure SQL database, including the possibility to see the query text of long-running queries.
They already have "Reader" and "Monitoring Contributor" roles, so they can access the Query Performance Insight feature in the Azure Portal and see the IDs of long-running queries. However, when they click on a long-running query, they cannot see the query text. An error is shown indicating that "The connection timed out while running the query".
If I assigned them the "SQL DB Contributor" role, they would be able to use that feature, but they could then also change database settings such as the pricing tier, which I do not want.
Is there a role assignment that does what I need?
I think you will need to create an Azure Custom Role, as described in https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles .
You can start with Reader, and then include permissions you want, or start with SQL DB Contributor, and remove permissions you don't want. This will require experimentation.
From your subscription, create a new Custom Role:
Then from that role, you will add or exclude permissions:
Permissions that would be interesting to me would be:
List Query Store texts - for adding to a Reader
and Update Database - for excluding from a DB Contributor
Once that's done, you would go to the Access Control blade for the server that contains your database, and then add your users with that new custom role. Test, tweak, repeat until you have the security profile you want. Which role you use as your basis depends upon how close to a least-privilege security model you wish to adopt.
Edit: One possible way to figure out the permission to assign would be:
Scale the database up
Scale it back down
Go to the resource group, select your database, and Export Template
Inspect the JSON, which will be the ARM that was applied during the operation (you might need to look at multiple deployments to figure this out)
Once you find the operation, the provider in the JSON should give you a clue as to what to exclude from any roles you create.
Adding to #WaitingForGuacamole's answer: We ended up creating a custom role definition containing Microsoft.Sql/servers/databases/queryStore/write and Microsoft.Sql/servers/databases/topQueries/queryText/action. Assigning this custom role definition to team members who already had the Reader role on the Azure SQL Server then allowed them to view the query texts in Query Performance Insight.
The actual two permissions were provided to us by a very helpful Azure support engineer. YMMV, it might also work with just Microsoft.Sql/servers/databases/topQueries/queryText/action (in addition to the read permissions), as indicated by an Azure Docs Github issue. However, the support engineer was positive we'd also need the Microsoft.Sql/servers/databases/queryStore/write one and we didn't follow up by researching why.
We have a suite of apps we are developing. We have already rolled the app out to about 50 users and have over 200 more. Sharing connections (custom connection & connector) and the apps have become super cumbersome. Long story short, this is a lot of time. Each time we have a new user we have to share 3 apps, 2x connections, and setup access on an internal method we have. We are using SQL, not CDS.
This has been misery. Is there a way to create 1x address that I would share with the Apps/Connection and I would just add users to this group? Would save us time to just add users to the one list. Then access is just shared via this common group. Does anyone know a better method to deploy powerapps like this? We can't share to "everyone". Thanks.
If you have an Azure Active Directory Security Group you can give them access to the connector and powerapp. See: https://powerapps.microsoft.com/en-us/blog/sharing-powerapps-with-multiple-users/
There are some kind of distinctions between Security Groups, Distribution Groups, O365 groups, and on prem vs Azure. I couldn't tell you the difference between them all, but you can follow Microsoft's instructions on how to share a canvas app which will go through some of these different methods of sharing.
We have a RavenDB server with a Master-Slave setup. There is one master DB where documents get written to via one process, which are then replicated to the slaves.
The slaves are accessed via a web application, but we would like to make all replicated documents read-only.
When looking for security options, we find it at DB level and at Document level (using Authorization bundle). The first makes the entire DB read-only which should not be the case. The second is too convoluted and is for more fine-grained security which we don't need.
We were hoping that the web application could connect to RavenDB with certain credentials context (not the application users, but the system user which the website runs as), where certain collections would then be read-only for that identity. This is perfectly possible in SQL Server for example.
Any alternative solutions such as replicating documents as read-only are also appreciated. Our current best idea is to have put triggers on the server which make the required documents read-only on slave databases.
You can easily use API Keys for this:
https://ravendb.net/docs/article-page/3.0/Csharp/server/configuration/authentication-and-authorization#oauth-authentication
One API Key (read/write) for the replication
One API Key (read only) for the application
I need to build an application that manages users and I thought that it will be nice to follow an existing management model, like the one used by Windows or linux, that has users, groups, permissions etc.
I couldn't find any place on the Internet to get explanations about how to implement this.
My application is a web application, probably asp.Net (less important the technology) that manages users. I have few levels, for now system administrators, power users, group managers and simple users.
Each level offers privileges, like power users may see all the users, may promote a user to be up to group manager, may degrade a user (with less powers than his) etc.
There is any place where I can read about how to implement such system?
Probably using the ASP.NET membership provider will work for you. You can use the SqlMembershipProvider which stores the security information in a Sql Server database. If you need more advanced features (and probably more secure), you can use Active Directory or ADAM with the ActiveDirectoryMembershipProvider. The ASP.NET membership provider model is customizable and you can implement your own provider, but the existing ones are quite powerful.