I am trying to give permissions to manage locks on resource groups. Atm I gave permission to write locks with following permissions.
"Microsoft.Authorization/",
"Microsoft.Authorization/locks/"
But the person is only able to manage locks on resources, not on resource groups.
Is there an easy way to find out which permission is needed to perform a certain action?
You can assign User Access Administrator to that specific User in the Subscription Scope . You can go to Subscription >> IAM >> Add role Assignment and select User Access Administration and then in members select the user you want to give permissions.
OR
If you want to give only access to locks then you can create a Custom Role following the below steps :
Go to Subscription>> IAM>> Add>> Add a Custom
Role.
Give Custom Role Name and select Start from Scratch.
In Permissions Tab , Click Add Permissions and search for
Microsoft.Autorization and select it and then again search for
Microsoft.Autorization/Locks and select the three permissions as
shown below and click on Add:
In all other tabs let it be default and in last tab i.e.
review+create , click on create. Once its created Go to
Subscriptions >> IAM >> Add >> Add role assignment and search the newly created role and assign it to the user you want .
Note : If you are assigning the permissions on Resource Group Level then you will be only able to manage the locks of the resources present inside the resource group , but if you assign the same permissions on Subscription Level then you can manage locks on resource groups as well as resources.
Related
We have developed a webapp and configured its authentication to use our Azure Active Directory tenant. This works fine. We have clients which are other organizations and when a user from one of those clients authenticates they are presented with content that is specific to their organization. This also works fine.
Under the hood: To accomplish this, in our tenant we have created groups (one for each client) and we have invited users from those clients and assigned them to the appropriate groups (after they are added we have to manually change their user type from 'Guest' to 'Member')
Problem:
If one of our clients signs in to Azure AD they are able to see ALL other groups and all other users. They are also able to add and delete groups and do virtually everything our global administrator account can! This tells me we have done something very very wrong. We are new to Azure AD and there appears to be very much about it that we do not understand.
What I've tried.
Read about administrative units (that doesn't seem to be it)
Roles and administrators: this page has a long list of roles which have check boxes next to them that appear to do nothing.
Home > Tenant > Users > Username > Assigned Roles > Add Assignment: I can select from any of that same list of roles but they are all different kinds of administrators. This would seem to be granting more permissions, not taking them away.
Home > Tenant > Groups > Groupname > Roles and Administrators: This page simply says "no roles found"
Essentially I need our members to not be able to do anything on azure AD except return a list of the groups they are in as well as their own details (name, email, profile picture, etc.)
Assuming you are adding the client users in a specific that group itself already have some admin privileged/Global Administrator/Directory writer Permission.
In that case only user can do operations on group and other users’ data.
Would suggest you check at the Group->Role and administrator & User->Role and Administrator should have only Directory Read permission.
For me in User->Assigned Role->Active Assignment only have Directory Read Role permission so I can only see my details and list of groups that is present in Active Directory but can not do any operation on any group/users like write/delete/update expect read.
Note: To assigned role at the group level you require an Azure AD Premium P1 license.
Update
For assiging role to group please go through in this way---
AAD->Role and Adminsitrator-> Select Role->Add Assigment->Select Member(Group)
Is it possible to add users to different groups based on the url they are coming from. All users to be added under the same Azure B2C directory but under different group during registration.
Example:
www.admin.com - User should go to "Admin" group.
www.user.com - User should go to "Users" group.
Thanks :)
You could use azure ad dynamic user group to do that, when you create a dynamic group with rules, the system evaluates all rules in a directory to see if the change would trigger any group adds or removes. If a user satisfies a rule on a group, they are added as a member of that group.
Reference - Dynamic membership rules for groups in Azure Active Directory
In your case, create the dynamic user group Admin, to add the users to the Admin group, you just need to add the rule like (user.userPrincipalName -match ".*admin.com*."), another one is the same logic.
After the system updated the group completely, it will appear like below.
As a POC, I created a guest user, ex: 'OwnerABC#website.com' and made the user a Group Owner. According to the documentation and my group settings, I should be able to add members/modify changes with the group as the Group Owner, but I'm unable to do so. When I login as 'OwnerABC#website.com' in Azure Portal UI, I change to the correct tenant and I do not see any groups or users.
I also tried going to myapps.microsoft.com and I try adding a user. The search returns empty for any user I want to add to the group that I'm the owner of. It then gives me an unexpected error page.
enter image description here
What other privileges does the Group Owner need or is there somewhere else that a Group Owner, who is not a global administrator, need to go to make changes to the group?
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-manage-groups
Most probably the "User Settings" for "External Users" in your Azure Active Directory is set to "Yes" for "Guest users permissions are limited" setting. When this setting is set to "Yes" by default Guest users aren't able to do certain tasks like enumerating users, groups and other directory resources.
See screenshots below for checking this setting and description.
Go to Azure Portal > Azure Active Directory > User Settings > Manage External Collaboration Settings (under External Users)
On clicking "Manage external collaboration settings" you should see
So now you have 2 possible ways to achieve what you're looking to do:
Change this setting to "No". Once you've changed the setting, try to login to Azure Portal as the external user OwnerABC#website.com again and you should be able to see other users. (Just give it a couple of minutes after changing the setting for this to reflect. It took a little time in my case at least)
As you can understand the setting above is generic and applies to all guest users in your directory. If you want to do something special only for this guest user, then don't change the setting and let it stay at "Yes", but assign an appropriate "Directory role" to user OwnerABC#website.com. This way only this guest user gets to see other users and not all other users.
Assigning a "Directory role" can be done by navigating to Azure AD > Users > Specific User (OwnerABC#website.com) > Directory role > Add role
How to restrict a user from accessing specific resource groups?
For example, I have 10 resource groups in a subscription out of which the user should be able to access only 3 resource groups where the user can do their operations.
When you create a new user for Azure, they have no permissions at all against any subscriptions, logging into portal will present an empty view with no resources.
If you add that user the reader permission they will then be able to read any resource in the subscription, but not modify anything. As would be expected. With reader permission on the subscription, they cannot create anything, resource groups or otherwise.
If that user is only given permissions to a resource group, with no permission on the subscription, then they will only see the resource group they have permissions in. They will then have whatever permissions they have been granted within that group.
Under the surface, every contributer and reader role has the "Microsoft.Resources/subscriptions/resourceGroups/read" action, meaning that anyone with any contributer or reader role can see all resource groups.
There is no built in role that has explicitly defined resourceGroups/write or resourceGroups/* permission.
The only groups with that permission implicitly applied are contributer and owner, which have "*" applied.
This means that only contributers and owners can create resource groups in a subscription.
It would be possible to create a custom role that denied resourceGroup/write
So, to answer your question, to limit a user only to being able to see specific resource groups, ensure that they don't have any access at the subscription level (any access at all at this level will allow them to see resource groups), and only apply permissions to the resource groups you wish them to see.
For example, I have 10 resource groups in a subscription out of which
the user should be able to access only 3 resource groups where the
user can do their operations.
The above is possible with the following steps
Add the user to the subscription. Dont assign any role at subscription level for this user.
Add the User as contributor to the selected three resource groups (in Access Control (IAM)) property thru role assignment.
The above two configuration will enable the user to only view and operate on the explicit three resource groups, other resource group will not appear in Azure portal.
Best practice would be to add the user to security Group and assign the security group to the roles.
Add the user to the Contributor role in those resource groups.
Go to the resource group, then open Access Control (IAM), and add the user to Contributor role. Repeat for each resource group.
Is there a way to combine access rights for a Sitecore item?
For example, I have a page that I would like to lock down to users who are a member of two different roles rather than just just one, and a user who has just one of the roles should be denied access.
I know you can have roles within roles but wondering if there was a simpler way to achieve this?
I'm using Sitecore 7.2.
If you are trying to check this in code, you can easily do so using
var user = AuthenticationManager.GetActiveUser();
return user.IsInRole("Role1") && user.IsInRole("Role2") ? "Granted":"Denied";
But if you are trying to achieve this in Sitecore Security on an item, then an AND of those 2 roles will be assigned. Ex: If I allow access to an item in Role1 but deny in Role2, the user with Roles 1 and 2 will have his/her access denied.
The simplest way to approach this is to define a new role with appropriate access rights and assign the relevant users to it, either manually or by script. That keeps your access rights transparent. You could code your way around the issue, but you could end up creating an admin nightmare, where it's near to impossible to see which roles and users have access to which items. E.g. what would you expect to see in the Access Viewer when looking at one of the roles, or at a user with one or both of the roles? There's a big difference between assigning access rights programmatically and evaluating them programmatically.
One way that you could achieve it via the Security Editor is by utilising Sitecore's Roles in Roles functionality.
Essentially you will want to create a New Role in the Role Manager that will contain the two roles, Role A and Role B. Select your New Role in the Role Manager and click Member Of button. In the modal click Add and select the two roles this New Role needs to contain.
In the Security Editor select the New Role and assign the read, write, create etc permissions to the required Items.
Now when users access those Items they must have Role A and Role B before given access - they will not need the New Role assigned to their account.
If you have a large number of roles to manage and combinations of those it will be very time consuming to manually create those combinations.