My team and I are handling hundreds of subscriptions that are belonging to different teams.
Many of them have different needs in terms of security, services to be used, etc whereas we, as a central platform, also make sure that everyone work with the same baseline (security, monitoring, automation, etc.).
We of course have a need to handle RBAC and we are using custom roles a lot. I was wondering if there was a way to create a custom role based on another one to benefit from "classic inheritance".
So I could create for example a role named "basic_user" that would contains a set of "Actions" and an "advanced_user" could have "basic_user" accesses plus additional ones, and so on with "super_advanced_user".
I know that Microsoft has designed it the opposite way so far, allowing us to assign multiple roles to a given individual/group, but for internal design reasons, we would like to stick to one role assignment for a given recipient (one AAD group containing all people accordingly to their role).
Is this something technically feasible/reproducible or does anyone heard about such a feature ? Or maybe is it something we should not consider because of some reasons you'd want to highlight ?
The feature that you would like to implement as you described is not currently not available as you were already aware of this. But however you can post about this feature directly via this link. It will reviewed directly by the Microsoft engineering teams and will respond.
Related
I am creating an application that uses Azure AD user groups to grant permissions to specific resources. For example, a particular set of documents can only be accessed by users in specific groups. The application receives the group ids as claims on the JWT and ensures that only documents assigned to groups in the claims are visible.
Now, the question is how to manage groups correctly in Azure AD. When users are assigned to a group become a member of that group and any groups that group is nested in. This seems to imply that my group nesting should be the reverse of the tree structure I would like. Something like this:
Admin --> member of --> Group with most access --> member of --> group with less access --> member of --> group with least access.
To me this seems backwards but it provides the correct access rights to users added to each group.
Am I way off base here or is this a reasonable way to manage access rights with AD groups?
#JoyWang already covered some good points in answer above. Here are some additional considerations. Disclaimer: Due to nature of question, my answer here is mostly opinion and learning from some cases. Idea is to share how I have seen groups getting used along with some related info.
Are the groups specific to your application or more general purpose? Group membership and nested groups are usually used to organize users & groups logically/intuitively rather than design permissions for specific application
Many times Azure AD Groups are used by more than one application and may have a lifetime longer than any one specific application you're developing.
The way you are thinking about nesting groups based on which one has more access v/s less access you're probably concerned about only one particular application that you're developing and thinking about a group's access to this application. This approach will work out if the groups you plan to create are also very application specific and will NOT be used for any other purpose.
Example1: Your application is a blogging app and groups you create in Azure AD are Viewer, Contributor and Admin. (Admin > Contributor > Viewer)
Example2: You have an enterprise using Azure AD and groups organize users logically, say deparatment wise Marketing, Human Resources, Engineering etc.
So, the way you describe nested groups based on lower access permissions to higher, it will technically work out for a simpler scenario like in Example1 but not for Example2 where groups are more general purpose.
Many times general purpose groups already exist and you're expected to reuse them rather than create new ones for your application which require new assignments/membership all over again, but this may or may not be applicable in your specific case.
Also, there can be multiple people managing these groups and their membership so any design/organization pattern you come up with should give importance to intuitiveness even if you have to sacrifice minor application specific efficiency sometimes.
In my opinion, you can look at both flat or nested groups.. if it makes sense from an organization of users and groups standpoint, not just access permissions. Another fictious example: Marketing Group can have a member group like Marketing Content Approvers because it's a subset of Marketing people.
Do consider Application Roles.
They are specific to an application, tied to it's manifest and can be available to you as part of claims in token.
There can be situations like individual resource based access where you want to give permissions to a specific resource where Application Roles may or may not make sense and you still need to rely on groups or users directly. In any case, it's another helpful option available to you.
Managing Groups (as you've asked about this in comments)
Take a look at Self Service Group Management Scenarios (Delegated v/s Self-service) and also Dynamic Groups for dynamic membership rules based on attributes (requires Premium license though).
In AAD, the permissions of a member in the groups depend on the biggest permission of the group which he is a member of. For example, group A can access a resource and group B can't access it, the man is both in group A and B, then he will be able to access the resource.
To me this seems backwards but it provides the correct access rights to users added to each group.
Let we call the three groups as A,B,C, the permission of them is A > B >C. Obviously, if you add A to B, the permissions of A and B both have not been affected. But if you add B to A, the members in A or B will both have the biggest permission, it is no what you want. The same with B and C. This is why it provides the correct access rights to users added to each group as you said.
So in my personal opinion, seems no need to use nested groups, just use three groups with different permissions, it's enough.
I am a part of a group trying to create an Amazon Mechanical Turk Requester task. We'd like to either have a group account or have multiple accounts with access to the same project. I've been looking around and cannot find a way to do this. Is it possible to make this happen without sharing a single account?
This may not be perfect, but if you're an MTurk API customer, you can use Identity and Access Management (IAM) to have a single account (with a credit card on file) but provide multiple sets of API credentials (AWS Access Keys and Secret Keys) that you can provide to reach person/group that wants to use the account. This isn't a perfect solution because:
It is only applicable to the MTurk Application Programming Interface (API)
There aren't quotas or controls to limit spending on one person vs. another
Each account can still access each other's HITs (it isn't separate accounts)
You can learn more about IAM support in MTurk here: https://blog.mturk.com/introducing-mechanical-turk-api-support-for-iam-credentials-8f2de8cd6afb
There is not currently a way to do something similar in the Requester Website (requester.mturk.com).
Hope that helps a little.
We are implementing a Liferay 6. 2 solution, everything was set but then we had a problem. Thing is, we are importing all the users from AD using LDAP with their group information. So, in liferay, we will have users and users' group. We planned to follow organization->sub-organization structure but the customer does not want to assign all the users(no option to assign user groups to organization which i know why and it totally make sense ) to the organization manually which, kind of, makes sense. So, then we had to change our design, now what we are doing is actually creating a department-wise site then assigning user groups to the site and then linking site to organization. So two questions.
Does it make any sense to have organization? if so then what advantages will I have in this particular case.
Do you see any drawbacks in our approach or should we follow a better approach which we are not aware of.
We have to authorize hundreds of users for a cube, and the users must be restricted to individual dimension members. Two dimensions are relevant for the permissioning, a datatype permission (with only 10 members) and a customer dimension (with 2000+ members).
Since one user can be permissioned for any number of datatypes and customers, we could build one role per datatype and one role per customer... ending up with 2010+ roles. The datatype roles are not authorized for any customers and vice versa, therefore we could enable users for any combination of datatypes and customers.
On the other hand, if we create one role per user, we end up with only hundreds of roles. I therefore do not see the benefit of roles in our scenario. We will probably use AMO to maintain the roles.
My question is, if there is a penalty when using one role per user or it this is a tested method. Of course I am also interested in any alternative approach.
Problem in this case is that you don't have any data that would help you automate the roles.
So in order to make use of suggestions by mmarie you will need to further develop your cube and to maintain the user-customer relationship somehow (more horrible admin work).
Technically your scenario seems simple enough to be handled by http://easyroles.com which was made specifically to help out in these situations.
Disclaimer: I am involved with eR tool, but there is no other way I can answer this question since there are no other tools that are made for this.
I'm trying to get my head around SSO concepts and how they fit to my situation, and I've got to the point where I'm a bit stuck. Assuming we use something like Azure AD, or Ping Identity or something along those lines, we want to enable social login (google account / facebook etc) - that is all fine. The bit I keep getting stuck on is how do I control the claims to attach to that identity?
Process (in my head) overview:
- User logs in with google (facebook etc) account, they associate the google account with their 'legacy' account (i.e. link up their social login with their internal identifier that we as a business identify them as) what what ever that process is, does not matter for this discussion (i dont think).
Now when a user logs in with their social account, how do I perform the lookup of that mapping to their internal identifier to add it as a claim, and add the related other claim for that user based on information my organisation knows about them (e.g. If they are over 21, what 'level' of a member they are etc).
I get that if we had one RP using SSO, it as the RP could perform this logic, but we have the situation where we have several internal (and potentially externally managed) systems (4-5 currently) we want to tie together using SSO - which will rely on these claims for access / personalisation etc.
The closest I have seen to this is the concept of a RP-STS - which would effectively from what I could work out sit in front of Ping / AZ AD to form part of the chain, so so it can do the internal lookup and add additional claims as necessary - does that make sense as a concept? Is that the right approach?
I'm sure this can't be un-common - but i can't seem to find any good example / documentation around the full integration (plenty on just AZ AD / Ping etc) that we need. There must be off the shelf products that can do this? (We really dont want custom SSO implementation / components if possible)
The closest I have seen to this is the concept of a RP-STS - which
would effectively from what I could work out sit in front of Ping / AZ
AD to form part of the chain, so so it can do the internal lookup and
add additional claims as necessary - does that make sense as a
concept? Is that the right approach?
That is exactly the role of an RP-STS (or "Federation Provider" in some of the literature). It sits in between your apps and multiple "Identity Providers" and is usually responsible for 2 things:
Protocol transition (e.g. your app might be WS-Fed or SAML, but Facebook is OAuth2)
Claims transformation and enrichment (e.g. add, remove, transform claims based on some logic).
There are several implementations of this with various degrees of sophistication/flexibility, and trade-offs:
Azure Access Control Service can do #1 and (somewhat limited) #2. But it is unclear whether the service has any future or if it will be subsumed by Azure AD.
IdentityServer can do all. It is OSS so you "own" it (e.g. host, operate, customize, etc). It's a great implementation, used in production, written by experts (Dominick Baier & Brock Allen) and very flexible.
ADFS can do some (limited # of protocols, proprietary claim transformation language that is complex to debug, but works). You have to host ADFS yourself. This is a MSFT product.
The company I work for offers similar capabilities too.