Azure Cosmos DB - Access different data per user (SQL) - azure

I am new to web development, so the question might be trivial.
I have some physical devices, which will transmit humidity (and other stuff) to Azure Cosmos DB. I want users to be able to read their devices only(through a graph in a web app). All devices end up the the same collection.
I have set up a system in Azure in the following way:
Device -> Azure IoT-Hub -> Azure functions -> Azure Cosmos DB.
The web app uses Azure B2C for users to be able to sign in, but how do i "assign" device-id´s to a user? I have read that it is possible to create access tokens with specific access to certain partition keys, but how do I store the information with access permissions for each user? Do I need a new database for storing this information only?
In the beginning it is fine if I have to grant permissions manually.
General info:
The data in the Azure cosmos db are using device-id as the partition key.
Users can have more than one device.
The web app is running ASP.NET core (I am new here).
The web app requires log-in to be accessed.
I am coding in Visual Studio 2019, and have used the example with a build-in authorization.
Thank you for your help.
NOTE: It might be too much to ask for, but a general explanation together with a code example would be perfect for me :)
UPDATE:
I managed to fetch the email of the logged in user:
#using System.Security.Claims; // for using ClaimsIdentity
// Get user information
var userEmailAddress = ((ClaimsIdentity)User.Identity).FindFirst("emails").Value;
My initial idea is then to have a database containing: "Email" and "accessible devices". I guess this has to be a separate database since i need the Time-To-Live parameter in cosmos db.

You might be able to achieve what you are looking for by using Resource Tokens.
As in this sample from the documentation, you can assign permissions by partition key:
//Create a user.
Database database = benchmark.client.GetDatabase("SalesDatabase");
User user = await database.CreateUserAsync("User 1");
// Create a permission on a container and specific partition key value
Container container = client.GetContainer("SalesDatabase", "OrdersContainer");
user.CreatePermissionAsync(
new PermissionProperties(
id: "permissionUser1Orders",
permissionMode: PermissionMode.All,
container: benchmark.container,
resourcePartitionKey: new PartitionKey("012345")));

Alright, I have been busy with other projects, but i finally came back to this issue.
So basically the reason why I wanted a separate database was because I need the TTL on the Azure Cosmos-DB, and I do not want to delete the user permissions.
It turns out that it is possible to overrule the database's default TTL by setting a "ttl" field in the document itself. Thereby it is possible to exclude documents from being deleted.
So the basic solution is:
Create a documents with a "ttl" parameter set to -1 to exclude it from being deleted. Then this document can contain information about which users have access to what.

Related

What are my options if I need to store data on behalf of a user in Microsoft Azure?

I am building a Microsoft Teams application and I need to store sensitive user data (access tokens and some additional stuff) for each user using my application.
My requirement is that this data can only be accessible from the user and no one else - and it needs to potentially serve tens of thousands of users. Furthermore, this data shall be accessible from any Microsoft product (i.e. not bound to MS Teams, but let's say, as long as I get a the JWT, then I would be able to access the data).
What are my options using Azure? Is there some kind of storage I can use OOTB? Or, would I need to select an Azure service for this? If yes, which service would be the best? Can I instantiate such service for ALL the users I need to serve, or would I need a separate instance for each tenant the user is coming from (e.g. its company?).
Thanks a lot for helping me out, I tried to figure this out already and I got some ideas, but I am still confused.
Based on the requirement, you can store the sensitive user data with the following options
Azure keyvault: For Secrets Management, Key Management and Certificate Management.
Azure storage tables: To store and retrieve the access tokens, users data and the conversation.

How can I detect the user sign up event from Azure API Management?

I've been using Azure API Management recently, and I would like to know if there is a way to detect the sign up process performed from the included Developer Portal.
Basically I need to be able to get the user unique id, to be able to map data stored in a database.
Is configuring Delegation the only way to capture this event?
Try to enable the Resource Logs, it includes the userId.
Reference - https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-use-azure-monitor#resource-logs

Azure Active Directory - Role based Store Manager

I need to implement the store based access to web portal. For that we have created the following roles
Admin
Store Manager1
Store Manager2
I am able to implement authorization for Store Manger 1, Store Manager 2. If there are around 500 stores do I need to add 500 roles in active directory since each role has different view?
It sounds like quite a lot of work to make roles for each store. Though you could automate it with PowerShell, to me it seems a bit weird.
You could instead just have a Store Manager role, and then on your app side check which stores they access to. One way would be a relational table with one column being the user's id and the other a store id they have access to. You can query that when you authenticate the user and store the values in claims/session data.

Microsoft Azure : Add users and map them to a database + add database roles

I am brand new to Azure so please bear with me ...
Using export tool in SSMS I managed to copy all of my tables from local database to Azure.
Now the most important part, adding users and mapping them to a database is unexplained.Also adding roles to database.Maybe it is explained but I sincerely dont understand a word of it. Seen some movies on YouTube but they mostly deal with database creation. SSMS is virtually useless for the Azure task (Or at least I do not know how). Also I can not find any tool on Azure dashboard to do it with.
So can someone to me explain in plain english the functionality of this stuff.
What I could fathom is that you need to add users first to the Master database. Ok, I add user with a query:
CREATE LOGIN USER1 WITH PASSWORD = 'AG123SAL#'
So the user is added to the Master database.
Now, how do I map this user to a certain database?
How do I set what he can do?
And how do I add roles to my database and add user to role ?
This is all very hard for a total newbie ...
You can use Contained user database model,instead of old model..The way to do this is to connect to database on which you are trying to provide access to a user and run
CREATE USER mary WITH PASSWORD = 'strong_password';
to provide permissions to this user
ALTER ROLE dbmanager ADD MEMBER Mary;
Microsoft recommends this model ,when using SQLAzure since this is database as a service..Below is a quote from microsoft on same
As Microsoft evolves the SQL Database service and moves towards higher guaranteed SLAs you may be required to switch to the contained database user model and database-scoped firewall rules to attain the higher availability SLA and higher max login rates for a given database. Microsoft encourage you to consider such changes today.
If you are looking for old model of login-user based heirarchy,you can read below
to create login:
create login mary with password='password'
Now to map user to database,you need to create user and map to that login.Login to the database ,you want to provide permissions and create user
create user marydb1 from login mary;
you also can assign roles as well
ALTER ROLE dbmanager ADD MEMBER Mary;
Updated as per comment :
create role
create role rolename AUTHORIZATION db_manager*;
*:this should be user has total permissions on the database..since we may use this as base
now add permissions to that role
grant select,update,delete to rolename;
now add users
ALTER ROLE rolename ADD MEMBER username;
Look at this sql server authentication with Azure SQL Database tutorial
https://learn.microsoft.com/en-us/azure/sql-database/sql-database-control-access-sql-authentication-get-started

ASP.NET Multi-tenant App on Azure - handling authentication and connection to separate tenant databases

I have a Multi-tenant App (ASP.NET Web Forms) on Azure, a single SQL Azure DB stores membership and each tenant has a separate SQL Azure DB for their data. Initially with 10 tenants, each tenant with around 2,000 users, but this could increase up to 50 tenants.
Am I on the right track when it comes to authentication and connecting each user to the appropriate tenant DB...
1). User authenticates with Membership DB
2). Retrieve the users TenantID (which is stored as part of User Profile)
3). Select DB Connection string from cscfg file based on TenantID
4). Store Connection string in Session (AppFabric cache)
The above approach requires storing a separate connection string per tenant within the Azure Service configuration file, which could be up to 50? Is their a better way of doing this? For instance adding an additional table to the membership DB to store connection strings? What is best practice?
Your views and opinions would be greatly received.
Thanks in advance.
Ben
My team built a multi-tenant sample app that you can take a look at, to get ideas about identity management, database management, etc. It maps tenant to tenant database, and also supports multiple database servers to deal with 150-database-per-server limit.
You can grab the Cloud Ninja project here.
Another option that you could look into would be Sharding with SQL Azure:
http://blogs.msdn.com/b/sqlazure/archive/2010/12/23/10108670.aspx
Then you wouldn't need all the databases and to worry about storing all those connection strings.
I don't think there's any major problem in your solution.Ref your concern about the connection string, maybe you can use some algorithm to calculate the tenant database base from the tenant name/id.
One thing for security, when you store tenant connecting string in session, you might need to encrypt or hash, to ensure the end user will not be able to know the connection string and hack into your system.
I think there might be issues storing membership data into a central database. the data will grow along with the growth number of tenants. The database backup need extra step to include membership data as well. I will rather keep membership data into individual tenant DB. In terms of connection string, you can use table storage or a single central db to keep tenant information and related connection string. It is not recommended to store into cscfg file as this is dynamic based on number of tenants. Just my 2 cents.

Resources