I have a project in Identity management for which I am hoping someone can point me in the right direction. It's role-based provisioning, basically I need to know how to provision a specific application based on certain user attributes (e.g. job title, dept) and then to automatically raise a provisioning request for that application. The application is a disconnected application and will be provisioned manually.
What we are trying to achieve is that once a user has been created in OIM and if he or she meets those criteria, the OIM will generate the request for the application so they can be provisioned for them. Is there a way to implement this within OIM?
You can just use the scheme where a role in OIM has a membership rule to automatically grant a user the role if some of user's attribute match specific condition.
Then you can create an Access Policy to provision a disconnected resource and attach it to this created role. Usually disconnected resource provisioning will create a SOA workflow where there is a human task to complete the provisioning operation.
All you need is a Role with desired membership rule and an Access Policy attached to it. Role and membership rule can be created with OIM Role creation wizard. You can create a policy from admin console and associate your role and resource with it. Do provide default required parent form fields (at least IT Resource).
In case you want to add default entitlements edit the child form and add those.
Related
We have an issue with App registration custom role functionality within Active directory in Azure. When user is added to a custom role we need a way to somehow specify additional information that we need to send from azure to client application. Precisely in our case we have entity “restaurants" within our client application. We need to somehow inform client app from Azure that certain role can access only certain restaurant or multiple restaurants. So in a way we need to add additional information to the role-user relationship (which is many to many) and specify for which restaurant is the role added to the user.
Currently the only way for me to do this is to add a pattern in custom app role value field and to specify restaurant ID (or IDs) for each role but that means we need to add custom role for each role and restaurants. If we have 50 restaurants and 3 roles that would result us in having to make 150 custom app roles inside azure. Please let us know if this is somehow possible to be setup this relationship more elegantly.
Please let me know if further clarification is needed.
Thank you.
I found sample code from Microsoft docs but it doesn't seem to work.
If anyone has any insight that would be helpful.
Also the broad question is if that is even possible.
As the NodeJS uses Tedious library, it's not clear if Tedious is able to support AAD connection.
Sample code was taken from: https://learn.microsoft.com/en-us/azure/azure-sql/database/connect-query-nodejs?tabs=windows
It has the code sample with type: azure-active-directory-msi-app-service which I think should work.
The error I am getting is 'Security token could not be authenticated or authorized.'
The managed-identity user is added to the resources, with permissions
The code was working after adding a 'reader' role for principle user in sql server.
The steps that are required to connect SQL Server through AAD - Managed identity for NodeJS project are as below:
Create sql-server with sql-server database in an azure resource.
Create an azure-web app within the same azure resource.
Create a principle user in the web app.
This can be done by going to the azure web app > Settings > Identity menu > System-assigned tab and turning on the toggle.
In the sql-db create the user with the same name as principle user that was created in step 3. The name is same as web-app.
Also assign db_reader, db_writer, and ddladmin roles to the user.
You may use the below script to create and assign role to the user. (One thing to consider if it fails to create the user, you might need to rename the app-service name as in my case it was not allowing me to create the User saying it already exists).
**CREATE USER [<identity-name>] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [<identity-name>];
ALTER ROLE db_datawriter ADD MEMBER [<identity-name>];
ALTER ROLE db_ddladmin ADD MEMBER [<identity-name>];**
Add the reader role to the principle user in the sql server. (The one that I was missing).
This can be done by going to the Sql server resource(in Azure)> Access control (IAM)
Select Reader and select member/user (principle user with the app name), and assign the role reader to that user/member.
After all these configuration part is done, use the code from microsoft docs. For me lower node version was not working so needed to upgrade the node version.(14 in my case).
https://learn.microsoft.com/en-us/azure/azure-sql/database/connect-query-nodejs?tabs=windows
Also the connection was successful only in the deployed version.
Hope this is helpful !! :)
I have one Salesforce profile and one permission set in Salesforce. As per the requirement, there are two user personas in our Salesforce application.
Persona 1 -> SF Profile
Persona 2 -> SF Profile + Permission Set
To achieve the above configuration using Azure AD auto-provision, we have created two security groups and added relevant business users into those two groups. Currently, we struggling to determine the best approach on how to assign the Salesforce permission sets to the users in the "Persona 2" user group.
You already have Single Sign-On configured in SF, right? At the bottom of the page there's place for just-in-time (JIT) login handler class.
You'd have to write that class but there are some online examples for ... implements Auth.SamlJitHandler. Once you have the class skeleton ready - use System.debug(JSON.serializePretty(attributes)); or something similar to see what Azure Active Directory sends. Last time I used this AAD couldn't send groups info but it could send role(s). So we determined unique sets of users and if role is X - check if the user has permission set X assigned and if not - assign it. We then expanded it to other SF features (groups, queues, user role, profile...). PermissionSetAssignment is the table you need.
If you don't want to write code for this there's always Identity Connect but that's paid and on-premise agent program (I think). No idea if it can work with AAD. But you'll get simple interface for the mapping.
I have an Azure Active Directory Application (and associated Service Principal). That Service Principal needs to be able to add and remove members from an Azure Active Directory Group...so I have added Read and write directory data under Application Permissions:
And I have code that uses the Client ID and Client Secret to get an Authentication Token an perform these operations using the Azure Graph API.
However, this permission is far too broad. I need the Application/Service Principal to only have the ability to add and remove members from specific groups (not all)...and not the ability to perform other types of operations.
Is there a way to do this?
Thank you.
There is a preview feature that partly fits your requirement: "Group.ReadWrite.All". It lets your principal create and update groups and their navigation properties (incl. members). It does not however reduce the permissions to modify only certain groups.
AAD permission scopes are described here: https://msdn.microsoft.com/Library/Azure/Ad/Graph/howto/azure-ad-graph-api-permission-scopes
Preview features may be subject to change and you'll have to agree to reduced service terms etc.: https://azure.microsoft.com/en-us/services/preview/
We managed to install weceem plugin and could map with user roles. But we need more control as follow. There are tenants in the system, users of which have the same roles. But each tenant in the grails app is fully isolated from other tenants. So we plan to create one space for each tenant. Then we want to grant access for users of one tenant to their specific wecem space. This way users of one tenant can't access the content of another SPACE meant for another tenant. We can't isolate based on roles, because users of all tetants will have same role - like 'Tenant Admin'.
Can we write an intercptor in the controller (or somewhere else) which will be invoked by the security framework, and we want to write custom code in that intercptor to determine that the tenant is accessing only his specific SPACE and that allow access, else deny ?
can we create SPACE progamatically from the main application ? like, when a tenant is created in the system, we want to create a SPACE for him.
There is a default weceem-security bridge (weceem-spring-security plugin) that defines user management system between application and weceem. You can implement your own security decision that takes tenants into account and define credentials to the specified Space. Check the weceem-security plugin sources to get the ideas https://github.com/jCatalog/weceem-spring-security/ . According to second question - you can create Space programmatically from the application if you need.