Azure Active Directory - Role based Store Manager - azure

I need to implement the store based access to web portal. For that we have created the following roles
Admin
Store Manager1
Store Manager2
I am able to implement authorization for Store Manger 1, Store Manager 2. If there are around 500 stores do I need to add 500 roles in active directory since each role has different view?

It sounds like quite a lot of work to make roles for each store. Though you could automate it with PowerShell, to me it seems a bit weird.
You could instead just have a Store Manager role, and then on your app side check which stores they access to. One way would be a relational table with one column being the user's id and the other a store id they have access to. You can query that when you authenticate the user and store the values in claims/session data.

Related

What are my options if I need to store data on behalf of a user in Microsoft Azure?

I am building a Microsoft Teams application and I need to store sensitive user data (access tokens and some additional stuff) for each user using my application.
My requirement is that this data can only be accessible from the user and no one else - and it needs to potentially serve tens of thousands of users. Furthermore, this data shall be accessible from any Microsoft product (i.e. not bound to MS Teams, but let's say, as long as I get a the JWT, then I would be able to access the data).
What are my options using Azure? Is there some kind of storage I can use OOTB? Or, would I need to select an Azure service for this? If yes, which service would be the best? Can I instantiate such service for ALL the users I need to serve, or would I need a separate instance for each tenant the user is coming from (e.g. its company?).
Thanks a lot for helping me out, I tried to figure this out already and I got some ideas, but I am still confused.
Based on the requirement, you can store the sensitive user data with the following options
Azure keyvault: For Secrets Management, Key Management and Certificate Management.
Azure storage tables: To store and retrieve the access tokens, users data and the conversation.

Azure Cosmos DB - Access different data per user (SQL)

I am new to web development, so the question might be trivial.
I have some physical devices, which will transmit humidity (and other stuff) to Azure Cosmos DB. I want users to be able to read their devices only(through a graph in a web app). All devices end up the the same collection.
I have set up a system in Azure in the following way:
Device -> Azure IoT-Hub -> Azure functions -> Azure Cosmos DB.
The web app uses Azure B2C for users to be able to sign in, but how do i "assign" device-id´s to a user? I have read that it is possible to create access tokens with specific access to certain partition keys, but how do I store the information with access permissions for each user? Do I need a new database for storing this information only?
In the beginning it is fine if I have to grant permissions manually.
General info:
The data in the Azure cosmos db are using device-id as the partition key.
Users can have more than one device.
The web app is running ASP.NET core (I am new here).
The web app requires log-in to be accessed.
I am coding in Visual Studio 2019, and have used the example with a build-in authorization.
Thank you for your help.
NOTE: It might be too much to ask for, but a general explanation together with a code example would be perfect for me :)
UPDATE:
I managed to fetch the email of the logged in user:
#using System.Security.Claims; // for using ClaimsIdentity
// Get user information
var userEmailAddress = ((ClaimsIdentity)User.Identity).FindFirst("emails").Value;
My initial idea is then to have a database containing: "Email" and "accessible devices". I guess this has to be a separate database since i need the Time-To-Live parameter in cosmos db.
You might be able to achieve what you are looking for by using Resource Tokens.
As in this sample from the documentation, you can assign permissions by partition key:
//Create a user.
Database database = benchmark.client.GetDatabase("SalesDatabase");
User user = await database.CreateUserAsync("User 1");
// Create a permission on a container and specific partition key value
Container container = client.GetContainer("SalesDatabase", "OrdersContainer");
user.CreatePermissionAsync(
new PermissionProperties(
id: "permissionUser1Orders",
permissionMode: PermissionMode.All,
container: benchmark.container,
resourcePartitionKey: new PartitionKey("012345")));
Alright, I have been busy with other projects, but i finally came back to this issue.
So basically the reason why I wanted a separate database was because I need the TTL on the Azure Cosmos-DB, and I do not want to delete the user permissions.
It turns out that it is possible to overrule the database's default TTL by setting a "ttl" field in the document itself. Thereby it is possible to exclude documents from being deleted.
So the basic solution is:
Create a documents with a "ttl" parameter set to -1 to exclude it from being deleted. Then this document can contain information about which users have access to what.

Azure App Registration change/switch directory

I am trying to set in order the Azure's Subscription of the company where I work. Long story short I have to deal with two Azure Active Directories. The first one is the main AAD (we will call it "MasterAD") where all the resources are deployed (servers, DBs, etc). The second one is a development purpose AAD ("DevAD"). In the DevAD there are two "App registrations" that we use to log in our clients in our web applications.
I would move those App registrations to the MasterAD. This way I could manage all the resources in one place without going around through ADs (and remember what is located where).
Is it possible to do that without changing the Application's IDs/Keys? I would not ask all my clients to grant again permissions for a "new" App registration.
You can't move the application object and keep the ids.
The ids will change.
I would do this:
Create new apps in MasterAD
Make sure all existing users are in MasterAD (as members or guests)
Change apps to use MasterAD instead with new client id / authority / keys
One thing to keep in mind that users' object ids are different in each directory.
One user added as a guest to another directory has a different unique id there.
If you have tied data to user object ids in a database etc., you'll have to prepare a migration to change those ids all at once.

Microsoft GraphAPI: How do I retrieve the assigned groups of an azure user?

As you can see my question above, I was wondering if it is possible to retrieve the assigned groups of an Azure Active Directory (AAD) based user via Microsoft GraphAPI.
My situation is, that I have an ASP.NET MVC project with Microsoft Azure enabled. My goal is, that an Azure user can login on my website with it's Azure account.
The idea is, that an azure user is an admin or an user (depending on the azure groups) and depending of this role group, the user can view more or less of my webpage.
For example:
When Peter logs in with his azure account on my webpage, he should only be able to see:
Add new Document
Edit Document
Remove Document
because he is only assigned as "User" in Azure Active Directory.
But when Sabrina logs in with her azure account on my webpage, then she should be able to do the same as Peter, but she also can see:
Manage Products
Add new customer
etc.
because she is been assigned as an admin in Azure Active Directory.
My problem is, that I did not find out how I retrieve the assigned group of an user with Microsoft GraphAPI. The part, which user can see or not after I got the roles is not a big deal.
I already tried this API call:
https://graph.microsoft.com/v1.0/me/
But it seems, that the response of this call does not include the actual assigned group of that user.
Do you think it is possible to retrieve the assigned group of an azure user? Is this even possible? Or do I have to do something else to retrieve these information?
I hope you understand my point and I am also looking forward for any response. Thanks in advance!
Add /memberOf to the URL to receive the groups a user is member of.
https://graph.microsoft.com/v1.0/me/memberOf
Here's a link to the specific graph api - https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_getmembergroups
Take a look at this sample application on Github. It does something very similar with a task tracker application, where different users are able to perform different actions based on the group they belong to -
https://github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims/blob/master/README.md
Also, in cases where a user is a member of too many groups, you get back an overage indicator and have to make a separate call to get all groups. Read about “hasgroups” and “groups:src1” claims here - https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-id-and-access-tokens
According to your system architecture, if some user has too many joined groups, the API https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_getmembergroups will return too many groups.
But if the groups with permissions in your system are not too much, you can use this API: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_checkmembergroups to check if the current user is the member of specified groups.
It is not good idea to use this API: https://graph.microsoft.com/v1.0/me/memberOf. Because it returns only the groups that the user is a direct member of, but security group can be member of security group.

How do I manage authorization (not authentication) with node and a postgresql db?

This question is regarding authorization, not authentication which i will be managing with passportjs. How do i restrict access for data that's bound to specific users without spreading user_id's all over every table in the database?
Should i create a new database user for each new user of my app and restrict access that way? Or is the "user id in every table" approach actually a good way to go?
I'm working on a project right now where someone else wrote the authorization logic and it works using a kind of authorization path in the code so it can find which user a resource belongs to using some breadcrumb logic.
But I'm really at a loss here and I'm having a hard time finding any information regarding this since almost all articles that I find are about authentication rather than authorization. And I do not mean access to a resource, but rather the filtration of data returned from a resource that the user has access to.
If you want to restrict access of users to certain objects, you either have to store that information with the user or with the object.
The latter is the preferred way because it makes permissions disappear with the object. That's the way PostgreSQL does it – it stores an access control list (ACL) with every object.
So you can either use PostgreSQL to implement privileges (then every application user or at least every group with equal privileges has to have a database user, and you can use permissions on tables and columns and row level security), or you implement it in your application and have some sort of ACL with every row in the database.

Resources