I have scenario as, I have say 5 branches for example Branch A, Branch B, Branch C etc. All branches have different set of users and different set of data(in liferay portlets). My requirement is like, Whenever user from Branch A logs in he should not able to logged in to other branch. In short he should not have any permission to view, login to Branch B (other than his own branch).
All 5 branches has two sub-sites.
Eg. Branch A has sub sites Site A1 and Site A2. separate users are associated to the site.
My Question is what should I use to develop such system.
As of now I had created one Organisation and created Location Sub organisation.
How can I restrict user to log in himself into his own organisation and not anyone else.
How can I restrict user to view the contents on his own site and not other site.
Do I need to create User Groups.
Any Pointers would be helpful. Thanks in advance.
First of all: You don't need Locations. They're just like Organizations, but can't have any more suborganizations. This is a limitation that you don't need to impose on your branche offices. You can, but don't need to.
You always log in to your account, not into an organization. When there's content in an organization's site that must not be seen by non-members of that organization, just make the pages private - this restricts them to be seen only by members of the organization.
Membership of organizations is centralized anyways - thus nobody can become member of another organization without an administrator making the connection.
If you need user groups depends on what your overall structure is. If you interface with LDAP, I like to use user groups as the importing target for LDAP groups. If you don't, it still might make sense to group users into User Groups - just to keep an overview over the different memberships and permissions that you give. It's a lot easier if you restrict yourself to not grant any roles and permissions to individual users, only to User Groups - at least once you have a certain number of users.
Related
Is there a possibility where I can share the configuration of my boards and backlogs with the others in my team?
This way they all have the same columns and order columns that I have.
To configure (add, remove and order) columns in the "Boards/Backlogs" page, the users do not need any additional permission, as long as the users at least have the Reader permission in the project.
Each user can configure the columns on the "Boards/Backlogs" page on his own side. All the changes each user does for columns can only be applied to the "Boards/Backlogs" page on his own side, and not affect on other users' sides.
So, if you want your other team members have the same columns and columns order with that of you on the "Boards/Backlogs" page, you can ask the members to add, remove and order the columns on their own side following the style on your side. For more details, you can see "Change column options".
To configure the "Boards/Boards" page, you need the permissions for configuring team settings. To configure team settings, you must be added to the team administrator role or be a member of the Project Administrators security group.
Only the Administrator users can configure the "Boards/Boards" page. The style configured by the Administrator users is applied to the whole team. That means all the members in your team will see the same things on the "Boards/Boards" page. So, you do not need to grant every team member the permissions to configure the "Boards/Boards" page. Just you Administrator users have the related permissions is OK.
Context:
I have recently been given the role as Azure Devops administrator in the small company I work in. I have no previous experience with this role, and I am currently reading through the extensive documentation on the topic.
What I've got:
An azure organization with several users, groups, permissions, and projects, some of which are up to 6-7 years old. Responsibility for the organization has been passed along several times without any clear plan or consequence, and I am attempting to get an overview and clean up the structure.
What I want to do:
I want to grant all users in the entire organization permission to read, comment on, tag people, and create new work items in Boards (especially backlog and sprint) in all projects, including the ones they are not a team member or user of themselves. I have tried several permission group setups, but I can't get anything to work. Suggestions are welcome.
Sorry but I'm afraid we don't support this feature.
We can't do this if the user is not a member of the project. (Unless he's a PCA, but it's not recommended to grant users as a PCA cause it'll make much risk).
So you need to add all users to projects first to give their permisions to boards. Here are detailed steps.
Create a new group Group1 in Organization Settings -> Security/Permissions. Add all users in the organization to this group.
Go to Project Settings -> General/Permissions and create a new group Group2. Set the Group1 as members of Group2.
Go to Project Settings -> Boards/Project configuration -> Areas. Choose the ... context menu for the node you want to manage and select Security.
Search Group2 and set 'Edit work items in this node' to Allow. Note that some important permissions should be set to Deny.
This solution needs you to add groups and set permissions in projects one by one.
I am creating an application that uses Azure AD user groups to grant permissions to specific resources. For example, a particular set of documents can only be accessed by users in specific groups. The application receives the group ids as claims on the JWT and ensures that only documents assigned to groups in the claims are visible.
Now, the question is how to manage groups correctly in Azure AD. When users are assigned to a group become a member of that group and any groups that group is nested in. This seems to imply that my group nesting should be the reverse of the tree structure I would like. Something like this:
Admin --> member of --> Group with most access --> member of --> group with less access --> member of --> group with least access.
To me this seems backwards but it provides the correct access rights to users added to each group.
Am I way off base here or is this a reasonable way to manage access rights with AD groups?
#JoyWang already covered some good points in answer above. Here are some additional considerations. Disclaimer: Due to nature of question, my answer here is mostly opinion and learning from some cases. Idea is to share how I have seen groups getting used along with some related info.
Are the groups specific to your application or more general purpose? Group membership and nested groups are usually used to organize users & groups logically/intuitively rather than design permissions for specific application
Many times Azure AD Groups are used by more than one application and may have a lifetime longer than any one specific application you're developing.
The way you are thinking about nesting groups based on which one has more access v/s less access you're probably concerned about only one particular application that you're developing and thinking about a group's access to this application. This approach will work out if the groups you plan to create are also very application specific and will NOT be used for any other purpose.
Example1: Your application is a blogging app and groups you create in Azure AD are Viewer, Contributor and Admin. (Admin > Contributor > Viewer)
Example2: You have an enterprise using Azure AD and groups organize users logically, say deparatment wise Marketing, Human Resources, Engineering etc.
So, the way you describe nested groups based on lower access permissions to higher, it will technically work out for a simpler scenario like in Example1 but not for Example2 where groups are more general purpose.
Many times general purpose groups already exist and you're expected to reuse them rather than create new ones for your application which require new assignments/membership all over again, but this may or may not be applicable in your specific case.
Also, there can be multiple people managing these groups and their membership so any design/organization pattern you come up with should give importance to intuitiveness even if you have to sacrifice minor application specific efficiency sometimes.
In my opinion, you can look at both flat or nested groups.. if it makes sense from an organization of users and groups standpoint, not just access permissions. Another fictious example: Marketing Group can have a member group like Marketing Content Approvers because it's a subset of Marketing people.
Do consider Application Roles.
They are specific to an application, tied to it's manifest and can be available to you as part of claims in token.
There can be situations like individual resource based access where you want to give permissions to a specific resource where Application Roles may or may not make sense and you still need to rely on groups or users directly. In any case, it's another helpful option available to you.
Managing Groups (as you've asked about this in comments)
Take a look at Self Service Group Management Scenarios (Delegated v/s Self-service) and also Dynamic Groups for dynamic membership rules based on attributes (requires Premium license though).
In AAD, the permissions of a member in the groups depend on the biggest permission of the group which he is a member of. For example, group A can access a resource and group B can't access it, the man is both in group A and B, then he will be able to access the resource.
To me this seems backwards but it provides the correct access rights to users added to each group.
Let we call the three groups as A,B,C, the permission of them is A > B >C. Obviously, if you add A to B, the permissions of A and B both have not been affected. But if you add B to A, the members in A or B will both have the biggest permission, it is no what you want. The same with B and C. This is why it provides the correct access rights to users added to each group as you said.
So in my personal opinion, seems no need to use nested groups, just use three groups with different permissions, it's enough.
We are implementing a Liferay 6. 2 solution, everything was set but then we had a problem. Thing is, we are importing all the users from AD using LDAP with their group information. So, in liferay, we will have users and users' group. We planned to follow organization->sub-organization structure but the customer does not want to assign all the users(no option to assign user groups to organization which i know why and it totally make sense ) to the organization manually which, kind of, makes sense. So, then we had to change our design, now what we are doing is actually creating a department-wise site then assigning user groups to the site and then linking site to organization. So two questions.
Does it make any sense to have organization? if so then what advantages will I have in this particular case.
Do you see any drawbacks in our approach or should we follow a better approach which we are not aware of.
Not sure if this belongs here or on Serverfault.
I have a Sharepoint installation and several Active directory domains. In each domain, I have some Security groups.
I need to create Sharepoint groups that contain those Active Directory groups, but I need to inlude the actual users instead of just the security group. (So in I have Group G1 with Users U1 and U2, my Sharepoint group needs to contain U1 and U2 instead of G1).
Before I build something like this myself (which is rather straight-forward with a Timer Job and some Management forms), I just wonder if something like this is already built in to Sharepoint 2007? Or if they are existing solutions?
Googling brought only results about the normal AD<>SP Profile import, which works fine, but nothing about Security Groups.
This definitely isn't built into SharePoint. It may be available in a third party solution, however my guess is it would be an uncommon requirement so unlikely.
I would probably develop the solution myself. It shouldn't take long.
I would write a timer job for this (if you want to keep the AD groups and SP groups in sync).
Make sure all your groups are in 1 OU (to make for an asy stsrting point for an LDAP query), then iterate through all the security group objects with Directory Services in the TimerJob execute method. Then, iterate through all user objects in the group and add them to the corresponding SP group, remove users that are removed from the AD group from the SP group too.