Is there a way to create a group admin using the API?
Someone who is able to add and delete users from the group but not from the general administrator account?
I can see there are only 3 permission profiles that can be assigned to a group, Administrator
Thanks.
Currently DocuSign does not use a tiered administrator structure with either the API or their standard console.
Several DocuSign employees that I've talked with have suggested that a tiered structure is in the works, but they don't have a release date for that as yet.
As a temporary fix to this, if you have an account administrator at DocuSign (and depending upon your account setup) you can request that they create sub-accounts to which you can assign groups of users and limit administrators from reaching other accounts. This is the solution we used for multiple business units that didn't need access to each other's documents.
You can create more permissions profiles, but the degree to which your users can access settings remains largely the same.
Hope this helps.
Related
Recently we have purchased a production account. I have logged into the account as Account Administrator but I am unable to see Docusign Admin. This was not the case for the developer account where it was already present from beforehand.
I need it as I have to add an organisation.
Below I have added a picture of how it looks in dev account.
So, most likely you have someone else in your company who is the admin. You will need to find out who that is.
Every account has to have one admin at all times. You don't seem to have administrative rights, but someone else may have.
If not, or if you don't know who that is, you will need to contact customer support to get this restored and take over as admin.
Another option is that you have multiple accounts in production. Meaning, when you log in, your user is a member of more than one account. You need to switch accounts. That switcher is an option on the top-right menu.
If you had "Admin" in Demo, then someone had to add that as it is not provided by default. Admin tools (Org Management and Access Management w/ SSO) are only included in the Enterprise Pro plan. For Business Pro or Standard plans, it is a paid add-on. Check to see if your account is an Enterprise Pro plan.
Also, if your company already has Org Mgmt, a "DocuSign Admin" (org, not account admin) needs to link this new account to the Org.
I'm writing an API integration for docusign and I wanted to create a second organization for testing, but I can't do it because when I reach the screen to add accounts to the organization, I can't see any accounts listed.
I visit https://admindemo.docusign.com/create-organization
I fill the Name and Description, and press Next
In the Link Accounts page, I see no accounts. How can I add some accounts to this screen?
I'm not sure I understand the relationship between accounts and users, because I have created some users from the Admin>Users screen, but those are not displayed in the account page.
If it isn't asking too much, could I have a short explanation of the difference between these users and what the Organization page asks for, "Accounts"? I remember when I created these "Users", I had to provide an email account, and for me that relationship between Service and Email is what I normally consider an Account.
How can I add some new Accounts to create a second Organization and test the API?
Or, since I want to create more organizations to test if DocuSign has an option to make an organization Primary, is there such an option? I tried browsing the Organization settings but I could not find this.
Can I make one organization the "Primary" organization for an account? How would this be reflected in the response of the API endpoint?
Thank you very much!
Here is a diagram explaining the relationship between organization, accounts, members and users. Hope this makes sense.
An account can only belong to a single organization, therefore, you need another account to get another organization (but an organization can have more than one account).
How can I restrict users' access to their OneDrive accounts in Office 365 without disabling the license?
You could use Conditional Access to disable access to OneDrive for everyone who is not a member of a certain security group.
From an implementation standpoint I would not recommend this approach though, as your users will still see OneDrive and SharePoint in all their apps and the web portal, but get an error when they are trying to connect, which will likely confuse them.
While you say you don't want to disable the licenses, you could use group based licensing in Azure AD. This not only allows you to assign licenses to users based on group memberships automatically, but also select which features of a given license should be enabled for members of this group.
When a user needs a license, simply switch them from the group with OneDrive disabled to the other with OneDrive enabled. This will give your users a better experience until you actually enable OneDrive for them.
As you can see in my question above, I was wondering if it is possible to retrieve the assigned groups of an Azure Active Directory (AAD) based user via Microsoft Graph API.
My situation is that I have an ASP.NET MVC project with Microsoft Azure enabled. My goal is that an Azure user can log in on my website with their Azure account.
The idea is that an Azure user is an admin or a user (depending on the Azure groups), and depending on this role group, the user can view more or less of my webpage.
For example:
When Peter logs in with his Azure account on my webpage, he should only be able to see:
Add new Document
Edit Document
Remove Document
because he is only assigned as "User" in Azure Active Directory.
But when Sabrina logs in with her Azure account on my webpage, then she should be able to do the same as Peter, but she can also see:
Manage Products
Add new customer
etc.
because she has been assigned as an admin in Azure Active Directory.
My problem is that I did not find out how to retrieve the assigned groups of a user with Microsoft Graph API. The part about which user can see what after I have got the roles is not a big deal.
I already tried this API call:
https://graph.microsoft.com/v1.0/me/
But it seems that the response of this call does not include the actual assigned groups of that user.
Do you think it is possible to retrieve the assigned groups of an Azure user? Is this even possible? Or do I have to do something else to retrieve this information?
I hope you understand my point and I am also looking forward to any response. Thanks in advance!
Add /memberOf to the URL to receive the groups a user is a member of.
https://graph.microsoft.com/v1.0/me/memberOf
Here's a link to the specific graph api - https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_getmembergroups
Take a look at this sample application on Github. It does something very similar with a task tracker application, where different users are able to perform different actions based on the group they belong to -
https://github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims/blob/master/README.md
Also, in cases where a user is a member of too many groups, you get back an overage indicator and have to make a separate call to get all groups. Read about “hasgroups” and “groups:src1” claims here - https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-id-and-access-tokens
Depending on your system architecture, if some user has joined too many groups, the API https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_getmembergroups will return too many groups.
But if the groups with permissions in your system are not too many, you can use this API: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_checkmembergroups to check if the current user is a member of the specified groups.
It is not a good idea to use this API: https://graph.microsoft.com/v1.0/me/memberOf, because it returns only the groups that the user is a direct member of, but a security group can be a member of another security group.
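Putting the advice in these answers together, as an added example that is not from the thread or from Microsoft's samples: a small Python helper that maps Azure AD groups to application roles, preferring the token's `groups` claim, falling back to checkMemberGroups (which resolves nested groups, unlike /me/memberOf) when the token signals group overage, and denying by default. The group object IDs and the `graph_post` client are constructed placeholders.

```python
# Added example, not from the thread: map Azure AD group membership to
# application roles. Group IDs below are constructed placeholders, and
# graph_post stands in for an authenticated HTTP client so this runs offline.
GRAPH = "https://graph.microsoft.com/v1.0"

# Authorize on immutable group object IDs, never on display names.
ROLE_GROUPS = {
    "admin": "11111111-1111-1111-1111-111111111111",  # constructed
    "user":  "22222222-2222-2222-2222-222222222222",  # constructed
}

def check_member_groups(graph_post, group_ids):
    """POST /me/checkMemberGroups: returns the subset of group_ids the signed-in
    user belongs to, nested (transitive) membership included. Graph accepts at
    most 20 IDs per request, so the list is sent in chunks."""
    found = set()
    for i in range(0, len(group_ids), 20):
        resp = graph_post(f"{GRAPH}/me/checkMemberGroups",
                          {"groupIds": group_ids[i:i + 20]})
        found.update(resp.get("value", []))
    return found

def roles_from_token(claims, graph_post):
    """Resolve app roles from an ID token's claims. Use the `groups` claim when
    it is present; on overage (v1 `hasgroups`, or a v2 `_claim_names.groups`
    pointer) ask Graph instead. Unknown or missing groups yield no role."""
    if "groups" in claims:
        member_of = set(claims["groups"])
    elif claims.get("hasgroups") or "groups" in claims.get("_claim_names", {}):
        member_of = check_member_groups(graph_post, list(ROLE_GROUPS.values()))
    else:
        member_of = set()
    return sorted(role for role, gid in ROLE_GROUPS.items() if gid in member_of)

def fake_graph_post(memberships):
    """Constructed stand-in for an authenticated POST to Graph; `memberships`
    is the set of group IDs the fake user transitively belongs to."""
    def post(url, body):
        assert url.endswith("/me/checkMemberGroups")
        assert len(body["groupIds"]) <= 20
        return {"value": [g for g in body["groupIds"] if g in memberships]}
    return post

if __name__ == "__main__":
    # Peter's token carries the groups claim directly: only the user group.
    print(roles_from_token({"groups": [ROLE_GROUPS["user"]]}, fake_graph_post(set())))
    # Sabrina's token hit the overage limit; Graph reports both groups because
    # the admin group nests the user group, which checkMemberGroups resolves.
    sabrina = fake_graph_post({ROLE_GROUPS["admin"], ROLE_GROUPS["user"]})
    print(roles_from_token({"hasgroups": True}, sabrina))
```

In a real integration `graph_post` would send the request with the user's access token; the role mapping itself stays unchanged.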
We are building an enterprise product, and expect a lot of customers not to have an Active Directory of their own.
We plan to use AAD as our IAM provider.
We plan to create a master AAD for the product, and then invite users of each customer (tenant) as external users to the master AAD, using their business email ID. Each set of users for a given customer will be added to an external group for manageability.
Would this be the right approach, for supporting multi-tenanted IAM for a product hosted in Azure?
It's a pretty hard question. AAD's multi-tenancy basically requires the org to have an AAD to have proper separation etc.
But in the case of an org not having an AAD, this is one option.
One crucial thing you must not forget with this path is to turn on the option in the AAD tenant to restrict Guest user permissions. This makes it so that the invited users can't just go to portal.azure.com and get a full list of all users in the tenant. At least usually this is a desired thing when multiple clients are in the same tenant.
Other options could be:
Setting up an AAD tenant for each customer
Good separation for customers
There might be a limit how many you can create
I'm not aware of an API you could use for this (but hey Selenium works :D)
Set up your own identity provider with e.g. IdentityServer
Maximum customizability
Lot of work for you to develop and maintain
Everything would of course be easier if they just had an AAD :)
It would depend on some details of the approach you want to follow. If you are expecting them to use their business email, then you may consider having Single Sign-On (many organizations expect not needing to duplicate accounts, and you may want to delegate the hassle of resetting passwords to your customers).
Also, you need to determine what kind of isolation you need (do you want to have a single set of users or have a clear separation by tenant?) and the budget (AAD cost is measured on a per-user basis) you have for this. Azure AD B2C could also be an option, or, as #juunas mentioned, implementing your own solution with something like IdentityServer.