How to grant a service principal access to data object with Spark SQL - apache-spark-sql

On this page it makes it clear how to grant access to a data object for a user or a role.
https://docs.databricks.com/data-governance/table-acls/object-privileges.html
I want to do it for a service principal (a service principal on workspace level).
I can't find info regarding how to reference the service principal.
Can it be done? If so how?

Assuming you have added the service principal account to your workspace,
you can use the UUID (Application ID) of the service principal in order to grant access:
GRANT SELECT ON SCHEMA alpha TO `UUID`;

Related

Authenticate AZURE Ad user by App role assigned to the user group

I have created an App role for my Azure AD Backend API and assigned this role to a group. Now I want to authenticate a user in my .NET Core backend application on the basis of whether the user has a group which has this role. I am getting the group IDs in the access token, but how can I get the app roles assigned to these groups?
Please check how you enabled group claims in the Azure Portal.
If you check the Emit groups as role claims option as shown below, you cannot see application roles, but you can see group IDs.
If the above option is enabled, make sure to uncheck the box.
Note: If you use the option to emit group data as roles, only groups will appear in the role claim. Any application roles that the user is assigned to won't appear in the role claim.
Also, I would suggest you refer to the Microsoft official documentation below, which states that if you add a service principal to a group, and then assign an app role to that group, Azure AD does not add the roles claim to tokens it issues. You can modify the "groupMembershipClaims" field in the application manifest if you want to include the groups claim in your token, like below:
Add app roles to your application and receive them in the token
For more detail, please refer to the link below:
Configure group claims for applications by using Azure Active Directory
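To make the answer's point concrete, here is an added Python example (not code from the original post or from Microsoft) showing what the backend sees in the two cases: when "Emit groups as role claims" is on, the roles claim carries group object IDs and the app role name is absent, so a check for an app role name fails. The claim sets, GUID, audience and role name "Reports.Read" are constructed placeholders; the functions assume the token's signature, issuer and audience have already been validated.

```python
import uuid

# Constructed sample claim sets (not real tokens). The GUID, audience and role
# name are placeholders.
GROUP_ID = "3a2d1c4b-5e6f-4a7b-8c9d-0e1f2a3b4c5d"

# "Emit groups as role claims" checked: the roles claim carries group object IDs
# and the app role assigned to the group is nowhere in the token.
CLAIMS_GROUPS_AS_ROLES = {
    "aud": "api://backend-api-placeholder",
    "groups": [GROUP_ID],
    "roles": [GROUP_ID],
}

# Option unchecked (groupMembershipClaims set to "SecurityGroup" in the manifest):
# the groups claim still carries the group ID and roles carries the app role name.
CLAIMS_APP_ROLES = {
    "aud": "api://backend-api-placeholder",
    "groups": [GROUP_ID],
    "roles": ["Reports.Read"],
}


def _is_guid(value: str) -> bool:
    # App role values are names chosen by the app; group entries are object IDs.
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def app_roles(claims: dict) -> list:
    """App role names found in the roles claim; GUIDs (group IDs) are ignored."""
    return [r for r in claims.get("roles", []) if not _is_guid(r)]


def groups_emitted_as_roles(claims: dict) -> bool:
    """True when every roles entry is a GUID: the fingerprint of the
    'emit groups as role claims' setting that hides the app roles."""
    roles = claims.get("roles", [])
    return bool(roles) and all(_is_guid(r) for r in roles)


def has_app_role(claims: dict, required_role: str) -> bool:
    """The authorization check the backend should make: match app role names only.
    Assumes signature, issuer and audience were validated before this is called."""
    return required_role in app_roles(claims)
```

`groups_emitted_as_roles` is the useful diagnostic: if it returns true in production, the portal setting described above is still enabled and no amount of group-to-role assignment will surface app role names in the token.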

How to grant some users partial user management rights in Keycloak?

Let's say I'm using one realm mycomp in Keycloak to handle all users (+ master realm for Keycloak superadmin).
I have a role of Customer Support (CS) that should be able to view users and manage their basic data like names, email, password resets, etc.
I'm able to grant realm-management permissions like manage-users or view-users to any user in 3 ways:
assign directly
by creating composite role for CS
by creating a group and adding CS to it
The problem is that when given manage-users rights, CS ends up being able to manage roles and groups, so it is able to grant other users management permissions. That's not valid for my config; it is a role for some higher-level admin.
How do I grant some users permissions to view and manage basic user data without allowing them to manage roles?
So at the end of the day I finally managed to find a working solution.
The problem was that the manage-users Role can't be overridden by a Policy.
With the help of Pedro Igor Silva from Keycloak (https://issues.redhat.com/browse/KEYCLOAK-18151) I managed to set up a configuration that fulfills the use case.
With the Keycloak preview feature admin_fine_grained_authz enabled, I created a global composite Role user-managers and granted it the query-users Role from the realm-management client. Then I created a Policy that grants the manage permission on the Users resource when the user has the user-manager role.
That works perfectly.

Azure Data Factory - share Integration Runtime on different Resource Groups

In an Azure Data Factory (ADF_1) in a Resource Group (RS_1), I need to share a self-hosted IntegrationRuntime from ADF_1 (where this IntegrationRuntime resides and runs well) into ADF_2, located in another Resource Group (RS_2).
For the sharing process, the first step is:
"1.Grant permission to the Data Factory in which you would like to reference this IR (shared)"
When I try to grant permission from the UI, I receive the error:
"The client 'xxx#yyy.com' with object id 'xxxx' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/...' or the scope is invalid."
My role is 'Contributor' on both Resource Groups (RS_1 & RS_2).
Thanks a lot for any suggestion.
The Contributor role is not enough to add role assignments (i.e. grant permission in this case); to do this, you need the Microsoft.Authorization/roleAssignments/write action permission, as mentioned in the error message.
To solve the issue, your account needs a role which has the Microsoft.Authorization/roleAssignments/write permission, e.g. User Access Administrator or Owner.
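Why Contributor fails while Owner and User Access Administrator succeed follows from how Azure RBAC evaluates a role definition: an action is permitted when it matches an entry in Actions and no entry in NotActions. The Python below is an added example (not code from the original post or from Microsoft) that models that evaluation and runs the action from the error message against an abridged subset of the built-in role definitions; the subset is constructed here from the public definitions and omits DataActions and deny assignments, which are not modelled.

```python
import fnmatch
from dataclasses import dataclass, field


@dataclass
class RoleDefinition:
    name: str
    actions: list
    not_actions: list = field(default_factory=list)


# Abridged built-in role definitions (constructed subset; run
# `az role definition list` for the authoritative, complete lists).
BUILTIN_ROLES = {
    "Owner": RoleDefinition("Owner", actions=["*"]),
    "Contributor": RoleDefinition(
        "Contributor",
        actions=["*"],
        not_actions=[
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    ),
    "User Access Administrator": RoleDefinition(
        "User Access Administrator",
        actions=["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
    ),
}

# The operation the sharing UI performs on the self-hosted IR resource.
ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"


def _matches(pattern: str, action: str) -> bool:
    # RBAC wildcards: '*' matches any run of characters (including '/'),
    # and the comparison is case-insensitive.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(role: RoleDefinition, action: str) -> dict:
    """Return the decision plus the Actions/NotActions entries that drove it."""
    allowed_by = next((p for p in role.actions if _matches(p, action)), None)
    denied_by = next((p for p in role.not_actions if _matches(p, action)), None)
    return {
        "allowed": allowed_by is not None and denied_by is None,
        "allowed_by": allowed_by,
        "denied_by": denied_by,
    }


def role_allows(role: RoleDefinition, action: str) -> bool:
    return evaluate(role, action)["allowed"]


def roles_that_allow(action: str, roles: dict = BUILTIN_ROLES) -> list:
    """Names of the given roles that permit the action, for a quick triage."""
    return sorted(name for name, r in roles.items() if role_allows(r, action))


if __name__ == "__main__":
    for name, role in BUILTIN_ROLES.items():
        print(name, evaluate(role, ROLE_ASSIGNMENT_WRITE))
```

Run against `ROLE_ASSIGNMENT_WRITE`, Contributor is matched by `*` but then excluded by `Microsoft.Authorization/*/Write`, which is exactly the error in the question; the same Contributor assignment still permits `Microsoft.DataFactory/factories/write`, which is why everything else about the factory works.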

Azure Container Access Information

I need to know how I can restrict access to Azure Storage containers/blobs for certain roles. For example, I want users with the Admin role to access containers A & B, and users with the HR role to access only container B and not A. How can this be achieved?
You should take a look at SAS. A shared access signature provides you with a way to grant limited access to objects in your storage account to other clients, without exposing your account key. It's done through the setup of policies; check out the screenshot below (it can be done via code or the Azure portal):
More details about SAS can be found here: https://azure.microsoft.com/en-us/updates/manage-stored-access-policies-for-storage-accounts-from-within-the-azure-portal/
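As an added worked example (not code from the original post or from Microsoft), the Python below maps the question's roles to stored access policies per container and issues a container SAS that references the policy rather than embedding permissions and expiry. The account name, account key, container names, policy identifiers and role table are all constructed placeholders; the string-to-sign field order is my reading of the service SAS format for version 2020-12-06 and is an assumption to confirm against the current documentation.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed placeholders: account name and a made-up base64 account key.
ACCOUNT = "examplestorage"
ACCOUNT_KEY_B64 = base64.b64encode(b"constructed-demo-key-not-a-real-storage-key").decode()
SAS_VERSION = "2020-12-06"

# Stored access policies, one set per container. Permission letters are the
# service SAS ones (r=read, a=add, c=create, w=write, d=delete, l=list).
STORED_POLICIES = {
    "container-a": {
        "admin-rw": {"permissions": "racwdl", "expiry": "2030-01-01T00:00:00Z"},
    },
    "container-b": {
        "admin-rw": {"permissions": "racwdl", "expiry": "2030-01-01T00:00:00Z"},
        "hr-read": {"permissions": "rl", "expiry": "2030-01-01T00:00:00Z"},
    },
}

# Role -> container -> policy identifier. HR is deliberately absent from container-a.
ROLE_POLICY = {
    "Admin": {"container-a": "admin-rw", "container-b": "admin-rw"},
    "HR": {"container-b": "hr-read"},
}


def containers_for_role(role: str) -> list:
    return sorted(ROLE_POLICY.get(role, {}))


def container_sas_with_policy(container: str, policy_id: str) -> str:
    """Query string of a container SAS that references a stored access policy.

    Permissions/start/expiry are left empty in the string-to-sign because the
    policy (signedIdentifier, 'si') carries them; editing or deleting the policy
    later revokes every SAS issued against it without rotating the account key.
    Field order assumed from the service SAS docs for version 2020-12-06.
    """
    canonical = f"/blob/{ACCOUNT}/{container}"
    fields = [
        "",                   # signedPermissions (taken from the policy)
        "",                   # signedStart (taken from the policy)
        "",                   # signedExpiry (taken from the policy)
        canonical,            # canonicalizedResource
        policy_id,            # signedIdentifier
        "",                   # signedIP
        "https",              # signedProtocol
        SAS_VERSION,          # signedVersion
        "c",                  # signedResource: container
        "",                   # signedSnapshotTime
        "",                   # signedEncryptionScope
        "", "", "", "", "",   # rscc, rscd, rsce, rscl, rsct header overrides
    ]
    key = base64.b64decode(ACCOUNT_KEY_B64)
    digest = hmac.new(key, "\n".join(fields).encode("utf-8"), hashlib.sha256).digest()
    sig = base64.b64encode(digest).decode()
    return urlencode({"sv": SAS_VERSION, "sr": "c", "si": policy_id, "spr": "https", "sig": sig})


def sas_for(role: str, container: str) -> str:
    """Issue a SAS only when the role is mapped to an existing policy on the container."""
    policy_id = ROLE_POLICY.get(role, {}).get(container)
    if policy_id is None:
        raise PermissionError(f"role {role!r} is not granted access to {container!r}")
    if policy_id not in STORED_POLICIES.get(container, {}):
        raise LookupError(f"policy {policy_id!r} does not exist on {container!r}")
    return container_sas_with_policy(container, policy_id)


def can_access(role: str, container: str) -> bool:
    try:
        sas_for(role, container)
        return True
    except (PermissionError, LookupError):
        return False
```

The role table is the application's decision; the SAS is only the credential that carries it, so keep the issuing code server-side and never hand the account key to clients.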

difference between user schema and acl schema in spring security?

In this article, 3 schemas for Spring Security implementation are introduced. I want to know the differences between the user schema and the ACL schema, and which one is better to use; in other words, I want to know the domain usage of each one, in order to choose the best solution for my application.
You cannot use the ACL schema without the User schema (because the authentication process depends on the User schema, and normally you always need authentication). You have two options:
User schema
User schema & ACL schema
Let's see what they can do for you:
The User schema is for authentication and authorisation based on roles. You can secure URLs or method invocations. With the User schema you can handle the following cases:
A user with the ADMIN role can access /admin.html.
A user with the PRODUCT_MANAGER role can access /add_product.html.
A user with the PRODUCT_MANAGER role can access /manage_product.html?id=x.
A user with the PRODUCT_VIEWER role can access /view_product.html?id=x.
The ACL schema is for enhanced authorisation. It takes the actual domain object into account. You will be able to handle the following cases:
A user with the PRODUCT_MANAGER role can access /manage_product.html?id=136 only if he is an owner of the product with id=136.
Some PRODUCT_MANAGER can give the ability to manage his own product with id=136 to another PRODUCT_MANAGER.
So go on with the User schema and add the ACL schema later if you need it.