how to do authentication and authorization for the users for the specific regions in azure AD? - asp.net-core

net core application. I am trying to implement authentication and authorization. I have users they are split into multiple regions. For example I have below regions.
GE GSAS
- user1
- user2
APAC
- user3
- user4
SE&A
- user5
- user6
These users have different permissions or roles, for example RegionalAdmin, GlobalAdmin, Users etc.
These users will be creating some orders in the portal. For example, the Regional head can reassign orders within that region only to other users. The Global head can reassign orders to anyone. Users can create orders and view and delete them, but users cannot reassign orders. All these users are part of an Azure AD tenant. Now I am trying to implement authentication and authorization. I started thinking of the design strategy like this: I can create groups as per regions and add users to the groups. Based on the groups I can have authentication or authorization. But these users have different permissions like RegionalAdmin, GlobalAdmin etc., and these users have some extra functionalities allowed in web/api permissions. Can someone help me regarding this and how to organize groups or roles with respect to the above scenario? Any help would be greatly appreciated. Thank you

Assuming the regional admin you mentioned is a custom role in your application (as there is no such role in AAD), it is always better to use administrative units, and a suggested approach would be to create groups separately for regional admin and global admin users and assign roles to these groups accordingly.
A user can be assigned to multiple groups, and roles can be assigned to individual users/groups.
Authorize applications based on the role permissions granted by the administrator to groups. Please refer to this link for the detailed documentation on how to create/manage roles for an application in Azure AD.
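As an added illustration (not code from the question or the answer), this is how the reassignment rules from the question could be enforced in ASP.NET Core once the app roles are emitted in the token: a resource-based authorization handler that lets a GlobalAdmin reassign any order and a RegionalAdmin reassign only orders in their own region. The role names, the "region" claim type (which would come from a group-to-claim mapping or a custom claim) and the Order type are assumptions.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

// The order being reassigned; only its region matters for this check (assumed shape).
public sealed class Order
{
    public string Region { get; init; } = string.Empty;
}

public sealed class ReassignOrderRequirement : IAuthorizationRequirement { }

public sealed class ReassignOrderHandler
    : AuthorizationHandler<ReassignOrderRequirement, Order>
{
    // Assumed app role names (declared in the app manifest) and region claim type.
    // Microsoft.Identity.Web maps the "roles" claim to the role claim type, so
    // ClaimsPrincipal.IsInRole sees the app roles.
    public const string GlobalAdmin = "GlobalAdmin";
    public const string RegionalAdmin = "RegionalAdmin";
    public const string RegionClaim = "region";

    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        ReassignOrderRequirement requirement,
        Order order)
    {
        if (CanReassign(context.User, order))
            context.Succeed(requirement);
        // No explicit Fail(): a requirement that is never succeeded is denied.
        return Task.CompletedTask;
    }

    public static bool CanReassign(ClaimsPrincipal user, Order order)
    {
        // Global admins may reassign any order, regardless of region.
        if (user.IsInRole(GlobalAdmin)) return true;

        // Regional admins may reassign only orders inside their own region.
        if (user.IsInRole(RegionalAdmin))
        {
            var region = user.FindFirst(RegionClaim)?.Value;
            return region is not null &&
                   string.Equals(region, order.Region, StringComparison.OrdinalIgnoreCase);
        }

        // Plain users (create/view/delete only) never get reassign rights.
        return false;
    }
}
```

Register it with `services.AddSingleton<IAuthorizationHandler, ReassignOrderHandler>()` and a policy whose requirements contain `new ReassignOrderRequirement()`, then call `IAuthorizationService.AuthorizeAsync(User, order, "ReassignOrder")` in the reassign endpoint.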

Related

Azure Ad segregation between roles and groups

net core application and trying to implement authentication and authorization. I have a set of users and these users belong to different regions. For example I have region APAC and I have some users in it. Then I have roles like global admin or regional admin. Now these users are of type regional admin, global admin etc. Now I want to return the role claim in my token. To return the role claim in my JWT token I should add app roles in the manifest. So how should I return app roles now? If I select as group then all users belonging to that group emit this role's details. I am a little bit confused here. I have grouped users according to regions. Inside each region users are of type regional admin, global admin etc. and they have different permissions inside the app. Segregation of these groups vs roles I am finding a lot of challenge with, and no useful document have I found either. Can someone help me to segregate these groups vs roles?
As I understand it, you have users with different roles under the groups segregated by the regions. When you are trying to authorize by group, all the users with different roles of the group emit the group role details.
Assuming the regional admin you mentioned is a custom role for your application (as there is no such role in AAD), the following is a suggested approach.
A user can be assigned to multiple groups, and roles can be assigned to individual users/groups.
Create groups separately for regional admin and global admin users and assign roles to these groups accordingly.
If you are using the role claim in the token for role-based access control, authorize applications based on the role permissions granted by the administrator to groups. Please refer to this link for the detailed documentation on how to create/manage roles for an application in Azure AD.

Many-to-many relationship versus permission

A user has a company_id and a many to many relationship with tasks.
Each user has a role.
Each role has permissions.
An admin should be able to see all tasks within the company.
A user should only be able to see his own tasks within the company.
What are the pitfalls of each approach?
Assign all admins to the m2m when a task is created
Include a see_all_tasks permission as part of the admin role
Given that you already have roles and permissions configured in your application, you should be assigning the users roles against a company, e.g. Admins will have an Administrator role in all Companies.
Any user in the application will have a role per company that allows him to perform his task in the context of the company.
Ex: I can be an Admin for CompanyA & Enduser for CompanyB. This should give you the desired result.
In case of having a consolidated list of tasks being shown across all companies, I will aggregate roles for each task based on the companyId and then enforce permissions.

Create and Get Custom Roles and assign them to users

I can't understand how to create custom roles in FusionAuth. I want to create my own set of roles and put them in respective groups.
Are roles and groups synonymous in FusionAuth? I see a roleIds object inside groups but can't find much detailed documentation on that.
Also jwt token has roles[]. Is it possible to return those custom roles in jwt token?
Any help is appreciated.
You may use the UI or the API to create roles for an application. When you create an Application in FusionAuth you may create the roles at the same time. The UI link above is a tutorial to create an application in the UI.
The roles for the default application FusionAuth cannot be modified. This application represents the admin user interface. You will create at least one application that represents your application.
Are roles and groups synonymous in FusionAuth?
No. Roles belong to an Application. An application in FusionAuth represents an authenticated resource. A Group is a logical grouping of users, and a way to manage roles across multiple applications.
To manage roles for an Application once it has been created, navigate to the Application Roles: Settings --> Applications --> Manage Roles. The Manage Roles button is the dark blue one in the row action.
The FusionAuth Group can be used to assign roles from multiple applications to a user through Group membership.
For example, assume you have multiple Applications, Support Portal and Workday, and each of these applications contains an admin role.
A FusionAuth Group could be created called Admins and it would be assigned the admin role from Support Portal and Workday.
A User can be assigned the admin role for both of these Applications through Group membership. The user will still require a registration to the application to receive the roles assigned to the Group. This mechanism provides a way to manage role assignment for groupings of users.
The roleIds inside of the Group object is how the API will interact with Application Roles. If you utilize the UI you can just point and click.
Also jwt token has roles[]. Is it possible to return those custom roles in jwt token?
The roles assigned directly through a User Registration or by Group Membership will come back in the JWT in the roles claim when logging into a specific Application.

Using WSO2 Identity Server for managing more than one "account"

I'm exploring the WSO2 Identity server as a possible solution for a requirement we have.
We manage a lot of accounts, and every account has its own admin users, users & roles.
We have a set of available permissions which is shared between all accounts, and (permissible) users can create new users, roles, attach roles to users etc.
But, the Users / Roles must be separated between the different accounts.
Also, accounts can be created / modified during run time.
What is the best practice to achieve this using the WSO2 IS? Maintaining User store per account? Using multi-tenancy?
I'm all over the WSO2 docs and can't seem to find a recommended solution to this requirement.
Thanks!
AFAIK it is better to go with multi-tenancy. There you can create multiple tenants for each group and have admin user(s)/users/permissions/roles specific to that particular group.

USERGRID: Users in (Group or Role) have access to ALL users in same (Group or Role)

Can usergrid support users in a (Group or Role) having access to ALL users in the same (Group or Role)? The way I understand it is that because users are in /users/user1, you would have to iterate over all the users in the group and give explicit permissions to a (group/role/user). Can you prefix users, e.g. /users/group_user1?
Could use the organization / application, but /users and permissions are specific to a single application.
Basically I want to model organizations and groups within a single usergrid application, things such as inheriting permissions, etc.
Any ideas? Am I going about this in the wrong way? Other frameworks/apis?
Users are linked within a role, so depending on how you configure your roles you can set a resource within a role like this:
/roles/{role uuid}/users/*
Which would look more like this in a real example:
/roles/7a7fbe9ec74-70f39f37-1825-379f-8385/users/*
You can then set your verbs (GET, POST, DELETE) as you see fit within that role to allow all members of that role to see or change users within that role. I assume you're looking for them to be able to do a GET, but if you have additional linked resources below that user, you can add them explicitly as well like this:
/roles/7a7fbe9ec74-70f39f37-1825-379f-8385/users/*/mylinkedrsource/**
Then you can set the verb to GET for roles/{id}/users/* and add POST or PUT for the resources linked below /users/*/{linked resource}
Cross posting from the usergrid google group:
I think you can do what you need with groups.
The idea with groups is that all users in that group get the group's permissions.
So if you do this:
create a group.
give that group permissions for various resources
add users to that group
all users in the group will have the permissions of the group
or
create a group
create various roles, each with various permissions
add the various roles to the group
add users to the group
all users in the group will have the roles (and thus the permissions) of the group
So in this way, you could create various roles for your users. And add users to roles as needed to satisfy the needs of the users. Then, you can create one group for admins. Add all the roles to that admin group, then add your admin users to that admin group. They will have the collective permissions of all the roles.