Azure Data Factory - share Integration Runtime on different Resource Groups - authorization

In an Azure Data Factory (ADF_1) from a Resource Group (RS_1), I need to share a self-hosted Integration Runtime from ADF_1 (where this Integration Runtime resides and runs well) into ADF_2, located in another Resource Group (RS_2).
For the sharing process, the first step is:
"1. Grant permission to the Data Factory in which you would like to reference this IR (shared)"
When I try to grant permission from the UI, I receive the error:
"The client 'xxx#yyy.com' with object id 'xxxx' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/...' or the scope is invalid."
My role is 'Contributor' on both Resource Groups (RS_1 & RS_2).
Thanks a lot for any suggestion.

The Contributor role is not enough to add role assignments (i.e. grant permission in this case). To do this, you need the Microsoft.Authorization/roleAssignments/write action permission, as mentioned in the error message.
To solve the issue, your account needs a role which has the Microsoft.Authorization/roleAssignments/write permission, e.g. User Access Administrator or Owner.
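To see why Contributor fails while Owner or User Access Administrator succeeds, the following added example (not part of either post above) evaluates the action string from the error message against trimmed copies of the built-in role definitions, offline. The Actions/NotActions lists are abbreviated from the built-in definitions as the example's author recalls them; confirm them in your own tenant with `az role definition list --name Contributor` before relying on them.

```python
"""Offline check of whether an Azure RBAC role definition permits an action.

Added example, not from the original post. Role definitions are trimmed
copies of the built-in ones (Actions / NotActions only); verify them with
`az role definition list` in your tenant.
"""
from fnmatch import fnmatchcase

# Trimmed built-in role definitions (assumption: abbreviated from the real ones).
ROLE_DEFINITIONS = {
    "Contributor": {
        "Actions": ["*"],
        # Contributor can do almost everything EXCEPT manage access.
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "User Access Administrator": {
        "Actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "NotActions": [],
    },
    "Owner": {"Actions": ["*"], "NotActions": []},
}


def _matches(patterns, action):
    # Azure RBAC action strings are compared case-insensitively; '*' is a wildcard
    # that may span '/' segments, which fnmatch's '*' also does.
    a = action.lower()
    return any(fnmatchcase(a, p.lower()) for p in patterns)


def role_allows(role_name, action):
    """True if the role's Actions cover the action and its NotActions do not carve it out."""
    d = ROLE_DEFINITIONS[role_name]
    return _matches(d["Actions"], action) and not _matches(d["NotActions"], action)


def allowed_by_assignments(roles, action):
    """Effective permission across several assignments at the same scope.

    NotActions only narrows the role that lists them; it is not a deny, so any
    assigned role that allows the action is enough.
    """
    return any(role_allows(r, action) for r in roles)


def roles_granting(action):
    """Which of the known built-in roles would satisfy the action in the error message."""
    return sorted(r for r in ROLE_DEFINITIONS if role_allows(r, action))


if __name__ == "__main__":
    act = "Microsoft.Authorization/roleAssignments/write"
    for role in ROLE_DEFINITIONS:
        print(f"{role:28s} {act}: {role_allows(role, act)}")
    print("roles that grant it:", roles_granting(act))
```

The point the check makes explicit is that Contributor's `Actions: ["*"]` does cover the action, but its `NotActions` then carve `Microsoft.Authorization/*/Write` back out; adding a User Access Administrator assignment alongside Contributor is enough, because NotActions never act as a deny across roles.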

Related

How to grant a service principal access to data object with Spark SQL

On this page it makes it clear how to grant access to a data object for a user or a role.
https://docs.databricks.com/data-governance/table-acls/object-privileges.html
I want to do it for a service principal (a service principal on workspace level).
I can't find info regarding how to reference the service principal.
Can it be done? If so how?
Assuming you have added the service principal account to your workspace,
you can use the UUID (Application ID) of the service principal in order to grant access:
GRANT SELECT ON SCHEMA alpha TO `UUID`;

Azure Logic App, Azure AD remove group members, insufficient permission

I'm creating an Azure Logic App to replace the members of a defined Azure AD group. I have used this blog (https://geekshangout.com/logic-app-remove-azure-ad-group-members/) as a base for my job, but so far remove-member fails with insufficient permissions.
Basically the logic app does:
Retrieve a list of users from an Azure SQL table with a specific query: OK
Get the list of users from the Azure AD group: OK
For each member:
remove member.objectID from the Azure group object ID: fails with the following error:
"body": {
    "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {
            "date": "2022-02-10T07:32:44",
            "request-id": "--------------",
            "client-request-id": "------------"
        }
    }
}
So far I re-created the logic app, taking care of:
Admin consent is given as described in the blog, using the Global Admin account.
I can see this 'logic app' created in the 'Enterprise Applications' blade.
Permissions should be correct: API name: Microsoft Graph, Claims: Directory.ReadWrite.All, Group.ReadWrite.All, User.ReadWrite.All, offline_access, as the Microsoft documentation describes (https://learn.microsoft.com/en-us/connectors/azuread/)
Waited about 24 hours now, so no 'cloud lag' should be the problem.
Should this 'Enterprise Application' have additional permissions? If so, what and where?
I already tried to create a custom role with the permissions described here: https://learn.microsoft.com/en-us/azure/active-directory/roles/custom-group-permissions
"Life is not a problem to be solved, but a reality to be experienced"
~T
Assuming the user with which you set up the Logic Apps connection for Azure AD is authorized to manage this group's membership (e.g. which would be the case if this was a Global Administrator), the most likely cause for this is that the group you are trying to change membership for is a role-assignable group.
Role-assignable groups are special groups to which directory roles can be assigned. Adding a member to the group is equivalent to assigning a directory role to that member, so neither of the delegated permissions Directory.ReadWrite.All nor Group.ReadWrite.All allows this. (For regular groups, either of them would be sufficient.) The app would also need to be granted the delegated permission RoleManagement.ReadWrite.Directory.
From the look of things, the built-in Logic Apps connector for Azure AD is not built to handle group membership for role-assignable groups.
If you really do need to be able to do this, you could update the delegated permissions granted to the connector to include RoleManagement.ReadWrite.Directory, but you should be very careful about this (and your entire solution, including the SQL database and the Logic App), as misuse could carry significant security risks.

Graph API GET group/planner/plans fails because of permission. This flow used to work lately. Any change happened on this?

I have a Flow that retrieves a token, then uses it to perform Graph calls to the groups API with the HTTP Premium connector.
I have a successful call to:
https://graph.microsoft.com/v1.0/groups/859[...]/owners
This shows my token is valid and has the permissions needed for this call.
Then I have a failing call to:
https://graph.microsoft.com/v1.0/groups/859[...]/planner/plans
You do not have the required permissions to access this item.
According to the MS docs, the permissions needed are:
/owners: Delegated (work or school account) Group.Read.All and User.ReadBasic.All, Group.Read.All and User.Read.All, Group.Read.All and User.ReadWrite.All, Group.Read.All and User.Read.All and Application.Read.All
/plans: Delegated (work or school account) Group.Read.All, Group.ReadWrite.All
Here are the permissions from the token I retrieve in my Flow:
"scope": "ChannelMember.ReadWrite.All Group.ReadWrite.All GroupMember.ReadWrite.All User.Read User.Read.All"
All of those permissions have been granted in the SharePoint admin console.
Any idea what is going wrong here?
The likely issue is that you are an owner of the group, but not a member (these are two separate collections of people). Currently Planner data for a Group can only be accessed by members. If you are an owner, you can also add yourself as a member to gain access.
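Both this thread and the Logic App thread above come down to the same first debugging step: read the `scp` claim of the access token and compare it with the delegated-permission alternatives Graph documents for the call. The following added example (not from either post) does that offline. The token it decodes is constructed and unsigned, the required-permission table is taken from the doc excerpts quoted in the post plus the role-assignable-group requirement described in the Logic App answer, and the rule that a ReadWrite permission also covers the matching Read permission is a simplification adopted here. It also shows that the scopes in this post do satisfy both calls, which is what points the investigation at group membership rather than at consent.

```python
"""Inspect a Graph access token's `scp` claim offline and check it against the
delegated permissions documented for a call.

Added example, not part of either original post. The token is constructed and
unsigned (real tokens are signed by Azure AD and must be verified by the API,
not by this script); the permission table reflects the Graph doc excerpts
quoted in the posts.
"""
import base64
import json

# Alternatives per call; each inner set must be fully present in the token.
REQUIRED = {
    "GET /groups/{id}/owners": [
        {"Group.Read.All", "User.ReadBasic.All"},
        {"Group.Read.All", "User.Read.All"},
        {"Group.Read.All", "User.ReadWrite.All"},
        {"Group.Read.All", "User.Read.All", "Application.Read.All"},
    ],
    "GET /groups/{id}/planner/plans": [{"Group.Read.All"}, {"Group.ReadWrite.All"}],
    # Membership change on a regular group (per the Logic App answer above).
    "DELETE /groups/{id}/members/{uid}/$ref": [
        {"Group.ReadWrite.All"},
        {"Directory.ReadWrite.All"},
    ],
    # Same call on a role-assignable group additionally needs role management rights.
    "DELETE /groups/{id}/members/{uid}/$ref (role-assignable group)": [
        {"Group.ReadWrite.All", "RoleManagement.ReadWrite.Directory"},
        {"Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory"},
    ],
}

# Simplification used here: a ReadWrite permission covers the matching Read
# permission (Graph's "higher privileged permissions").
IMPLIES = {
    "Group.ReadWrite.All": {"Group.Read.All"},
    "User.ReadWrite.All": {"User.Read.All", "User.ReadBasic.All"},
    "User.Read.All": {"User.ReadBasic.All"},
    "Directory.ReadWrite.All": {"Directory.Read.All"},
}


def _b64url_decode(part: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Read the claims of a JWT WITHOUT verifying it (inspection only)."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def effective_scopes(scp: str) -> set:
    """Expand the space-separated scp claim with the Read permissions implied by ReadWrite."""
    scopes = set(scp.split())
    for s in list(scopes):
        scopes |= IMPLIES.get(s, set())
    return scopes


def check_call(endpoint: str, scopes: set):
    """Return (ok, missing): missing is the smallest gap to any documented alternative."""
    missing = min((alt - scopes for alt in REQUIRED[endpoint]), key=len)
    return (not missing, sorted(missing))


def make_unsigned_token(claims: dict) -> str:
    """Constructed token for offline demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed claims mirroring the scope string quoted in the post.
    token = make_unsigned_token({"scp": "ChannelMember.ReadWrite.All Group.ReadWrite.All "
                                        "GroupMember.ReadWrite.All User.Read User.Read.All"})
    scopes = effective_scopes(decode_jwt_payload(token)["scp"])
    for call in REQUIRED:
        print(f"{call}: {check_call(call, scopes)}")
```

When the result for the failing call is `(True, [])`, the token is not the problem and the remaining causes are on the resource side (here, Planner data being visible to members only); a `(False, [...])` result names the permission to request consent for.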

Is there a tool that will tell me what permissions will be required to create a Cloudformation template?

My team is attempting to move towards templatization of our services and their infrastructure.
We have found it to be extremely time-consuming to determine the set of permissions required to execute or update a given CloudFormation template. Our process is:
1. Create a user with permissions cloudformation:CreateStack and/or cloudformation:UpdateStack
2. Have that user attempt to create/update the specified stack
3. Observe which missing permission caused the stack operation to fail
4. Add that permission to the user
5. Go to 2.
The alternative to this would be to create a "God User" who has unlimited permissions and have that user execute the create/update - which seems to violate the Principle of Least Privilege.
Alternatively, is there a tool that can list "what permissions have been exercised by a given user in the past N minutes?". If such a tool existed, we could create the "God User", have them execute the template, and then create a more limited-scope user that has precisely the permissions that the God User had used.
There is no simple way/tool to do this.
Here are a couple of approaches you can try:
1. Using a user that has admin privileges, create the stack. Once done, wait 15-20 minutes for CloudTrail to populate. Now, in CloudTrail, list the API calls made by the 'Event Source' 'cloudformation.amazonaws.com'. That should be roughly all the API calls required. There can be a few more calls required for other operations as you keep adding functionality to the resources. Again, you would need to figure that out this way.
2. Create a CFN service role, and add admin privileges to this role. Use this role to create/update/delete the stacks. Allow the IAM users only iam:PassRole and cloudformation:*. However, users will be able to create different resources using CFN.
3. Use Service Catalog and create Products. Service Catalog Products are CFN templates which can be launched by a specific user/role/group. The user does not need permission to create/modify the resources in a stack/product. Also, the end user cannot change the Product to add more resources. Here's a great video that explains this: https://www.youtube.com/watch?v=A9kKy6WhqVA
Hope this helps...
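The CloudTrail approach in the first suggestion can be automated: collect the records CloudFormation produced on behalf of the admin user, convert each `eventSource`/`eventName` pair to an IAM action, and emit a policy document to review. The following added example (not the poster's code) does that over a constructed CloudTrail extract. It assumes that records made by CloudFormation on the user's behalf carry `userIdentity.invokedBy = "cloudformation.amazonaws.com"` and that the service prefix is the `eventSource` host without `.amazonaws.com`, which holds for most but not all services; `PREFIX_OVERRIDES` is the place to add exceptions you find.

```python
"""Derive a candidate least-privilege IAM policy from CloudTrail records.

Added example, not from the original post. SAMPLE_TRAIL is constructed test
data in the CloudTrail file shape ({"Records": [...]}), trimmed to the fields
used here. Review the generated policy before use; CloudTrail only shows what
one run exercised, and Resource "*" must be narrowed by hand.
"""
import json
import re

INVOKER = "cloudformation.amazonaws.com"

# eventSource prefixes that differ from the IAM service prefix (partial list; extend as found).
PREFIX_OVERRIDES = {"monitoring": "cloudwatch"}

# Constructed records: one admin user's stack run plus unrelated activity that must be ignored.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventSource": "cloudformation.amazonaws.com", "eventName": "CreateStack",
     "userIdentity": {"type": "IAMUser", "userName": "admin-tmp"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
     "userIdentity": {"type": "IAMUser", "userName": "admin-tmp", "invokedBy": INVOKER}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketTagging",
     "userIdentity": {"type": "IAMUser", "userName": "admin-tmp", "invokedBy": INVOKER}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole",
     "userIdentity": {"type": "IAMUser", "userName": "admin-tmp", "invokedBy": INVOKER}},
    # Lambda appends an API version date to eventName; IAM actions do not carry it.
    {"eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction20150331",
     "userIdentity": {"type": "IAMUser", "userName": "admin-tmp", "invokedBy": INVOKER}},
    # Duplicate call (retries are common) and another user's activity: both must not add noise.
    {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
     "userIdentity": {"type": "IAMUser", "userName": "admin-tmp", "invokedBy": INVOKER}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "someone-else"}},
]})


def load_records(trail_json: str) -> list:
    """Parse a CloudTrail log file body into its list of records."""
    return json.loads(trail_json)["Records"]


def iam_action(record: dict) -> str:
    """Map a CloudTrail record to the IAM action string it exercised."""
    prefix = record["eventSource"].removesuffix(".amazonaws.com")
    prefix = PREFIX_OVERRIDES.get(prefix, prefix)
    name = re.sub(r"\d{8}$", "", record["eventName"])  # strip version-date suffix
    return f"{prefix}:{name}"


def actions_from_trail(records: list, user_name: str, invoker: str = INVOKER) -> set:
    """Actions the stack run needed: the user's own CloudFormation calls plus
    everything CloudFormation invoked on that user's behalf."""
    actions = set()
    for r in records:
        ident = r.get("userIdentity", {})
        if ident.get("userName") != user_name:
            continue
        if ident.get("invokedBy") != invoker and r["eventSource"] != invoker:
            continue
        actions.add(iam_action(r))
    return actions


def build_policy(actions: set) -> dict:
    """Candidate policy document; Resource "*" is a starting point to narrow."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}]}


if __name__ == "__main__":
    acts = actions_from_trail(load_records(SAMPLE_TRAIL), "admin-tmp")
    print(json.dumps(build_policy(acts), indent=2))
```

Running this twice (once for create, once for an update that changes properties) and taking the union covers the point the answer makes about extra calls appearing as resources gain functionality.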

Keycloak set group as owner of resource

I am new to Keycloak and I am trying to use it as an authentication server in my solution.
I have the following entity model: devices are owned by a particular company to which some users belong. A user with the admin role can grant permission to view some set of devices to a regular user, but only for those devices that belong to the admin's company. Thus all users except admins can view only a subset of all devices in the company.
Based on these requirements, I decided to model companies as groups and devices as Keycloak resources. To evaluate permissions, I chose a rule-based policy.
The question is: can I set a group as the owner of a resource, to check this relation in a policy?
If someone is more experienced in Keycloak and knows how to better represent such a model, please help.
Thank you in advance.
While working on Keycloak, I didn't find any way to set multiple owners for a particular resource.
I have an alternate option to give the access permissions that owners have for their resources.
Let's say the owner of Resource A is OWNER A, and there are two more users, USER A and USER B. Suppose OWNER A has already shared the access permission with USER A, and USER A wants to share Resource A with USER B on behalf of the resource owner; then how can USER A share the resource scopes with USER B?
Answer
Keycloak provides a token exchange or impersonation feature. With the help of this, USER A is able to share the resources with USER B on behalf of OWNER A (the owner of Resource A).
Reference: You just need to follow this Keycloak Impersonation
Add comments if you still face the problem.
In Keycloak, you may represent a particular company (or any organization or organizational unit) as a realm:
https://www.keycloak.org/docs/latest/server_admin/index.html#core-concepts-and-terms
Create a new realm:
https://www.keycloak.org/docs/latest/server_admin/index.html#_create-realm
Then represent the company's users as users in the company's Keycloak realm:
https://www.keycloak.org/docs/latest/server_admin/index.html#user-management
... and devices as Keycloak Clients (any kind of resource you want to enforce permissions on is a Client in the Keycloak model):
https://www.keycloak.org/docs/latest/server_admin/index.html#core-concepts-and-terms
An admin role is already defined by default for each role (Roles menu).
Instructions tested on Keycloak 4.0.0.
For each device, create the corresponding Client in Keycloak (Clients menu). Switch on Permissions Enabled on the Permissions tab of the new client. A list of admin console permissions will appear just below the switch button, such as the view permission.
Then, in order to assign the permission to view the device to some user, the admin should click on the view permission (link) just mentioned, create a User Policy (Create Policy... listbox) and select the users (assignees) in the Users field.
In order to assign the permission on multiple devices to the same group of people, use a Group or Role Policy instead (put the users in the same group beforehand).
In order to assign the permission to groups of devices, use one Group/Role per group of devices, then assign users to the Group/Role.