I have a question similiar to LDAP authorization but more specifically to OBIEE and Microsoft AD.
As described in documentation, if I use BI Publisher I only need to create a couple of XMLP_% roles in Active Directory and grant them to users after AD authentication is set up.
My questions are:
Can I use similiar approach to using Analytics?
Am I obligated to use external store for user roles?
Can I use DefaultAthenticator provider for roles and grant them to Active Directory users?
I want to use existing tools only if possible. Which options do I have for storing roles apart from database tables?
You don't need to create anything inside the AD at all. You just map whatever AD groups you want to OBI application roles.
DefaultAuthenticator is the WLS-embedded LDAP. Leave that alone, otherwise you lock out your "weblogic" admin account.
Related
Let's say I'm using one realm mycomp in Keycloak to handle all users (+ master realm for Keycloak superadmin).
I'm have role of Customer Support (CS) that should be able to view users and manage their basic data like names, email, password reset etc.
I'm able to grant realm-management permissions like manage-users or view-users to any user in 3 ways:
assign directly
by creating composite role for CS
by creating group with and adding there CS
The problem is that giving manage-users rights CS end up being able to manage roles and groups so it is able to grant other users management permissions. Thats not valid for my config - it is a role of some higher level admin.
How to grant some users permissions to view and manage basic user data without allowing them to manage roles?
So in the end of the day I finally managed to find an working solution.
Problem was that Role manage-users cant be overriten by Policy.
With help of Pedro Igor Silva from Keycloak (https://issues.redhat.com/browse/KEYCLOAK-18151) I managed to setup configuration that fullfills the usecase.
With Keycloak preview feature admin_fine_grained_authz enabled I created global composite Role user-managers and granted it query-users Role from realm-management client. Then I created Policy that grants manage permission on Users resource when user has user-manager role.
That works perfectly
I am trying to build a pure JavaScript rest-client application that must support anonymous retrieval of information from a REST server that already supports JWT for authentication/authorization for external applications. The server is already being used by other client applications supporting multi-tenancy. Actually embedding the tenant information in the JWT.
Besides that the application needs to support users(human beings) that will want to mark(or select) some resources as favorites so a mechanism is needed for users/role creation and further authentication/authorization for the users. But these users can't be isolated to a single tenant, they will want to use across tenant resources.
So, right now I found that I need to use a JWT value for the anonymous data retrieval that of course should be tenant-agnostic. This means that I have to create an user with a special role that just have permissions for read only resources, except for the permissions for user creation (when the clients do sign up) again this should be tenant-agnostic. And when the user log-in into the system the JWT should be replaced for the one that have the user credentials again tenant agnostic. I am not sure if this is entirely correct, so how should we handle a situation like this ?
My other concern is, that we have the same back-end supporting authentication and credentials storage for human clients (tenant-agnostic) and application clients (tenant-aware), so there is logic that is a little bit more complicated in order to handle the privileges and tenant restrictions here. This could be just my impression but I feel that there should be a separation between application users and human users in the logic and/or data store.
But I am not completely sure and I want to know if some of you have previous experience or could have some ideas about this topic ?
Can you try the following approach, Create the users, assign the users with a read-only role for the tenants to which they need access to.
The data would be like
User1 - tenant1 - administrative role
User1 - tenant2 - data reader role
User1 - tenant 3 - user role
In the jwt, we ensure that the user is authorized. Then we get the list of accessible tenants and see if he has access to the requested tenant data w.r.to the above data and then complete the authorization.
HTH
If I have multiple Atlassian tools integrated with Crowd, i.e Jira, Confluence, Bamboo, etc., is it possible to grant a user access to Jira and not to Confluence or vice versa?
This can be done by the use of Groups. So, for example, you could have a jira-users group and a confluence-users group. Some users maybe members of both but other users may only be members of one and not the other.
The Managing Groups documentation for Crowd should help setting up the groups and adding users to them.
Specifying which Groups can access an Application details how to setup the restrictions you require per application.
Please note, that both these tasks require admin access to the Crowd Administration Console.
I'm exploring the WSO2 Identity server as a possible solution for a requirement we have.
We manage a lot of accounts, and every account has it's own admin users, users & roles.
We have a set of available permissions which is shared between all accounts, and (permissible) users can create new users, roles, attach roles to users etc..
But, the Users / Roles must be separated between the different accounts.
Also, accounts can be created / modified during run time.
What is the best practice to achieve this using the WSO2 IS? Maintaining User store per account? Using multi-tenancy?
I'm all over the WSO2 docs and can't seem to find a recommended solution to this requirement.
Thanks!
AFAIK it is better to go with multi tenancy. There you can create multiple tenants for each group and have an admin user/users/permission/roles specific to that particular group
I have a postgres database and a web app.
The web app allows the existance of users and they do some stuff on the webapp.
I am new to postgres but what we used to do in SQL Server was ActiveDirectory - CreateLogins - CreateRoles etc..
Now in this database is it possible to create a login for each user? or is a table with users (username password) better? or worse?
I was thinking about having 1 login user in the database that can only do specific procedures and see views and just authenticate the user through the table.
Which is better solution?
I think it's better to use the database's built-in role management, as it keeps it DRY. Despite myths, you can still use connection pooling. It makes it much easier to audit, and to use row-level security later if you need it.
Postgres can authenticate users using built-in roles, or using Kerberos, GSSAPI, SSPI or LDAP.
You can sync LDAP users/groups/roles with Postgres:
https://github.com/larskanis/pg-ldap-sync
You can delegate authentication to the web server. Login as the web server role, and then change the user's role, to act as that user, using SET ROLE X. This lets you use connection pooling.
Use one or more roles with specific permissions that access the login tables, along with the rest of the app's tables. You obviously don't want that role to be the database/table owner, to mitigate damage from an attack.
Be sure to use the pgcrypto module to salt and hash user passwords.