Azure DevOps: permissions to add an existing user to an existing group

I have a user that has all the needed permissions to add users and groups, and edit collection and project level permissions for users and groups according to this documentation: Permissions and groups in Azure DevOps and TFS, but when he tries to add an existing user to an existing group in a project he receives "You do not have the required permissions to perform this action".
User's collection level permissions:
User's project level permissions:
What am I missing? Which permissions do I need to give him so that he is able to add existing users to existing groups?

"Edit collection-level information" and "Edit project-level information" permissions are not enough.
For a user to be able to add/remove users/groups to/from existing groups under an existing project, the user needs to be part of the Project Administrator group at least.
Here is the Azure DevOps developer community's answer:
https://developercommunity.visualstudio.com/content/problem/335367/cannot-give-right-permissions-for-adding-existing.html

Related

How to give access to Accounting Settings for a user in Odoo14?

I want to give access to Accounting Settings to a user. The settings app was not accessible at first. So, I created a group for the user and gave menu, view and model access rights. Now the user can see the settings option in the accounting module and also in the app list, but still cannot access it. I cannot add the user to the Administrator / Settings group because I don't want to give the user the full permission of Settings. How can I give the user proper access rights? The warning is not enough to understand what permission I am missing. I am attaching some images of access rights.
1. User is added in the group.
2. Menu access rights
3. View access rights
4. Model access rights.

Get-AzRoleAssignment: Exception of type 'Microsoft.Rest.Azure.CloudException' was thrown

We have Lighthouse configured and I am trying to extract Azure AKS RBAC permissions information for a managing subscription from a managed tenant:
Get-AzRoleAssignment -scope "/subscriptions/0000000-0000-0000-00000000000000/resourcegroups/testrg/providers/Microsoft.ContainerService/managedClusters/testakscluster"
Can we extract role assignments for a managing tenant's subscription while logged in to a managed tenant's Cloud Shell?
Thanks for your help
When using the Get-AzRoleAssignment command, it will also call the Azure AD Graph API getObjectsByObjectIds to validate the objects in Azure AD.
To solve the issue, make sure the user account logged in to the cloud shell has permission to call the API. If your user account type is member, it will have the permission by default. So I suppose your user account is a guest; if so, there are two ways.
1. Navigate to the Azure Active Directory in the portal -> User settings -> click Manage external collaboration settings -> select the first option like below.
2. Navigate to the Azure Active Directory in the portal -> Roles and administrators -> search for Directory readers -> click it -> Add assignments -> add your user account to the Directory readers role.
Just select any of the options above, then the command will work fine.
For anyone coming to this thread after some searching: I had the same issue with this call across multiple versions of the AZ.Resources module: 2.5.0, 4.1.0 and 5.6.0. All my rights were set up correctly, both for an SPN and a user; both got the same error.
Changing the call to use the Azure CLI just works 😠.
az role assignment list -g [resource group name]

How to define Watches in Artifactory for LDAP Users

Artifactory allows setting Watches on specific repositories to get notifications when changes happen.
When you define an internal user, this works properly.
For LDAP users, there is no option to set a watch on a repository.
Are special settings needed to enable this feature for LDAP users, or is it impossible without any workarounds?
Thanks a lot!
The issue you are describing is not related to the LDAP users but is due to one of the options below:
1. You are not creating the LDAP users locally on Artifactory, meaning that you are validating the user against the LDAP server on the fly and not creating the user on Artifactory. If this is the case, then the reason you are not able to set a watcher is that, from Artifactory's perspective, it doesn't have a user with details (email as an example).
2. If #1 is not the case and you do create the LDAP users (automatically or not) in Artifactory, then check whether those users have an email defined upon creation in Artifactory.

Documents and Media: Give a role the permission to define the permissions on files and folders

I'm using Liferay Portal Community Edition 6.2 CE GA3 and the Documents and Media portlet. I created several roles in Liferay, one named "Documents-Admin". What I want is that a user with this role is able to create folders and files etc. and can change the permissions of these so that only specific users/roles have access to them.
So I changed the permissions for this role under Control Panel -> Users -> Roles and granted everything in Site-Administration -> Applications -> Documents and Media.
With this setting, a user with this role is able to open the permissions configurations of folders (even when he's not the owner). But the table only shows the roles "Users" and "Documents-Admin" - but there are 30 more. What do I have to do to see the full list of roles?
In Control Panel > Roles,
click on the Documents-Admin role which you created and select Define Permissions.
There, for the role, try giving view permissions, or try giving different permissions.

SonarQube 5.2, LDAP plugin 1.5: users losing privileges at their next login?

I have installed SonarQube 5.2 and the LDAP plugin 1.5 a few hours ago. I am really happy about the easy configuration of the LDAP plugin in an Active Directory domain.
But I experience something which looks like a huge problem.
1) An AD user loads the web page of the SonarQube instance
[behind the scenes] a user is being created (starting up from the headers of the HTTP request and the information present in the Active Directory)
2) An administrator of the platform (e.g. admin, default administrator of the platform) gives her some rights (e.g. add her to the sonar-administrators group)
the web interface shows an updated set of rights for this user
3) The user starts a new session
!!! The user has lost all of its rights. She doesn't belong anymore to the sonar-administrators group
(expected behavior) the user gets an updated interface, with the menus reserved to the sonar-administrators group
Am I missing some important part of the documentation?
You have configured SonarQube to use an external system to manage security, in this particular case Active Directory. So the default (and expected) behaviour is to delegate both the authentication and the authorizations to this system.
In your example, if you want the user to belong to some specific group, you have to configure this in your Active Directory. Next time the user logs in, he will be associated with this (those) group(s).
Note that the groups must exist in SonarQube, otherwise this won't work (i.e. you have to manually add them in "Security > Groups").
To elaborate on Fabrice's answer, when you have a user or group in the AD that you want to have administration permissions to the SonarQube instance, go to:
<your sq instance>/roles/global
and add the user or the group to the Administer System global permission.
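
The group delegation described in the answers above, as an added configuration sketch (not from the original posts or from the SonarQube project). It assumes the LDAP plugin's generic `ldap.*` settings in `conf/sonar.properties`; the host name, DNs and bind account are constructed placeholders.

```properties
# conf/sonar.properties (constructed example values)

# Delegate authentication to the directory.
sonar.security.realm=LDAP
ldap.url=ldaps://dc01.example.test:636
# Read-only service account used for lookups (placeholder credentials).
ldap.bindDn=CN=svc-sonar,OU=Service Accounts,DC=example,DC=test
ldap.bindPassword=<placeholder>

# User lookup, using Active Directory attribute names.
ldap.user.baseDn=OU=Users,DC=example,DC=test
ldap.user.request=(&(objectClass=user)(sAMAccountName={login}))
ldap.user.realNameAttribute=cn
ldap.user.emailAttribute=mail

# Group mapping. Once ldap.group.baseDn is set, group memberships are
# read from the directory at each login and override memberships that
# were assigned by hand in the SonarQube UI.
ldap.group.baseDn=OU=Groups,DC=example,DC=test
ldap.group.request=(&(objectClass=group)(member={dn}))
ldap.group.idAttribute=cn

# For a user to end up in sonar-administrators after login:
#  1. a directory group whose cn is "sonar-administrators" contains the user
#  2. a group with the same name already exists in SonarQube
#     (Security > Groups); directory groups with no SonarQube
#     counterpart are ignored
```

With this mapping in place, whoever can edit membership of the matching directory group effectively controls SonarQube administration, so that group deserves the same change control as any other privileged AD group.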