I am trying to fetch the list of services that are allowed by a role. I see the AWS console has the Access Advisor information, which fits my needs, but I see no API support. Does anyone know a way to call a policy summary (or something similar) that can provide that information without having to do this manually on the client side?
You are correct. There is no API call that provides information similar to the Access Advisor.
The closest option is the ability to fetch the IAM policy, but you would then need to interpret the policy into something human-intelligible.
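Added example, not code from the thread: the "interpret the policy yourself" route the answer describes, approximating a role's allowed services from its policy documents. The policy documents below are constructed samples; the `fetch_role_policies` helper shows the real boto3 calls that would collect them for a role but is not exercised offline. Resource and Condition elements are ignored, so the result over-approximates what the role can actually do.

```python
"""Added example (not from the thread): approximate a role's "allowed services"
from its IAM policy documents, from the policy text rather than usage data."""
from collections import defaultdict

# Constructed sample documents, in the shape returned by
# iam.get_role_policy()["PolicyDocument"] and
# iam.get_policy_version()["PolicyVersion"]["Document"].
SAMPLE_POLICIES = [
    {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
            {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
            {"Effect": "Deny", "Action": "dynamodb:DeleteTable", "Resource": "*"},
        ],
    },
    # A single statement object (not a list) with NotAction: it allows every
    # service except IAM, so the summary must flag it rather than miss it.
    {"Version": "2012-10-17",
     "Statement": {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}},
]


def _as_list(value):
    """IAM allows either a string or a list for Statement, Action and NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def summarize_policies(policies):
    """Return {service_prefix: {"allow": set(), "deny": set()}} of actions.

    The pseudo-service "*" collects wildcard Actions ("*") and NotAction
    grants, both of which reach far beyond any single service.
    """
    summary = defaultdict(lambda: {"allow": set(), "deny": set()})
    for doc in policies:
        for stmt in _as_list(doc.get("Statement")):
            effect = stmt.get("Effect", "Deny").lower()
            for action in _as_list(stmt.get("Action")):
                service = action.split(":", 1)[0] if ":" in action else "*"
                summary[service][effect].add(action)
            if effect == "allow" and "NotAction" in stmt:
                excluded = ",".join(_as_list(stmt["NotAction"]))
                summary["*"]["allow"].add(f"NotAction({excluded})")
    return dict(summary)


def allowed_services(policies):
    """Service prefixes with at least one Allow; "*" means a blanket grant."""
    return {svc for svc, acts in summarize_policies(policies).items() if acts["allow"]}


def fetch_role_policies(role_name):
    """Collect the role's inline and attached managed policy documents.

    Network call; needs boto3 and IAM read permissions, so boto3 is imported
    lazily and this is not run offline. The list_* calls are paginated
    (IsTruncated/Marker); a real run should loop on Marker.
    """
    import boto3
    iam = boto3.client("iam")
    docs = []
    for name in iam.list_role_policies(RoleName=role_name)["PolicyNames"]:
        docs.append(iam.get_role_policy(RoleName=role_name,
                                        PolicyName=name)["PolicyDocument"])
    for att in iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]:
        arn = att["PolicyArn"]
        version = iam.get_policy(PolicyArn=arn)["Policy"]["DefaultVersionId"]
        docs.append(iam.get_policy_version(PolicyArn=arn,
                                           VersionId=version)["PolicyVersion"]["Document"])
    return docs


if __name__ == "__main__":
    for svc, acts in sorted(summarize_policies(SAMPLE_POLICIES).items()):
        print(f"{svc:10} allow={sorted(acts['allow'])} deny={sorted(acts['deny'])}")
```

Deny statements are reported alongside the Allows rather than subtracted, because whether a Deny actually cancels an Allow depends on the Resource and Condition elements this summary does not evaluate; treat a service that appears in both sets as "needs a closer look".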
I'd like to create a role that can access only the read-only endpoint.
Constructing the resource ARN as described here will allow access to both read and write endpoints.
I tried setting the resource ID of the READER instance in the ARN in these ways:
arn:aws:neptune-db:region:account-id:reader-instance-resource-id/*
arn:aws:neptune-db:region:account-id:cluster-resource-id/reader-instance-resource-id
arn:aws:neptune-db:region:account-id:cluster-resource-id/reader-instance-resource-id/*
But none of these work. Is there a way to give a role the read access only?
The roles and policies that Amazon Neptune currently supports are listed here. Currently, the NeptuneReadOnlyAccess managed policy applies only to the control plane. It allows you to read but not alter configurations. That policy does not apply to the data plane (running queries).
It is possible that a future Amazon Neptune update may add additional access control policies.
For now, you will need to manage access to instances and endpoints as part of your application architecture.
We are working on setting up a Tableau extract refresh through API invocation. We are using personal access tokens from Tableau for authentication. While we are able to establish the communication and retrieve details on the Tableau site, we get a 401002 response when we try the extract refresh. Is there a need for an additional privilege on the access token to set the extract refresh?
Any pointers on this would be of great help!
Make sure that the user whose PAT you're using is the owner of the workbook (and hence the extraction schedule). If not, the extraction request will fail. Alternatively, if the user cannot be the owner, they must be server administrators or site administrators on your Tableau server.
Also make sure you already have a schedule for the extract refresh. If one doesn't exist, you can create it with the Create Schedule method (with the API this can only be done by server administrators; in the browser the owner of the workbook can do this).
From the Tableau API docs, also note that "A REST request to start a refresh task will fail if the task has been put in the task queue in any of these ways, or is already in progress". This might also be one reason why it fails.
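Added example, not code from the thread or from Tableau: the sequence the answer above implies, in Python against the Tableau REST API. It signs in with a PAT, compares the signed-in user with the workbook owner before attempting the refresh, and recognises a 401002 error body. The XML responses at the bottom are constructed samples in the documented response shape, so the checks run offline; `call` does the real HTTP round trip and is not run here.

```python
"""Added example (not from the thread): PAT sign-in, ownership check, and
Run Extract Refresh Task against the Tableau REST API."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

NS = {"t": "http://tableau.com/api"}


def signin_body(pat_name, pat_secret, site_content_url=""):
    """Body for POST /api/{version}/auth/signin with a personal access token.

    quoteattr() escapes the secret so it cannot break out of the attribute."""
    return ("<tsRequest><credentials personalAccessTokenName={} "
            "personalAccessTokenSecret={}><site contentUrl={}/>"
            "</credentials></tsRequest>").format(
        quoteattr(pat_name), quoteattr(pat_secret), quoteattr(site_content_url))


def parse_signin(xml_text):
    """Session token, site id and the id of the user the PAT belongs to."""
    cred = ET.fromstring(xml_text).find("t:credentials", NS)
    return {
        "token": cred.get("token"),
        "site_id": cred.find("t:site", NS).get("id"),
        "user_id": cred.find("t:user", NS).get("id"),
    }


def workbook_owner(xml_text):
    """Owner id from GET /api/{version}/sites/{site-id}/workbooks/{workbook-id}."""
    return ET.fromstring(xml_text).find("t:workbook/t:owner", NS).get("id")


def may_refresh(session, workbook_xml, is_admin=False):
    """The rule from the reply: the PAT's user owns the workbook, or is an admin."""
    return is_admin or workbook_owner(workbook_xml) == session["user_id"]


def parse_error(xml_text):
    """(code, summary, detail) for a tsResponse error body, else None."""
    err = ET.fromstring(xml_text).find("t:error", NS)
    if err is None:
        return None
    return (err.get("code"),
            err.findtext("t:summary", default="", namespaces=NS),
            err.findtext("t:detail", default="", namespaces=NS))


def run_now_url(server, api_version, site_id, task_id):
    """POST target for Run Extract Refresh Task."""
    return f"{server}/api/{api_version}/sites/{site_id}/tasks/extractRefreshes/{task_id}/runNow"


def call(url, method, token=None, body=None):
    """One HTTP request, returning (status, body). Network call, not run offline."""
    req = urllib.request.Request(url, data=body.encode() if body else b"", method=method)
    req.add_header("Content-Type", "application/xml")
    if token:
        req.add_header("X-Tableau-Auth", token)  # header only; never in the URL or logs
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


# Constructed sample responses (not captured from a real server).
SIGNIN_XML = ('<tsResponse xmlns="http://tableau.com/api"><credentials token="tok-123">'
              '<site id="site-1" contentUrl=""/><user id="user-1"/></credentials></tsResponse>')
WORKBOOK_XML = ('<tsResponse xmlns="http://tableau.com/api"><workbook id="wb-9" name="Sales">'
                '<owner id="user-2"/></workbook></tsResponse>')
ERROR_XML = ('<tsResponse xmlns="http://tableau.com/api"><error code="401002">'
             '<summary>Unauthorized Access</summary><detail>constructed sample detail'
             '</detail></error></tsResponse>')
```

A real run is `call(f"{server}/api/{ver}/auth/signin", "POST", body=signin_body(...))`, then `parse_signin`, then a GET of the workbook, and only if `may_refresh(...)` is true a POST to `run_now_url(...)`; when the status is 4xx, `parse_error` on the body gives the numeric code to match against the docs (the thread's 401002 included).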
We are using Azure AD for authentication for our application and dealing with Azure AD token expiration.
We need to fetch the list of users who are currently working (logged in) in the application,
and the list of users signed out (logged off) from the application.
It's like tracking the online and offline users on our application.
Which Microsoft Graph API do we need to use? I went through the Microsoft documentation but couldn't find an API for this use case.
Please share some code or a way I can achieve this without storing user sessions in my DB.
I'm sorry to tell you there is no such Graph API command as far as I'm aware. Like you said, the only way to reliably do it is storing user session information on your own.
The only other thing that I can think of that you could do is try to extrapolate login information from the Azure audit logs, to get an approximation. You can get a list of sign-ins from this Graph endpoint: https://learn.microsoft.com/en-us/graph/api/signin-list?view=graph-rest-1.0&tabs=http
There is also the endpoint auditLogs/directoryAudits, as per https://learn.microsoft.com/en-us/azure/active-directory-b2c/view-audit-logs, that may show some information about the ID tokens being issued.
Other than those two options, I don't believe there is any better way at the moment.
After discussion with the Microsoft team, we got the input that they don't have any Graph API to fetch the active/logged-in user list for a hosted application.
But we can trace the audit logs API, which will help us get the list of users logged in at a certain time. That list is also not real time; it may have a delay of 5 to 10 minutes.
We are going to handle the user session details manually.
Pasting below the audit log APIs for reference:
https://learn.microsoft.com/en-us/graph/api/signin-list?view=graph-rest-1.0&tabs=http
https://learn.microsoft.com/en-us/graph/api/signin-get?view=graph-rest-1.0&tabs=http
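Added example, not code from the thread: the approximation both replies above describe, in Python. It builds the `auditLogs/signIns` query for one application and time window, then reduces the returned pages to "users with a successful sign-in inside the window". The response page is a constructed sample in the shape of the signIns resource; `appId` below is a placeholder. Sign-outs are never logged, and the thread notes the log itself lags by 5 to 10 minutes, so the result is "signed in recently", not "online now".

```python
"""Added example (not from the thread): approximate recently signed-in users
from the Microsoft Graph signIns log, since no endpoint reports who is online."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com/v1.0"


def signins_url(app_id, since):
    """GET /auditLogs/signIns filtered to one application and a time window.

    Needs the AuditLog.Read.All and Directory.Read.All permissions. urlencode
    percent-encodes the `$` of the OData options, which Graph accepts.
    """
    flt = (f"createdDateTime ge {since.strftime('%Y-%m-%dT%H:%M:%SZ')} "
           f"and appId eq '{app_id}'")
    return f"{GRAPH}/auditLogs/signIns?" + urlencode(
        {"$filter": flt, "$orderby": "createdDateTime desc"})


def parse_time(value):
    """Graph timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def recent_users(pages, now, window_minutes=60):
    """Map userPrincipalName -> latest successful sign-in inside the window.

    `pages` is an iterable of decoded Graph responses; a real caller follows
    @odata.nextLink until it is absent. Failed attempts (status.errorCode != 0)
    and entries older than the window are skipped.
    """
    cutoff = now - timedelta(minutes=window_minutes)
    latest = {}
    for page in pages:
        for entry in page.get("value", []):
            if entry.get("status", {}).get("errorCode", 0) != 0:
                continue
            seen = parse_time(entry["createdDateTime"])
            if seen < cutoff:
                continue
            upn = entry["userPrincipalName"]
            if upn not in latest or seen > latest[upn]:
                latest[upn] = seen
    return latest


# Constructed sample page in the shape of a signIns response (not real data).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_PAGE = {
    "@odata.context": f"{GRAPH}/$metadata#auditLogs/signIns",
    "value": [
        {"id": "1", "createdDateTime": "2024-01-01T11:57:00Z",
         "userPrincipalName": "alice@example.com", "appId": "app-1",
         "status": {"errorCode": 0}},
        {"id": "2", "createdDateTime": "2024-01-01T11:58:00Z",
         "userPrincipalName": "bob@example.com", "appId": "app-1",
         "status": {"errorCode": 50126, "failureReason": "Invalid username or password."}},
        {"id": "3", "createdDateTime": "2024-01-01T09:30:00Z",
         "userPrincipalName": "carol@example.com", "appId": "app-1",
         "status": {"errorCode": 0}},
        {"id": "4", "createdDateTime": "2024-01-01T11:20:00Z",
         "userPrincipalName": "alice@example.com", "appId": "app-1",
         "status": {"errorCode": 0}},
    ],
}

if __name__ == "__main__":
    print(signins_url("app-1", NOW - timedelta(hours=1)))
    for upn, seen in sorted(recent_users([SAMPLE_PAGE], NOW).items()):
        print(f"{upn}: last successful sign-in {seen.isoformat()}")
```

Filtering on the failed attempt matters for the security reading as well as the accuracy one: a 50126 entry is evidence of a password-guessing attempt against bob, not of bob being online, and should not promote him to the "active" list.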
I've been creating an extension for VSTS, and so far I have stored some data in documents in collections (https://learn.microsoft.com/en-us/vsts/extend/develop/data-storage).
The problem I have now is that I need to GET these documents somehow from an external application. I have looked into https://github.com/Microsoft/vsts-auth-samples/tree/master/ClientLibraryConsoleAppSample to get the authorization done, but then I am unable to get the documents. If I try to access them through the REST API, I have issues authorizing myself (without the personal access token provided. The application is supposed to work for every user, and I cannot get and use every user's personal access token. This is not feasible for 350+ people), and I am unable to get the REST API working. The documentation on all of this is severely lacking.
Anyone able to help?
The documentation is lacking because the Data Storage is isolated to the extension and there is no easy way to access the data from outside of the extension. If you need external access, you also need to store your data externally: Azure Storage, or a TFVC/Git repo under the VSTS account.
As for per-user storage access, that's also isolated and would indeed require either an account owner token or a user-specific OAuth or PAT token.
I have found the solution. The documentation states that there are two ways of working with the documents/collections: the REST API and their VSS wrappers. The URL required to get all documents in a certain collection is as follows:
https://{account}.extmgmt.visualstudio.com/_apis/ExtensionManagement/InstalledExtensions/{publisherName}/{extensionName}/Data/Scopes/Default/Current/Collections/{collectionName}/Documents/{documentName}.
Using this in a browser works just fine. All that needs to be done in order to use this with an external application is authorization.
If you use SDK methods from the docs like VSS.getService(VSS.ServiceIds.ExtensionData), you can view the request (easiest in the browser dev tools).
It looks like:
https://extmgmt.dev.azure.com/{organization}/_apis/ExtensionManagement/InstalledExtensions/{publisher id}/{extension id}/Data/Scopes/Default/Current/Collections/{collections (by default 'MyCollection')}/Documents
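Added example, not code from the thread or from Microsoft: calling the Documents URL shown above from an external Python program. The URL builder follows the `extmgmt.dev.azure.com/{organization}` form; the token is sent as HTTP Basic with an empty user name, which is how Azure DevOps accepts a PAT. The `api-version` value and the PAT scope named in the comment are assumptions to check against the current docs, and the listing at the bottom is a constructed sample, so only the URL, header and parsing logic run offline.

```python
"""Added example (not from the thread): read extension data-storage documents
from outside the extension through the ExtensionManagement REST API."""
import base64
import json
import urllib.error
import urllib.request


def documents_url(organization, publisher_id, extension_id, collection="MyCollection",
                  document_id=None, scope_type="Default", scope_value="Current"):
    """The Documents URL from the thread; append a document id to fetch one."""
    url = (f"https://extmgmt.dev.azure.com/{organization}/_apis/ExtensionManagement/"
           f"InstalledExtensions/{publisher_id}/{extension_id}/Data/Scopes/"
           f"{scope_type}/{scope_value}/Collections/{collection}/Documents")
    return f"{url}/{document_id}" if document_id else url


def pat_auth_header(pat):
    """Azure DevOps takes a PAT as Basic auth with an empty user name.

    The PAT must carry a scope that can read extension data (assumed here to
    be vso.extension.data; verify against the current scope list).
    """
    return "Basic " + base64.b64encode(f":{pat}".encode()).decode()


def parse_documents(body):
    """A collection listing is {"count": n, "value": [{id, __etag, ...}, ...]}.

    Returns {document_id: fields}. The __etag is kept because updates must
    send it back to avoid overwriting a newer version of the document.
    """
    data = json.loads(body)
    return {doc["id"]: {k: v for k, v in doc.items() if k != "id"}
            for doc in data.get("value", [])}


def get_documents(url, pat, api_version="6.0-preview.1"):
    """Network call, not run offline. api_version is an assumption."""
    req = urllib.request.Request(f"{url}?api-version={api_version}")
    req.add_header("Authorization", pat_auth_header(pat))  # header, never query string
    req.add_header("Accept", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, parse_documents(resp.read().decode())
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


# Constructed sample listing (not captured from a real organization).
SAMPLE_LISTING = json.dumps({
    "count": 2,
    "value": [
        {"id": "settings", "__etag": 3, "theme": "dark"},
        {"id": "user-prefs", "__etag": 1, "lang": "en"},
    ],
})

if __name__ == "__main__":
    print(documents_url("myorg", "my-publisher", "my-extension"))
    for doc_id, fields in parse_documents(SAMPLE_LISTING).items():
        print(doc_id, fields)
```

This still needs a token for each caller, which is the constraint the earlier reply points out: a single PAT reaches only the Default (account-level) scope, not the per-user scope, so the 350-user case stays an architecture problem rather than an API one.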
I have followed the tutorial for enforcing policies on API calls
http://wso2.com/library/tutorials/2016/02/tutorial-how-to-enable-role-based-access-control-for-wso2-api-manager-using-xacml/
It wasn't easy but I got something up and running. I can change access to different endpoints of an API depending on the user's role.
I have a question. Here's a fictional setup to complete the tutorial:
API EduCollege, with endpoints /student/info and /staff/info (tutorial)
API Prison, with endpoints /prisoner/info and /staff/info (note that it's the same endpoint)
I write a policy EDUCollegePolicy that enables only those with role college_admin to access /staff/info (tutorial).
But there seems to be no way to restrict these college admins from accessing staff info of the prison!
The field resource only contains info about the endpoint.
Is there any way, using this setup, to limit by API?
Or does it maybe require a different JAR add-in, that would send a resource value set to API/version/endpoint instead of just /endpoint?
Oh, by the way: I couldn't set policies according to the endpoints provided in the tutorial. It doesn't seem that it's /staff/info, but I got it to work with the regexp .*staff.*info.*. Not nice. I wonder what the actual resource sent from the JAR to the PDP is; I couldn't find it in any logs, including the IDS logs (the IDS acts as PDP).
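Added example, not from the tutorial or the post: a minimal XACML 3.0 policy in the shape the question describes, with the regexp resource match the poster got working and a Condition on the caller's role. The role attribute id is assumed to be the WSO2 role claim URI; the resource-id carries only whatever the enforcement JAR sends, which per the thread is the endpoint path, so this policy cannot on its own distinguish EduCollege's /staff/info from Prison's.

```xml
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="EDUCollegePolicy"
        Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <Description>Permit only college_admin to reach resources matching .*staff.*info.* (added example)</Description>
  <!-- Target: the regexp match from the thread. string-regexp-match takes the
       pattern first, then the attribute value it is tested against. -->
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">.*staff.*info.*</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                               Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <!-- Rule: permit when any of the subject's role values equals college_admin.
       The AttributeId is an assumption (WSO2 role claim URI). -->
  <Rule RuleId="permit-college-admin" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of">
        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">college_admin</AttributeValue>
        <AttributeDesignator AttributeId="http://wso2.org/claims/role"
                             Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                             DataType="http://www.w3.org/2001/XMLSchema#string"
                             MustBePresent="true"/>
      </Apply>
    </Condition>
  </Rule>
  <!-- deny-unless-permit: anything the rule above does not permit is denied,
       so a missing role attribute fails closed instead of NotApplicable. -->
</Policy>
```

With deny-unless-permit, a request that matches the Target but has no role attribute is denied rather than returning NotApplicable, which is the safer default when the PEP's handling of NotApplicable is unknown. Limiting by API, as the question asks, still needs a second attribute in the request (or a resource-id that carries the API name); the regexp alone cannot do it.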