For AIX (7.1 to be specific): Are there configuration changes that can be made to permit user1 to su to user2 WITHOUT KNOWLEDGE of the user2's password?
user1) su - user2
Due to immutable requirements (grr), (non-root) admins are required by a vendors' procedure to execute scripts as the given user account which has escalated privilege and is deeply embedded into the core of the program.
It is desired to discontinue the use of a shared password. For tracking purposes, current procedure is for the admins to log in with their own account, and then su to the secondary account with the shared password for the account. (The secondary account is disabled for direct login presently).
Your post didn't reference "sudo" but it's a basic configuration for sudo.
Related
I would like to restrict some functions in a user written server add-in for certain users or groups.
Question: Is it possible to get (via an API) the user name who is sending a "Tell" command from a remotely connected server console?
Example:
Tell AddinName Command (issued remotely by Hotline User)
Tell AddinName Command (issued remotely by Admin User)
The remote console (and therefore the "Tell" command) is available to both users, but a subset of commands should only be allowed to authorised users (e.g. Group in Server Document->Security).
Is the user name (entering the "Tell" command) available (e.g. in the MessageQueue)?
I know that internally in Domino there are already some restriction possible to commands issued at the console.
The session.getCommonUserName() always returns the server name (since the add-in runs in context of the server).
Thanks for any pointer or ideas.
Andy
I believe that the answer to this is no, and it would not be advisable to implement tell commands that you can't trust to all authorized administrators.
If you really do need to confirm a user identity for a command, you're going to need to use database to queue the commands. I.e., you could build an application that stores the commands in documents in a database with a restricted ACL. Your addin code can use an Extension Manager hook to monitor the database for changes and read new documents when they appear, or you could have your application use NotesSession.SendConsoleCommand to issue something like 'tell myAddIn process ' to wake up your addin and give it the noteid of the document it just created. If you need to protect against people with full access admin rights overriding the ACL, your application could digitally sign the documents and your addin could verify the signatures.
We're trying to create a very basic role that allows users to query BigQuery tables, but not delete them. The custom role we're experimenting with now has the following permissions:
- bigquery.jobs.create
- bigquery.jobs.get
- bigquery.jobs.list
- bigquery.jobs.listAll
- bigquery.readsessions.create
- bigquery.routines.get
- bigquery.routines.list
- bigquery.savedqueries.get
- bigquery.savedqueries.list
- bigquery.tables.export
- bigquery.tables.getData
- bigquery.tables.list
- bigquery.transfers.get
- resourcemanager.projects.get
We're only focusing on delete at this time, so the permissions list is a work in progress. There is only one custom role assigned to our test user with the above permissions. However, the user can delete tables from our BigQuery dataset. Any idea on the correct combinations of permissions to achieve our objective.
Thanks in advance!
You have listed 14 permissions and seem to be making an assumption these permissions allow BQ table deletion.
This assumption looks odd (because clearly the permission bigquery.tables.delete is not on the list) and in fact is incorrect. Which means the GCP IAM identity (a user or a service account) assigned the role comprised of these 14 permissions will be unable to delete BQ tables. This in turn means the identity you are testing with is assigned additional role(s) and/or permission(s) that are not accounted for.
To prove the assumption is incorrect open BQ Console as a project administrator and click on the Cloud Shell icon to start Cloud Shell VM. Then execute the following commands at the command prompt replacing <project-name>:
# Prove the current user is BQ admin by creating 'ds_test1' dataset,
# 'tbl_test1' table, then deleting and recreating the table
bq mk ds_test1
bq mk -t ds_test1.tbl_test1
bq rm -f -t ds_test1.tbl_test1
bq mk -t ds_test1.tbl_test1
# Create role `role_test1`
gcloud iam roles create role_test1 --project <project-name> --title "Role role_test1" --description "My custom role role_test1" --permissions bigquery.jobs.create,bigquery.jobs.get,bigquery.jobs.list,bigquery.jobs.listAll,bigquery.readsessions.create,bigquery.routines.get,bigquery.routines.list,bigquery.savedqueries.get,bigquery.saved
queries.list,bigquery.tables.export,bigquery.tables.getData,bigquery.tables.list,bigquery.transfers.get,resourcemanager.projects.get --stage GA
# Create service account 'sa-test1'
# It is a good security practice to dispose of it when testing is finished
gcloud iam service-accounts create sa-test1 --display-name "sa-test1" --description "Test SA sa-test1, delete it when not needed anymore" --project <project-name>
# Grant the role (and its permissions) to the service account
gcloud projects add-iam-policy-binding <project-name> --member=serviceAccount:sa-test1#<project-name>.iam.gserviceaccount.com --role projects/<project-name>/roles/role_test1
# Save the credential of the service account (including the security sensitive
# private key) to a disk file
gcloud iam service-accounts keys create ~/key-sa-test1.json --iam-account sa-test1#<project-name>.iam.gserviceaccount.com
# Impersonate the service account. This replaces the current permissions with
# that of the service account
gcloud auth activate-service-account sa-test1#<project-name>.iam.gserviceaccount.com --key-file=./key-sa-test1.json
# Confirm the ability to list tables
bq ls ds_test1
# Confirm inability to delete tables
# The command fails with error: BigQuery error in rm operation: Access Denied: Table <project-name>:ds_test1.tbl_test1: User does not have bigquery.tables.delete permission for table <project-name>:ds_test1.tbl_test1.
bq rm -f -t ds_test1.tbl_test1
# Close SSH connection to the VM and logoff
exit
To see the roles granted to the service account 'sa-test1' created above open Cloud Shell and execute:
gcloud projects get-iam-policy <project-name> --flatten="bindings[].members" --filter="bindings.members:serviceAccount:sa-test1#<project-name>.
iam.gserviceaccount.com"
It should list our role projects/<project-name>/roles/role_test1.
To see the roles granted to the user who can delete tables execute:
gcloud projects get-iam-policy <project-name> --flatten="bindings[].members" --filter="bindings.members:user:<email-of-the-user>"
I did some tests on my end.
When an user has the 14 listed permissions, they are not even able to see the BigQuery Datasets on the UI. To do so, the bigquery.datasets.get permission must be added to the custom role.
Even with the 15 permissions, they are unable to Delete BigQuery tables so you are in the right path.
Being able to delete tables indicates that the user does not have the created Custom role assigned or has more permissions from additional roles. Please:
Check that the Roles have been set correctly (my scenario with the 15 permissions). Be sure to save changes when assigning permissions to your Custom roles.
In your IAM Dashboard please double check that the user has this role linked to their account.
Also check if the user does not have additional roles like Owner, Editor, BigQuery Admin, BigQuery Data Editor, etc. If they have any of those extra roles, their permissions are making them able to delete BigQuery tables.
Finally, double check who is logged into the UI, you can check it by clicking on the photo at the top right corner of your GCP UI. The user should not see an account different to myUser#emaildomain.com like in the following image
Hope this is helpful!
RE: Permissions
Program - Microsoft SQL Server Management Studio v.17.1
When attempting to create a new database through Object Explorer, I get the following error:
Screenshot #1
To fix this, I did the following and got another error:
Screenshot #2
I have searched the internet and all posts and articles say that I need to log in as administrator or SA. I am logged in as administrator and still can not gain permission to create a database.
How do I assign permission to the SA account to create a new database?
Problem here is that you are logged in with the local Windows Administrator account. You have two logins for your SQL Server instance as can be seen in your Image #2. One is SA (SQL Admin). The other is BUILTIN\USERS. That is a default group which every user that logs into the machine will be a part of. But unless you give that group permissions, or create other logins (I recommend this), you will be very limited to what you can do.
As you have found, that user group cannot modify permissions, especially for the SA user. The SA user is special, you cannot modify SA permissions at all. This is why you are receiving errors (partly because you don't have permissions to change them with the user you are logged in as, and partly because SA permissions cannot be modified).
The resolution to your issue is to login with the SA account. You will need to choose "SQL Login" at the login screen, as opposed to Windows login. SSMS will prompt you for a password. This password was configured by the person who installed the SQL instance. If the person who installed SQL Server did not specify a password, it will be most likely be a blank password or "Password123".
Once you are logged into the SA account, you can create new SQL or Windows Authentication logins and and provision them permissions as needed.
I'm trying to connect to a database using Windows Authentication. I believe that my current user does not have access to it.
How can I enable a user to login to SQL Server, and use the database?
You need to use the SQL Server Management Studio program to grant access for the user. You'll need to connect in with a login that has administration privileges for the database. If you have don't have those privileges you'll need to contact someone that does.
If you do have a login with those privileges:
open Management Studio
connect to the database server the database is on and look for the Security node in Object Explorer.
Expand the Security node and look for the name of the user in the list of Logins. The user's name should be the same as the user's Windows login if you are using Windows Authentication DOMAIN\Username format.
If the user is there, you will need to grant that user appropriate permissions to the database (read, execute SPs, etc.).
If the user isn't there you will need to add them.
Permission can also be added by group so you should check for groups that the user belongs to as well.
I had a scenario where I inherited a PC from another developer that left the organization. I couldn't access the default instance using Windows Authentication.
Here was the solution:
Open up SQL Server Configuration Manager
Click on "SQL Server Services"
Locate the Instance in the right pane and double-click for its properties
In the "Log On" tab, notice the "Log on as:" radio button option is set to "Built-in account".
Change the option to "This account" and add your Windows Authentication account with your domain and username and enter your password.
Click "Apply". Click "Yes" when it asks you if you want to restart the instance.
This will automatically add your Windows Authentication user account (Active Directory or local user) to the SQL Server instance. You will now be able to connect right away to the selected instance. As best practice, reset the settings back to the Built-in user account (most likely Network Service).
That's it!
(rephrased...)
How do you manage 'application' database accounts that have to follow the same policy as regular login-capable user accounts.
We have many processes in our system that run, unattended all the time, or part of scheduled jobs that need to access the database (Informix). These have been, up until now, nologin/noexpire accounts. We're now required to treat them as normal user accounts and their password to expire normally.
How do you manage/synchronize applications authenticating against the database when the credentials will at some point change?
We could generate a password based on the month, but since work is getting pushed through the system 24/7, that would likely lockout the account for too many failed attempts.
Two questions:
Are the applications (processes) running on the same machine as IDS?
Are they run by a process with the application account ID, or are they run by some administrative user (such as 'root') and the connection to the database specifies user name and password?
The answers are important because if the process is running on the local machine (the same machine as IDS) and the program is running as the 'application user', then the connection does not require a password at all. So, the expiry/change of the passwords would not affect the database system at all.
If the applications are run on the same machine but are started by 'root', then an option is to modify the code that runs the applications so that where it now does:
run_application
in future it does:
su app_user -c run_application
User 'root', of course, is empowered to run things as other users without bothering with trivial details like passwords. You might have to modify the application to avoid connecting with user name and password, again.
If the applications are not run on the same machines as IDS, the options are trickier. There are ways to achieve this effect; you probably do not want to exercise them.
(Contact me offline if you need details. I will need some more details from you, too. See my profile.)