I'm exploring the WSO2 Identity server as a possible solution for a requirement we have.
We manage a lot of accounts, and every account has its own admin users, users & roles.
We have a set of available permissions which is shared between all accounts, and (permissible) users can create new users, roles, attach roles to users etc.
But, the Users / Roles must be separated between the different accounts.
Also, accounts can be created / modified during run time.
What is the best practice to achieve this using the WSO2 IS? Maintaining User store per account? Using multi-tenancy?
I'm all over the WSO2 docs and can't seem to find a recommended solution to this requirement.
Thanks!
AFAIK it is better to go with multi-tenancy. There you can create multiple tenants for each group and have an admin user/users/permissions/roles specific to that particular group.
We had a business case where a user needs to have access to a company account with multiple different roles using single email address. We know this could be done by creating a realm with a client and client roles, and then mapping the client roles with the users.
We had a change in the business case where the same user with the same email address needs to have access to multiple company accounts with multiple different roles under each company. We found this could be solved by using the Authorization Services under the realm client.
Is this a valid way to solve this case? Is the use of authorization services considered twisted workaround or is it the right way to handle such case? Is there an easier way?
net core application. I am trying to implement authentication and authorization. I have users they are split into multiple regions. For example I have below regions.
GE GSAS
- user1
- user2
APAC
- user3
- user4
SE&A
- user5
- user6
These users have different permissions or roles. For example, RegionalAdmin, GlobalAdmin, Users, etc.
These users will be creating some orders in the portal. For example, a Regional head can reassign orders within that region only to other users. A Global head can reassign orders to anyone. Users can create orders and view and delete them, but users cannot reassign orders. All these users are part of an Azure AD tenant. Now I am trying to implement authentication and authorization. I started thinking about the design strategy like this: I can create groups as per regions and add users to groups. Based on the groups I can have authentication or authorization. But these users have different permissions like RegionalAdmin, GlobalAdmin etc. and these users have some extra functionalities allowed in web/API permissions. Can someone help me regarding this and how to organize groups or roles with respect to the above scenario? Any help would be greatly appreciated. Thank you
Assuming the regional admin you mentioned is a custom role in your application (as there is no such role in AAD), it is always better to use administrative units, and a suggested approach would be to create groups separately for regional admin and global admin users and assign roles to these groups accordingly.
A user can be assigned to multiple groups, and roles can be assigned to individual users/groups.
Authorize applications based on the role permissions granted by the administrator to groups. Please refer to this link for the detailed documentation on how to create/manage roles for an application in Azure AD.
I have a question similar to LDAP authorization but more specifically to OBIEE and Microsoft AD.
As described in documentation, if I use BI Publisher I only need to create a couple of XMLP_% roles in Active Directory and grant them to users after AD authentication is set up.
My questions are:
Can I use a similar approach for Analytics?
Am I obligated to use an external store for user roles?
Can I use the DefaultAuthenticator provider for roles and grant them to Active Directory users?
I want to use existing tools only if possible. Which options do I have for storing roles apart from database tables?
You don't need to create anything inside the AD at all. You just map whatever AD groups you want to OBI application roles.
DefaultAuthenticator is the WLS-embedded LDAP. Leave that alone, otherwise you lock out your "weblogic" admin account.
Here is the scenario, I have a service containing many records. My service also has many users, each with the ability to create, read, update and delete records. The ability to perform these operations on each record must be controlled at the record level.
For example, user A can only read and update record 1 but user B can read, update and delete records 1, 2 and 3 and user C can perform all operations on all records.
How if at all, can this be done using Azure AD?
Obviously, using application roles is not sufficient because that gives the user uniform access rights to all records.
The tenant is also not useful because it's the same for all users (in this example).
I definitely do not want to define access rights for every record individually, I would like to do something like assigning roles to a user group and then somehow assign records to the group.
Is there a standard way to deal with this type of resource based authorization?
As you correctly mention, role-based access or authorization is very generic and, using that, a user with a specific role gets access (or gets denied access) to all resources. (If your scenario permits, you could make it a little better by dividing your resources into a few types and giving access for 1 or more types of resources to 1 or more roles.)
When trying to control access for each record individually, you will need to implement custom logic for resource based authorization. Typically applications utilize a mix of role-based and resource-based authorization driven by their requirements.
In the end it will boil down to a mapping that you need to maintain between 3 things:
- Resource (or a collection of resources)
- Azure AD object (like role, group, individual user that is being given permission)
- Permission that you're giving (understood and enforced by your application, e.g. Blogs.Create permission for a Blogs application)
Relevant Documentation available on Microsoft Docs
Role-based and resource-based authorization
This documentation talks about similar concepts and shows a good example which makes use of both role-based and resource-based authorization: CRUD operations on resources based on roles, and then special privileges on a specific resource for the owner of that resource (i.e. resource-based).
Code Samples
Multi-tenant Survey Application Code
Code base for the documentation link above
Authorization in a web app using Azure AD groups & group claims
This one provides a sample task tracker application where users can share tasks with other users or Azure AD groups. Again you will see that a mapping between resources (i.e. tasks in this case) and Azure AD objects (i.e. users or groups) is being maintained in a sample database.
Assigning Application Roles for groups
Since you mentioned this as part of your question, just letting you know that this is possible from Azure Portal but only if you have Azure AD Premium license (I'm not sure which specific ones support it, but search on Group based assignments feature and you'll find it.)
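As an added example (not code from any of the posts above), here is a small policy decision function in Python that implements the three-way mapping this answer describes (resource, Azure AD object, application permission) together with the region-scoped reassign rule from the .NET Core question earlier on the page. The app role names, group ids, owner ids and permission names are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Principal:
    """Caller identity as carried in an Azure AD access token (constructed sample)."""
    oid: str           # "oid" claim: the user's object id
    roles: frozenset   # "roles" claim: app roles (GlobalAdmin, RegionalAdmin, Users)
    groups: frozenset  # "groups" claim: object ids of the groups the user belongs to

@dataclass
class Record:
    """An application resource plus its resource-based grants (the ACL)."""
    rid: str
    region_group: str  # id of the region group that owns this record
    owner: str         # oid of the user who created it
    acl: dict = field(default_factory=dict)  # subject id -> set of permission names

def allowed(p: Principal, rec: Record, permission: str) -> bool:
    """Decide one (principal, resource, permission) triple; the default is deny.
    Caveat: if the token has a groups-overage indicator instead of a "groups"
    claim, resolve the groups via Microsoft Graph before calling this; an empty
    groups set must mean "no groups", never "unknown"."""
    # Role-based, unscoped: GlobalAdmin may do anything to any record.
    if "GlobalAdmin" in p.roles:
        return True
    # Role-based, region-scoped: only a RegionalAdmin may reassign, and only for
    # a record in a region whose group they belong to. The ACL cannot grant it.
    if permission == "Orders.Reassign":
        return "RegionalAdmin" in p.roles and rec.region_group in p.groups
    # Resource-based: the owner has full rights on their own record ...
    if rec.owner == p.oid:
        return True
    # ... otherwise look for a grant to the user directly or to any of their groups.
    subjects = {p.oid} | p.groups
    return any(permission in rec.acl.get(s, ()) for s in subjects)

# Constructed sample data: two regions modelled as Azure AD groups.
GLOBAL_ADMIN = Principal("u-global", frozenset({"GlobalAdmin"}), frozenset())
APAC_ADMIN = Principal("u-apac-admin", frozenset({"RegionalAdmin"}), frozenset({"grp-apac"}))
APAC_USER = Principal("u-apac-user", frozenset({"Users"}), frozenset({"grp-apac"}))
OWNER = Principal("u-owner", frozenset({"Users"}), frozenset({"grp-emea"}))
ORDER_APAC = Record("o-1", "grp-apac", "u-owner",
                    acl={"grp-apac": {"Orders.Read"}, "u-apac-user": {"Orders.Update"}})
ORDER_EMEA = Record("o-2", "grp-emea", "u-owner")

if __name__ == "__main__":
    print(allowed(APAC_ADMIN, ORDER_APAC, "Orders.Reassign"),  # True
          allowed(APAC_ADMIN, ORDER_EMEA, "Orders.Reassign"))  # False
```

In an ASP.NET Core app the same decision would live in a resource-based authorization handler, with the roles and groups read from the token's claims rather than from constructed objects.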
If I have multiple Atlassian tools integrated with Crowd, i.e Jira, Confluence, Bamboo, etc., is it possible to grant a user access to Jira and not to Confluence or vice versa?
This can be done by the use of Groups. So, for example, you could have a jira-users group and a confluence-users group. Some users may be members of both, but other users may only be members of one and not the other.
The Managing Groups documentation for Crowd should help setting up the groups and adding users to them.
Specifying which Groups can access an Application details how to set up the restrictions you require per application.
Please note that both these tasks require admin access to the Crowd Administration Console.