How to use the concept of corporate account in MembershipReboot - thinktecture-ident-server

I'm studying MembershipReboot for a professional corporate solution.
The background is:
There are companies.
A company has one or more user administrators / owners.
A user administrator adds users with the roles administrator or worker.
In the multitenant sense...
Could a user group be used as a company?
Is each user a tenant?
Could there be a role per company, with a user / tenant assigned to it?

Related

How to give account users access to IBM Cloud Domain Name Services and Cloud Internet Services?

How do I give my team mate access, on our IBM Cloud account, to the Domain Registration Service and Internet Services resources?
The admin wants to add privileges. But when he looks at the list, he cannot find Domain Registration and Internet Services. The users are already in the IBM Cloud account.
There are a couple of ways to accomplish that with IBM Cloud IAM (Identity and Access Management), including granting the permissions directly to the users in question or creating an access group with the privileges first and adding the users to that group (best practice).
DNS Services has the listed roles, including Administrator.
Cloud Internet Services has a Manager service role.
So your admin would:
create an access group,
add the privileges for DNS Services and CIS to it as policies,
make sure that privileges on the resource group are added so the service instances are visible,
add the users to the access group.
Thereafter, you should have access.
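The four steps above, scripted against the IBM Cloud CLI. This is an added example, not code from the answer or from IBM: it assumes the `ibmcloud` CLI is installed and already logged in to the target account, that the IAM service names are `dns-svcs` (DNS Services) and `internet-svcs` (Cloud Internet Services), and that you know the ID of the resource group holding the instances. The group name, description, resource group ID and user addresses are placeholders.

```python
"""Added example: drive the access-group procedure above with the IBM Cloud CLI.

Assumptions (not from the answer): the `ibmcloud` CLI is installed and logged in,
the IAM service names are `dns-svcs` (DNS Services) and `internet-svcs` (Cloud
Internet Services), and the caller knows the resource group ID.
"""
import subprocess
from typing import List

Command = List[str]


def plan_access_group(group: str, resource_group_id: str, users: List[str]) -> List[Command]:
    """Return the ordered ibmcloud invocations, without executing anything."""
    plan = [
        ["ibmcloud", "iam", "access-group-create", group,
         "-d", "Operators for DNS Services and CIS"],
        # Service-level privileges. DNS Services is granted through the
        # Administrator platform role; CIS through its Manager service role.
        ["ibmcloud", "iam", "access-group-policy-create", group,
         "--roles", "Administrator", "--service-name", "dns-svcs"],
        ["ibmcloud", "iam", "access-group-policy-create", group,
         "--roles", "Manager", "--service-name", "internet-svcs"],
        # The step people forget: without Viewer on the resource group the
        # instances do not show up in the resource list, even though the
        # service policies above would let the user manage them.
        ["ibmcloud", "iam", "access-group-policy-create", group,
         "--roles", "Viewer", "--resource-type", "resource-group",
         "--resource", resource_group_id],
    ]
    # Add members last so nobody is in the group before its policies exist.
    plan.extend(["ibmcloud", "iam", "access-group-user-add", group, user] for user in users)
    return plan


def apply_plan(plan: List[Command], dry_run: bool = True) -> List[str]:
    """Run each command in order and stop at the first failure.

    With dry_run=True nothing is executed; the rendered command lines are
    returned so the change can be reviewed before it is applied.
    """
    rendered = []
    for cmd in plan:
        line = " ".join(repr(arg) if " " in arg else arg for arg in cmd)
        rendered.append(line)
        if not dry_run:
            subprocess.run(cmd, check=True)  # CalledProcessError aborts the sequence
    return rendered


if __name__ == "__main__":
    demo = plan_access_group("dns-cis-operators", "rg-1234567890abcdef", ["teammate@example.com"])
    for line in apply_plan(demo):  # dry run: prints the plan, changes nothing
        print(line)
```

Run it once as a dry run, check the rendered lines, then call `apply_plan(plan, dry_run=False)` from a logged-in session. Members are added after the policies so that a failure halfway leaves an empty group rather than users with partial access.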

Add tenant specific roles in Azure AD multitenant app

I'm developing a multitenant app in ASP.NET Core using Azure AD for authentication. I want to allow access to my app only for specific tenants (because of this I added a valid issuers list to my app's authorization).
The problem is that I want to specify custom roles for each tenant. Why? The base scenario looks like this.
I have customer organization (Tenant) A with 3 departments named AB, AC and AD.
Meanwhile I have customer organization (Tenant) B with 5 departments BA, BB, BC, BD, BE.
I want to be able to grant users permissions exactly for their departments. For example, grant a user from tenant A access only to department AB (or all of them), and in the perfect scenario it would be done by the admin of company A in their Azure AD.
I was thinking of App roles from Azure AD, but it seemed very undesirable to me to expose all departments of all my customers in the manifest.
Please refer to this official doc first:
Add app roles to your application and receive them in the token
The permissions function of Azure AD is not yet specific to the departmental permissions of a tenant.
This official document tells me that when we are in App Registration, we can add an App Role for other tenants (Test), and then our application can be accessed by the Test tenant.
However, the specific permissions for each department under each tenant should be controlled at the code level.
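What "controlled at the code level" can look like, as an added example that is not part of the answer or of any Microsoft sample: one coarse app role in the manifest gates entry per tenant, and the department grants live in the application's own store, keyed by tenant ID and user object ID so that a tenant admin can only ever hand out their own departments. The tenant IDs, object IDs, the app role name `Department.Access` and the department tables are constructed for the example; the claim set is assumed to have already passed signature, audience and expiry validation in the authentication middleware.

```python
"""Added example: department-level authorisation in application code, on top of
the Azure AD tenant allow-list and a single app role. All identifiers are
constructed; the app role name `Department.Access` is hypothetical.
"""
from typing import Dict, Set, Tuple

TENANT_A = "11111111-aaaa-4aaa-8aaa-000000000001"   # constructed tenant id
TENANT_B = "22222222-bbbb-4bbb-8bbb-000000000002"   # constructed tenant id

# Tenants allowed to sign in (the "valid issuers" list from the question).
ALLOWED_TENANTS: Set[str] = {TENANT_A, TENANT_B}

# Departments each tenant owns. Lives in the app's database, not the manifest.
TENANT_DEPARTMENTS: Dict[str, Set[str]] = {
    TENANT_A: {"AB", "AC", "AD"},
    TENANT_B: {"BA", "BB", "BC", "BD", "BE"},
}

# Per-user grants keyed by (tenant id, user object id). A tenant's admin may
# edit only rows for their own tenant; "*" means every department of that tenant.
DEPARTMENT_GRANTS: Dict[Tuple[str, str], Set[str]] = {
    (TENANT_A, "user-a1"): {"AB"},
    (TENANT_A, "user-a2"): {"*"},
    (TENANT_B, "user-b1"): {"BB", "BC"},
}

APP_ROLE = "Department.Access"   # the one app role in the manifest (hypothetical)


def expected_issuer(tid: str) -> str:
    """v2.0 issuer for a tenant; compared against the token's iss claim."""
    return f"https://login.microsoftonline.com/{tid}/v2.0"


def can_access_department(claims: Dict, department: str) -> bool:
    """Authorisation decision for one request.

    `claims` is the already-validated token payload. This function adds only
    the tenant/department logic that Azure AD does not provide.
    """
    tid = claims.get("tid")
    oid = claims.get("oid")
    if tid not in ALLOWED_TENANTS or claims.get("iss") != expected_issuer(tid):
        return False               # not a customer tenant, or tid and iss disagree
    if APP_ROLE not in claims.get("roles", []):
        return False               # the tenant admin has not assigned the app role
    if department not in TENANT_DEPARTMENTS.get(tid, set()):
        return False               # department belongs to another tenant, or to nobody
    grants = DEPARTMENT_GRANTS.get((tid, oid), set())
    return "*" in grants or department in grants


def make_claims(tid: str, oid: str, roles=(APP_ROLE,)) -> Dict:
    """Constructed claim set shaped like the relevant part of an Azure AD v2.0 token."""
    return {"iss": expected_issuer(tid), "tid": tid, "oid": oid, "roles": list(roles)}
```

The department check is done against the caller's own tenant before the grant table is consulted, so a mistaken or malicious row granting a tenant-A user department "BA" can never take effect. In ASP.NET Core the same decision would sit in an `IAuthorizationHandler` reading `tid`, `oid` and `roles` from the `ClaimsPrincipal`.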

Using common user pool for multi-tenancy when a user can be in multiple tenants

Some tenants will need their users to log in using corporate identities. I would prefer to use a single user pool for all tenants. Since the same user can be in multiple tenants, how do we identify which corporate identity to use to log the user in?
We can set up the authentication type or mode for each tenant in the tenant metadata, e.g. Tenant1: CustomAuthentication, Tenant2: Azure AD, Tenant3: On-Prem LDAP, etc.
In this case, when the user enters his email address or chooses a tenant (through a tenant dropdown or tenant-specific URL, etc.), we pick the right authentication mode and then do the redirection accordingly. On receipt of a valid authentication, we cross-check in the user pool and then allow the user to access the application based on his rights configured through Roles & Privileges.
This way, our tenants and tenant users are all in a shared / common pool, and the application data can be isolated to a different data store.
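The flow the answer describes, as an added example that is not part of the answer: tenant metadata carries the authentication mode, the e-mail domain (or an explicit tenant choice) selects the tenant, and after the external IdP returns, the identity is cross-checked against the shared pool before any roles are handed out. The tenants, domains, users and subject identifiers are constructed for the example; the actual redirects to Azure AD or LDAP are out of scope and represented by the returned `(tenant, mode)` pair.

```python
"""Added example: home-realm discovery over a shared user pool, as sketched in
the answer above. All tenants, users, domains and subjects are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Tenant:
    id: str
    auth_mode: str                 # "custom" | "azuread" | "ldap"
    email_domains: Tuple[str, ...]


# Tenant metadata: the per-tenant authentication mode from the answer.
TENANTS: Dict[str, Tenant] = {
    "tenant1": Tenant("tenant1", "custom", ("tenant1.example",)),
    "tenant2": Tenant("tenant2", "azuread", ("contoso.example",)),
    "tenant3": Tenant("tenant3", "ldap", ("contoso.example", "fabrikam.example")),
}

# Shared user pool keyed by (tenant, external subject). The subject is prefixed
# with the auth mode that issued it, so an LDAP uid can never collide with, or
# stand in for, an Azure AD object id. Alice is a member of two tenants.
USER_POOL: Dict[Tuple[str, str], Dict] = {
    ("tenant1", "custom:bob"):       {"email": "bob@tenant1.example", "roles": {"worker"}},
    ("tenant2", "azuread:oid-42"):   {"email": "alice@contoso.example", "roles": {"admin"}},
    ("tenant3", "ldap:uid=alice"):   {"email": "alice@contoso.example", "roles": {"worker"}},
}


def candidate_tenants(email: str) -> List[str]:
    """Tenants whose registered mail domains match the address the user typed."""
    domain = email.rsplit("@", 1)[-1].lower()
    return sorted(t.id for t in TENANTS.values() if domain in t.email_domains)


def start_login(email: Optional[str] = None, tenant_id: Optional[str] = None):
    """Pick the authentication mode for this login attempt.

    Returns ("redirect", (tenant_id, auth_mode)) when exactly one tenant applies,
    ("choose", [tenant ids]) when the address maps to several tenants and the
    user must pick one, or ("deny", None) when nothing matches. An explicit
    tenant (dropdown or tenant-specific URL) overrides domain matching.
    """
    if tenant_id is not None:
        matches = [tenant_id] if tenant_id in TENANTS else []
    elif email and "@" in email:
        matches = candidate_tenants(email)
    else:
        matches = []
    if len(matches) == 1:
        tenant = TENANTS[matches[0]]
        return ("redirect", (tenant.id, tenant.auth_mode))
    if matches:
        return ("choose", matches)
    return ("deny", None)


def complete_login(tenant_id: str, authenticated_subject: str) -> Optional[Dict]:
    """Cross-check the identity the IdP returned against the shared pool.

    Rejects subjects whose prefix does not match the tenant's configured mode
    (an LDAP subject presented to an Azure AD tenant), and users the IdP did
    authenticate but who were never provisioned in this tenant.
    """
    tenant = TENANTS.get(tenant_id)
    if tenant is None or not authenticated_subject.startswith(tenant.auth_mode + ":"):
        return None
    entry = USER_POOL.get((tenant_id, authenticated_subject))
    if entry is None:
        return None
    return {"tenant": tenant_id, "email": entry["email"], "roles": set(entry["roles"])}
```

Two details matter for the shared pool: the pool is keyed by tenant as well as subject, so Alice's admin role in tenant2 says nothing about her access in tenant3, and an identity is only accepted from the IdP the tenant is configured for, so switching the mode in tenant metadata immediately invalidates logins that arrive through the old one.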

Create an Active Directory account with no privileges

I want to know if it's possible to create an Active Directory user account that confers no access or privileges to that user, simply to authenticate a set of credentials.
As we are a hybridised AD/Azure organisation, I want this 'account' to replicate to Azure through the connector.
The reason for this is that:
We manage all our users through AD, so I don't want some accounts managed only in Azure; it would be very confusing. Centralised management and support is good!
The account would ONLY be used for authenticating users into Zoom via SAML2, or any other cloud service for that matter that can use Azure as an authentication service.
No capacity to access anything within our firewall.
Your ideas would be greatly appreciated.
Gus
It depends how you define "access". By default, the Authenticated Users group is able to read everything in AD, but not write. If you're OK with that, then you're done. Just create a user and don't add any access to it.
If you don't want it to read anything on the domain, then you'll have trouble. The Authenticated Users group is described as:
A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system.
Since there is no way to not have a user be part of Authenticated Users, you would have to modify the permissions on your domain to exclude Authenticated Users. But that may cause other issues for other users.
As far as I know, even the most basic permissions that any user is created with allow viewing other users or groups in AAD. If you want to turn off this basic permission, just set Restrict access to Azure AD administration portal to Yes; then the user will not have any access rights.
Go to the Azure portal -> click Azure Active Directory -> User settings

How to give a user Admin Rights to only one DNN Portal?

How can I give a new user only Admin Rights to one DNN portal?
Currently, we have two portals but I only want to give the users rights to the one portal on DotNetNuke.
What you've described is, in fact, how the "Admin" role works within DNN.
If you are used to the "Host" role, which does span DNN portals, I can see why you'd be confused.
Setting up an Admin user, or any other security role, will only be honoured on that specific portal.
If you want a user to have admin access over multiple portals, they will have to have separate admin accounts.