Following this documentation I try to make a user following a work item but I receive the following error:
{
"$id": "1",
"innerException": null,
"message": "You are not authorized to create a subscription.",
"typeName": "System.UnauthorizedAccessException, mscorlib",
"typeKey": "UnauthorizedAccessException",
"errorCode": 0,
"eventId": 0
}
The user which tries to create the subscription is an Admin of the project. Both users have access level Basic on organization level. The request uses Basic Auth with PAT with Full Access privileges. The same request succеeds in a different (test) organization but I don't see where is the difference between.
If your users want to set up Global notification, you need to make sure they are members of the Project Collection Administrators group of the organization.
I tested it in the UI, if the user is a project admin but not a member of the PCA group, then he has no permission to perform the operation.
Thanks for providing detail on your user role & licensing, those are usually the first two things to check in cases like these.
Since you're a Project Administrator and have at least a Basic license, I'd recommend checking two things:
If you're using the same PAT when issuing both calls between organizations, make sure that you've chosen "All accessible organizations" when configuring your PAT:
Within your project, head to Project Settings > Service Connections > Security, verify that the user you're attempting to create a service connection with has access. If they don't, add them to the Endpoint Administrators group.
Related
ISSUE: i want to use the same documents ai custom-trained processor from several different projects. the approach i have in mind is to make api calls from each of those projects to the a single service account that has the proper AIM roles. i have not been able to successfully set up a service account to access the ai processor we trained
SUMMARY: I have three different projects
DEV
STAGING
DOCUMENT AI PROCESSING
The** DOCUMENT AI PROCESSING** project contains the document AI processor which was custom-trained and the 2 other environments listed above need to access the same endpoint. I cannot find the right way to configure this, at the moment i am getting the following error: PERMISSION_DENIED: Permission 'documentai.processors.processOnline' )
BACKGROUND:
(1) I created a service account
(2) I grant this service account access to project, but did not grant any users access to the service account (item 3 in the screenshot)
(3) service account created successfully
(4) i add (as a principal) the newly created service account to the DEV project and assign it *EXACTLY* the same roles as what it has in the DOCUMENT AI PROCESSING project
(5) the service account has been granted access to the DEV project
What I expect to happen is to be able to use the Document AI processor which is located in DOCUMENT AI PROCCESSING project from the DEV project**.** However, I am still receiving the same error: PERMISSION_DENIED: Permission 'documentai.processors.processOnline' denied on resource '//documentai.googleapis.com/project...'(or it may not exist)."
After many hours, i am stumped and i am grateful to anyone that can provide an explanation of what i am getting wrong
As mentioned in the comment exchange of #Kolban and #bismar eyner esquivel ortuste, the correct permissions needed must be added to the Authorization Scope.
You may refer to this Document AI IAM roles documentation for the full list of roles for the API and refer to Document AI Processor REST API documentation for more information.
Posting the answer as community wiki for the benefit of the community that might encounter this use case in the future.
Feel free to edit this answer for additional information.
I'm attempting to assign a service account created in a project to the Group Admin role in Workspaces (GSuite) as part of an experiment to set up IAM automation in Terraform.
I'm essentially following this support guide here: https://support.google.com/a/answer/9807615#zippy=%2Cassign-a-role-to-a-service-account
Once I add the service account to be granted Group Admin, pressing "Assign Role" appears to do nothing. The button visually hovers but no action takes place after clicking it. My only option is to back out and discard the request.
I am signed in as a Super Admin. I've also tried Firefox, Safari, and Chrome hoping it was just a UI bug. I contacted Workspace support and while they were extremely helpful they were not able to find any issue on their end or point me in any direction.
I have also tried assigning a dummy user via the 'Assign User' page and I get the same issue. The button/form just doesn't seem to react or produce any error messages.
Is there something I could be missing in my Org setup?
So considering the UI is broken for me, I ended up using the API Explorer to assign the service account to the Group Admin role in Workspaces (GSuite)
Requirements:
Service Account unique ID, found by navigating to your service account from IAM in the console.
Customer ID, this is the customer ID of your Organisation and can be found in Account Settings in Workspaces or running the command:
$ gcloud organizations list
The customer ID is listed under DIRECTORY_CUSTOMER_ID.
You also need to find the roleID of your Group Admin role, I did this via the API Explorer again, requires your Customer ID
https://developers.google.com/admin-sdk/directory/reference/rest/v1/roles/list
Send a request to that and then check the response for:
"roleId": "XXXXXXXXXXXXXXX",
"roleName": "_GROUPS_ADMIN_ROLE",
You then need to use API Explorer to insert your service account using the above details
https://developers.google.com/admin-sdk/directory/reference/rest/v1/roleAssignments/insert
Request body:
{
"assignedTo": "XXXXXXXXXXX",
"roleId": "XXXXXXXXXXX",
"scopeType": "CUSTOMER"
}
Your service account should now be a Group Admin in Workspaces (GSuite)
I'am recently installed Azure DevOps Server 2019 in on-premises server.
However, i'am so confused : How i can set the security and the user permission in the server, such as : Deny user to view author project in the same collection , create custom group not in the azure devops default groups ...
I ask for idea to implement that
Thank you
According to Azure DevOps permission setting, most groups and almost all permissions, Deny trumps Allow. If a user belongs to two groups, and one of them has a specific permission set to Deny, that user will not be able to perform tasks that require that permission even if they belong to a group that has that permission set to Allow.
Deny user to view author project in the same collection.
Assume you were talking about team project. In your scenario, the simplest way is not add that user to your team project. People without team project collection admin permission will not be able to see those projects which they are not added in.
If you already add users in the team project and want the user not be able to see some info such as repo/build/work items in the project .
You need to evidently deny those users for viewing some project repositories/builds/ work items.
As how to create group, you could directly click New Group in the right top corner of the page from Project Settings-- Permission
More details about how are permissions and groups defined, suggest you go through our official doc here-- About permissions and groups
Besides, you could also manage user permission with the help of command line. The tfssecurity command line tool allows us to manage permissions for Azure DevOps groups and users. We could use it in a PowerShell script to grant access to projects that already exists.
I am trying to make request to the Graph API using a service with no UI. I downloaded the following sample code and followed the instructions: https://blog.kloud.com.au/2015/12/14/implementing-application-with-o365-graph-api-in-app-only-mode/
I successfully get an Access Token, but when using it to make a request to get organization information (required Read Directory Data access), I get 403 Unauthorized.
I have registered my app in Azure AD (where I am a co-administrator).
I have specified Microsoft Graph in the 'permissions to other applications' section, and given Read Directory Data access.
Interestingly there is a note below saying 'You are authorized to select only delegated permissions which have personal scope'. Even though I clearly did. Why? I suspect this is the source of my problem.
Likewise I have checked my demo app against these instructions: https://graph.microsoft.io/en-us/docs/authorization/app_only, but it makes no mention of what role in Azure you need to have.
in this SO post's answer, there is mention of still needing to Consent. I haven't found any documentation about this.
You are authorized to select only delegated permissions which have personal scope
This issue is caused that the app is created by none admin and when they visit the portal then will see this message.
To grant the app-only permission to the application, we need to be the administrator of the tenant. It is different with the co-administrator. To user the Client Credential flow, I suggest that you contact the admin of the tenant to create an application for you. And if you were just for testing purpose, you can create a free tenant and register the application yourself.
Update
We need the assign the Global administrator director role as figure below to make the application works for the client credential flow:
I want to get details of Azure Subscription of my client. But I do not want to ask for special permission from client.
What I need is the bare minimum things from my client so that I can login from powershell or rest api and read status of runbook jobs.
If i login from admin account of the subscription than I can easily get those details. But you understand it is not possible to have admin account credential of my client.
Please suggest some workaround.
What you need to do is create a user in Azure Active Directory and grant that user specific rights using either the Azure Portal or PowerShell\Cli\SDK.
Say read all, or read properties of desired automation account. If you would want like a super minumim, you would need to create a custom role first.
https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-custom-roles/
If your client placed specific resources within a Resource Group, they may grant you permissions on just that Resource Group (including read-only permissions). This would allow you to have access to needed resources, without having access to other areas of their subscription.