Keycloak permission to restrict account based resources - keycloak

In our existing customer portal, using our own permission system, we can set an account "context" on a user, with the permission to only be able to act on resources in certain accounts.
How do I do that in Keycloak?
I am a bit confused reading about roles, resources, policies and permissions. I tried reading this Stack Overflow question, Resources, scopes, permissions and policies in keycloak, but it doesn't seem to directly answer my question.
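The account-context model described in the question maps onto the three layers Keycloak Authorization Services use: a resource (which can carry attributes), a policy (which decides from the caller's token and the resource), and a permission (which binds scopes or resources to policies). The Python below is an added illustration of that layering, not Keycloak's code or configuration; the claim name `accounts`, the resource attribute `account`, the role name `portal-user` and the invoice resources are all assumed for the example.

```python
"""Account-scoped authorization modelled on Keycloak's resource / policy /
permission layering. Illustrative code only (not Keycloak's); the claim name
``accounts``, the resource attribute ``account`` and the role ``portal-user``
are assumptions made for this example."""
from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class Resource:
    """A protected resource. Keycloak resources may carry free-form attributes;
    here the ``account`` attribute says which customer account owns it."""
    name: str
    attributes: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Token:
    """The parts of an access token a policy looks at."""
    subject: str
    realm_roles: frozenset = frozenset()
    claims: dict = field(default_factory=dict)


Policy = Callable[[Token, Resource], bool]


def account_context_policy(token: Token, resource: Resource) -> bool:
    """Equivalent of an attribute-based (e.g. JavaScript) policy: grant only when
    the resource's ``account`` attribute is in the token's ``accounts`` claim.
    A resource with no account attribute is never granted by this policy."""
    allowed = set(token.claims.get("accounts", []))
    owner = resource.attributes.get("account")
    return owner is not None and owner in allowed


def role_policy(required_role: str) -> Policy:
    """Equivalent of a Keycloak role policy."""
    def check(token: Token, resource: Resource) -> bool:
        return required_role in token.realm_roles
    return check


@dataclass
class Permission:
    """Scope-based permission: applies to the listed scopes and requires *all*
    of its policies to grant (Keycloak's UNANIMOUS strategy for a permission)."""
    scopes: frozenset
    policies: list

    def applies_to(self, scope: str) -> bool:
        return scope in self.scopes

    def grants(self, token: Token, resource: Resource) -> bool:
        return all(policy(token, resource) for policy in self.policies)


def is_permitted(permissions: list, token: Token, resource: Resource, scope: str) -> bool:
    """Deny by default: a scope nobody has written a permission for is denied,
    and every applicable permission must grant (unanimous resource-server
    decision strategy, assumed here)."""
    applicable = [p for p in permissions if p.applies_to(scope)]
    return bool(applicable) and all(p.grants(token, resource) for p in applicable)


# Constructed sample data.
PERMISSIONS = [
    Permission(frozenset({"view", "edit"}),
               [role_policy("portal-user"), account_context_policy]),
]
INVOICE_ACME = Resource("invoice-1001", {"account": "acme"})
INVOICE_GLOBEX = Resource("invoice-2002", {"account": "globex"})
INVOICE_ORPHAN = Resource("invoice-3003", {})  # no owner attribute set

ALICE = Token("alice", frozenset({"portal-user"}), {"accounts": ["acme"]})
BOB_NO_ROLE = Token("bob", frozenset(), {"accounts": ["acme", "globex"]})


def demo() -> dict:
    """Decisions for the sample tokens and resources."""
    return {
        "alice_view_acme": is_permitted(PERMISSIONS, ALICE, INVOICE_ACME, "view"),
        "alice_edit_globex": is_permitted(PERMISSIONS, ALICE, INVOICE_GLOBEX, "edit"),
        "alice_view_orphan": is_permitted(PERMISSIONS, ALICE, INVOICE_ORPHAN, "view"),
        "alice_delete_acme": is_permitted(PERMISSIONS, ALICE, INVOICE_ACME, "delete"),
        "bob_view_acme": is_permitted(PERMISSIONS, BOB_NO_ROLE, INVOICE_ACME, "view"),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {'PERMIT' if decision else 'DENY'}")
```

In Keycloak terms the `account` attribute lives on the resource, the `accounts` claim is put into the token by a protocol mapper on the user attribute, and the two policies are combined in one scope permission; the deny-by-default for the unmapped `delete` scope and for the resource with no owner attribute are the two cases worth checking when wiring this up for real.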

Related

What NameSpace, NameSpaceID, Token and/or bit will give permission to Project Admins to add/remove users (any Permissions/Azure DevOps gurus?)

Is there someone who knows the NameSpace, NameSpaceID and/or Token and/or bit value that gives Project Admins in Azure DevOps permission to add and remove users? I know only Project Admins have that permission and other Security Groups don't.
I know you can find all the NameSpaces here.
These are the different levels of Namespace:
Object-level
Project-level
Organization or collection-level
Server-level (on-premises only)
Role-based
Internal only
I cannot point out in "Internal Namespace and Permissions" which particular one provides that access. It is not obvious.
Does anyone know what NameSpace, NameSpaceID and/or Token and/or bit will give permission to Project Admins to add/remove users?
Does anyone know what NameSpace, NameSpaceID and/or Token and/or bit will give permission to Project Admins to add/remove users?
Project Administrators are granted all project-level permissions and have the highest permission level in the project. You can't change the permission settings for the Project Administrators group. This is by design.
This is stated in the official document.
If you mean permissions to read, write, and delete user account identity information, manage group membership, and create and restore identity scopes, then you can check the Identity namespace.

Keycloak users security

I am using Keycloak 18.0 for an Angular 13 + Spring Boot app. The solution uses a microservices architecture pattern, so Keycloak already guards access to the other solution resources. I am using only the Keycloak REST API.
The problem is the security of Keycloak itself:
I want to restrict Keycloak client token only to user creation.
Any user has to be able to:
1. Fully access and manage ONLY his own profile.
2. Have restricted access to the profiles of other users.
3. Any other operation, such as viewing other users or adjusting roles, should be enabled only if the authenticated user has some kind of permission to do it.
For example:
Anybody can create a user (signup).
After the user is verified, some role is assigned to that user.
The user logs in and acquires a token that has permissions to fully manage only his own resources, including the user itself, and has restricted access to other users and their resources.
I am not sure I want to integrate Keycloak as the resource security manager (I am considering that option, but for now only the Spring Boot Adapter was implemented to control the corresponding resources' security), but at least I would like to prevent, e.g., reading the full list of users using the Keycloak client token.
I have a basic understanding of the Keycloak Resource/Policy/Permission feature, but I am not sure I understand how I can apply it to Keycloak users themselves.
Thanks a lot in advance for your help.

Granting Azure function console access without publish web site permission

I wish to grant users in a given AD group access to the Development Tools > Console function of the Production environment. I believe this is Kudu permission granted by assigning the Microsoft.Web/sites/publish/Action.
Is this possible without granting a member of the group the ability to publish web sites?
It is not possible without granting a member of the group the ability to publish web sites.
The Microsoft document states clearly that you require the microsoft.web/sites/publish/action resource provider operation:
Ones with Kudu access are ones owning the site - regardless if read-only or not. To expand, they can deploy any codes (good or malicious) to and able to read any secret settings of the site (eg. KeyVault, SQL and Storage credentials, Private Certificates, etc.). Hence for Azure, only those with Contributor / Owner access (to be exact, with microsoft.web/sites/publish/action or, for slot, microsoft.web/sites/slots/publish/action) can access to Kudu (SCM).
Refer to this document for more information.

gcloud confusion about set/get IAM policy for a service account

There are two commands I have been confused about for some time:
gcloud iam service-accounts get-iam-policy
gcloud iam service-accounts set-iam-policy
From the --help output, these two commands treat a service account as a resource. Most often I use a service account as an identity: for example, in a project I set a policy by binding a role to the service account so that the service account can operate on something in that project.
Can someone please point out what the use of attaching a policy to a service account is? How does a service account act as a resource rather than an identity?
As explained in this part of the official documentation, Managing service accounts:
When thinking of a service account as a resource, you can grant roles to other users to access or manage that service account.
So, using it as a resource has the goal of letting you manage who can use and control the service account. To provide some additional details, as in this example here, with the policies attached to them you can configure the level of access that different users have to service accounts; as mentioned there, you can configure that some users have viewer access while others have editor level.
To summarize, the functionality of attaching policies to a service account is for you to set different levels of access and permissions for the users who can access the service account.
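The object that `gcloud iam service-accounts get-iam-policy` prints and `set-iam-policy` consumes is the service account's own IAM policy: the service account is the resource, and the members in its bindings are the identities allowed to use or administer it. The Python below is an added example (not Google's code or any gcloud internals) of the read-modify-write cycle those two commands bracket. The sample policy, etag and principals are constructed; the role names used are real predefined roles.

```python
"""Read-modify-write of a service account's own IAM policy, the JSON that
``gcloud iam service-accounts get-iam-policy SA --format=json`` prints and
``gcloud iam service-accounts set-iam-policy SA policy.json`` uploads.
Added illustration, not Google's code; the sample policy below is constructed."""
import copy
import json

# Constructed sample of what get-iam-policy --format=json returns. Note the
# shape: the service account is the resource; the members are the identities.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:alice@example.com"]}
  ],
  "etag": "BwXconstructedEtag=",
  "version": 1
}
"""

# Roles that are meaningful on a service account *as a resource*:
#   roles/iam.serviceAccountUser          - may run things as (act as) the SA
#   roles/iam.serviceAccountTokenCreator  - may mint access/ID tokens for the SA
#   roles/iam.serviceAccountAdmin         - may manage the SA and its policy
PRINCIPAL_PREFIXES = ("user:", "group:", "serviceAccount:", "domain:")


def add_binding(policy: dict, role: str, member: str) -> dict:
    """Return a copy of ``policy`` granting ``member`` the ``role`` on the service
    account. Idempotent, and the etag is preserved so that set-iam-policy rejects
    the write if someone else changed the policy in between (optimistic locking)."""
    if not member.startswith(PRINCIPAL_PREFIXES):
        raise ValueError(f"member must be a principal such as user:..., got {member!r}")
    new = copy.deepcopy(policy)
    for binding in new.setdefault("bindings", []):
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def remove_binding(policy: dict, role: str, member: str) -> dict:
    """Return a copy of ``policy`` with ``member`` removed from ``role``; empty
    bindings are dropped, as set-iam-policy would otherwise reject them."""
    new = copy.deepcopy(policy)
    kept = []
    for binding in new.get("bindings", []):
        if binding["role"] == role:
            binding["members"] = [m for m in binding["members"] if m != member]
        if binding["members"]:
            kept.append(binding)
    new["bindings"] = kept
    return new


def members_with_role(policy: dict, role: str) -> set:
    """All identities holding ``role`` on the service account."""
    return {m for b in policy.get("bindings", []) if b["role"] == role
            for m in b["members"]}


def prepare_token_creator_grant(policy_json: str, member: str) -> dict:
    """Parse a get-iam-policy dump and grant ``member`` token-creator on the SA."""
    policy = json.loads(policy_json)
    return add_binding(policy, "roles/iam.serviceAccountTokenCreator", member)


if __name__ == "__main__":
    # 1. gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json > policy.json
    updated = prepare_token_creator_grant(SAMPLE_POLICY_JSON, "user:bob@example.com")
    with open("policy.json", "w", encoding="utf-8") as fh:
        json.dump(updated, fh, indent=2)
    # 2. gcloud iam service-accounts set-iam-policy SA_EMAIL policy.json
    print(json.dumps(updated, indent=2))
```

For a single binding, `gcloud iam service-accounts add-iam-policy-binding SA_EMAIL --member=... --role=...` does this read-modify-write for you; the explicit form above is what to use when several bindings change at once or when you want to review the full policy before uploading it.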

Get Azure subscription details of client

I want to get the details of my client's Azure Subscription, but I do not want to ask the client for special permissions.
What I need is the bare minimum from my client so that I can log in from PowerShell or the REST API and read the status of runbook jobs.
If I log in from the admin account of the subscription, then I can easily get those details. But you understand it is not possible to have the admin account credentials of my client.
Please suggest some workaround.
What you need to do is create a user in Azure Active Directory and grant that user specific rights using either the Azure Portal or PowerShell\Cli\SDK.
Say read all, or read the properties of the desired automation account. If you want something like a super minimum, you would need to create a custom role first.
https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-custom-roles/
If your client placed specific resources within a Resource Group, they may grant you permissions on just that Resource Group (including read-only permissions). This would allow you to have access to needed resources, without having access to other areas of their subscription.
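To make the "super minimum" concrete: a custom role definition that only reads an Automation account and its jobs, assignable only within the client's resource group, in the JSON shape that `New-AzRoleDefinition` and `az role definition create` accept. The Python below is an added example, not Microsoft's code; the subscription id and resource group are placeholders, and the small checker catches the two ways such a role usually ends up broader than intended (a write/action operation or a `*` wildcard slipping into `Actions`).

```python
"""Least-privilege custom role for reading Automation runbook job status.
Added example, not Microsoft's code. Subscription and resource group values
are placeholders; the operation names are real Azure resource provider
operations."""
import json
import re

# Read-only operations needed to list an Automation account and its job status.
RUNBOOK_STATUS_READ_ACTIONS = [
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Automation/automationAccounts/read",
    "Microsoft.Automation/automationAccounts/jobs/read",
]

# Any operation whose last segment is not "read", or that contains a wildcard,
# grants more than reading. (Azure data actions are omitted: none are needed here.)
_READ_ONLY = re.compile(r"^[A-Za-z0-9.]+(/[A-Za-z0-9]+)*/read$")


def non_read_actions(role: dict) -> list:
    """Return the actions in ``role`` that are not plain read operations."""
    return [a for a in role.get("Actions", []) if not _READ_ONLY.match(a)]


def resource_group_scope(subscription_id: str, resource_group: str) -> str:
    return f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"


def runbook_status_reader_role(subscription_id: str, resource_group: str) -> dict:
    """Build the custom role definition, restricted to one resource group."""
    role = {
        "Name": "Runbook Job Status Reader",
        "IsCustom": True,
        "Description": "Read Automation accounts and runbook job status only.",
        "Actions": list(RUNBOOK_STATUS_READ_ACTIONS),
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [resource_group_scope(subscription_id, resource_group)],
    }
    offending = non_read_actions(role)
    if offending:
        raise ValueError(f"role is not read-only: {offending}")
    return role


if __name__ == "__main__":
    # Placeholder values; replace with the client's real subscription id and RG.
    definition = runbook_status_reader_role(
        "00000000-0000-0000-0000-000000000000", "rg-client-automation")
    with open("runbook-status-reader.json", "w", encoding="utf-8") as fh:
        json.dump(definition, fh, indent=2)
    # Then: New-AzRoleDefinition -InputFile runbook-status-reader.json
    # and assign it to the guest user at the same resource-group scope.
    print(json.dumps(definition, indent=2))
```

Compared with the built-in Reader role, which is `*/read` over whatever scope it is assigned at, this role exposes only the Automation account and job metadata, and because its assignable scope is the resource group, the client cannot accidentally assign it at subscription level later.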