How to manage Azure DevOps group permissions with REST API - azure-devops

I need to set group permissions by inheriting from another already existing group but it has to be coded. I've managed to create a group but I haven't found a way to edit their permissions, is there any way to do it using either Client libraries or the API resources?
I believe it should be possible to do it using SecurityHttpClient's function SetAccessControlListsAsync() or something similar to it but I'm not sure how to implement it.

It seems you are looking for Access Control Entries - Set Access Control Entries API, which is used to add or update ACEs in the ACL for the provided token.
More details, you can refer to the documentation below:
https://learn.microsoft.com/en-us/rest/api/azure/devops/security/?view=azure-devops-rest-5.0

I don't think it is possible for the APIs at the moment. I also can not find APIs which are used to set the permission for the group.
#Cece Dong - MSFT, in your response, the API is for security namespace of the organization, but it is not for a group. In another word, I can not find any relationship with the security namespace and group. I created a group in my project, but when i use this API to query all the security namespaces, i can not get the relative group info.

Related

Azure Devops API - Can't find a way to get permission groups/membership using API

I am looking for a way to use the Azure DevOps API to get membership of permission groups. The data I am looking for is in the following location on the front end:
I had the same requirement to get team membership within Azure DevOps and was able to do so using the following URI:
https://dev.azure.com/{organization}/_apis/projects/hrs/teams/{teamname}/members?api-version=6.0
I could not find a similar URI to get permission groups and need a way to pull this information using the API.
I've tried many of the API endpoints on the official api documentation (below) focusing on any that seem like they may pull security group related information. In all cases I came up short either because the endpoint did not provide me with what I was looking for, or the documentation for an endpoint wasn't clear on how parameters need to be structured for more advanced use cases.
https://learn.microsoft.com/en-us/rest/api/azure/devops/graph/groups/get?view=azure-devops-rest-7.0&tabs=HTTP
I also tried asking this question to ChatGPT however the endpoints the chatbot provided me with did not work either.
I found a way to get what I am looking for, but I am not a big fan of the approach.
You can use the graph API to list all permission groups
once you have the permission groups, you can write a script to filter for the group object within the API response you want to get the members of.
The group object has the appropriate API endpoint to hit to get the member objects within the _links.memberships property.
Call the API with the memberships link from above. It will return an array of descriptors which can be used in further API calls.
For each descriptor, hit the appropriate API endpoint to resolve the object for that descriptor. If the descriptor starts with aad then it is a user and you can use the user get api. If the descriptor starts with aadgp then it is a group and you use the group get api.
This strategy is rather complicated and requires an API call for each member of the group. I'd hope there is a better solution.

Role Activity & Access Level

I have developed a web application with following architecture:
Frontend : Angular 6
Backend : Java REST APIs with Springboot
I want to add authentication and authorization to it. For that I'm looking for some open source application (e.g. KeyCloak, Gluu etc.). I would like to know in which tool the below scenarios are supported.
There will be predefined set of Activities on UI (e.g. Add, Edit,
Delete etc)
There will be predefined Access Levels (e.g. Read, Write, No Access)
I should be able to create Roles, then assign activities and access levels to those roles and assign those roles to user.
Can you please help me to find out a tool which supports my above scenario?
I tried something for KeyCloak, but i couldn't find a way to add activities, access levels and map roles to it. I think everything there is governed by Role only.
I just realized that I need Activity based authorization and not Role based authorization. Please help me find some tool for that.
I'm not sure what is meant by activity based authorization but i suspect you actually mean permission based authorization, in example: Grant permissions to users to perform certain actions.
Shiro offers you permissions and role based authorization out of the box.
You can create roles, add permissions to these roles and assign them to a user. Supported are implicit and explicit roles, whereas one role can hold any number of permissions. You can even work with wildcards and group the permissions.
For more information you should take a look at the official Shiro entry and especially the web documentation for your project in particular. Shiro offers full support for Spring-Boot applications, you can find a HowTo here.
Shiro fully supports your described scenario.

Adding Users to Groups in Jfrog's Artifactory using REST API

I need to add users to the groups in Artifactory using REST API. I cannot find any REST API methods available for doing this.I am using PERL scripting to automate Artifactory's REST API calls. Could you please suggest me some ways of doing this?
Thanks in Advance!
The REST API you're looking for is here - it uses a json descriptor for operations as specified here.
If you want to see an example of such descriptor use the get group details on the specific group you're after (use get groups for a list of all your groups).
To add users to specific permission targets you can use get permission tragets, get permission target details and create or replace permission target respectively - This is the json it uses.
As for client usage - any simple REST client implementation will do of course, you don't have to use an Artifactory specific client for that.
Admin permissions are required for such operations - ask your system admin for these if you are not the admin - it's always better to use the API key but basic auth will work as well.

Find group owner or administrator using openAM rest API?

I am trying to find rest api which will tell me who is owner or admin of group using openAM restAPI.
Is this scenario valid by openAM? OR it does not support any such API .I am trying to dig documents of openAM till date but no luck yet.
Can anyone suggest if there is any API.
After going through docs in more details of openAM and looking at default openDJ schema i got to know there is attribute named owner. This attribute can be used for groups while creating them. But before i use this attribute i need to add to openAM through openAM console i.e configure the DATA Store in openAM and add the group attribute "owner". Now from my application through rest calls i set this "owner" attribute while creating group. SO i can see now who created the group information.
I have detail steps on this, if still anser is not clear let me know i can help here more.

Alfresco Creating a new user group that permits only creating user and groups

I want to create a new user group.
The members in this user group can create new users and new groups.
I think creating users or groups require admin permission. This user group does not have other admin permission except creating, editing and deleting user,group. Does alfresco provide this kind of group in alfresco community 4.0c? How can I implement it? How to add a new group with specified permission? I really appreciate for help.
You could add a custom role in permissionDefinitions.xml but I don't think that would help in this instance, since the ability to create users and groups plus the other administrative actions are hard-wired to the built-in administrators role.
Instead, you could create a custom web script which performs a check to see if the current user is a member of your custom security group. Since the authenticated user may not be a repository admin (and probably isn't) then you would need to use something like this Sudo tool for Alfresco webscripts to temporarily give them permission to create the objects.
You would need to be competent in Java webscript development in order to implement this. There are some good resources on the Alfresco wiki, documentation and training materials available online.
You cane manage that through Alfresco Share. In your Alfresco installation directory:
/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/model/permissionDefinitions.xml you'll find the permissionDefinitions.xml file. Through that file you can manage your custom roles for Alfresco users and groups.
Here, in this WIKI you can find some hints about what you need to change to accomplish that.
Hope it helps. The wiki helps here, if you need some better explanation please let me know.