Recently, we found the features
when we created the account via API, there is no default Security Groups.
Once we accessed to security groups menu(Security >> Network Security >> Security Groups) on softalyer portal(control.sortlayer.com), default security groups are created.
Default security groups is allow_all, allow_http, allow_https,
allow_outbound, allow_ssh
When creating a account via api, how to enable default security groups ?
additionally, we tried the bellow job
when we created a account, create the same default groups
as a result, there are two same security group about each security groups.
To retrieve the default Security Groups the same that the control portal you have to use the following service and method after the account has been created.
SoftLayer_Network_SecurityGroup::getAllObjects
It seems that you can create any security group, it does not matter if it is one that already exists.
Related
If we scope the Application access Policy to specific mail enabled group and grant access only to the member of the group there are chances for any userid can be added to the group and leverage full access to the mailbox. What level of security controls can be added to prevent this??
Use the New-ApplicationAccessPolicy cmdlet to restrict or deny access to a specific set of mailboxes by an application that uses APIs (Outlook REST, Microsoft Graph, or Exchange Web Services (EWS)). These policies are complementary to the permission scopes that are declared by the application.
While scope-based resource access like Mail.Read or Calendar.Read is effective to ensure that the application can only read email or events within a mailbox and not do anything else, application access policies allow admins to enforce limits that are based on a list of mailboxes. For example, apps developed for one country shouldn't have access to data from other countries. Or, or a CRM integration application should only access calendars in the Sales organization and no other departments.
Reference: New-ApplicationAccessPolicy (ExchangePowerShell) | Microsoft Docs
Scenerio :
Use Groups for multi tenancy (One user working for different organizations) -
Create one group for each org like group_org1, group_org2 etc.
Provide permissions to above groups using group policy (using confidential client authorization tab). Ex :- group_org1 has permission on resource1 and group_org2 has permission on resource2.
Assign above groups to a user , hence user will have 2 groups and, permission on resource1 & resource1.
Now groups fetched for this user will be used as organizations in application.
When selected org1 then application will work according to the permissions attached to group org1 i.e. permission only on resource1.
Question :
As of now if I try to fetch authorization permissions for a user then keycloak will give me combined permissions attached to both the groups i.e. on resource1 and resource2 . I need to fetch permissions attached to single group using keycloak rest-api. (after fetching this specific permissions I can authorize user in the application for given resource)
Hope I made my question a bit clear.
Using the KeyCloak admin console, I am attempting to enact the following use-case.
We have Group X and Group Y.
The role 'Group X Admin' can do the following:
Can create users without a group.
Can assign users without a group to group X.
Can edit and manage users in group X.
Cannot see/edit/manage users in group Y.
It seems that in order to fulfill case 1, I must make 'Group X Admin' a composite role linked to the 'manage-users' role from the realm-management client.
However, upon doing this, the 'Group X Admin' now has permission to view/manage/edit group Y users.
It seems I cannot restrict access to group Y as fine-grained permissions seem to completely overridden by the manage-users role.
Is there a way to grant permissions to Add Users while restricting access to certain groups?
You should have a look at Fine Grain Admin Permissions. It's still in preview (so no support from RedHat) but it's the kind of functionality you are looking for.
I certainly have tested a setup that would fulfill items 3 and 4. The description in chapter 11.3.2 Restrict User Role Mapping should get you sufficiently close to item 2. Item 1 probably needs somewhat more investigation. I can't tell you if it's doable.
Even though Fine Grain Admin Permission is quite powerful, we came to the conclusion that it's not sufficient for our requirements. So we discarded it and went with a different solution (a privileged service in front of Keycloak for delegated user administration).
Update
Some instructions how to set it up:
Enable preview profile (in Keycloak startup script)
Enable permissions on client Realm-management (Clients / Realm-Management / Permissions / Permissions Enabled)
Create a group x-users
Create a group x-admins
Enable permissions on group x-users (Groups / X / Permissions / Permissions Enabled)
Click view-members (on the same page) and add a group policy:
Scopes: view-members
Apply Policy: Create Policy... / Group
Enter name, e.g. x-admin-policy
Enter description
Groups: select group x-admins
Save
Repeat for manage-members
seems like there is no way in current admin console :(.
I also went through documentation (and even through source code ;) ) and did not find a way.
Maybe better create a request in keycloak jira project.
by the way i also was looking to solve exact the same problem.
Actually there is a jira ticket about documenting the fine grained permissions to admin console.
https://issues.jboss.org/browse/KEYCLOAK-3444
maybe you can post your comment there or open new story
I have configured Keycloak with user self-registration. The keycloak instance will hold users of multiple customers which I plan to put into groups (so each customer can have admins that can manage these users through fine-grained permissions).
To map users that are self-registering to appropriate groups (using their email address, e.g.) I'd like to put them in their default group upon registering. Is this possible using either configuration or implementing an SPI? Or are there other possibilities to achieve a similar behavior?
I am working on a project where I would like a developer to have access to read/write to GCS, but not necessarily have access to uploading code in App Engine. I don't see options in the web console for specifying rights access. How can I setup specific privileges that I'd like a user to have? Thanks.
Basically, if you want a team member not to be allowed to deploy the application and modify or configure its resources, him/her must have only "can View" access level for a project.
Then you have to set the respective permission (WRITE) for a bucket scoped to "Google account email address" (email address of your developer) in you case.
As GCS documentation says, there are three ways to specify ACLs to buckets and objects, using:
The acl query string parameter to specify ACLs for certain scopes (here)
The x-goog-acl request header to specify predefined ACLs (here)
The defaultObjectACL query string parameter to change the default object ACL for all objects in a certain bucket (here)