On a Grafana deployment if i create a user with the Editor role it can't perform administrative tasks but it can create a new organization and gain Administrative privileges on that organization. Is there a way to prevent roles from creating new Organizations?
Bellow you can see a snapshot of a user with the Editor role viewing the "New organization" action on the main menu on Grafana 3.1.0
There is a global switch (all users will be affected, but admin) in grafana's config file - allow_org_create, by default it's enabled.
Related
Is it possible to provide a reduced set of permissions to allow a user permission to add other users to a project without being a full blown administrator? Adding a user as a Project Admin provides to more access which is a huge security issue.
You could add user as contributor or Project Valid Users with limited access. Please see Project-level groups
Contributors: Has permissions to contribute fully to the project code base and work item tracking. The main permissions they don't have are those that manage or administer resources.
Project Valid Users: Has permissions to access and view project information.
Besides, you could also create a custom group to grant or restrict permissions in project setting >> permission >> new group. Then, change permission for the group.
Trying to create a Project in the Google cloud platform. However, I am unable to due to not having permission to create projects in this location.
I currently have no projected created. So when I try to add myself or another user to the Google IAM & Admin page, it will not allow me because it says I do not have any projects to select.
Is there another way to enable Organization Administrator and Project Creator for Google IAM?
In order to create a Project you should have the proper permissions, mentioned in Creating a project:
To create a project, you must have the ´resourcemanager.projects.create´ permission. This permission is included in the Project Creator ´roles/resourcemanager.projectCreator´ role, which is granted by default to the entire domain of a new organization and to free trial users. For information on how to grant individuals the role and limit organization-wide access, see the Managing Default Organization Roles page.
Given this, you should ask your Organization administrator to grant your user this Role.
You can create a project through the gCloud SDK:
To create a new project, use the gcloud projects create command:
gcloud projects create PROJECT_ID
Where ´PROJECT_ID´ is the ID for the project you want to create. A project ID must start with a lowercase letter, and can contain only ASCII letters, digits, and hyphens, and must be between 6 and 30 characters.
To create a project with an organization or a folder as parent, use the --organization or --folder flags. As a resource can only have one parent, only one of these flags can be used:
gcloud projects create PROJECT_ID --organization=ORGANIZATION_ID
gcloud projects create PROJECT_ID --folder=FOLDER_ID
I'am recently installed Azure DevOps Server 2019 in on-premises server.
However, i'am so confused : How i can set the security and the user permission in the server, such as : Deny user to view author project in the same collection , create custom group not in the azure devops default groups ...
I ask for idea to implement that
Thank you
According to Azure DevOps permission setting, most groups and almost all permissions, Deny trumps Allow. If a user belongs to two groups, and one of them has a specific permission set to Deny, that user will not be able to perform tasks that require that permission even if they belong to a group that has that permission set to Allow.
Deny user to view author project in the same collection.
Assume you were talking about team project. In your scenario, the simplest way is not add that user to your team project. People without team project collection admin permission will not be able to see those projects which they are not added in.
If you already add users in the team project and want the user not be able to see some info such as repo/build/work items in the project .
You need to evidently deny those users for viewing some project repositories/builds/ work items.
As how to create group, you could directly click New Group in the right top corner of the page from Project Settings-- Permission
More details about how are permissions and groups defined, suggest you go through our official doc here-- About permissions and groups
Besides, you could also manage user permission with the help of command line. The tfssecurity command line tool allows us to manage permissions for Azure DevOps groups and users. We could use it in a PowerShell script to grant access to projects that already exists.
Does anyone know where I can set the permission to manage deployment groups in Azure DevOps.
If i click on "deployment groups" in the menu shown here:
I am receiving this message when i click on a deployment group.
The error message states:
You do not have permissions to register targets. Contact your release
manager to grant permission
I am a member of both project administrators and build administrators groups.
I can reproduce your problem and solve it with the following permission settings.
Click Manage in the Deployment pool
If you get this error you do not have permission to manage this deployment pool's roles to prevent you from modifying permissions in Security. You need to be added to Project Collection Administrators group in organization setting permissions. If you can't be added to the PCA group, you can let the users in the PCA group help you modify it.
Set the user's Role to Administrator in Security, click Save Changes.
After this setting, you will not receive the error message:You do not have permissions to register targets. Contact your release manager to grant permission when you enter the Deployment groups.
This access is not required as I was able to fix this without changing org level access to others and indeed such access is not made to share with all.
Who has access to open pod terminals through the openshift web console? What permissions need to be given for this?
Any user that has edit or admin role in the project which the application is running in, can create a terminal session for pods running in that project.
oc adm policy add-role-to-user edit <collaborator>
The purpose of the different roles you can grant are:
admin - A project manager. The user will have rights to view any resource in the project and modify any resource in the project except for quota. A user with this role for a project will be able to delete the project.
edit - A user that can modify most objects in a project, but does not have the power to view or modify roles or bindings. A user with this role can create and delete applications in the project.
view - A user who cannot make any modifications, but can see most objects in a project.
A user with view role cannot create a terminal session as that would mean they could modify things.