Owner of an Organization with Azure Devops is inactive - How to assign an active user as owner? - admin

We use Azure with 3 different organizations, each with 1 project created and several teams within it.
The first organization only had one owner, and this person is now inactive in our company and therefore doesn't have access. However, as we are using this for our projects and 4 different teams, we would like to have one or more active owners assigned to it.
Now the easy question: how can we assign an active member as owner of this organization when the current owner is inactive?
An explanation of how to assign an active user as owner of the organization we are using.


How to structure s3 bucket for access control

I know that this could be a trivial problem, but I think it is important to do things the right way.
We have an internal application that is used by 80 users now, and we want to migrate our storage to S3.
We have 3 environments: dev, test, prod, and I was thinking of a structure like this:
dev
    user-1
    ...
    user-n
    assets (profile picture, other public data)
    generated documents (private)
test
prod
In this part we have 3 user rights (ROLE_USER, ROLE_TEAMLEAD, ROLE_ADMIN). Whoever has the user role should be able to access only his/her own objects, whoever has the team lead role can also access all the documents of his/her team, and whoever has ADMIN can access all the documents.
What is the safest way to design this, so that when I make a call with an object and a userId/username I get back all the objects that belong to that person?
Would it be a good idea to create groups here (it should also be easy to update if a team lead leaves, or if a user changes his/her team lead) and also to have AWS accounts for all our users?
Any idea/good material will help, thanks.
If your users are IAM (or cognito) users, the structure you have can't accomplish the access control goals with static policies. If you're able to update the IAM policies when membership changes, then the structure can work.
Your IAM policy conditions for regular users or admins would be pretty simple to meet the objectives. Each user accessing their own bucket can be allowed by a bucket policy allowing the S3 actions conditioned on the key prefix being their username (${aws:Username} policy variable). Granting access for admins can be done through a group policy on the admin group.
The problem you have is with the team lead roles. Here, you have two dimensions of access: user and role, but the file structure contains just one of those pieces of information -- you can't determine which objects should belong to a particular team lead role by the object structure alone. That is, you can't construct a group/bucket policy that grants access according to the requirements without knowing all the usernames in that group (since directories are organized by user only).
This could be fixed if you organized your structure by nesting users within team directories:
team1
    user1
    user2
team2
    user3
    user-N
Then you could apply a group policy for each team lead group to allow access to objects under the team directory for the respective team. The IAM policy would not have to change when team leads or team members change. This is also consistent with the Controlling access to a bucket with user policies guide.
However, this implies a strictly one-to-one relationship between users and teams, which may not be the case for you. And, if users change teams, they'll need their directory in S3 moved.
Alternatively, using the structure you propose, you could generate IAM policies based on group membership at a moment in time, specifying all the user directories belonging to a particular team in the policy. However, whenever the group membership changes, the policy will have to change, too.
As an aside, you may also want to consider using separate buckets for your different environments instead of top level directories. That way, you can effectively test changes that affect the entire bucket (like applying bucket policies) independently for each environment.
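The three policy shapes the answer describes (per-user prefix via the username variable, a per-team group policy for team leads, and a blanket admin policy) for the team-nested layout, as an added example that is not part of the original answer. The bucket name, the team and user names, and the `is_allowed` helper are all constructed for illustration; `is_allowed` is a deliberately minimal local approximation (Allow statements, glob-matched ARNs, no Deny or Condition handling) so the three documents can be exercised offline, and is not the real IAM evaluation engine.

```python
import fnmatch
import json

# Constructed example bucket; the original post names no bucket.
BUCKET = "example-app-prod"
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]


def statement(sid, resource, actions=OBJECT_ACTIONS):
    return {"Sid": sid, "Effect": "Allow", "Action": list(actions), "Resource": resource}


def user_policy():
    """Policy for every regular user (e.g. attached to an all-users group).

    IAM substitutes ${aws:username} at evaluation time, so one document
    serves every user. Assumed key layout: <team>/<username>/<object>.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            statement("OwnObjectsOnly", f"arn:aws:s3:::{BUCKET}/*/${{aws:username}}/*"),
        ],
    }


def teamlead_policy(team):
    """Policy for the team-lead group of one team: every user under that team
    directory is covered, so membership changes need no policy edits."""
    return {
        "Version": "2012-10-17",
        "Statement": [statement(f"TeamLead{team}", f"arn:aws:s3:::{BUCKET}/{team}/*")],
    }


def admin_policy():
    """Policy for the admin group: all objects in the bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [statement("AllObjects", f"arn:aws:s3:::{BUCKET}/*")],
    }


def is_allowed(policy, username, action, key):
    """Constructed teaching helper, not IAM itself: substitute the username
    variable and glob-match the object ARN against each Allow statement."""
    arn = f"arn:aws:s3:::{BUCKET}/{key}"
    for stmt in policy["Statement"]:
        resource = stmt["Resource"].replace("${aws:username}", username)
        if action in stmt["Action"] and fnmatch.fnmatchcase(arn, resource):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(user_policy(), indent=2))
    print(is_allowed(user_policy(), "alice", "s3:GetObject", "team1/alice/report.pdf"))
    print(is_allowed(user_policy(), "alice", "s3:GetObject", "team1/bob/report.pdf"))
    print(is_allowed(teamlead_policy("team1"), "dave", "s3:GetObject", "team1/bob/report.pdf"))
```

One caveat worth checking against your own layout: an IAM resource wildcard `*` also matches `/`, so `*/${aws:username}/*` matches any depth before the username segment, and the local helper reproduces that. If users can create arbitrary sub-prefixes, consider pinning the team segment explicitly (for example via a principal tag) rather than leaving it as `*`.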

Assign different role to a group member

I am looking for advice on a not so particular situation.
I currently have roughly 20000 stores.
All stores have admins, managers and user roles.
An admin can create/manage any roles
A manager can create/manage only user role
A user can login and access custom functionality.
Any persona can be assigned to 1 or multiple stores and can have 1 or multiple roles for that particular store.
I.e.:
StoreA has userA as Admin and userB as Manager
StoreB has userA as User and userB as Admin
At first, I converted my stores to be groups. But since roles are bound to the group, I would still have 3 roles for each group (20000 groups and 60000 roles: Group StoreA, Roles: StoreA_Admin, StoreA_Manager, StoreA_User, etc.). Not sure if it is the right decision, and I am not sure about the performance.
Then, I kept the stores as groups, but instead of creating roles, I created custom multivalued attributes that save the group uid. That worked in Carbon, as well as the API, but the console doesn't like the multivalued fields. And if another role is introduced, I would have to create another field.
Any thoughts on how to approach this situation?
We can map your story to IS groups and roles as follows.
Please note that groups and roles are treated as two separate resources since IS-5.11.0.
Refer to:
https://is.docs.wso2.com/en/5.11.0/setup/migrating-what-has-changed/#group-and-role-separation
https://medium.com/p/93d42fe2f135
That separation is not clearly visible in the management console, so you can use the console application to create groups and roles.
A group is used to represent a collection of users in the user store. One user can belong to zero or more groups.
A role is a collection of permissions. A role can have zero or more permissions.
We can assign a role either to a group or to a user.
Due to this statement:
A user can log in and access custom functionality.
We don't need to assign any role to normal business users specifically. No specific role is required to log in to the business application via identity server basic authentication. In case your business application has role-based access control, you need to assign a role to business users as well. Otherwise, every user will get login permissions upon successful authentication; it should be enough to do business operations in the application.
In your case, if every store's admin has the same set of permissions and every manager has the same set of permissions, you can't just evaluate the permissions and authorize the requests.
For example: if user B is the manager of store A and admin of store B, he has inherited the permissions related to both the admin and manager roles. But when user B performs a request on store B, you have to authorize the request based only on the roles related to store B.
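To make the store-scoping point concrete, here is an added example (not from the question, the answer, or the WSO2 documentation) that models role assignments per store and authorizes a request using only the roles the caller holds in the store named in the request. The role names, permission names and the `ASSIGNMENTS` table are constructed to match the StoreA/StoreB scenario above; `flattened_permissions` shows the over-broad result you get if you merge a user's roles across all stores.

```python
# Permissions granted by each role, per the three personas in the question.
ROLE_PERMISSIONS = {
    "admin": {"manage_admin", "manage_manager", "manage_user", "use"},
    "manager": {"manage_user", "use"},
    "user": {"use"},
}

# Constructed assignments: user -> store -> roles held in that store only.
ASSIGNMENTS = {
    "userA": {"StoreA": {"admin"}, "StoreB": {"user"}},
    "userB": {"StoreA": {"manager"}, "StoreB": {"admin"}},
}


def permissions_for(user, store, assignments=ASSIGNMENTS):
    """Permissions the user holds in one store: union over the roles
    assigned in that store, ignoring roles held elsewhere."""
    roles = assignments.get(user, {}).get(store, set())
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(user, store, permission, assignments=ASSIGNMENTS):
    """Decide a request on a store using only that store's roles."""
    return permission in permissions_for(user, store, assignments)


def flattened_permissions(user, assignments=ASSIGNMENTS):
    """The wrong approach: merge every role the user holds in any store.
    Included only to show why a store-agnostic check over-grants."""
    perms = set()
    for store in assignments.get(user, {}):
        perms |= permissions_for(user, store, assignments)
    return perms


if __name__ == "__main__":
    # userB is only a manager in StoreA, so creating a manager there is denied ...
    print(authorize("userB", "StoreA", "manage_manager"))   # False
    # ... but allowed in StoreB, where userB is admin.
    print(authorize("userB", "StoreB", "manage_manager"))   # True
    # A flattened view would wrongly grant manage_manager everywhere.
    print("manage_manager" in flattened_permissions("userB"))  # True
```

The same shape carries over to the identity server: if a role claim reaches the application, it has to identify the store it applies to (or be looked up per store), or the application must consult a per-store assignment table like the one above before honouring the role.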

Can you change organisation ownership of a Google Cloud Project

Is it possible to change the Organisation Ownership of a Google Cloud Account from one organisation to another?
Initially we setup the account under domain.net.au.
Our company was purchased by another company and has set up emails using Google under domain.ag.
My boss is now wanting the Google Cloud Account and all its projects to be moved over to domain.ag.
Is this possible without having to re-create them all in the new location?
We have a massive database that is highly important to our company that needs to have almost no downtime.
Thanks!
For changing organisational ownership I think you really have to contact support. But if what you meant is moving your resources from the old organisation account to the new one, yes, it is possible to move resources from one organisation to another. With the right migration plans and the project mover roles on the required accounts you can. But note that the resources would not inherit policies from previous organisations, hence you have to do an accurate setup for your new organisation. Just do an inventory record of what's in the current organisation to know how to prepare the new organisation to avoid issues. If you encounter any error, then you can roll back.
To change the organization ownership you first need to contact Google support. Also, yes, it is possible if you want to move your resources from an old organization account to a new organization account with correct migration plans and roles. Kindly make a note here: the resources would not inherit policies from previous organisations. Hence you need to do the exact setup for your new organization account.
Steps to change organizational ownership:
1. Create a list of projects that you'd like to move.
2. Move all the projects out of any folders in the current organization and into the top level.
3. Contact Support with a list of projects that you'd like to move from the current organization to another organization.
4. Support will move the projects out of the current organization so they have no parent (no organization).
5. Move all the projects into the new organization.

Is it possible to inherit the "owner" role in GCP IAM?

Situation:
I have a project which belongs to a GCP organization
User A is "Organization Administrator" and (Project) "Owner" at organization level
Problem:
As expected, user A is listed in the IAM page of the project at hand (with both aforementioned roles; inheritance is indicated by an icon in the last column).
But: the user does not see the project, nor can they access it. This only works when I assign the Owner role again for the project.
Question: Is it possible to inherit the owner role to make users owner of a project by inheritance?
Seems like there were inconsistencies within GCP permission propagation. I removed all roles on the organization level and added them again, and now it is working.
Question: Is it possible to inherit the owner role to make users owner of a project by inheritance?
If your Google Cloud Platform account is using Organizations, then yes, you can add a user via IAM at the Organization level as Project Owner. This role filters down through inheritance to all projects in the organization. The same applies to Project Viewer, Project Editor, etc.
But: the user does not see the project, nor can they access it. This only works when I assign the Owner role again for the project.
I have not seen this problem before. Remember that changing roles and permissions is not an instant process. It takes time for GCP to sync worldwide. Some articles mention up to 7 minutes. Also, with some changes, the browser caches information, so you have to refresh the page to see changes (not always).

Sitecore - copy Role and users to new environment

We are using Sitecore 8 update 3 with Active Directory integration. I am trying to copy a Role and the respective users tied to it from our Dev environment over to Prod.
example:
role: Sitecore/IHaveAccess
users: ad/dk123, ad/dk234, ad/dk345...
I tried two different methods:
Method 1: Generate package:
By creating a package as described on page 19 of https://sdn.sitecore.net/upload/sitecore6/65/package_designer_admin_guide-a4.pdf
When I installed the package on the new environment, the role was added but none of the users were under the Role.
Method 2: Serialization:
I serialized the item, but when viewing it in Notepad++ it does not contain any users. When I serialize a user who was in the group, I do see the group.
Any thoughts on why we have the issue?
Unfortunately, the membership information is stored against the user and not the role (the same for roles within roles). In this instance, the membership information is stored against the AD user. You are storing that a user is a member of role x and not that role x contains member y.
This means that you would need to package up both the role and the corresponding users. I'm not sure how this would work using AD though, since you are essentially trying to sync user-related data back via Sitecore. I would ensure that your AD provider is not set as read-only in the connection string or its setup. Since you only have a one-way sync, there's no way to store that information back in AD and have it persist.
Personally, I would set up my roles differently to allow the management to be easier, but it depends on your exact requirements obviously:
Create a Sitecore role and assign all your permissions and security against this role (sitecore\IHaveAccess)
Create a matching AD role (ad\IHaveAccess) and add this as a member of your Sitecore role
Add your AD users to your AD group. They will gain the correct permissions through Role In Role. If you already have AD groups set up, you can simply add the existing groups to the new group.
Using this, at most you have to add your AD roles back into your Sitecore roles (this shouldn't be the case if you added the AD roles as a member of the Sitecore role, since the membership is then stored in Sitecore). It also has the advantage that your users/roles/membership are centrally located within one system.