Restrict access for publishing API to publisher only - wso2

Was following the WSO2 course and landed on this. So far, only the admin account can publish an API. I just want the API creator to create the API and the API publisher to publish it.
I tried to create different roles and give them only the permissions they required, like creator > creates and publisher > publishes. That has not worked so far.

You can create roles from the management console and do the relevant role mappings from the Admin Portal. For example, if you want a user who can do CRUD operations on an API, you can assign a role which has the Internal/creator mapping to that user. Or if you need more fine-grained permissions, you can assign the relevant scopes in the Role Permissions section in the Admin Portal.
Please refer to https://apim.docs.wso2.com/en/latest/administer/managing-users-and-roles/managing-user-roles/#creating-user-roles for more information. This also explains which specific permissions (scopes) are applied to each of creator, publisher, etc. You can use that to get an idea of each role's capabilities.

Third party admin access in AWS via OAuth

Is there a way to grant admin access to a third party in AWS without manually creating an IAM role etc., purely via an OAuth flow or similar?
Context: making an app that simplifies AWS account management, and want to make the UX for "connect to my account" as simple as possible. Failed to find anything like that in the AWS docs. Want the app to be able to provision and manage resources, run Terraform, etc.
Check this out: Identity Providers and Federation. You will still have to create pre-defined IAM roles to define what permissions users will assume.
Yes, it's doable. You do need to create IAM roles; if you want to give your users access to everything, just create an admin role with permissions of "*:*" on all resources.
Then you should set up some type of SAML server; Active Directory Federation Services comes with everything out of the box. You can look for some open source SAML servers.
Then you have to set up SAML federation between your user account and your SAML backend.
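To make the answer above concrete, here is an added example (not from the answers or from AWS): it builds the two documents an IAM role for SAML federation consists of, the trust policy that says who may assume the role and the permissions policy that says what the role may do, and it lints the permissions policy for the unscoped "everything on all resources" grant the answer mentions, beside a narrower policy for a Terraform state bucket. The account id, SAML provider name and bucket name are constructed placeholders.

```python
# Added example (not from the answers above): the two policy documents an AWS
# SAML-federated role consists of, plus a check for the unscoped admin grant.
# ACCOUNT_ID, the provider name and the bucket name are constructed placeholders.
import json

ACCOUNT_ID = "123456789012"                                               # placeholder
SAML_PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/ExampleIdP"  # placeholder
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"  # audience AWS expects in the assertion


def saml_trust_policy(provider_arn: str) -> dict:
    """Trust policy for the role: only assertions signed by this SAML provider,
    and only those addressed to the AWS sign-in audience, may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def admin_permissions_policy() -> dict:
    """The 'everything on all resources' grant the answer describes
    ("*" is IAM's canonical spelling of the *:* wildcard)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    }


def terraform_state_policy(bucket: str) -> dict:
    """A scoped alternative: only the S3 calls needed to read and write
    Terraform state in one bucket (constructed example bucket name)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def _as_list(value) -> list:
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def wildcard_grants(policy: dict) -> list:
    """Return the Allow statements that grant every action on every resource,
    i.e. the statements that hand the third party full admin of the account."""
    hits = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a in ("*", "*:*") for a in actions) and "*" in resources:
            hits.append(stmt)
    return hits


def trust_policy_pins_audience(policy: dict) -> bool:
    """True when every AssumeRoleWithSAML statement carries the SAML:aud condition,
    so an assertion minted for some other service provider cannot be replayed here."""
    for stmt in policy.get("Statement", []):
        if "sts:AssumeRoleWithSAML" in _as_list(stmt.get("Action")):
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if cond.get("SAML:aud") != AWS_SAML_AUDIENCE:
                return False
    return True


if __name__ == "__main__":
    # The JSON printed here is what you would save to files for
    # `aws iam create-role --assume-role-policy-document file://trust.json` and
    # `aws iam put-role-policy --policy-document file://permissions.json`.
    print(json.dumps(saml_trust_policy(SAML_PROVIDER_ARN), indent=2))
    print("admin policy wildcard statements:",
          len(wildcard_grants(admin_permissions_policy())))
    print("scoped policy wildcard statements:",
          len(wildcard_grants(terraform_state_policy("example-tfstate"))))
```

The trust policy is the part the SAML federation actually hinges on: the Federated principal must be the SAML provider you registered in IAM, and the SAML:aud condition keeps the role from accepting assertions issued for another audience. Whether the permissions policy is the admin grant or the scoped one is a separate decision; `wildcard_grants` is the kind of check worth running before the role is created.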

Permissions to create OAuth client ID in Google Cloud

I'd like to create some OAuth client IDs in GCP but I do not have the permissions for that. I got the warning "You don't have permission to create an OAuth client".
I can simply add myself to the role roles/owner and do it, but I'd like to have something like a minimal permission/role to create OAuth client IDs. Which permissions/roles from this list should I use?
https://cloud.google.com/iam/docs/understanding-roles#service_account_roles
I tried roles/iam.serviceAccountTokenCreator, but it doesn't work.
Besides having at least the Viewer role assigned in order to see the Google Cloud Platform project and navigate the Cloud Console, the only relevant permission in order to create an OAuth client should be clientauthconfig.clients.create. But notice that, besides creating them, the user would not have the ability to delete or update them.
My suggestion would be to create a custom role that has at least the following permissions:
clientauthconfig.clients.create
clientauthconfig.clients.createSecret
clientauthconfig.clients.delete
clientauthconfig.clients.get
clientauthconfig.clients.getWithSecret
clientauthconfig.clients.list
clientauthconfig.clients.listWithSecrets
clientauthconfig.clients.undelete
clientauthconfig.clients.update
And make sure that the users have at least the Viewer Role as well as this custom role assigned.
You can try to create a custom role which has the permissions clientauthconfig.*
Note: as per https://cloud.google.com/iam/docs/custom-roles-permissions-support, these permissions are in the testing phase, so please try them out thoroughly before putting them in production.
Hope this helps.
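As an added example (not part of the answers above, and not Google's code), the following writes the role definition file that `gcloud iam roles create --file` consumes, limited to exactly the clientauthconfig.clients.* permissions the first answer lists, and rejects any permission outside that set so the role cannot quietly grow into something broader. The project id and role id are constructed placeholders.

```python
# Added example, not part of the answers above: write the role definition file
# `gcloud iam roles create` consumes, limited to the clientauthconfig.clients.*
# permissions the answer lists, and flag anything beyond that set.
# PROJECT_ID and ROLE_ID are constructed placeholders.
from pathlib import Path

PROJECT_ID = "example-project"     # placeholder
ROLE_ID = "oauthClientManager"     # placeholder

# The permission set from the answer above, verbatim.
CLIENT_AUTH_PERMISSIONS = (
    "clientauthconfig.clients.create",
    "clientauthconfig.clients.createSecret",
    "clientauthconfig.clients.delete",
    "clientauthconfig.clients.get",
    "clientauthconfig.clients.getWithSecret",
    "clientauthconfig.clients.list",
    "clientauthconfig.clients.listWithSecrets",
    "clientauthconfig.clients.undelete",
    "clientauthconfig.clients.update",
)


def extra_permissions(requested, allowed=CLIENT_AUTH_PERMISSIONS) -> set:
    """Permissions in `requested` that fall outside the allowed set.
    A wildcard such as 'clientauthconfig.*' is reported too: spelling every
    grant out keeps the reviewer able to see exactly what the role confers."""
    return {p for p in requested if p not in allowed}


def role_definition(title: str, description: str,
                    permissions=CLIENT_AUTH_PERMISSIONS) -> str:
    """Render the YAML that `gcloud iam roles create ROLE_ID --file=...` expects:
    title, description and an includedPermissions list."""
    unknown = extra_permissions(permissions)
    if unknown:
        raise ValueError(f"permissions outside the OAuth-client set: {sorted(unknown)}")
    lines = [f"title: {title}",
             f"description: {description}",
             "includedPermissions:"]
    lines += [f"- {p}" for p in permissions]
    return "\n".join(lines) + "\n"


def write_role_file(path: Path) -> Path:
    """Write the definition to disk and return the path for the gcloud call."""
    path.write_text(role_definition(
        "OAuth client manager",
        "Create and manage OAuth client IDs without the Owner role"))
    return path


if __name__ == "__main__":
    out = write_role_file(Path("oauth-client-manager.yaml"))
    print(out.read_text())
    print(f"gcloud iam roles create {ROLE_ID} --project={PROJECT_ID} --file={out}")
    print(f"gcloud projects add-iam-policy-binding {PROJECT_ID} "
          f"--member=user:alice@example.com --role=projects/{PROJECT_ID}/roles/{ROLE_ID}")
```

After `gcloud iam roles create` the role is referenced as projects/PROJECT_ID/roles/ROLE_ID, and, as the answer says, the user still needs Viewer on the project alongside it to reach the Console page at all. The `extra_permissions` guard is what keeps "at least the following permissions" from drifting into clientauthconfig.* or unrelated iam.* grants when the file is edited later.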

Grant all WSO2 users subscriber role by default?

Our organization has set up WSO2 API Manager 2.1, with a secondary user store bound to our organization's LDAP. We need all users from our organization to have a subscriber role by default.
We would prefer for there to be no need for users to use "Self Sign Up", and additionally, "Self Sign Up" appears to create new accounts; however, all of our accounts are already in the secondary user store.
How can we configure the system to grant the subscriber role by default?
Is there any common LDAP user group for the users? For example, users who need to log in to the store belong to group X. If so, you could assign subscriber-related permissions to that group from API Manager instead of assigning permissions to the 'everyone' role. (If you have configured the group-related LDAP queries correctly, you should be able to view them in the API Manager carbon console; refer to https://docs.wso2.com/display/IS550/Configuring+a+Read-write+LDAP+User+Store)

How can you give someone access to set permissions without making them a project owner on Google Cloud Platform?

We're trying to give a Google Cloud Platform user account permission to change its own permissions and the permissions/roles of service accounts that it creates. Currently, the user account only has the default Editor permission for the project it exists in. Essentially, we want to give it every permission that the owner account has except for viewing or modifying billing information. Is this possible?
We have looked at this video, but there no longer is a role selection dropdown on service accounts. When trying to edit the service account permissions to try and give it the roles/storage.admin permission, I get this notification:
The project owner has also tried to add the Storage Admin role to the service account, but roles don't show as they do in the video. All that is shown on his screen are these options:
I have two questions:
How can we give my Google account permission to mess around with my own roles and permissions as well as the roles for the service accounts?
What is the current process for adding roles to a service account? Neither the docs nor the video from Google seem to be up to date.
Your second screenshot shows you attempting to grant roles on the service account (as a resource, i.e. who can access the service account). You're trying to give the service account the Storage Admin role on the project. To do that, go to the IAM page, click "Add", then provide the service account's email address as the member and select the Storage Admin role.
I'm not certain if this completely answers #1, but Custom Roles (currently in alpha) will give you the ability to create roles with custom sets of permissions. This will allow you to copy the Owner role and remove the billing permissions.
As for #2: the screenshot shows the policy for the service account, not the project policy. The policy for the service account determines who has permissions to use that service account, not what permissions the service account has. You can find the project policy on the 'IAM & Admin > IAM' tab (instead of the 'IAM & Admin > Service accounts' tab).
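The distinction both answers draw, the project's policy (what a member may do in the project) versus the service account's own policy (who may use the service account), is easiest to see on the policy documents themselves. Below is an added example, not from the answers or from Google: it models the two policies in the JSON shape that `gcloud projects get-iam-policy --format=json` and `gcloud iam service-accounts get-iam-policy --format=json` print, adds the binding the asker wanted to the project policy, and adds an impersonation grant to the service-account policy to show that the two do not overlap. The project id, service-account address, user and etag values are constructed.

```python
# Added example, not from the answers above: the two IAM policies the answer
# distinguishes, in the JSON shape `gcloud ... get-iam-policy --format=json` prints.
# Project id, service-account address, user and etag values are constructed.
import copy

PROJECT_ID = "example-project"                                              # placeholder
SA_MEMBER = f"serviceAccount:app-sa@{PROJECT_ID}.iam.gserviceaccount.com"    # placeholder

# Constructed stand-in for `gcloud projects get-iam-policy example-project --format=json`.
# Bindings here say what each member may do IN THE PROJECT.
PROJECT_POLICY = {
    "version": 1,
    "etag": "constructed-etag-1",
    "bindings": [{"role": "roles/editor", "members": ["user:dev@example.com"]}],
}

# Constructed stand-in for `gcloud iam service-accounts get-iam-policy <sa> --format=json`.
# Bindings here say who may USE the service account (the dialog in the screenshot).
SERVICE_ACCOUNT_POLICY = {"version": 1, "etag": "constructed-etag-2", "bindings": []}


def add_binding(policy: dict, role: str, member: str) -> dict:
    """Return a copy of `policy` with `member` bound to `role`, never duplicating
    a member and never touching the caller's dict (the etag stays for set-iam-policy)."""
    updated = copy.deepcopy(policy)
    for binding in updated.setdefault("bindings", []):
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    updated["bindings"].append({"role": role, "members": [member]})
    return updated


def roles_of(policy: dict, member: str) -> list:
    """Roles a member holds under this one policy."""
    return sorted(b["role"] for b in policy.get("bindings", []) if member in b["members"])


def grant_storage_admin_to_sa(project_policy: dict) -> dict:
    """What the asker wanted: Storage Admin on the project for the service account.
    The service account is the MEMBER; the project is the resource."""
    return add_binding(project_policy, "roles/storage.admin", SA_MEMBER)


def let_user_impersonate_sa(sa_policy: dict, user_email: str) -> dict:
    """What the screenshot dialog edits instead: Service Account User ON the
    service account, i.e. the user may act as it. Grants no project permissions."""
    return add_binding(sa_policy, "roles/iam.serviceAccountUser", f"user:{user_email}")


if __name__ == "__main__":
    new_project = grant_storage_admin_to_sa(PROJECT_POLICY)
    print("SA roles in project:", roles_of(new_project, SA_MEMBER))
    new_sa = let_user_impersonate_sa(SERVICE_ACCOUNT_POLICY, "dev@example.com")
    print("dev's roles on the SA:", roles_of(new_sa, "user:dev@example.com"))
    # Editing only the service-account policy leaves the project policy untouched:
    print("SA roles in project after SA-policy edit:", roles_of(PROJECT_POLICY, SA_MEMBER))
```

In practice `grant_storage_admin_to_sa` corresponds to `gcloud projects add-iam-policy-binding PROJECT_ID --member=serviceAccount:... --role=roles/storage.admin` (or to editing the JSON from `get-iam-policy` and feeding it back to `gcloud projects set-iam-policy`), which is the IAM & Admin > IAM path the answer points to; the service-account page only ever edits the second policy.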

Can I use Amazon IAM as login credentials for my app's users?

Is it possible to use the IAM API as a user registration service for my application?
I.e., if I let the user create an account and password, can they then log in with IAM and use my application?
Or is it more for developers who are tinkering around with the actual AWS platform?
Thanks,
Ben
That's not what AWS Identity and Access Management is made for. I guess you don't want your users to have access to your infrastructure … If you want user registration, you should implement it inside your application.