I need to create SharePoint web page so I can through it run power shell scripts to grant permission for groups on SharePoint sites content if I am site collection administrator and I do not have permission on SP farm
If you are a site collection administrator, you could run PowerShell scripts to grant permission for groups on SharePoint site contents.
Which contents do you want to grant permission?
Related
I need to give permission to a developer to edit the "App configuration" and "Store Listing" pages at the Google Workspace Marketplace SDK API on Google Cloud, with the current permissions the "save" button [is not enabled][1].
The only solution i found so far was to add the Editor role to his IAM user, i wish i was able to add the exact permissions to perform this action, but the appmetadata.records.create and appmetadata.records.update permissions GCP suggested do not exist and neither are listed anywhere.
Those are the current permissions they have:
Compute OS Login,
Google Workspace Add-ons Developer,
OAuth Config Editor,
Service Account User,
Viewer,
I'm trying to create a website to make F1 predictions with flask
We started developing in Heroku, and the twitter API is already configured, you can check
https://demoflaskdance.herokuapp.com/
But now we are moving to Cloud Run as Heroku does not support pyodbc. We deployed our project, with the same code, and added to apps.twitter.com the urls, but when trying to log in with the link that google provided https://demo-flask-dance-kjomqyaifq-ew.a.run.app
we get an error and says that the URL is not authorized
Any help? Thanks
If your Cloud Run application does not require authenticated access, enable public access.
Go to the Google Cloud Console.
Select the service you want to make public.
Click Show Info Panel in the top right corner to show the Permissions tab.
In the Add members field, allUsers
Select the Cloud Run Invoker role from the Select a role drop-down menu.
Click Add.
Allowing public (unauthenticated) access
If you require authenticated access see this document:
Authentication overview
I have GCP org set up under a verified domain name (company.tech) with cloud identity enabled to use google cloud project. I am managing access to users through google groups (via admin panel). I've created a group with users from (company.tech, service account, Gmail & company.co.xx) i.e allowing members outside the org, let's call the group >> gcpusers#company.tech
Following are the IAM policies added for the group:
BigQuery Job User
BigQuery Metadata Viewer
Also, ACL access was added to a dataset BigQuery Data Viewer
The issue is, I am able to query from gmail, service account & company.tech domain accounts but the users under company.co.xx (this is not a cloud identity account but google mapped account using sign up with an existing email with Office 365 subscription) can neither select project nor query and end up getting the following error & cannot preview/query the bigquery dataset tables.
Access Denied: Project <<>>: User does not have bigquery.jobs.create permission in project <<>>
I tried the following but I still get the same error for company.co.xx accounts:
Added the custom rule to allow company.co.xx under domain restricted contacts org policy
Added the domain under Allowlisted domains in google admin panel (but unfortunately, as mentioned there the domain is not linked with cloud identity/gws instead the accounts are signed up using existing email)
Google Groups is managed independently from Google Cloud IAM - they are independent services. You can add an identity to Google Groups which is not supported by Google Cloud IAM. In your case, that is what you did. If you want to use Microsoft identities with Google Cloud you will need to set up federation with Active Directory.
I have created a AWS Managed Microsoft AD, and I have a Windows Server 2019 EC2 instance where I am trying to enable AD FS. I have joined the EC2 instance to the domain, installed AD tools, and am able to perform basic AD tasks using the default AD Admin user. So far so good.
However when I try to configure AD FS, I get stuck with this error
"The credential provided is not a domain administrator. Provide a
credential that is a member of the Domain Admins group and try again."
Taking a look at the AWS docs, I found this.
https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_getting_started_admin_account.html
To perform operational management of your directory, AWS has exclusive
control of accounts with Enterprise Administrator and Domain
Administrator privileges. This includes exclusive control of the AD administrator account.
So..... how could I possibly enable AD FS unless I had access to the AD administrator account?
You can't.
When you install ADFS it searches for available DC and writes a number of entries to AD.
To do this, it needs domain admin.
You don't need domain admin. to run ADFS. It can use a service account.
It was a truly sad limitation of AWS Directory Service until, surprisingly, AWS themselves suggested a crafty way to install AD FS on AWS Managed Directory Service in one of their blog posts: https://aws.amazon.com/blogs/security/how-to-enable-your-users-to-access-office-365-with-aws-microsoft-active-directory-credentials/
What the blog post is saying is that you can create a custom container for AD FS and then make the AD FS service use it (instead of the default container, which is unavailable as you do not have full admin rights to the whole domain).
I will not provide the recipe here as it is well described in the article referenced above.
I wanted to implement similar feature for azure as mentioned in below aws url-
https://aws.amazon.com/blogs/desktop-and-application-streaming/enabling-federation-with-azure-ad-single-sign-on-and-amazon-appstream-2-0/
I want to register external user on the fly to access azure portal with limited access and a expiry. Can someone help me figuring out a workaround for same.
You can use RBAC(Role-based access control ) for this.
RBAC allows the flexibility of owning one Azure subscription managed by the administrator account (service administrator role at a subscription level) and have multiple users invited to work under the same subscription but without any administrative rights for it.
There are two common examples when RBAC is used (but not limited to):
Having external users from the organizations (not part of the admin
user's Azure Active Directory tenant) invited to manage certain
resources or the whole subscription.
Working with users inside the organization (they are part of the
user's Azure Active Directory tenant) but part of different teams or
groups that need granular access either to the whole subscription or
to certain resource groups or resource scopes in the environment.
Follow the step by step instruction to Grant access at a subscription level for a user outside of Azure Active Directory.
Hope this will help.
For your requirement :
Consider Add Azure Active Directory B2B collaboration users in the Azure portal
In this a user who is assigned any of the limited administrator directory roles, can use the Azure portal to invite B2B collaboration users. You can invite guest users to the directory, to a group, or to an application.After you add a guest user to the directory, you can either send the guest user a direct link to a shared app, or the guest user can click the redemption URL in the invitation email.
Also consider Add Google as an identity provider for B2B guest users
By setting up federation with Google, you can allow invited users to sign in to your shared apps and resources with their own Google accounts, without having to create Microsoft Accounts (MSAs) or Azure AD accounts.