Would anyone know how to disable the access to create and delete proxy, from a user, in wso2ei?
Thank you.
You can create a particular role which only has permission to access the proxy (not manage permissions) and assign that role to all the users who just need to access the proxy. You can refer to the Admin guide on how to create roles and assign permissions.
https://docs.wso2.com/display/ADMIN44x/Configuring+Roles
Here is a screenshot showing what I just did:
I am setting up a service account in GCP in order to call the Directory API.
But I always get permission error: Not Authorized to access this resource/api.
I have set up this role but no luck. How do I know what permission I need to configure in order to call the API?
Google Directory API is not a part of GCP, so any roles / permissions you assign to your service account will not work.
You have to create a role and assign it to a user in order to be able to work with this API.
Your service account is not a Domain Admin, so it doesn't have access. You can however enable domain-wide delegation and make the service account impersonate a domain admin so your requests will be accepted:
This page describes how to allow members and resources to impersonate, or act as, an Identity and Access Management (IAM) service account. It also explains how to see which members are able to impersonate a given IAM service account.
Have a look at this answer which may be useful to you. One more document that you may find helpful is "Authorising your request".
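What the domain-wide delegation step in the answer above actually does, as an added example that is not part of the original thread: the service account signs a JWT assertion whose `sub` claim names the Workspace admin to impersonate, and trades it at Google's token endpoint for an access token. Without `sub` the token is minted for the service account itself, which is not a domain admin, which is the "Not Authorized to access this resource/api" case. The signing routine is injected (the `__main__` path uses the `cryptography` package with a service-account key file, an assumption); the admin address, key id and scope are placeholders.

```python
"""Service-account JWT assertion with domain-wide delegation (`sub` claim)."""
import base64
import json
import time
from typing import Callable, Dict, List, Optional

TOKEN_URI = "https://oauth2.googleapis.com/token"
# Read-only Directory users scope; the same scope must be authorised for the
# service account's client ID in the Admin console for delegation to work.
ADMIN_DIRECTORY_USER_RO = "https://www.googleapis.com/auth/admin.directory.user.readonly"


def b64url(raw: bytes) -> str:
    """JWT-style base64url without padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def build_assertion(sa_email: str, key_id: str, scopes: List[str],
                    subject: Optional[str], sign: Callable[[bytes], bytes],
                    now: Optional[int] = None, lifetime: int = 3600) -> str:
    """RS256 JWT assertion for the jwt-bearer grant. `sign` receives the
    header.payload bytes and returns the raw RSA-PKCS1v15/SHA-256 signature."""
    if lifetime > 3600:
        raise ValueError("Google rejects assertions valid for more than one hour")
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "kid": key_id}
    claims = {"iss": sa_email, "scope": " ".join(scopes), "aud": TOKEN_URI,
              "iat": now, "exp": now + lifetime}
    if subject:
        # Domain-wide delegation: act as this Workspace user instead of the SA.
        claims["sub"] = subject
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode("utf-8")
    signing_input = b64url(compact(header)) + "." + b64url(compact(claims))
    return signing_input + "." + b64url(sign(signing_input.encode("ascii")))


def decode_claims(assertion: str) -> dict:
    """Decode the (unverified) payload segment, for inspection."""
    payload = assertion.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def token_request(assertion: str) -> Dict[str, str]:
    """Form body for POST TOKEN_URI."""
    return {"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
            "assertion": assertion}


def directory_assertion(sa_email: str, key_id: str, admin_user: str,
                        sign: Callable[[bytes], bytes], now: Optional[int] = None) -> str:
    """Directory API calls need an admin identity: refuse to mint a token
    for the bare service account, which would only fail later with 403."""
    if not admin_user:
        raise ValueError("Directory API requires impersonating a Workspace admin (subject)")
    return build_assertion(sa_email, key_id, [ADMIN_DIRECTORY_USER_RO], admin_user, sign, now)


if __name__ == "__main__":
    # Usage (assumed): python dwd.py service-account.json admin@example.com
    import sys
    import urllib.parse
    import urllib.request
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding

    with open(sys.argv[1]) as fh:
        info = json.load(fh)
    key = serialization.load_pem_private_key(info["private_key"].encode(), password=None)
    rsa_sign = lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())
    assertion = directory_assertion(info["client_email"], info["private_key_id"],
                                    sys.argv[2], rsa_sign)
    body = urllib.parse.urlencode(token_request(assertion)).encode("ascii")
    with urllib.request.urlopen(TOKEN_URI, body) as resp:
        print(json.load(resp)["access_token"])
```

In production you would simply call `Credentials.with_subject(admin_user)` from google-auth, which builds exactly this assertion; the point of spelling it out is that the only thing separating a 403 from a working call is the `sub` claim plus the matching client-ID/scope authorisation in the Admin console, not any GCP IAM role.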
I would like to use a service account and give it storage.objects.create and storage.objects.delete (basically, so when I use this account, I can upload, re-upload, and delete, but NOT list or read a bucket).
I see pre-configured storage roles, e.g. 'Storage Object Creator', which has the create aspect (and works for create, but can't overwrite or delete).
I assume I need to create a Role. I seemed to be able to do that, but then could not seem to find that 'Custom Role' when trying to add a role to the service account.
So I guess I'm asking 'how do i add a custom role to a service account'?
I was doing all of this through the web ui.
Any help appreciated.
br, Simon
I tested and it works. You can find it in the custom section.
I'd like to create some OAuth client IDs in the GCP but I do not have some permissions for that. I got a warning "You don't have permission to create an OAuth client"
I can simply add myself to the role roles/owner and do it, but I'd like to have something like a minimal permission/role to create OAuth client IDs. What permissions/roles from this list should I use?
https://cloud.google.com/iam/docs/understanding-roles#service_account_roles
I tried roles/iam.serviceAccountTokenCreator but it doesn't work.
Besides having at least the Viewer role assigned, in order to see the Google Cloud Platform project and navigate the Cloud Console, the only relevant permission in order to create an OAuth client should be clientauthconfig.clients.create. But notice that besides creating them, the user would not have the ability to delete or update them.
My suggestion would be to create a custom role that has at least the following permissions:
clientauthconfig.clients.create
clientauthconfig.clients.createSecret
clientauthconfig.clients.delete
clientauthconfig.clients.get
clientauthconfig.clients.getWithSecret
clientauthconfig.clients.list
clientauthconfig.clients.listWithSecrets
clientauthconfig.clients.undelete
clientauthconfig.clients.update
And make sure that the users have at least the Viewer Role as well as this custom role assigned.
You can try to create a custom role which has permissions clientauthconfig.*
Note: As per https://cloud.google.com/iam/docs/custom-roles-permissions-support, these permissions are in testing phase, so please try them out thoroughly before putting them in production.
Hope this helps.
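The two custom-role answers above (the storage create/delete role and the clientauthconfig role) both come down to the same two API operations: create a role with exactly the permissions the task needs, then add a binding for it to the project's IAM policy. The following is an added example, not code from either answerer, that does this against the IAM and Resource Manager REST APIs with the HTTP transport injected so the read-modify-write on the policy can be exercised offline. The project id, role ids and member names are placeholders; the `__main__` path assumes an access token in `GOOGLE_OAUTH_ACCESS_TOKEN` (for example from `gcloud auth print-access-token`).

```python
"""Least-privilege custom role + binding via the GCP IAM REST API."""
import copy
import json
import os
from typing import Callable, List

IAM_API = "https://iam.googleapis.com/v1"
CRM_API = "https://cloudresourcemanager.googleapis.com/v1"

# Permission sets taken from the two answers; anything not listed (e.g.
# storage.objects.list / storage.objects.get) is deliberately absent.
STORAGE_WRITE_ONLY = ["storage.objects.create", "storage.objects.delete"]
OAUTH_CLIENT_ADMIN = [
    "clientauthconfig.clients.create", "clientauthconfig.clients.createSecret",
    "clientauthconfig.clients.delete", "clientauthconfig.clients.get",
    "clientauthconfig.clients.getWithSecret", "clientauthconfig.clients.list",
    "clientauthconfig.clients.listWithSecrets", "clientauthconfig.clients.undelete",
    "clientauthconfig.clients.update",
]

# (method, url, json_body) -> decoded JSON response
Http = Callable[[str, str, dict], dict]


def custom_role_request(role_id: str, title: str, permissions: List[str]) -> dict:
    """Body for POST {IAM_API}/projects/{project}/roles (roles.create)."""
    if not permissions:
        raise ValueError("a custom role must grant at least one permission")
    return {"roleId": role_id,
            "role": {"title": title,
                     "includedPermissions": sorted(set(permissions)),
                     "stage": "GA"}}


def add_binding(policy: dict, role: str, member: str) -> dict:
    """Return a copy of an IAM policy with `member` added to `role`.

    The etag is kept on purpose: setIamPolicy rejects a policy whose etag no
    longer matches the stored one, which is what stops two concurrent editors
    from silently overwriting each other's bindings. Writing a policy fetched
    without its etag would bypass that check, so it is refused."""
    if "etag" not in policy:
        raise ValueError("refusing to write a policy without an etag (lost-update risk)")
    new = copy.deepcopy(policy)
    for binding in new.setdefault("bindings", []):
        # Conditional bindings are separate grants; only extend the plain one.
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def grant_custom_role(http: Http, project: str, role_id: str, title: str,
                      permissions: List[str], member: str) -> str:
    """Create the role, then read-modify-write the project policy."""
    http("POST", f"{IAM_API}/projects/{project}/roles",
         custom_role_request(role_id, title, permissions))
    role_name = f"projects/{project}/roles/{role_id}"
    policy = http("POST", f"{CRM_API}/projects/{project}:getIamPolicy", {})
    updated = add_binding(policy, role_name, member)
    http("POST", f"{CRM_API}/projects/{project}:setIamPolicy", {"policy": updated})
    return role_name


def urllib_http(token: str) -> Http:
    """Minimal bearer-token transport built on the standard library."""
    import urllib.request

    def call(method: str, url: str, body: dict) -> dict:
        req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                     method=method,
                                     headers={"Authorization": f"Bearer {token}",
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return call


if __name__ == "__main__":
    # Assumed: project id and principal are placeholders for the real ones.
    http = urllib_http(os.environ["GOOGLE_OAUTH_ACCESS_TOKEN"])
    print(grant_custom_role(http, "my-project", "storageWriteOnly", "Storage write-only",
                            STORAGE_WRITE_ONLY,
                            "serviceAccount:uploader@my-project.iam.gserviceaccount.com"))
```

Once the binding exists, the role shows up under the "Custom" section of the role picker in the console, which is where the second answer says to look. Note that `storage.objects.delete` is what lets the uploader overwrite an existing object, which is why the predefined Storage Object Creator role (create only) cannot re-upload.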
I'm an admin user on my AWS account, so I have full access. Working through the console, I get no issues. When I try to work with programmatic access though, I get an access denied error. Does anybody have a clue why?
The code and all is OK, it works fine on my other AWS account on which I have admin access as well. Yes, I did change the AWS configuration to match the access keys to the right account.
If you are 100% sure that your code is correctly assuming your admin role and your admin role has the admin policy, then you may be facing one of the following:
The resource (e.g., S3) you are trying to access has an explicit deny policy, or does not have an allow policy for your user.
IAM service latency. Say you just created this user with admin access and you try to test that immediately with your code; it might happen that AWS thinks you don't have enough permission. That happened to me when I created a new role. I have seen the delay go up to 20 minutes, but that kind of delay is rare. Still, you cannot assume your updates to IAM permissions take effect immediately, the way EC2 security group changes do.
Have you enabled MFA on the IAM account? If so, you cannot directly access the AWS CLI or API with the access key. You need to create a temporary access key and secret key and use those to access the AWS resource.
With the access key that you configured earlier, you need to create the temporary access key. Refer to the links below for the procedure.
https://aws.amazon.com/premiumsupport/knowledge-center/mfa-iam-user-aws-cli/
https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/
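The two answers above describe two distinct reasons an admin user can get AccessDenied from code while the console works: IAM changes are eventually consistent, and an MFA-protected user has to trade long-term keys for temporary STS credentials first. The following is an added example, not code from either answerer, covering both. The AWS clients are passed in rather than created inside the functions so both paths can be exercised offline; the `__main__` path assumes boto3 is installed and that the default profile holds the user's long-term keys. The MFA serial and token code are placeholders.

```python
"""IAM eventual-consistency retry and MFA session credentials via STS."""
import re
import shlex
import time
from typing import Any, Callable, Dict, List

# Error codes AWS services use for authorisation failures (S3/STS/IAM use
# AccessDenied, many newer services AccessDeniedException, EC2 UnauthorizedOperation).
ACCESS_DENIED_CODES = {"AccessDenied", "AccessDeniedException", "UnauthorizedOperation"}


def error_code(exc: BaseException) -> str:
    """botocore's ClientError carries the service error code under
    exc.response['Error']['Code']; any other exception yields ''."""
    response = getattr(exc, "response", None)
    if not isinstance(response, dict):
        return ""
    return response.get("Error", {}).get("Code", "")


def call_with_iam_retry(fn: Callable[[], Any], attempts: int = 10,
                        base_delay: float = 1.0, max_delay: float = 60.0,
                        sleep: Callable[[float], None] = time.sleep) -> Any:
    """Run `fn`, retrying only on AccessDenied-class errors with capped
    exponential backoff. Other errors (validation, throttling, missing
    resource) are raised immediately: they are not a propagation delay.
    Defaults give roughly four minutes of total wait."""
    for attempt in range(attempts):
        try:
            return fn()
        except Exception as exc:
            if error_code(exc) not in ACCESS_DENIED_CODES or attempt == attempts - 1:
                raise
            sleep(min(max_delay, base_delay * (2 ** attempt)))


def mfa_session_env(sts: Any, mfa_serial: str, token_code: str,
                    duration: int = 3600) -> Dict[str, str]:
    """Exchange the caller's long-term keys plus an MFA code for temporary
    credentials. `sts` must be a client built from the long-term keys (not
    from an earlier session), which is the point the answer above makes."""
    if not re.fullmatch(r"\d{6}", token_code):
        raise ValueError("MFA token code must be exactly 6 digits")
    if not 900 <= duration <= 129600:
        raise ValueError("DurationSeconds for GetSessionToken must be 900..129600")
    creds = sts.get_session_token(SerialNumber=mfa_serial, TokenCode=token_code,
                                  DurationSeconds=duration)["Credentials"]
    expiry = creds["Expiration"]
    expiry = expiry.isoformat() if hasattr(expiry, "isoformat") else str(expiry)
    # All three values must be used together; leaving out the session token
    # is the usual reason the temporary key pair still gets AccessDenied.
    return {"AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
            "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
            "AWS_SESSION_TOKEN": creds["SessionToken"],
            "AWS_CREDENTIAL_EXPIRATION": expiry}


def export_lines(env: Dict[str, str]) -> List[str]:
    """Shell-safe `export` lines, for `eval "$(python mfa.py ...)"`."""
    return [f"export {key}={shlex.quote(value)}" for key, value in env.items()]


if __name__ == "__main__":
    # Usage (assumed): python mfa.py arn:aws:iam::123456789012:mfa/alice 123456
    import sys
    import boto3

    sts_client = boto3.client("sts")  # default profile: long-term keys
    session_env = mfa_session_env(sts_client, sys.argv[1], sys.argv[2])
    print("\n".join(export_lines(session_env)))
    # Subsequent calls with the session are what IAM evaluates with
    # aws:MultiFactorAuthPresent=true; wrap a freshly granted call in the
    # retry helper if the permission was attached moments ago.
    s3 = boto3.session.Session(
        aws_access_key_id=session_env["AWS_ACCESS_KEY_ID"],
        aws_secret_access_key=session_env["AWS_SECRET_ACCESS_KEY"],
        aws_session_token=session_env["AWS_SESSION_TOKEN"]).client("s3")
    print(call_with_iam_retry(lambda: s3.list_buckets()["Buckets"]))
```

The retry helper should be used only while waiting for a just-made IAM change; if a call is still denied after it gives up, the cause is a real policy gap (or an explicit deny), as the first answer says, not propagation.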
I need to add a custom permission and role to IS. The use case is available here: http://venurakahawala.blogspot.in/search/label/custom%20permissions . How do I implement this scenario?
Thanks in advance
In WSO2 IS 5.0.0, to achieve this:
Create a service provider which represent your application
https://docs.wso2.com/display/IS500/Adding+a+Service+Provider
Define custom permissions for the service provider
https://docs.wso2.com/display/IS500/Configuring+Roles+and+Permissions+for+a+Service+Provider
Create new roles and assign permissions to each role
https://docs.wso2.com/display/IS500/Configuring+Roles