Can I specify an AWS policy based on a specific Cognito field? - amazon-web-services

Can I apply a policy (for example to an AWS DynamoDB table) but restrict it based on a specific field of the Cognito user (other than the Cognito id)?
What I'm trying to implement:
I've got multiple Cognito users that belong to one specific group. Each group can have multiple users. There are a lot of groups (> 1000).
Each group should have permissions to read/write rows in a DynamoDB table that belong to the group (to do so the table has a field GroupName).
Each user should have the same permissions that the group he belongs to has.
I would like to check in the policy file that MyCognitoUser.GroupName equals row.GroupName.

If you are using Amazon Cognito User Pools then you can use the recently launched Groups functionality to assign roles based on the user groups (you don't need to store this field in DynamoDB, instead it is part of user profile).
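As an added example (not code from the question or answer) of how the group-to-role mapping above translates into a per-group DynamoDB policy: each Cognito group is mapped to its own IAM role, and that role's policy uses the `dynamodb:LeadingKeys` condition key to confine access to rows whose partition key equals the group name. This assumes GroupName is the table's partition key (LeadingKeys only sees partition-key values); the table ARN and group names are constructed placeholders.

```python
import json

# Actions the group role may perform on its own rows.
ACTIONS = [
    "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query",
    "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem",
]


def group_table_policy(table_arn: str, group_name: str) -> dict:
    """IAM policy for the role mapped to one Cognito group: the listed
    actions are allowed only when every partition key in the request
    equals group_name (assumption: GroupName is the partition key)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RowsOwnedByGroup",
            "Effect": "Allow",
            "Action": ACTIONS,
            "Resource": table_arn,
            "Condition": {
                # ForAllValues: each partition key touched by the request
                # must be in the allowed set (here a single value).
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": [group_name]
                }
            },
        }],
    }


def keys_permitted(policy: dict, requested_keys: list) -> bool:
    """Local mirror of the ForAllValues:StringEquals check so the generated
    document can be unit-tested before deployment (this is not IAM itself)."""
    allowed = set()
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {}).get("ForAllValues:StringEquals", {})
        allowed.update(cond.get("dynamodb:LeadingKeys", []))
    return all(k in allowed for k in requested_keys)


if __name__ == "__main__":
    # Constructed sample values: placeholder account id and table name.
    arn = "arn:aws:dynamodb:eu-west-1:123456789012:table/GroupData"
    print(json.dumps(group_table_policy(arn, "sales-emea"), indent=2))
```

With more than 1000 groups this means one role per group, so the policy document is best generated and attached by the same automation that creates the Cognito group.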

Related

Assign different role to a group member

I am looking for advice on a not so particular situation.
I currently have roughly 20000 stores.
All stores have admins, managers and user roles.
An admin can create/manage any roles
A manager can create/manage only user role
A user can login and access custom functionality.
Any persona can be assigned to 1 or multiple stores and can have 1 or multiple roles for that particular store.
I.e.:
StoreA has userA as Admin and userB as Manager
StoreB has userA as User and userB as Admin
At first, I converted my stores to be groups. But since roles are bound to the group, I would still have 3 roles for each group (20000 groups and 60000 roles - Group StoreA, Roles: StoreA_Admin, StoreA_Manager, StoreA_User, etc...). Not sure if it is the right decision, and I am not sure about the performance.
Then, I kept the stores as groups, but instead of creating roles, I created custom multivalued attributes that save the group uid. That worked in Carbon, as well as the API, but the console doesn't like the multivalued fields. And if another role is introduced, I would have to create another field.
Any thoughts on how to approach this situation?
We can map your story to IS groups and roles as follows.
Please note that groups and roles are treated as two separate resources since IS-5.11.0.
Refer to:
https://is.docs.wso2.com/en/5.11.0/setup/migrating-what-has-changed/#group-and-role-separation
https://medium.com/p/93d42fe2f135
That separation is not clearly visible in the management console. So you can use the console application to create groups and roles.
A group is used to represent a collection of users in the user store. One user can belong to zero or more groups.
A role is a collection of permissions. A role can have zero or more permissions.
We can assign a role either to a group or to a user.
Due to this statement:
A user can log in and access custom functionality.
We don't need to assign any role to normal business users specifically. No specific role is required to log in to the business application via Identity Server basic authentication. If your business application has role-based access control, you need to assign a role to business users as well. Otherwise, every user will get login permissions upon successful authentication; that should be enough to do business operations in the application.
In your case, if any store's admin has the same set of permissions and any manager has the same set of permissions, you can't just evaluate the permissions and authorize the requests.
For example: if user B is the manager of store A and admin of store B, he has inherited both the admin and manager role-related permissions. But when user B performs a request on store B, you have to authorize the request based only on the roles related to store B.

DynamoDB Many to many relation for IAM like service

So, I was trying to build an IAM service like Amazon IAM, but simpler. The company has users, groups, and policies. As you can imagine, users, groups, and policies have many-to-many relations between each other.
Actions:
Policies can be added to groups
Users can be added to groups or policies
Now the issue is, if a user tries to log in then I have to make 3 requests:
Get groups and policies from the user partition
Get all policies from the groups in that list
Get all policies
Then I have to do 3 round trips for every login. Is there a better way to do this? Or should I design the relations differently?
I would denormalize this.
The effective policy of the user should be an attribute in the user document.
The effective policy should be recalculated async after the user is added or removed from a group or a policy is attached/detached to/from the user.
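An added example (not the asker's or answerer's code) of the denormalisation the answer proposes: every user record carries its effective policy set, which is recomputed whenever a group membership or policy attachment changes, so login becomes a single user lookup. In-memory dicts stand in for the DynamoDB user and group partitions, and the recompute runs inline here rather than asynchronously so the result is immediately checkable.

```python
from collections import defaultdict


class IamStore:
    """Users, groups and policies with a denormalised effective-policy set."""

    def __init__(self):
        self.user_policies = defaultdict(set)   # user -> directly attached
        self.user_groups = defaultdict(set)     # user -> groups
        self.group_policies = defaultdict(set)  # group -> policies
        self.group_members = defaultdict(set)   # group -> users (fan-out)
        self.effective = {}                     # user -> denormalised set

    def _recompute(self, user):
        # In production this is the async step (e.g. driven from a stream
        # or queue); the union is direct policies plus each group's policies.
        policies = set(self.user_policies[user])
        for group in self.user_groups[user]:
            policies |= self.group_policies[group]
        self.effective[user] = frozenset(policies)

    def attach_policy_to_user(self, user, policy):
        self.user_policies[user].add(policy)
        self._recompute(user)

    def detach_policy_from_user(self, user, policy):
        self.user_policies[user].discard(policy)
        self._recompute(user)

    def add_user_to_group(self, user, group):
        self.user_groups[user].add(group)
        self.group_members[group].add(user)
        self._recompute(user)

    def remove_user_from_group(self, user, group):
        self.user_groups[user].discard(group)
        self.group_members[group].discard(user)
        self._recompute(user)

    def attach_policy_to_group(self, group, policy):
        self.group_policies[group].add(policy)
        # A group change fans out to every member; this is the expensive
        # write that moving the recalculation off the login path absorbs.
        for member in self.group_members[group]:
            self._recompute(member)

    def policies_at_login(self, user):
        # One read instead of three round trips.
        return self.effective.get(user, frozenset())
```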

Integrate Quicksight with Cognito for access via Google login

I have my enterprise Quicksight in place and with users using our company email to register an account (like john.doe#mycompany.com). We're using Gmail for business.
On the other hand, we have developed another application backed by an AWS Cognito user pool using Google as an identity provider, and since this is the same user base our intention was to use the same user pool for Quicksight access. In addition we will develop a Lambda that would synchronize Cognito user group association with Quicksight memberships if/when necessary.
I've followed the example described here https://aws.amazon.com/blogs/big-data/use-amazon-quicksight-federated-single-sign-on-with-amazon-cognito-user-pools/, but the problem is that even though I log in as different users I get access to Quicksight via the same IAM role. The Quicksight user associated with this role has a specific username starting with CognitoQuickSight1-AuthRole-KX4Y16... and the email associated with the user I used to log in the very first time.
Now I'm wondering if in this setup it's even possible to have different roles associated with different users so they can be differentiated on Quicksight side? Or is there any other way to achieve this?
I don't think you can assign QuickSight user-specific permissions to federated users.
Some AWS services allow using the user identity in the resource-based IAM policy. For example S3 (to allow a user to access only their 'directory' in a bucket) and DynamoDB (to allow a user to only access items where their identity is the primary key).
According to https://docs.aws.amazon.com/quicksight/latest/user/security_iam_service-with-iam.html Quicksight does not support resource-based or tag-based policies.

AWS Cognito and custom roles

I am new to AWS...
We have a home grown user authentication and authorization.
We define authorizations (roles) in company terms: role1 allows you to do task1 and task2. Role2 allows one to perform task3 only.
I can see how I can use Cognito for my user/password management.
It's unclear whether I can use Cognito for role verification, i.e. authorization.
Thoughts?
In a Cognito User Pool one can define both Users and Groups, which can be leveraged to drive fine-grained RBAC permissioning. You can define a custom attribute in the User model (e.g., "department" or "role") and map this attribute to Groups.
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html
Each group can optionally be associated with an IAM role, so it's possible to restrict access to AWS resources (e.g., certain DynamoDB tables) by group -- as an additional layer of security.
However, if you don't need/want to map users to different IAM roles, maybe just handle authentication completely from within your application.

Can Cognito Groups be used to manage Row/Column level access in Athena?

AWS Cognito Groups offer a pretty powerful means of making user groups and permissions. I need to manage user data access at a row/column level in Athena, Aurora, etc.
Is there a way to use Cognito to manage user data access?
Can we manage parameter access to API Gateway? For example, restrict users from hitting /data/{company_name} for company names they don't have permissions to.
Please provide links to documentation and examples.
As of today, I have not seen Athena being controlled with row- or column-level access with IAM or any other policy.
If you want to restrict certain URL paths in API Gateway you can use a custom authorizer.
Custom Authorizer with Example:
http://docs.aws.amazon.com/apigateway/latest/developerguide/use-custom-authorizer.html
Hope it helps.
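An added example (not from the answer or the linked documentation) of the custom authorizer approach applied to the asker's /data/{company_name} case: the authorizer allows the call only when company_name is one of the caller's Cognito groups, read from the `cognito:groups` claim that Cognito places in its tokens. It assumes the Lambda handler has already verified the JWT (signature, issuer, expiry) with a JWT library and passes the verified claims plus `event["methodArn"]` to `authorize()`; the ARN, account id and group names below are constructed.

```python
def path_from_method_arn(method_arn: str) -> str:
    """Extract the resource path from an API Gateway methodArn of the form
    arn:aws:execute-api:REGION:ACCOUNT:API_ID/STAGE/METHOD/resource/path."""
    api_part = method_arn.split(":", 5)[5]
    _api_id, _stage, _method, *path = api_part.split("/")
    return "/" + "/".join(path)


def company_from_path(path: str):
    """Return company_name for /data/{company_name}/..., else None."""
    parts = path.strip("/").split("/")
    if len(parts) >= 2 and parts[0] == "data":
        return parts[1]
    return None


def build_policy(principal: str, effect: str, method_arn: str) -> dict:
    """Authorizer response in the shape API Gateway expects."""
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                # Scope to the exact method ARN: API Gateway caches the
                # returned policy per token, so a broad Resource would
                # carry access over to other /data/{company} paths.
                "Resource": method_arn,
            }],
        },
    }


def authorize(claims: dict, method_arn: str) -> dict:
    """Allow only if the requested company is one of the caller's groups.
    Any path outside /data/{company_name} is denied (default deny)."""
    groups = set(claims.get("cognito:groups", []))
    company = company_from_path(path_from_method_arn(method_arn))
    effect = "Allow" if company is not None and company in groups else "Deny"
    return build_policy(claims.get("sub", "anonymous"), effect, method_arn)
```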