Is it possible to create a redmine user, who don't have administrator role, but can view all projects and all issues in the system, including not-public projects?
Sure, just add the use to all projects as a member with a role giving them the respective permissions.
All non-admin users follow the permissions applied to them via the roles. Thus, unless a non-admin user is given explicit permissions via a role, they can't see the data. This is one of the basic rules of Redmine's permission system and is required to ensure that permissions apply to normal users.
Related
Within an organization of which I am the sole admin, I am unable to enumerate and therefore manage the organizational policies from within the GCP console. Does anyone know why this might be and/or how I'd go about fixing it? Any guidance as to documentation that was perhaps missed during setup, etc. would be appreciated.
Organization Administrator includes the missing permissions resourcemanager.organizations.get along with orgpolicy.constraints.list and orgpolicy.policies.list.
Do note that this role is not automatically granted for being the sole user on the account, this has to be assigned via the IAM menu.
The Owner role does not have these permissions as the Owner is only limited on a Project level.
I'm pretty sure this is an actual bug with GCP at the moment. I'm the Organization Admin for the GCP organization (I've quadruple checked this, and that I'm signed in with the correct account).
But when I go to Manage Resources, And try to create a new folder, it doesn't let me select the organization as the location, because I "don't have the required resourcemanager.folders.create permission". If I try to create the folder in a project that's in the organization, I get "Unknown error".
I'm the user who created the organization and all projects in the first place, and the only G-Suite user that even exists on this domain.
If you review the permissions that Organization Administrator has, resourcemanager.folders.create is not one of them.
IAM Roles
Org Admin by itself has almost infinite power because it can set IAM policies. This means the Org Admin can grant any IAM permission to any identity.
Grant yourself the required role such as roles/resourcemanager.folderAdmin.
Note: I recommend keeping the Org Admin as a separate identity that you lock away and only use to manage the organization. Create separate identities for day-to-day operations, development, and deployment.
I've created a custom role in GCP, which I'm using to assign limited access to our business users, enabling them to train the chatbot. At the moment they can perform the functions as needed using the Training module, I would also like to give access to the History module, but I keep hitting an error
IAM permission 'dialogflow.conversations.list' on 'projects' denied.
When I try and add this permission, it's not available. I've noticed the second I make a copy of a standard dialogflow permission group, this object goes missing.
Any suggestions on how I can enable access to this module?
Add Permissions Screenshot
According to Google document, Not all permissions can be used for custom IAM role.
Custom IAM role has a limitation that some permissions are not available.
Below is description about limitation of custom IAM from google document page.
Some predefined roles contain permissions that are not permitted in
custom roles. To check whether you can use a specific permission in a
custom role, see Support level for permissions in custom roles.
Also, I checked whether dialogflow.conversations.list permission is permitted or not. But It didn't even exist.
You can also check it here.
I think you can just grant a dialogflow.conversationManager role to group or users for your situation.
That dialogflow.conversationManager role looks perfect, I'll switch to that.
Many thanks!
Yesterday, I signed up for a Google Cloud Account. Since I want to link the user access with our own identity platform, I followed the instructions from this article:
https://cloud.google.com/blog/products/identity-security/using-your-existing-identity-management-system-with-google-cloud-platform
I got as far as the account is created but in the GCP Console, on several screens, I get errors of missing permissions to view things, let alone change things. Here is an example:
I was the one who created the account and in IAM I am listed as the Organization Administrator. How come I am missing so much permissions? Who within Google Cloud Support is listening/reading this and is able to help me?
This is not a bug that needs to be fixed. As the Owner, you can add any roles that you need to your account. Neither the Owner nor the Organization Administrator have all roles assigned. You can, however, add desired roles to grant your identity more permissions. Consult the documentation for permissions assigned to each role. Then add the required roles to your identity (email address).
However, I recommend that you do not use an account with Owner or Organization Admin roles. Lock that identity in your safe after creating several new identities that use the principles of least privilege and have MFA enabled.
I'm attempting to develop an application architecture almost exclusively on top of AWS services.
This application has both User and Organization "entities". As one might except, a User may be an admin, role-x or role-y of one or more organizations. (role-x and role-y are just placeholders for some role with some set of specific permissions. A User may also be standalone (that is, not have a role on any Organization).
Our current thinking is to use DynamoDB to store organization and user specific data. For users this may include some basic information (address, phone number, whatever), and for organizations it may include fields like "mission statement", "business address" and so on.
An admin of an organization would be able to edit all organization fields, whereas a role-x might only be able to update "mission statement" while reading all other fields.
Since I mentioned that a single user may have roles on many different organizations, that might look something like:
user1:
organizations:
123: 'admin'
456: 'role-x'
789: 'admin'
It's also worth noting that these role assignments are modifiable. New or existing users may be invited to take on a specific role for an organization, and an organization may remove a user from a role.
This is a fairly straightforward type of layout, but I wanted to be very clear about the many-to-many nature of the user, org and roles.
I've been reading IAM and Cognito documentation, as well as how it relates to fine-grained control over DynamoDB items or S3 buckets - but many of the examples focus on a single user accessing their own data rather than a many-to-many role style layout.
How might one go about implementing this type of permission system on AWS?
(If policy definitions need to be updated with specific Identities (say, for an Organization), can that reliably be done in a programatic way - or is it ill-advised to modify policies on the fly like that?)
The above answer is outdated.
AWS has added Cognito-Groups recently. That provides more flexibility
You can use technique described in the article to achieve that:
https://aws.amazon.com/blogs/aws/new-amazon-cognito-groups-and-fine-grained-role-based-access-control-2/
Unfortunately the kind of permission system you are trying to implement is not possible with Cognito at the moment. With Cognito you can currently create unique identities for your users in an identity pool. Users can authenticate using any external provider such as Facebook, Amazon, Google, Twitter/Digits or any OpenId Connect Provider. Users can also authenticate through your own backend authentication process. After the user authenticates, Cognito creates a unique identity for that user. There’s a concept of an identity, but there’s no concept of groups. All users/identities within a one identity pool can get credentials from roles associated with that identity pool. Currently you can specify two roles: One role for authenticated identity and one role for unauthenticated identity. There’s no such feature at the moment where you can specify multiple groups for each identity and specify role on that group.
For more information on Cognito, you can refer to
https://aws.amazon.com/cognito/faqs/
http://docs.aws.amazon.com/cognito/devguide/getting-started/