Add custom roles to a group using Google API - google-admin-sdk

From group settings we can create new custom roles to be added to the built-in ones (OWNER, MANAGER and MEMBER), and we can assign those custom roles to any member of the group.
Using the Directory API, is there any way to add a custom role, and to get all roles assigned to a member, including those custom roles?
Thank you

The last time I checked, this is still not possible. You can take a look at some pages like the Members: Update info, and you'll see that the role parameter still only accepts the three allowed values you mentioned.

Related

Limit google account to use ONLY big query

My organization wants to limit the GCP services any user can use. For example we only want to allow the usage of Big Query.
Is there a way to contract GCP in a way that even the top account (or tenant, organization or whatever) can't instantiate anything besides Big Query?
Thanks
I would recommend maybe trying the following. Basically you want to create a group and apply the proper Big Query roles to the group which will then be inherited by all members of the group. Google allows you to create a "company" group that you can have set to auto-add all current/new users of your organization to.
Take the following steps.
Create a "Company" group by following this article. Make sure to set it up so that current and new users of the organization will be added. (If you don't want this, then just create a group and add in the users necessary.)
In GCP, add the corresponding Big Query roles you want to have applied to all your organization's members to that single group.
As suggested by Jack, you can create a group that grants access only to BigQuery, place all users in that group and grant them no extra permissions.
But you must have at least one project owner account that can do anything in that project.
If you want to secure your organization even further, you can do the following:
Limit the amount of services that can be activated using quotas
Monitor actions performed by users with Audit Logs
Set up alerts that will notify you when certain services are activated

google cloud storage permissions - create and delete only

I would like to use a service account and give it storage.objects.create and storage.objects.delete (basically, so when I use this account, I can upload, re-upload, and delete, but NOT list or read a bucket).
I see pre-configured storage roles, e.g. 'Storage Object Creator', which has the create aspect (and works for create, but can't overwrite or delete).
I assume I need to create a Role. I seemed to be able to do that, but then could not seem to find that 'Custom Role' when trying to add a role to the service account.
So I guess I'm asking 'how do i add a custom role to a service account'?
I was doing all of this through the web ui.
Any help appreciated.
br, Simon
I tested and it works. You can find it in the custom section.
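As an added illustration of the least-privilege reasoning in this thread (not code from the question or from Google), the custom role below is written in the layout that `gcloud iam roles create --file` reads, and a small check derives which user-facing actions a set of `storage.objects.*` permissions actually allows; the role id, project id and service-account name in the comments are placeholders.

```python
# Custom role definition in the layout `gcloud iam roles create ROLE_ID
# --project=PROJECT_ID --file=role.yaml` reads, kept as a dict so the check
# below runs offline (constructed example).
OBJECT_WRITER_ROLE = {
    "title": "Object writer (no list, no read)",
    "description": "Upload, overwrite and delete objects only",
    "stage": "GA",
    "includedPermissions": ["storage.objects.create", "storage.objects.delete"],
}

# After creating it, the role is bound under its project-scoped name, e.g.
#   gcloud projects add-iam-policy-binding PROJECT_ID \
#     --member=serviceAccount:uploader@PROJECT_ID.iam.gserviceaccount.com \
#     --role=projects/PROJECT_ID/roles/ROLE_ID

# Which object permission(s) each user-facing action needs in Cloud Storage.
# Overwriting an existing object replaces it, so it needs delete as well as
# create, which is why a create-only grant can upload but not re-upload.
ACTION_PERMISSIONS = {
    "upload_new": {"storage.objects.create"},
    "overwrite": {"storage.objects.create", "storage.objects.delete"},
    "delete": {"storage.objects.delete"},
    "list": {"storage.objects.list"},
    "read": {"storage.objects.get"},
}


def actions_allowed(permissions):
    """Return the set of actions a principal holding these permissions can perform."""
    held = set(permissions)
    return {action for action, need in ACTION_PERMISSIONS.items() if need <= held}


def check_role(role, wanted_actions):
    """Compare a role against intent: actions it cannot do, and extra ones it allows."""
    allowed = actions_allowed(role["includedPermissions"])
    return {
        "missing": set(wanted_actions) - allowed,
        "excess": allowed - set(wanted_actions),
    }
```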

IAM Policy variable for Cognito groups

My situation is this:
I'm trying to control access to an S3 bucket using unix-like home directories via AWS Cognito. These home directories should be accessible by groups of users rather than each individual user. i.e.:
s3-bucket/home/group1
s3-bucket/home/group2
s3-bucket/home/group3
When creating roles separately with group information (group name currently used as part of directory name for wildcarding), similar to this link, it works. However, I'd rather not make a separate IAM role for each group.
Before I used the enhanced flow I could restrict the role with a further policy via the assumeRoleWithWebIdentity call with STS. However, when using just Cognito, it expects only a role to apply.
Instead of directly applying a policy to the subject of the ID token (like ${cognito-identity.amazonaws.com:sub}), I'd rather have it use the group (like from ${cognito-identity.amazonaws.com:cognito:groups}), such that I don't have to create a role for each new group, and the variable itself would help define the resource scope.
Has anyone had much luck with this? Or using string arrays/sets in IAM resource definitions in general? I was trying to do something like
{"Fn::Select": [0, "${cognito-identity.amazonaws.com:cognito:groups}"]}
but cloudformation complains about
Template error: Fn::Select requires a list argument with two elements: an integer index and a list.
Thanks!
P.S. I see this page which states that there are no service-specific keys for Cognito for use in policies, but that doesn't seem right, as I've seen people use sub, aud, amr etc. in policies in other examples on the web, although a definitive guide doesn't seem well documented.
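To make concrete the per-identity variant the question says does work, here is an added example (not from the question or from AWS): a policy that scopes each identity to `home/<sub>/` in the bucket, plus a minimal evaluator that substitutes single-valued policy variables into `Resource` and `Condition` before wildcard-matching. The bucket name comes from the question; the identity ids are constructed, and the evaluator only covers `Allow` statements with `StringLike` conditions, so it says nothing about the list-valued groups key the question is really after.

```python
import re

SUB_VAR = "${cognito-identity.amazonaws.com:sub}"


def home_dir_policy(bucket, var=SUB_VAR):
    """Per-identity home-directory policy: object access under home/<var>/ and
    a ListBucket limited to that prefix (constructed example)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": f"arn:aws:s3:::{bucket}/home/{var}/*"},
            {"Effect": "Allow",
             "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": f"home/{var}/*"}}},
        ],
    }


def _substitute(text, context):
    """Replace ${key} policy variables with single-valued request context keys."""
    for key, value in context.items():
        text = text.replace("${" + key + "}", value)
    return text


def _wildcard_match(pattern, value):
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, value) is not None


def allowed(policy, action, resource_arn, context):
    """Minimal evaluator: Allow statements only, StringLike conditions only."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        if not _wildcard_match(_substitute(stmt["Resource"], context), resource_arn):
            continue
        conds = stmt.get("Condition", {}).get("StringLike", {})
        if all(key in context and _wildcard_match(_substitute(pat, context), context[key])
               for key, pat in conds.items()):
            return True
    return False
```

An unresolved variable (no `sub` in the request context) is left as literal text, so nothing matches and access is denied, which is the behaviour you want from a scoping variable.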

Assigning IAM Roles to Users via API

I saw that there is a Beta available that allows you to add and remove members from a project inside GCP (https://cloud.google.com/compute/docs/access/user-accounts/api/latest/users/insert). I could not however find a sister API that would allow the permission level of that user in relation to the project to be manipulated.
Is this feature in a different section of the API documentation or is it not yet available?
The API you link to is for adding users to a GCE instance. See this instead: https://developers.google.com/admin-sdk/directory/v1/guides/manage-users
For IAM, see https://cloud.google.com/iam/reference/rest/
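Both the "BigQuery only" answer above and this question come down to editing and checking a project's IAM policy, so here is one added example for both (not code from either thread or from Google): a sample policy in the shape `projects.getIamPolicy` returns, an idempotent `add_member` for the edit step of the read-modify-write cycle, and an `audit` that flags roles outside an allow-list or grants made to individuals instead of the company group. The policy contents, group address and the allowed-role set are constructed assumptions.

```python
import copy

# Constructed sample of a project IAM policy in the shape returned by
# projects.getIamPolicy (version 1, no conditions); not from any real project.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwExampleEtag=",
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/bigquery.user", "members": ["group:company@example.com"]},
        {"role": "roles/editor", "members": ["user:dev@example.com"]},
    ],
}

# Assumed allow-list for a "BigQuery only" project: the BigQuery roles the
# company group carries, plus the one owner the answer above says you still need.
ALLOWED_ROLES = {"roles/owner", "roles/bigquery.user",
                 "roles/bigquery.jobUser", "roles/bigquery.dataViewer"}


def add_member(policy, role, member):
    """Return a copy of the policy with member bound to role (idempotent).

    This is the edit step of the getIamPolicy / setIamPolicy read-modify-write
    cycle; send the unchanged etag back with setIamPolicy so a concurrent
    change is rejected instead of silently overwritten.
    """
    new = copy.deepcopy(policy)
    for binding in new["bindings"]:
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def audit(policy, allowed_roles, company_group):
    """List grants that break the 'BigQuery through one group' model."""
    findings = []
    for binding in policy["bindings"]:
        for member in binding["members"]:
            if binding["role"] not in allowed_roles:
                findings.append(f"{member} holds {binding['role']}, outside the allowed set")
            elif binding["role"] != "roles/owner" and member != company_group:
                findings.append(f"{binding['role']} granted to {member} directly, not via {company_group}")
    return findings
```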

Sitecore - copy Role and users to new environment

We are using Sitecore 8 update 3 with Active Directory integration. I am trying to copy a Role and the respective users tied to it from our Dev environment over to Prod.
example:
role: Sitecore/IHaveAccess
users: ad/dk123, ad/dk234, ad/dk345...
I tried two different methods:
Method 1: Generate package:
By creating a package as described on page 19 of https://sdn.sitecore.net/upload/sitecore6/65/package_designer_admin_guide-a4.pdf
When I installed the package on the new environment, the role was added but none of the users were under the Role.
Method 2: Serialization:
I serialize the item, but when viewing it in Notepad++ it does not contain any users. When I serialize a user who was in the group, I do see the group.
Any thoughts why we have the issue?
Unfortunately, the membership information is stored against the user and not the role (the same for roles within roles). In this instance, the membership information is stored against the AD user. You are storing that a user is a member of role x and not that role x contains member y.
This means that you would need to package up both the role and the corresponding users. I'm not sure how this would work using AD though, since you are essentially trying to sync back user-related data via Sitecore. I would ensure that your AD provider is not set as read-only in the connection string or its setup. Since you only have a one-way sync, there's no way to store that information back in AD and have it persist.
Personally, I would set up my roles differently to allow the management to be easier, but it depends on your exact requirements obviously:
Create a Sitecore role, and assign all your permissions and security against this role (sitecore\IHaveAccess)
Create a matching AD role (ad\IHaveAccess) and add this as a member of your Sitecore role
Add your AD users to your AD Group. They will gain the correct permissions through Role In Role. If you already have AD Groups set up, you simply add existing Groups to the new Group even.
Using this, at most you have to add your AD roles back into your Sitecore roles (this shouldn't be the case if you added the AD roles as a member of the Sitecore role, so the membership is stored in Sitecore). It also has the advantage that your users/roles/membership are centrally located within one system.