Groups in google apps has access levels, under advanced group settings.
Team, Announcement-Only, Restricted and Custom. Does anyone know how i can set these access levels in the java API for groups? I can't seem to find the available methods.
These access levels are deprecated. You need to use the Group Settings API to manage finer grained access settings for the group.
Related
Is there any way to get the settings data from Google Admin Dashboard. I have a list of policies that need to be satisfied with this.
I've already gone through Google's documentation for Workspace Admin SDK and none of the settings are exposed. Seems as though Google doesn't expose their settings API. I know scraping and then verifying is a possibility but are there any other methods that could be followed to get these settings.
Some examples of the policies include:
Ensure login challenges are enforced
Ensure Google session control is configured
Ensure only authorized third-party applications are allowed
All of these policies are configurable through the UI. But I need a way to programmatically find out whether these settings are configured as they should be.
We are working with a service provider where I constantly need to add a new user in GCP IAM and assign the similar roles which I have assigned to 20 other members.
I was wondering if there is a way that I can create a group, assign some roles to this group and keep adding new users to the group so I don't have to focus on the roles etc.
Posting this Community Wiki for better visibility. Proper documentation link for managing groups was already provided by #Ferregina Pelona
You can create a group for users with the same permissions in GCP. Google also recommends using this approach.
In the documentation Best Practice - Delegate responsibility with groups and service accounts you can find exemple usage of Google Groups.
We recommend collecting users with the same responsibilities into groups and assigning IAM roles to the groups rather than to individual users. For example, you can create a "data scientist" group and assign appropriate roles to enable interaction with BigQuery and Cloud Storage. When a new data scientist joins your team, you can simply add them to the group and they will inherit the defined permissions. You can create and manage groups through the Admin Console.
Regarding creation, removing and managing google groups, you should read the Managing groups in the Cloud Console guide.
Can we managing a pool of users in AWS Cognito by creating sub-groups and manipulating the sub-groups as if we were using a relational (groups)database?
Do you have tips for managing organisations with aws?
Thanks
As for tips on managing organisations with aws:
For Cognito (application user behaviour) you might be able to use groups for this feature. Note that groups are primarily designed for role-based access and not specifically for tenant separation. You probably should create separate groups for tenants, so you might be in the R_Engineering (role) and the V_ACME (tenant) group, optionally allowing rules based on the authentication provider for that tenant to assign the group. Some information on groups and fine-grained access control can be found here: https://aws.amazon.com/blogs/aws/new-amazon-cognito-groups-and-fine-grained-role-based-access-control-2/. Also, check out this post: https://medium.com/#dantasfiles/multi-tenant-aws-amplify-cc3252c4def4 mentioning ways to do grouping.
If you are looking to manage AWS resources access for organizations, this can be accomplished with AWS Organizations.
As for manipulating all users in a certain group I can only suggest you look into the API of Cognito (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-reference.html).
We are attempting to use AzureAD as a IDP for Amazon Web Services and provide the ability for our users to role switch into other accounts / levels of access based on their AD Group memberships.
The following is a link which gives us exactly what we are after using ADFS. Cleverly named AD Groups are transformed into AWS Roles that are passed on as claims.
https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-ad-fs/
Specifically, the part that achieves this with ADFS is the Custom Claim Transformations you can do when adding a Role to a Relying Party Trust.
Unfortunately, we have to use AzureAD and cannot use ADFS, at the moment we cannot find a way to use RegEx transformations to get the outcomes we can with ADFS.
Can anyone advise us of an approach or if this is even possible?
Thanks!
I don't think this is possible.
What you can do however, is assign the groups into roles that you define in the apps' manifests.
That way you aren't dependent on magic strings in group names as well.
Note this does require paid licenses as group-based access management isn't available in Free AAD.
On Free, you have to assign user roles to each user individually and a user can only have one role.
With group-based you can assign multiple roles to a user.
More info: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
As I understand it, Screwturn wiki's permission style is inherently negative--if a user is a member of different groups, negative permissions (deny access) take precedence over positive permissions (allow access). If I have a number of groups and I want to restrict access on some pages or a namespace to just one group, is there any way to do that without specifically denying access to all other groups? That would run into issues because users could belong to a number of groups. (I'm trying to use it for a knowledgebase in a corporate environment.)