As I understand it, Screwturn wiki's permission style is inherently negative--if a user is a member of different groups, negative permissions (deny access) take precedence over positive permissions (allow access). If I have a number of groups and I want to restrict access on some pages or a namespace to just one group, is there any way to do that without specifically denying access to all other groups? That would run into issues because users could belong to a number of groups. (I'm trying to use it for a knowledgebase in a corporate environment.)
Related
My organization wants to limit the GCP services any user can use. For example we only want to allow the usage of Big Query.
Is there a way to contract GCP in a way that even the top account (or tenant, organization or whatever) can't instantiate anything besides Big Query?
Thanks
I would recommend maybe trying the following. Basically you want to create a group and apply the proper Big Query roles to the group which will then be inherited by all members of the group. Google allows you to create a "company" group that you can have set to auto-add all current/new users of your organization to.
Take the following steps.
Create a "Company" group by following this article. Make sure to set it up so that current and new users of organization will be added. (if you don't want this then just create a group and add in the users necessary)
In GCP, add the corresponding Big Query roles you want to have applied to all your organization's members to the single group.
As suggested by Jack, you can create a group that grants access only to BigQuery, place all users in that group and grant them no extra permissions.
But you must have at least one project owner account that can do anything in that project.
If you want to secure your organization even further, you can do the following:
Limit the amount of services that can be activated using quotas
Monitor actions performed by users with Audit Logs
Set up alerts that will notify you when certain services are activated
I have one group in AWS as Incident-Security-operation, this group has only read-only permission to all the AWS account. But I want to give full permission or administrator to one account and read-only permission and to the rest of the accounts. Can you please help me to write permission with the condition for the particular account. I tried ArnLike and ArnEqual but didn't work for me. We integrated with AD for SSO
Regard IAM users and group, best practice for this use case is to implement two IAM groups eg Incident-Security-operation and Incident-Security-operation-admin, and give permissions to each as needed. Then you assign users to each group as needed.
This approach fosters much better security posture than conditioning permissions in a single policy.
From an operational standpoint, its much easier, and more transparent, to move users between the appropriate IAM groups, than to manage conditional logic in the policy syntax. Using IAM groups also means user membership in each group is easily auditable.
We are attempting to use AzureAD as a IDP for Amazon Web Services and provide the ability for our users to role switch into other accounts / levels of access based on their AD Group memberships.
The following is a link which gives us exactly what we are after using ADFS. Cleverly named AD Groups are transformed into AWS Roles that are passed on as claims.
https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-ad-fs/
Specifically, the part that achieves this with ADFS is the Custom Claim Transformations you can do when adding a Role to a Relying Party Trust.
Unfortunately, we have to use AzureAD and cannot use ADFS, at the moment we cannot find a way to use RegEx transformations to get the outcomes we can with ADFS.
Can anyone advise us of an approach or if this is even possible?
Thanks!
I don't think this is possible.
What you can do however, is assign the groups into roles that you define in the apps' manifests.
That way you aren't dependent on magic strings in group names as well.
Note this does require paid licenses as group-based access management isn't available in Free AAD.
On Free, you have to assign user roles to each user individually and a user can only have one role.
With group-based you can assign multiple roles to a user.
More info: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
In the course of working with AWS I quite frequently run into a situation where I would need to confirm that a certain user or a group indeed has the access they should or should not have (or debug a policy that doesn't work correctly). For this purpose, I have created a "myusername-assumable" role whose permissions I can modify, and then assume it to test the given access. However, the problem is that many users have a complex collection of policies comprised of multiple group memberships in addition to some direct-attached policies. Since a role apparently can't be a member of a group, I currently have had to painstakingly rebuild a user's permissions, policy by policy, to match the desired user's or group's permissions I need to validate. To test an IAM user's permissions I could create a temporary set of keys, of course, but I would like to avoid that as a user can choose to rotate their keys at any point, and the presence of an extra key set would be confusing to them.
So my question is, is there any way (a script, a CLI command set..) to extract all the policies attached to an IAM user directly or via a group, and then reattach those policies to a role? I will eventually script this, but if someone happens to have an existing solution, that would be great!
Groups in google apps has access levels, under advanced group settings.
Team, Announcement-Only, Restricted and Custom. Does anyone know how i can set these access levels in the java API for groups? I can't seem to find the available methods.
These access levels are deprecated. You need to use the Group Settings API to manage finer grained access settings for the group.