I'm getting an error trying to set DNS zone permissions. I'm following official instruction for a feature released in GA on Dec 5th 2022 "Cloud DNS per resource IAM permissions". I'm trying to resolve issue described in this post. Unfortunately I always get You don't have permission to edit the permissions of the selected resource despite of the fact my account seem to have suitable roles.
What I did was:
assign "DNS Administrator" role to my account in IAM (see: my IAM roles)
create a public managed zone in Cloud DNS
tick the check-box for the zone and click on "Permissions" button at the top
Result is this permissions warning.
Still I believe my account is granted "DNS Administrator" role as suggested in the official instruction.
Is this something related to IAM roles/permissions or Cloud DNS issue?
Edit: do not know how to get it working with DNS roles but when assigned Owner role I was able to edit DNS zone permissions.
Related
I am running Azure DevOps Server 2019 cu7. When I click on the Access Levels link at the Project Collection level, I get a page not found error for ../_admin/_licenses. I then upgraded my development farm to ADO Server 2020, and still have the same issue.
The app pool accounts are both System and I have added the System account to the iis_iusrs group.
Also, i get a page not found error when trying to hit the/_api/licenses/export api to try to get around the page not found error when using a browser.
It seems that you do not have the permission Edit Instance-level information
Steps:
Open Azure DevOps Server Administration Console->click the option Application Tier->click the button Administer Security->select [Team Foundation]\Team Foundation Valid Users and ensure the permission Edit instance-level information is set the allow. Then we could check the Access Levels page.
Result:
The permission is set to Deny
The permission is set to Allow
I'm trying to update the preferred language of a user using the /me endpoint or the /users/{currentUserID} endpoint but this always throws:
403 "Insufficient privileges to complete the operation."
I have checked the permissions according to the documentation page and added the permissions for User.ReadWrite, User.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All. This does not seem to have any effect. Is the documentation incorrect or are there still permissions missing?
The request works fine if I execute it with an azure ad administrator user.
EDIT: 2019-04-18
I did some more testing:
I have created a new demo tenant using https://demos.microsoft.com
I logged in graph explorer with the tenant admin account and gave admin consent for User.ReadWrite (and other default permissions asked by graph explorer).
I logged in with the Demo User.
I set the preferredlanguage to "en-US" using patch on https://graph.microsoft.com/v1.0/me/. This was successful.
I tried to change the language again to "de-DE". This did not work:
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "d1d30483-a3da-4775-af5b-4a3dd9823f11",
"date": "2019-04-18T07:40:27"
}
Therefore it seems to work when setting the language for the first time. But updating it afterwards is impossible.
Neither documentation issue nor Graph permission missing. You need to check the permission in your azure AD but not just the Graph Exploer. My test based on two account(one MS account and one trial account which is test#xx.onmicrosoft). The trial one works well while the MS account cannot.
Within organizations, the privileges of the signed-in user may be
determined by policy or by membership in one or more administrator
roles. For more information about administrator roles, see Assigning
administrator roles in Azure Active Directory.
Based on the test the documentation, not all users can change all profile data, some data have limitation by organization policy which cannot be ignore by the Grape Scopes settings.
For worked case, Directory.AccessAsUser.All is not essential
Just to close this issue:
I did some testing with Microsoft Support. For some reason updating preferredLanguage is only possible when the app has Directory.AccessAsUser.All.
Quite a heavy permission for just updating the user language...
I am writing a .Net Core 2.0 MVC-like app where users log in and then do such operations on an AAD B2C tenant such as add new user, edit user, delete user etc.
Listing and adding users was pretty easy to do, but now when I try to remove certain users, I get a 403 Forbidden error. I'm assuming it's because I missed permissions somewhere, but I don't really know where.
I have enabled literally ALL possible App permissions in my AAD B2C Tenant b2c-extensions-app and most of the ones that sound right (30 app+30 delegated) in apps.dev.microsoft.com. I added the account I log in to test to owner list, too. Any clues on why I keep getting those errors would be much appreciated. What are the things I could have missed?
// I found out that to delete users, Directory.AccessAsUser.All is required. I already have it in delegated permissions but I keep getting the same error.
// Yes, I did add myself as owner to b2c-extensions-app and I also added literally every possible permission to it. Windows Azure Active Directory has 7+9, Microsoft Graph has 37+78.
// Okay it seems that the same error occurs when I try to edit a user's password (or any contents, really), too.
Did you setup your permissions through Azure portal or PowerShell?
Delete permissions for a B2C application must be created using PowerShell.
You can find instructions on this page of Microsoft Docs, under the section 'Configure delete permissions for your application'.
Let me know if it helped!
I'm having troubles trying to add Azure Resource Manager Service Endpoint in TFS 2017. When i enter the required data and click on "Verify Connection" I can see the verified
when I click OK button , I get the following error
Does anyone have any idea how to fix it?
First double check if you have followed below tutorials to create this service Endpoint:
How to Setup an Azure Resource Manager Endpoint
Creating an Azure Resource Manager Service Endpoint
Such as make sure you have gave the service principal access to create resources in your subscription.
Click Browse and select Subscriptions
Select the subscription you are using
Click the Access button
Click Add
Select Contributor as the roll
Search and select the name of the application you just created
Click OK to grant the service principal access to your subscription
For more troubleshooting, please take a look at this link-- How to: Troubleshoot Azure Resource Manager service endpoints
Update from OP
Issue fixed by Upgrade to TFS2017 update1.
I'm running GitLab on local address http://192.168.0.18/. Upsource is running on http://192.168.0.11/.
I've added Upsource application as admin on GitLab. I've set client id and secret token as GitLab said. Authorization is set to http://192.168.0.18/oauth/authorize, token to http://192.168.0.18/oauth/token and user data to http://192.168.0.18/api/v4/user (according to GitLab documentation). In field mappings, I've set User ID to "id" and both e-mails to "email".
Then, on logging page of Upsource, I've oath authentication icon. After clicking on it, GitLab requires logging and user has to authorize application for its account:
Authorization required
Authorize Upsource to use your account?
You are an admin, which means granting access to Upsource will allow them to interact with GitLab as an admin as well. Proceed with caution.
This application will be able to:
Access your API
Read user information
Hovewer, after clicking authorize button, Upsource displays info: Authentication failed. Check your credentials and try again.. What have I set wrong? Field mappings?
Oh, I've found the answer. As happens often, I was fighting with this a good amount of hours and just after I asked this question, I've got idea to run this on my own. Rubber duck method, I guess...
As I suspected, the problem was in field mappings.
I looked in Network tab in Chrome and there was this response:
http://192.168.0.11/hub/auth/login?response_type=token&client_id=[CLIENT_ID]&redirect_uri=[REDIRECT_URI]&message=hub-auth-failed&developer_message=getValueByPath%28json%2C+aut%E2%80%A6userIdPath%29%21%21.textValue%28%29+must+not+be+null
I've manually went through all Gitlab workflow and then I could log in - and after running http://192.168.0.18/api/v4/user endpoint, I've got user data:
{"name":"username","username":"username","id":3,"state":"active","avatar_url":"http://www.gravatar.com/avatar/94232f2d1f8bb2fe940de439a4df1014?s=80&d=identicon","web_url":"http://debian/username","created_at":"2017-03-25T22:28:21.375Z","is_admin":true,"bio":null,"location":null,"skype":"","linkedin":"","twitter":"","website_url":"","organization":null,"last_sign_in_at":"2017-03-25T22:28:21.487Z","confirmed_at":"2017-03-25T22:28:21.376Z","email":"username#username.username","color_scheme_id":1,"projects_limit":100000,"current_sign_in_at":"2017-03-25T22:36:31.853Z","identities":[],"can_create_group":true,"can_create_project":true,"two_factor_enabled":false,"external":false}
The problem was in setting ID field name. As we can see in above JSON data, id field should be mapped to name/username, not id itself.
After this change I could sucessfully login into Upsource.