Azure Custom Role for Operators and Developers - azure-security

We are currently review our user access permission for Azure. We want to review and further refine the existing/built-in roles that came with Azure. For example, the Contributor access may be a bit too much in some instance. Specifically, below are two roles ware are trying to create:
DEVELOPER: Currently our Developers are assigned Contributor by default. The issue here is that this gives them the ability the create/delete resources as will. Resources are typically pre-created by the Cloud Team. We want to limit that. Ideally, we want to give them the ability to configure resources and start/stop rescues.
OPERATOR: This is for our IT folks who need to review resources and start and restart resources. Similar to the Developer roles above, they don't need to create/delete resources.
Any suggestions or roles examples that can help achieve the above?
Thanks

You can use Azure Custom Roles. Take a look at the Azure Portal Tutorial and the Azure resource provider operations.

Related

Keycloak, sharing resources between clients

We're developing an application with microservice-based architecture where users can be members of organizations, and within each organization, they may have resource-based access restrictions. An example can be a recruiter who's a member of several organizations on the platform; in organization A they may see the list of all job postings and interviewers while in organization B they can only see job-posting that they are directly allowed to see.
Structure wise this becomes something like this:
All this seems easy to do with Keycloak, we create confidential clients(one for each microservice) and enable resource management on them. However, there are quite some cases when different microservices (i.e., Keycloak clients) need to validate user's access scopes to the same resource. An example would be a setup where we have 2 microservices one for posting & managing job announcements the other for managing applications and interviews, so job-manager and application-manager. Now, when a new application is submitted, or an interviewer tries to access an application application-manager has to make sure that the user has access to the job posting(resource) configured in the job-manager Keycloak client. Which, I think, is not something Keycloak supports.
Scale wise, we're speaking about X00k users, 4-5 times that organization users connections, and tens of millions of resources. So to minimize the number of objects we're creating in Keycloak, we've decided to make use of attributes on resources in which we store JSON structures.
So, how one microservice, can verify a user's access to a resource manager by another microservice?
Try to enable fine-grained authorization:
https://www.keycloak.org/docs/latest/authorization_services/#_resource_server_enable_authorization
This allows for resource based authorization. The resource does not have to necessarily be each resource you have, but an abstraction like an org_manager etc...
Alternatively you can take the json you already have and ask an OPA agent with a policy you defined.
https://www.openpolicyagent.org/

Multiple projects with the same Authentication system in (Asp.Net MVC / Web-Api)

I have several projects such as After Sales Service and Product Label Generator that their users are the same, I mean users can register and according to admin's decision can have some roles or claims.
Depending on roles or claims, each user has access to a specific application.
In my opinion I should create a web-api app in order to just serve authentication and authorization services.
It should be noted that we may go further and have some other apps such as android version. also each project has its own database.
What's the problem? I have no idea how I can implement this! any suggestion or article can help.
Thank you
Hooman, I would suggest you to use IdentityServer for authentication, it's Open Source OpenID Connect and OAuth 2.0 framework for .NET. We are also in process of using it,nature of yours and ours products looks same to me. Keeping a single database for users and their rights and also managing access/rights for specific applications. As it's also token based, so if u extend your products to Mobile later on, it would prove to be a better approach as well.
link: https://identityserver.io/
documentation looks self sufficient to me.

How to give access Service Desk Customers to JIRA project?

I have two projects in JIRA: software project and service desk project.
My goal it to enable my service desk customers to access the software project but in a limited way. E.g.:
clients could create stories,
comment on them,
assign priorities
and assist with assigning them to iterations / releases.
But they would not be able to perform and see some actions e.g.:
see the logged time
and ideally to keep some of the ticket / story fields and comments as internal use only so I can have technical discussions with my team without the client seeing them etc.
I can see in documentation that "Service Desk Customers can't log in to JIRA applications":
https://confluence.atlassian.com/servicedeskcloud/setting-up-service-desk-users-732528877.html
But is there any workaround to give Service Desk Customers access to JIRA applications? Is there any simpler method than making a REST API bind? If yes, then how it could be achieved?
The documentation is not clear. Add their accounts to the jira-users group and they will be able to log into JIRA as regular users. The point is that member of jira-users consumes a JIRA user license, while "pure" customer account does not.
As regular regular users they will have permissions just as you configure your project Permission Scheme, so everything is in your hands. Using roles you can restrict issue comments to those roles. There's also nice Comment Security Default plugin to use with that.

Decoupled Web APIs on Azure (Architecture Advise)

I'm working for a non-profit that is trying to create a collection of services that will allow them to do a few things:
Create/Manage Users
Create/Manger Competitions
Create/Manager Events(a Competition is made up of many Events)
Logistics
Etc.
Here are some of the requirements:
Host on Azure
Accounts are created using the user's own email address (can be any domain)
Each service must be independent of each other
System should be accessible from anywhere(browser, mobile app, etc.)
Once a user logs in, access to other systems should be available(if needed or depending on permissions)
-services can talk to each other(we've successfully done a POC on this using Azure Active Directory)
I've spent some time researching the possible ways to tackle this, including looking at articles like this:
http://bitoftech.net/2014/10/27/json-web-token-asp-net-web-api-2-jwt-owin-authorization-server/
It sounds like JWT is the way to go, but I want to make sure that this architecture approach lends itself to flexibility down the road. I'm willing to learn/user any technology as long as it plays along .Net, Web Api, and MVC.
My initial idea was to set each "system" as a Web API, which is pretty straightforward. My concern is authentication/authorization. The million dollar question then becomes:
How can I authenticate a user on a browser/mobile/desktop app and then make use of the other services(APIs), where each service can verify if the user is authenticated independent of other services.
For example, lets say I am using the web app(browser) and register as a user(using User service) in order to register for a competition(Competition service). what kind of technologies/architecture would need to be used for both services to use the same authentication mechanism?
I am not new to MVC or Web API but I am to a scenario like this, so all help or advice is greatly appreciate it. For any that are interested, this is the non-profit: http://worldjumprope.org/
They are doing some cool stuff in terms of outreach and spreading the love for jump rope. Their goal is to be able to help people all around the world and provide a way to for them to come together and compete. They've been doing it for years, growing each year, all for free and out of pure passion for the sport. Help me help them!
Azure Active Directory can help you with your need.
About the security/Auth mechanism, simply put, it is like you get a token from Azure Active Directory to be able to use it to do authentication for a certain Audiences/Tenants.
And in your architecture, when you acquire a Token, you can specify if you are going to use it against a certain audience or it will work for a list of audiences or all audiences in a specific tenant or in a multi tenant scenario.
Here is a link to a video about AAD Single Sign on:
https://azure.microsoft.com/en-us/documentation/videos/overview-of-single-sign-on/
You can download the AAD Solutions arcutecture from here:
http://www.microsoft.com/en-us/download/details.aspx?id=45909
Also maybe worth looking at Identity Server - https://github.com/IdentityServer/IdentityServer3.
Same concept as Azure AD in terms of tokens, but perhaps with greater options for what you choose as a data store for your user information.
There are lots of demos and source code on the site, particularly around the different types of authentication flow \ service to service authentication

How can I get roles from AD with MVC Azure AD Authentication?

I setup and MVC 4 application and added authentication against our Azure AD server as outlined here: http://msdn.microsoft.com/en-us/library/windowsazure/dn151790.aspx
Authentication works as expected. However, I'm not getting any roles back by default. There should be several AD groups created and I would like to use them to role restrict the application via the [Authorize] attribute in MVC.
I can't really find a good place to even start figuring this out. Can anyone give me an outline or point me to a good tutorial?
I should mention that I'm not the administrator for our Azure account, so I need to be able to tell our admin what to do if any setup is required on that side.
First, tokens returned by Azure AD do not currently contain claims for roles or groups, so you need to get them from the Graph API. Second, roles in Azure AD that are returned by the Graph API are not necessarily intended for use in an ISV/LoB app, and in general you should use security groups for authorization instead. To perform authorization, you should use the checkMemberGroups or getMemberGroups operations in the Graph API, which are transitive and valid for this purpose.
If you check out the following resources in order, I think your questions will be answered. You'll learn how to authenticate to the Graph, call it, and configure your application to use the result of the group operations to perform authorization:
Using the Graph API to Query Windows Azure AD -- This is the second walkthrough to complete now that you've done the web SSO one.
Authorization with Windows Azure Active Directory
MVC Sample App for Azure AD Graph
Blog post describing checkMemberGroups and getMemberGroups
How do I get role and group membership claims for users signing in via Windows Azure AD? -- This one is out of date in regards to the methodology for authentication and the UI for managing users/groups, but it's still useful. Pay special attention to the section on the custom ClaimsAuthenticationManager, which gives you an idea of how to inject role/group data into the ClaimsPrincipal object early so that it can be used in the [Authorize] attribute or other authorization logic.
Sean answer is a bit outdated. You can now configure Azure AD so it will include groups or roles inside JWT token so it will be included into ClaimsPrincipal.Current.Claims so standard [Authorize(Roles = "yourRoleName")] attribute will work.
Here is introduction post. Which basically says you have two options:
Use groups claim - you need to change groupMembershipClaims value in app manifest and later in application you can check for ClaimsPrincipal.Current.FindFirst("groups").Value to see in what group user is (you only get group id). You can write you own Authorize attribute that use this. more info
Define roles for you application and then use normal code for testing if user is in role:
[PrincipalPermission(SecurityAction.Demand, Role = “yourRoleName”)]
[Authorize(Roles = “yourRoleName”)]
if (ClaimsPrincipal.Current.IsInRole(“yourRoleName”)) { //do something }
You need to edit roles in you app's manifest.
More info here and here. Values needed to be set in manifest are described here
What is really strange is that you can't assign more than one role to group from Azure web page. You need to use azure graph api for this.
If you can't see Users and Groups tab in Azure portal you probably need Azure AD Basic or Premium edition. If you are working on free azure subscription you can use free Azure AD Premium trial to test stuff.

Resources