A Resource Group (RG) can have individual resources under it that could belong to any of the Azure regions. So then, is there any logical meaning for 'region' for Resource Group? Does it really dictate anything? Or maybe it's just more like satisfying a unified model of Azure that pretty much everything should belong to some region, even if in minority of the cases it may make no logical sense?
A resource group is like a container that holds related resources for an Azure solution and you manage them as a group. A resource group can contain resources that are located in different regions.
"Why does a resource group need a location?" The document gives a detailed explanation.
"If the resources can have different locations
than the resource group, why does the resource group location matter
at all?" The resource group stores metadata about the resources.
Therefore, when you specify a location for the resource group, you're
specifying where that metadata is stored. For compliance reasons, you
may need to ensure that your data is stored in a particular region.
If the resource group's region is temporarily unavailable, you can't
update resources in the resource group because the metadata is
unavailable. The resources in other regions will still function as
expected, but you can't update them. To minimize risk, locate your
resource group and resources in the same region.
Related
I would like to place a delete lock on an Azure resource group so that the resource group itself can't be deleted -- but there should not be restriction on deletion of any resources residing in the group. The problem is that if I place such a delete lock on the resource group , all the resources within that resource group inherit the lock and then they can't be deleted. Is there a workaround ?
So I had this exact problem, I had users using resource groups and did not want them to be able to delete the actual resource group but still be able to delete the resources inside,
I fixed this by using custom roles, I created a custom role and cloned the contributor role and added a deny assignment to the role
Microsoft.Resources/subscriptions/resourceGroups/delete
I found the reference in additional resource provider operations. This will allow the user to still attempt to delete the group, however they will get an error if they try to. You can also find much more role based access control resources there as well. I hope this helped!
When it comes down to good RESTfull setup, what is the best practice for providing results that pertain to the owner as the requestor and results that pertain to a user wanting data owned by another user.
I have read that a resource should have max 2 base URLs so how to handle say,
Get all items for authenticated user
Get a single item for Authenticated user
Get all items for a particular user
Get a single item for a particular user
Although your question is a bit unclear, it seems to me you might mix up "Resources" as in HTTP resources, and Model objects or database rows.
The two do not necessarily have a 1-to-1 relationship, or even 1-to-2 relationship as you seem to imply. You can expose a database row in multiple "forms" as resources, there is no limitation how many times you can aggregate, transform or publish the same information, as long as those are all semantically different things.
So, back to your problem. You can publish resources pertaining to the authenticated user, and just users independently which might also contain the current user. With an URI structure for example like this:
/currentuser
/user/1
/user/2 <- might be the same as /currentuser
/user/3
...
There also could be a list of users recently logged in:
/recentuser/444
/recentuser/445 <- might be again /currentuser
...
That would be a third reference on the same user, but it is ok, because all of those have a different meaning, might even have different representations to offer (one might offer more information than others).
If a user has access to multiple security groups, does TFS take the highest level group, or the lowest level group for access rights?
For example, if user John, belongs to the Read Group (can only read the source control but not edit) and then is added to the Developer Group (can read and edit source control) which group does TFS recognize?
Since he belongs to both groups can he still only Read since that is the lowest level or can he now edit since he is also part of the Developer Group and that is the highest level?
Permissions
It combines the permissions from all the users groups.
If the user is denied access to anything they still can't access it even if they are given access to it elsewhere.
If the user is given access to something in any group they will have access to it (unless of course something else denies them).
If there's no explicit allow or deny in any of the users groups, they will be denied access.
Access Levels
Access levels are done separately from group permissions - access can be set to limited, standard or full in the tfs 2012 admin area.
For TFS 2010 the only group that acted a bit weirdly was the work item only group, which afaik acted as a explicit deny on everything but editing your own work items. This functionality is replaced with access levels in tfs 2012.
I want to make a TFS 2010 project read-only so users can view the info in work items but not add any details or new work items. I think I need to change the security permission on the project but it's not clear which permission I would change from the Contributors list.
In my opinion the right way is to alter the group memberships.
Remove all users from the constributors and higher groups and move them to the Readers group.
Two choices.
Choice 1: If this is a common pattern where the prevailing default is that folks are restricted, but some people have access (i.e. devs cannot change things but Tech Leads can), modify contributors and create a secondary group (for example, 'Tech Leads') that has the additional read rights. In this scenario, the Contributors group would contain tech leads, but only specific individuals with the extra rights would be in the Tech Leads group.
Choice 2: If the prevailing default is normal contributor access, but specific individuals (i.e. external contractors) need to be denied access, and you need to be 100% sure this goes through, regardless of any other group membership, then leave Contributors as is, and add a new group called (in this example) 'Contractors' and DENY specific access as needed.
Like before, everyone is a contrib, but contractors have some absolute limitations imposed on them, and the 'DENY' in the Contractors group overrides the 'Allow' from contrib. A use case for this would be cases where specific code has to be hidden from external vendors or some other sub-group and needs to be 100% rock solid - just be careful with denies as they will trump any number of allows you inherit from other groups.
Hope that helps!
Addendum: For restricting or changing rights on workitems, you need to do two things. First, set up appropriate group mempership (noted above), then in the project, under Team Project Settings -> Areas and Iterations, click the Security button to set this up on a node by node basis (or at the root if you want to do these restrictions project wide).
I'm trying to figure out what the best way to show a list of members (users) that aren't a collection (group).
/users
is my route for listing all of the users in the account
/group/:id/members
is my route for listing all of the users in the group
/users?not_in_group=:id
is my current option for showing a list of users NOT in the group. Is there a more RESTFul way of displaying this?
/group/:id/non_members
seems sort of odd…
Either query parameters or paths can be used to get at the representation you want. But I'd follow Pete's advice and make sure your API is hypertext-driven. Not doing so introduces coupling between client and server that REST was intended to prevent.
The best answer to your question might depend on your application. For example, if your system is small enough, it may suffice to only support a representation consisting of a list of users and their respective groups (the resource found at /users). Then let the client sort out what they want to do with the information. If your system has lots of groups and lots of users, each of which belongs to only a couple of groups, your available_users representation for any group is likely to be only slightly smaller than the entire list of users anyway.
Creative design of media types can go a long way to solving problems like this.
Spoke with my partner. He suggested:
/group/:id/available_members
Seems much more positive.
The main precept of REST is "hypertext as the engine of application state". The form of the URI is irrelevant, what matters is that it is navigable from the representation returned at the application's entry point.