I'm new using Snowflake and I wanted to know if it was possible to create custom roles / users for only viewing and using snowflake dashboards, so no access to the databases, tables and other features.
Some context, I'm building a dashboard showing some logs, stats and metrics regarding running applications I have a role allowing to use all features of snowflake and want to create roles / users to only access the dashboard and it's features.
So I wanted to know if there is already some predefinid roles or privileges for that otherwise the best practices for it.
Thanks
I had an answer on the snowflake community : https://community.snowflake.com/s/question/0D5Do00000CF3gJKAT/create-custom-roles-privileges-for-the-use-of-dashboards
So I created a role in Snowflake:
DashboardAdmin (granted select on the concerned objects)
DashboardAdmin is used to create and share (using the sharing dashboard feature "view only") to other users with the role and can view the dashboard without being able to edit it and the requests.
And only the owner of the dashboard can edit it
Related
I’ve been asked by a customer to find a way to collect all permissions for all app registrations in the customer’s AzureAD tenant. The customer has 1500+ App Registrations, so checking each manually isn’t an option. Most of these are redundant but the customer wants to review all of them to look for Graph API permissions that they’ve deemed sensitive. The problem is, there isn’t a way to export this info in the portal and Get-AzADApplication doesn’t give me actual permissions, just friendly descriptions of them. The customer would like the ACTUAL Graph API, such as Mail.Read.
I’ve attempted to script this with the assistance of a few more senior PFEs, but we’ve been unable to make any progress passing various properties between Get-AzAdApplication, Get-AzADServicePrincipal and Get-AzureADOAuth2PermissionGrant. We reached the point where we were able to get the Graph API permissions from the Service Principals, but the resultant permissions were in an unusable format.
If anyone has any suggestions on how to get this information into a concise format with (preferably) the Graph API permissions as mentioned above, I’d greatly appreciate it. I’d rather not go back to the customer and say it isn’t possible, as this is a new customer and I’d rather not say ‘No’ to my first task. 😊
Use Microsoft Cloud App Security for that purpose. This is tool designed, beside other features, especially for that purpose.
You open https://security.microsoft.com/ as a Global or Security Administrator, then you have quick overview on central place:
This will bring you to the MCAS portal, where you have solicit view on all applications with a rating, according to Microsoft standards for "Highly priviledged" access:
A direct view to applications, which users are using these applications, what permissions are granted. It even has filtering capabilities allowing you filter apps based on access level sevirity or even some Graph permissions - like Access e-mail on behalf of the user.
Your customer should really be using the Microsoft Security Center and monitor their security score: https://learn.microsoft.com/en-us/microsoft-365/security/mtp/overview-security-center
Then looking at MCAS: https://www.microsoft.com/en-us/microsoft-365/enterprise-mobility-security/cloud-app-security
You can use this script to list all delegated permissions and application permissions in Azure AD.
The key of the script is Get-AzureADServicePrincipalOAuth2PermissionGrant -ObjectId.
Based on my test, the permissions in the result is in this format: email offline_access openid profile User.Read.
I think it's what you need.
I'm building a React application, which will end up very big. E-commerce, different users, different permissions, advertisements, lots of sensitive data flowing around, etc.
I plan on using the context Provider to help with my state management. One such facet I'm looking into is User Permissions in general. Examples being, Admin Users has the ability to alter the permissions of a regular user, Admin Users have access to an Admin Dashboard, Admin Users have the ability to refund sales and create products, etc.
Is there a best way to use Context Provider to set up these permissions? What worries me is that through most set-ups, most users with React Dev Tools will be able to open them and alter the state within to achieve whichever permissions they like. Is this unavoidable?
I have and AngularJS application that talks to WebAPI. Both login using Identity Server 3. I have an Admin role, but I want to expand on this so I can hide certain admin functionality in the front end from some admin users. So I need to check user permissions for admin users. What's the best way to do this? Do I just create a table in my database and assign permssions to users there? Or is there something in identity server I should do to assign permissions.
It's my understanding that application permissions would be tracked in your application specific database. In that database, you could track permissions by role (rather than user). Then, you could use the role claim(s) that come back in the token to look up the proper permissions. However, that's just one method...
This is a really great post on the subject written by Dominick Baier, one of the authors of Identity Server: Identity vs. Permissions
I am designing a website on GAE with Firebase tools which will grant access to files and database information.
Through working the Authentication Quick Start, it is clear how to authenticate users and in the Quick Start for Database to use that information to grant access to file storage and database fields.
In addition to that, I want to be able to grant file and database access to GROUPS of users.
I found a nice article by Kapil Sachdeva which solves the problem by storing group data in the firebase database and enforcing access with database rules,
but to be thorough....
Is there an API already built to handle this, or must I roll my own group manager?
The Firebase security rules have no built-in knowledge of groups or roles. The article you linked shows one way to build that. We're currently finalizing a blog post that describes it too. But what these have in common is that they use the Firebase security rules to implement their own security model.
I have a SalesForce.com account that I use for demos. In many cases, I need the users (anyone on the web) to be able to browse the tables without making any changes.
Is there a way to make the tables public or create a guest account?
You can add a new user and create a special permission set to only allow read access. Dev orgs come with two users, but you can deactivate/re-activate users to get around the limit. Or ask SFDC support to add a few more users to your dev org.
There are several places User log-in time and date are logged so you can track them.