Update audit records using client credentials grant type - identityserver4

I'm trying to set up Identity Server in a multi-tenancy environment but I'm struggling to get the ClientCredentials Grant Type and how I can audit record changes.
If I use the code flow grant type I obviously have a user & roles. I can then create an authorization policy based on the roles and the user. i.e. must be an authenticated user and have role "x".
As I have user data (and tenant data), I can then update my records with which user updated the record. e.g. Customer Bob was updated by user 999.
But how is this possible with an m2m account which I understand should use client credentials?
So Customer Bob is updated by the m2m account but who/what do I say updated the record? I understand that an m2m account doesn't have a user but something has still updated the customer record. I hope that makes sense.
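One way to answer "who updated the record" for both kinds of caller, as an added example that is not part of the question or of any answer in the thread: the access token IdentityServer4 issues for the client credentials grant carries no `sub` claim, but it does carry a `client_id` claim, so the API can record the caller as "client X" instead of "user N". The T-SQL below (SQL Server 2016 or later, because it uses SESSION_CONTEXT) has the API pass whichever identity it has into the connection, and a trigger stamps the audit row from it and refuses an update that arrives without one. The table names, the `actor_type`/`actor_id` keys, user id 999 and the client id `reporting-service` are assumptions for illustration.

```sql
-- Added example (not from the original thread). Schema names are placeholders.
CREATE TABLE dbo.Customer (
    CustomerId int IDENTITY PRIMARY KEY,
    TenantId   int           NOT NULL,
    Name       nvarchar(200) NOT NULL
);

CREATE TABLE dbo.CustomerAudit (
    AuditId    bigint IDENTITY PRIMARY KEY,
    CustomerId int           NOT NULL,
    ActorType  varchar(10)   NOT NULL,  -- 'user' (from the sub claim) or 'client' (from client_id)
    ActorId    nvarchar(200) NOT NULL,  -- the sub value or the client_id value
    ChangedAt  datetime2     NOT NULL DEFAULT SYSUTCDATETIME(),
    CONSTRAINT CK_CustomerAudit_ActorType CHECK (ActorType IN ('user', 'client'))
);
INSERT dbo.Customer (TenantId, Name) VALUES (1, N'Bob');
GO

-- The trigger reads the actor the API placed in the session and refuses the update when
-- it is missing, so an audit row can never be written with an unknown actor.
CREATE TRIGGER dbo.trg_Customer_Audit ON dbo.Customer
AFTER UPDATE AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @actorType varchar(10)   = CONVERT(varchar(10),   SESSION_CONTEXT(N'actor_type'));
    DECLARE @actorId   nvarchar(200) = CONVERT(nvarchar(200), SESSION_CONTEXT(N'actor_id'));
    IF @actorType IS NULL OR @actorId IS NULL
        THROW 50001, N'actor_type/actor_id not set in SESSION_CONTEXT; refusing unattributed update', 1;
    INSERT dbo.CustomerAudit (CustomerId, ActorType, ActorId)
    SELECT i.CustomerId, @actorType, @actorId
    FROM inserted AS i;
END;
GO

-- Interactive caller (authorization code flow): the API copies the token's sub claim.
EXEC sp_set_session_context @key = N'actor_type', @value = 'user';
EXEC sp_set_session_context @key = N'actor_id',   @value = N'999';
UPDATE dbo.Customer SET Name = N'Bob' WHERE CustomerId = 1;

-- Machine caller (client credentials): there is no sub, so the API copies client_id instead.
EXEC sp_set_session_context @key = N'actor_type', @value = 'client';
EXEC sp_set_session_context @key = N'actor_id',   @value = N'reporting-service';
UPDATE dbo.Customer SET Name = N'Bob' WHERE CustomerId = 1;

SELECT CustomerId, ActorType, ActorId, ChangedAt FROM dbo.CustomerAudit;
```

After the two updates the audit table holds one row attributed to user 999 and one to client reporting-service. In a multi-tenant setup the tenant can be passed the same way (or taken from a tenant claim) and added as a third audit column; the trigger's refusal is what stops a code path that forgot to set the context from silently producing anonymous changes.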

Related

Manage user role and permission at database level

I have an application that manages user roles and permissions at the application level, not the database level.
Different tables, for explanation:
User table (contains user details).
UserRoles table (defines user roles).
UserRole_Permission table (defines the permissions for each user role).
User_userrole table (contains the role of each user; each user can only have one role).
Branch table (contains branch details).
Contract table (contains contract details).
I am currently using Entity Framework, so in order to perform any action, say for example branch delete (branch_del), I check whether the role this user is associated with has permission to perform that action or not; as in the table below, Raj has permission but Jay does not. This whole process is performed at the application level (back-end) for now.
My question is how I can replicate the same at the database level, in order to support the back-end, so that a user is only able to perform actions for which they have permission and otherwise gets an error.

How do identityserver permissions work?

Scenario 1: Assume I have an Angular client with the implicit grant type. I am also using ASP.NET Identity to log in with database users. I log in as user Bob. I access my list of cars. For each car I have an option to edit my car. Each row has an edit button and the id of the car.
Example of the GET URL in each row: http://localhost:5000/cars/id/1
Let's say I randomly enter some id of a car:
http://localhost:5000/cars/id/345, which is another user's car.
How does Identity Server protect other users' data in this situation?
Scenario 2: Let's have IdentityManager set up with Identity Server OpenID authentication. Which username and password are we authenticating with to gain access to IdentityManager to manage users? If it is a user from the ASP.NET Identity database, then every user in there can access IdentityManager...?
They don't.
It's not the responsibility of Identity Server.
Identity Server's main responsibility is to take care of authentication.
Scenario 1
Authorization is not part of Identity Server, except for the basic client/scope-based authorization defined in OAuth. Identity Server just handles the authentication part. Have a look here for implementing authorization in an ASP.NET Core app: https://learn.microsoft.com/en-us/aspnet/core/security/authorization/resourcebased
Basically, Identity Server gives you the user's identity. So you can validate whether that user has access to the given resource.
Scenario 2
You can define users with a certain role claim (e.g. Role:IdentityManagerAdministrator) in your user store, and validate whether the logged-in user has that role in IdentityManager. See
Secure IdentityManager with IdentityServer3

SQL Server admin: 1 user belong to 2 user group permission conflict

I have a question regarding one user belonging to two different user groups in SQL Server; I am trying to manage object permissions on the server.
In our database there is one view with sensitive permissions that only certain people can see, and most of our users are managed in groups,
such as: Sales Group, Manager Group.
Ideally, we want to grant permission only to the Manager Group and deny permission to all the other users.
Let's say manager John is in the Manager Group, but he is also in the Sales Group since he is the manager of the Sales department.
My understanding is, if one user is in two different user groups and you deny permission to either group, then even if the user has been granted permission in the other, he still cannot see the object.
How can I overcome this situation?
Thanks!
Replying to my own question: we found the solution.
Under Database Security, we can create database roles; in a database role we can assign single-table permissions to different roles, then assign the database roles to the user groups. In this case, for example:
There are 3 tables in the database.
Table A is the one with credential information; only managers can see it.
Tables B and C are just regular tables.
Create a database role 'Normal Access' and grant it permission on tables B and C.
Then create another database role 'Credential Access' and grant it permission on table A.
In your server-level security, all the user groups should belong only to 'public' at the server roles level,
and in User Mapping, select the database and choose only the database role you assigned.
In my case, assign the database roles 'Normal Access' and 'Credential Access' to the Manager Group, so it will have access to all of tables A, B and C.
The Sales Group should only have 'Normal Access', so it cannot access table A.
thanks
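The earlier question about moving an application's role/permission check (branch_del allowed for Raj but not for Jay) into the database and this thread's DENY problem come down to the same SQL Server mechanics, so one added example covers both. It is not code from either thread: database roles stand in for the AD groups and users created WITHOUT LOGIN stand in for the people, so the whole script runs inside one scratch database without touching server-level security; table, role and user names are placeholders. It builds the role layout the accepted answer describes, checks each person's effective permissions by impersonation, and then reproduces the DENY that locked John out.

```sql
-- Added example (not from either thread). Roles = "AD groups", users WITHOUT LOGIN = people.
CREATE TABLE dbo.Branch (BranchId int PRIMARY KEY, Name nvarchar(100) NOT NULL);
CREATE TABLE dbo.TableA (Id int PRIMARY KEY, Secret nvarchar(100) NOT NULL);  -- sensitive
CREATE TABLE dbo.TableB (Id int PRIMARY KEY, Data nvarchar(100) NOT NULL);    -- ordinary
GO

-- "Groups" and the people in them.
CREATE ROLE SalesGroup;
CREATE ROLE ManagerGroup;
CREATE USER Raj  WITHOUT LOGIN;   -- manager only
CREATE USER Jay  WITHOUT LOGIN;   -- sales only
CREATE USER John WITHOUT LOGIN;   -- manager who is also in the sales group
ALTER ROLE ManagerGroup ADD MEMBER Raj;
ALTER ROLE SalesGroup   ADD MEMBER Jay;
ALTER ROLE ManagerGroup ADD MEMBER John;
ALTER ROLE SalesGroup   ADD MEMBER John;
GO

-- Permission roles: one per application permission, and only ever GRANTed, never DENYed.
-- BranchAdmin is the database-level equivalent of the application's branch_del permission.
CREATE ROLE NormalAccess;
CREATE ROLE CredentialAccess;
CREATE ROLE BranchAdmin;
GRANT SELECT ON dbo.TableB TO NormalAccess;
GRANT SELECT ON dbo.TableA TO CredentialAccess;
GRANT DELETE ON dbo.Branch TO BranchAdmin;

-- Groups are members of permission roles; people are only ever members of groups.
ALTER ROLE NormalAccess     ADD MEMBER SalesGroup;
ALTER ROLE NormalAccess     ADD MEMBER ManagerGroup;
ALTER ROLE CredentialAccess ADD MEMBER ManagerGroup;
ALTER ROLE BranchAdmin      ADD MEMBER ManagerGroup;
GO

-- Effective permissions, checked by impersonating each person (1 = allowed, 0 = not).
-- Nothing is denied: Jay is kept out of TableA and Branch simply by having no GRANT.
EXECUTE AS USER = 'Raj';
SELECT USER_NAME() AS Who,
       HAS_PERMS_BY_NAME('dbo.TableA', 'OBJECT', 'SELECT') AS ReadSensitive,
       HAS_PERMS_BY_NAME('dbo.Branch', 'OBJECT', 'DELETE') AS BranchDel;
REVERT;
EXECUTE AS USER = 'Jay';
SELECT USER_NAME() AS Who,
       HAS_PERMS_BY_NAME('dbo.TableA', 'OBJECT', 'SELECT') AS ReadSensitive,
       HAS_PERMS_BY_NAME('dbo.Branch', 'OBJECT', 'DELETE') AS BranchDel;
REVERT;
EXECUTE AS USER = 'John';
SELECT USER_NAME() AS Who,
       HAS_PERMS_BY_NAME('dbo.TableA', 'OBJECT', 'SELECT') AS ReadSensitive,
       HAS_PERMS_BY_NAME('dbo.Branch', 'OBJECT', 'DELETE') AS BranchDel;
REVERT;

-- What the question tried: an explicit DENY to the other group. A DENY reachable through
-- any membership path beats a GRANT reachable through another, so John loses TableA too.
DENY SELECT ON dbo.TableA TO SalesGroup;
EXECUTE AS USER = 'John';
SELECT USER_NAME() AS Who,
       HAS_PERMS_BY_NAME('dbo.TableA', 'OBJECT', 'SELECT') AS ReadSensitive;
REVERT;

-- REVOKE removes a DENY as well as a GRANT; John is back to what ManagerGroup gives him.
REVOKE SELECT ON dbo.TableA FROM SalesGroup;
```

With the grants as laid out, Raj and John report 1 for both checks and Jay reports 0 for both; an actual DELETE against dbo.Branch by Jay fails with a permission-denied error, which is the database-level enforcement the earlier question asked for. Once the DENY is in place John's ReadSensitive check drops to 0 even though ManagerGroup still holds the grant. Two things to verify on a real server before relying on this: that the Windows group logins hold no server role beyond public and no direct grants, and that nothing has granted the permission to public, since either would give Jay a path the roles do not show.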

User management in MSSQL

I'm trying to set up security for my application for users. I am not sure about my logic. Is the following possible:
I want to create one login for 'all users' in Active Directory. Then I want an admin (in the program itself) to choose which user is in which server role (e.g. marketing, sales, ...). Then I want to give those roles permissions on the tables in the database.
Some questions about this:
Is this safe? Does the admin of the program have to be db owner?
Is it possible to list the users by name, instead of the login 'All users'? The admin has to be able to place a user in a role after it is created in AD.
I use the function SUSER_NAME(); will this return the current user or the group name 'All Users'?
If this isn't the right way to make security, please send me in the right direction.
Thanx!
Part of the best solution already lies in your desire to use the Active Directory to authenticate your users. Let it authorise your users as well. Marketing isn't just a database role that specifies access to your tables. It's a department of your company with file shares, mailing lists as well as a role to play in your application. Get your domain admin to make an AD group called Marketing and let them add and remove people as appropriate. Likewise for the Sales department and other departments who touch your database.
When that is done, add the MYDOMAIN\Marketing group as a login on your server and as a user in your database. It will behave more or less like the roles you've described so you can still go ahead and create the roles, add that domain group to the role and grant to the role or grant to that user directly since it identifies a group of people. This also gives you the chance to reconsider your role definitions. Are they really about Marketing people and Sales people or are they CustomerEditor, CustomerViewer, ProfitAndLossViewer roles?
User and group management is a standard function of AD administration; let them do what they do best. It probably doesn't need to feature too strongly in your solution unless you get very poor service from the domain admins, in which case, why use your AD to manage your users?
This very small change will probably free up a lot of your dev time and release you from reinventing a user management facility that already exists and is easy to use.
Good luck!
Here's what I would do:
Create two roles in the database, one for users, one for admins. Then create two security groups in AD, SQL.App.Admin and SQL.App.Users (replace App with whatever your app name is). I would then assign those groups to the roles in the database. After that you can drop users and/or security groups into those two groups.
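The group-to-role wiring both answers recommend, written out as an added T-SQL example (not code from the thread), together with the answer to the SUSER_NAME() question: when a person connects through a Windows group login, SUSER_NAME(), SUSER_SNAME() and ORIGINAL_LOGIN() still return that person's own domain account, while USER_NAME() returns the group's database user, because no individual database user exists. MYDOMAIN, the two group names and the database name AppDb are placeholders, and the script needs a real domain to run.

```sql
-- Added example (not from the thread). Server level: one login per AD group, no server
-- roles beyond public. MYDOMAIN and the group names are placeholders.
USE master;
CREATE LOGIN [MYDOMAIN\SQL.App.Users] FROM WINDOWS;
CREATE LOGIN [MYDOMAIN\SQL.App.Admin] FROM WINDOWS;
GO

-- Database level: map each group login to a database user, and each user to a role
-- that carries the application's permissions. Nobody needs db_owner for this:
-- membership is managed in AD, and the roles carry only the grants listed here.
USE AppDb;
CREATE USER [MYDOMAIN\SQL.App.Users] FOR LOGIN [MYDOMAIN\SQL.App.Users];
CREATE USER [MYDOMAIN\SQL.App.Admin] FOR LOGIN [MYDOMAIN\SQL.App.Admin];
CREATE ROLE AppUsers;
CREATE ROLE AppAdmins;
ALTER ROLE AppUsers  ADD MEMBER [MYDOMAIN\SQL.App.Users];
ALTER ROLE AppAdmins ADD MEMBER [MYDOMAIN\SQL.App.Admin];
GRANT SELECT ON SCHEMA::dbo TO AppUsers;
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO AppAdmins;
GO

-- Who is connected? Even when access comes only through the group, the first three
-- return the individual's own Windows account (e.g. MYDOMAIN\jdoe); only USER_NAME()
-- shows the group's database user. Store SUSER_SNAME() in audit columns, not USER_NAME().
SELECT SUSER_NAME()    AS LoginName,
       SUSER_SNAME()   AS LoginNameSid,
       ORIGINAL_LOGIN() AS OriginalLogin,
       USER_NAME()     AS DatabaseUser;

-- IS_MEMBER answers for both database roles and Windows groups, so the application can
-- decide what to show without keeping its own copy of the membership.
SELECT IS_MEMBER('AppAdmins')                AS IsAppAdmin,
       IS_MEMBER('MYDOMAIN\SQL.App.Admin')   AS InAdminGroup;
```

To list the people rather than the group, read the group membership from AD (the domain admins' tool of choice, or a directory query from the application), not from SQL Server: the server only knows about the group login until an individual actually connects. If the application must be able to place a user in a role itself, grant its service account ALTER on that one role rather than db_owner, so it can run ALTER ROLE ... ADD MEMBER and nothing more.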

Data-related security Implementation

Using Shiro we have a great security framework embedded in our enterprise application running on GF. You define users, roles, permissions and we can control at any fine-grain level if a user can access the application, a certain page or even click a specific button.
Is there a recipe or pattern that allows, on top of that, restricting a user from seeing certain data?
Sample: You have a customer table for 3 factories (part of one company). An admin user can see all customer records, but the user at the local factory must not see any customer data of other factories (for whatever reason).
The security feature should be part of the role definition.
Thanks for any input and ideas
Add one or more security tables to your application that contain a UserID and a foreign key to the primary key of the table containing the resource to be secured.
Create records in the new table for each User/Resource combination that you want to grant access.
Then, when the resource is requested from the database, just join the security table to the resource table using the Resource keys, and filter on the UserID of the security table for the user that is currently logged in. This will trim the output, removing any records for which the user does not have access.
It is relatively straightforward to create forms that allow you to set up the new records in the security table granting users access to resources.
NOTE: In the specific case that you mentioned, you just need a field in the User database that holds the value of the Primary Key in the customer database for which the user has access.
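The security-table join this answer describes, carried through for the three-factory case, as an added example that is neither the answer's code nor anything from the Shiro or GlassFish projects. It also covers Scenario 1 of the earlier IdentityServer question (a user guessing /cars/id/345), which is the same problem of filtering rows by the caller's identity. The first query is the explicit join the answer recommends; the security policy that follows is a generalization the answer does not mention: SQL Server Row-Level Security (2016 or later) applies the same predicate to every query on the table, so a query the application forgot to join cannot leak another factory's customers. The schema, the factory and user names, and the `user_id` session key are assumptions for illustration.

```sql
-- Added example (not from the thread). Three factories; a user sees the customers of the
-- factories listed for them in UserFactoryAccess, and admins see everything.
CREATE TABLE dbo.Factory  (FactoryId int PRIMARY KEY, Name nvarchar(50) NOT NULL);
CREATE TABLE dbo.Customer (
    CustomerId int PRIMARY KEY,
    FactoryId  int NOT NULL REFERENCES dbo.Factory,
    Name       nvarchar(100) NOT NULL
);
CREATE TABLE dbo.AppUser (UserId int PRIMARY KEY, UserName nvarchar(50) NOT NULL, IsAdmin bit NOT NULL DEFAULT 0);
CREATE TABLE dbo.UserFactoryAccess (          -- the security table: one row per User/Factory grant
    UserId    int NOT NULL REFERENCES dbo.AppUser,
    FactoryId int NOT NULL REFERENCES dbo.Factory,
    PRIMARY KEY (UserId, FactoryId)
);
-- Constructed sample data.
INSERT dbo.Factory  VALUES (1, N'Hamburg'), (2, N'Lyon'), (3, N'Turin');
INSERT dbo.Customer VALUES (10, 1, N'Alpha'), (11, 2, N'Beta'), (12, 3, N'Gamma');
INSERT dbo.AppUser  VALUES (1, N'admin', 1), (2, N'lyon-clerk', 0);
INSERT dbo.UserFactoryAccess VALUES (2, 2);   -- the clerk is granted Lyon only
GO

-- 1) The join the answer describes, done by the application in its own query.
DECLARE @CurrentUserId int = 2;
SELECT c.CustomerId, c.FactoryId, c.Name
FROM dbo.Customer AS c
JOIN dbo.UserFactoryAccess AS a ON a.FactoryId = c.FactoryId
WHERE a.UserId = @CurrentUserId;
GO

-- 2) The same rule enforced by the engine. The predicate function reads the logged-in
--    user from SESSION_CONTEXT; a connection that never set it sees no rows at all.
CREATE FUNCTION dbo.fn_CustomerVisible(@FactoryId int)
RETURNS TABLE WITH SCHEMABINDING AS
RETURN
    SELECT 1 AS ok
    FROM dbo.AppUser AS u
    WHERE u.UserId = CONVERT(int, SESSION_CONTEXT(N'user_id'))
      AND (u.IsAdmin = 1
           OR EXISTS (SELECT 1 FROM dbo.UserFactoryAccess AS a
                      WHERE a.UserId = u.UserId AND a.FactoryId = @FactoryId));
GO
CREATE SECURITY POLICY dbo.CustomerFilter
    ADD FILTER PREDICATE dbo.fn_CustomerVisible(FactoryId) ON dbo.Customer
    WITH (STATE = ON);
GO

-- The application sets the user once per connection (after opening it or taking it from
-- the pool); every subsequent query on dbo.Customer is filtered, including a lookup by a
-- guessed key such as CustomerId = 12 for a customer of another factory.
EXEC sp_set_session_context @key = N'user_id', @value = 2;
SELECT CustomerId, FactoryId, Name FROM dbo.Customer;
SELECT CustomerId, FactoryId, Name FROM dbo.Customer WHERE CustomerId = 12;

EXEC sp_set_session_context @key = N'user_id', @value = 1;
SELECT CustomerId, FactoryId, Name FROM dbo.Customer;
```

As the clerk (user 2) the first SELECT returns only the Lyon customer and the lookup of CustomerId 12 returns no row; as the admin (user 1) all three customers come back. The join in step 1 is the portable version for an application that cannot use RLS; its weakness is that one query without the join undoes the protection, which is exactly what the policy in step 2 removes. To make the filter part of the role definition as the question asks, keep granting rows through UserFactoryAccess (or a role-to-factory table joined the same way) and let the predicate read that, rather than baking factory ids into application roles.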
