How to create a group with PIM elevation in Azure - azure-active-directory

I'm new to Azure AD and trying to create an access package.
My requirement is to create a group first, then elevate that group for PIM, then create an access package, and then assign groups to scope.
I'm not sure if there is any setting that needs to be enabled for PIM elevation during group creation. I searched the web but didn't find appropriate steps.
Edit
Particularly for assigning groups to scope:
I think this (assign groups to scope) can be done from the subscription -> Access control (IAM) -> "Role assignment", where my scope is showing "this resource" whereas it should be a resource group name. Anything I am missing here?

To elevate that group for PIM and create an access package you need an Azure AD Premium P2 license.
Please refer to this Microsoft document for PIM and access packages.
Once you have the above licence you can follow this document for PIM for a group.
Edit--
I think this (assign groups to scope) can be done from the subscription -> Access control (IAM) -> "Role assignment", where my scope is showing "this resource" whereas it should be a resource group name. Anything I am missing here?
If you are assigning the group to a scope on the subscription level, then if you go to IAM -> Role assignment it will show you "This resource" only, and if you go to your resource it will show "Subscription (Inherited)".
Likewise, if you are assigning a scope on the resource group level, then if you go to the resource group -> Role assignment it will show "This resource", and if you check inside the resources present in your resource group it will be "Resource group (Inherited)".
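As an added example (not code from the question or either answer), the following labels role assignments the way the IAM blade does for whichever scope you open it at, so you can see where a group's permission actually originates. The subscription id, group names and resource ids are constructed sample values.

```python
# Added example: label Azure role-assignment scopes as the IAM "Role assignments"
# tab does ("This resource" at the level assigned, "<level> (Inherited)" below it).
# All scopes and principal names here are constructed sample values.

def scope_level(scope: str) -> str:
    """Return the ARM level an assignment scope sits at."""
    s = scope.strip("/").lower()
    if s.startswith("providers/microsoft.management/managementgroups/"):
        return "Management group"
    parts = s.split("/")
    if "providers" in parts[2:]:      # /subscriptions/<id>/resourceGroups/<rg>/providers/...
        return "Resource"
    if "resourcegroups" in parts:
        return "Resource group"
    return "Subscription"

def label_assignments(assignments, viewed_scope: str):
    """Return (principal, role, label) for every assignment visible at viewed_scope.

    Direct assignments are labelled "This resource"; assignments made at a parent
    scope are labelled "<level> (Inherited)"; assignments below or elsewhere are
    not visible at this level and are skipped.
    """
    viewed = viewed_scope.rstrip("/").lower()
    visible = []
    for a in assignments:
        scope = a["scope"].rstrip("/").lower()
        if scope == viewed:
            label = "This resource"
        elif viewed.startswith(scope + "/"):
            label = f"{scope_level(scope)} (Inherited)"
        else:
            continue
        visible.append((a["principal"], a["role"], label))
    return visible

# Constructed sample data: one assignment at each level.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-app"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
SAMPLE = [
    {"principal": "xxx_contributor", "role": "Contributor", "scope": SUB},
    {"principal": "xxx_reader", "role": "Reader", "scope": RG},
    {"principal": "xxx_vmlogin", "role": "Virtual Machine Administrator Login", "scope": VM},
]

if __name__ == "__main__":
    for row in label_assignments(SAMPLE, VM):
        print(row)
```

An assignment that shows as "Subscription (Inherited)" on every resource is the sign of a scope broader than the resource group you intended; reassign it at the narrower scope rather than widening the group.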

This is how it's done.
Go to "Group" and search for "assignment group" that is created. Let's say "xxx_contributor" -> select and click on that -> then click on "Privileged access (Preview) [from left blade] -> Click on "Enable privilege access" -> click on "add assignment" -> select "role" as "member" -> click on "select member" -> search for the member, let's say "xxx_contributor_eligible" -> click " next" and click "assign".

How to delete a class instance based on if an instance variable returns true?

I have made a fake CRUD-based bank account manager that can create new accounts and also destroy them using the terminal. Just to make clear, this is not a Rails application. I've made a 'fake' MVC structure in vanilla Ruby to understand the basic concept.
I'm having difficulty trying to delete a class instance when the 'destroy' criteria has been satisfied. In this case, if a user wants to destroy a bank account, they need to specify the bank account number of the class instance. I'm not sure if my Ruby method is just incorrectly trying to handle the deletion or if what I am doing is not possible.
Here is the method so far:
    def delete(account_number)
      @accounts.each_with_index do |account, index|
        account.include?(account_number) ? account.delete_at(index) : "No account found"
      end
    end
Here is the error message I am being presented:
    `block in delete': undefined method `include?' for #<Account:0x00007fe82c8926c0 @name="test", @account_number="12345", @sort_code="040004", @balance="1234.5"> (NoMethodError)
Essentially, my end goal is for my method to scan the class instance, match @account_number with the account_number passed in the terminal and delete the instance completely. I've been able to do this using 'index', i.e. "delete the 1st in the list" (index + 1), but want to try a more advanced way.
N.B: @accounts is an instance variable set as an array to store the instances.
I would use Array#delete_if when I want to delete an account with a certain name for an array of accounts.
    def delete(account_number)
      # Assumes Account exposes attr_reader :account_number for the
      # @account_number instance variable shown in the error message.
      @accounts.delete_if { |account| account.account_number == account_number }
    end
If there is no matching account found then this method keeps the @accounts array unchanged.

What does DirectorySynchronizationOptions.PublicDataOnly mean?

There is a PublicDataOnly member in the DirectorySynchronizationOptions enum.
On MSDN it says "Do not return private data in the search results".
What does the "private data" here mean?
I tried to get all users with DirSync in given domain with and without this PublicDataOnly option and set the PropertiesToLoad as "*". Same set of attributes and users are returned.
Found it from the AD technical spec:
http://msdn.microsoft.com/en-us/library/cc223347.aspx
PublicDataOnly has no effect :).

Querying from AD - NO_OBJECT

My AD entry has the property msExchAddressBookPolicyLink with the value CN=ABL_Sub,CN=AddressBook Mailbox Policies,CN=MyExchange,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=intra,DC=contoso,DC=com.
This value I put into the variable abpLink (I checked in the Visual Studio debugger), then using
    using System.DirectoryServices;
    // ...
    if (abpLink != null)
    {
        DirectoryEntry abpEntry = new DirectoryEntry("LDAP://" + abpLink);
    }
At that point, abpEntry has raised a COMException, and when looking into the returned Properties, I find the error "problem 2001: NO_OBJECT".
(The ABL_Sub Address Book Policy does still exist, I did not delete it in Exchange.)
How so?

How do you check in code if a request matches an EPiServer Visitor Group

We've set up a new "visitor group" in EPiServer 6r2, and we want to add a css class to the <body> tag of the site if the user is in that group, so different groups get different site designs. I'm trying to find out if the current visitor is in a matching group in the code-behind of a masterpage file in order to add this extra class and can't get the below code to return anything but false.
I'm not sure if the role name mentioned is the name you enter in the CMS UI when adding a visitor group.
Paul Smith blogged a proposed solution to this but I haven't been able to get it to return anything but false yet, and judging by the only comment on the blog article I'm not alone. Code sample #1 from this link (which is the one I'm using):
    using EPiServer.Personalization.VisitorGroups;
    ...
    bool match = EPiServer.Security.PrincipalInfo.CurrentPrincipal
        .IsInRole("My Visitor Group", SecurityEntityType.VisitorGroup);
I found the developer guide to membership and role providers which states that replacePrincipal must be set to true for the correct principal to be in place. I checked and this is already the case for my config.
Documentation
EPiServer 7 doc
IPrincipal.IsInRole() extension
SecurityEntityType enum
Oddly, I searched the 6r2 documentation from http://sdk.episerver.com/ and can't find the documentation for IPrincipalExtensions at all, even though I see the class in the object browser in 6.2 in my sln. Details: Assembly EPiServer.ApplicationModules - C:\Windows\assembly\GAC_MSIL\EPiServer.ApplicationModules\6.2.267.1__8fe83dea738b45b7\EPiServer.ApplicationModules.dll - public static bool IsInRole(this System.Security.Principal.IPrincipal principal, string role, EPiServer.Security.SecurityEntityType type)
Member of EPiServer.Personalization.VisitorGroups.IPrincipalExtensions
Please comment if you spot errors or I've missed anything as coding for EPiServer is a bit of a fog-of-war affair and I'm a little battle-weary.
Found it by browsing the object model and guessing. So much for documentation.
    using EPiServer.Personalization.VisitorGroups;
    using EPiServer.Security;

    const string visitorGroupName = "Some users";
    var groupHelper = new VisitorGroupHelper();
    bool isPrincipalInGroup = groupHelper.IsPrincipalInGroup(
        PrincipalInfo.CurrentPrincipal, visitorGroupName);
Tested and working in EPiServer 6r2 (aka 6.1).
String visitorGroupName must match the string entered into the "Name" box on the EPiServer admin interface when creating / editing the visitor group. See screenshot below:

How do I import Active Directory users into JIRA only from specific groups?

A caveat to begin with - I don't actually know if what I want to do is possible, particularly because I'm not well versed with LDAP/Active Directory or JIRA.
I'm trying to integrate my shiny new installation of JIRA with my existing active directory. What I want to do is set up some specific JIRA groups (e.g. in London\Security Groups\JIRA*) and then have JIRA only import the users who have membership of those groups. However, in the directory set up page in JIRA, I don't understand how to do this. It seems to indicate that I can import users and groups, but not users from groups.
What am I missing? (apart from expert level knowledge of AD!)
Update
Under my domain, I have an organisational structure like this:
London\Users
London\Security Groups\JIRA
Under the latter organisational unit, I have a security group called "jira-users". The former contains all users.
So far I've tried the following queries and none of them has worked:
(all prefixed with "&(objectCategory=Person)(sAMAccountName=*)")
memberof=CN=jira-users,ou=London,ou=Security Groups,ou=JIRA,dc=mycompany,dc=local
memberof=CN=JIRA,ou=London,ou=Security Groups,dc=mycompany,dc=local
(prefixed with just "&(objectCategory=Person)")
memberof=CN=jira-users,ou=London,ou=Security Groups,ou=JIRA,dc=mycompany,dc=local
Completed
The query that works is this:
memberof=CN=jira-users,OU=JIRA,OU=Security Groups,OU=London,DC=mycompany,DC=local
I hadn't realised that for a folder structure that is logically, left to right, London\Security Groups\JIRA, the organisational units need to be listed in reverse order.
Further Update
This only works when using the DirectorySearcher class for some reason, e.g.
    using System.DirectoryServices;

    DirectoryEntry rootEntry = new DirectoryEntry("LDAP://dc=mycompany,dc=local");
    DirectorySearcher srch = new DirectorySearcher(rootEntry);
    srch.SearchScope = SearchScope.Subtree;
    srch.Filter = "(&(objectCategory=Person)(sAMAccountName=*)(memberof=CN=jira-users,ou=London,ou=Security Groups,ou=JIRA,dc=mycompany,dc=local))";
    SearchResultCollection results = srch.FindAll();
This doesn't work in the LDAP explorer tool and subsequently, not in JIRA itself.
Last Update
So... for JIRA, you need to reverse the order AND remove the wildcard. The working query in the end is:
(&(objectCategory=Person)(memberof=CN=jira-users,OU=JIRA,OU=Security Groups,OU=London,DC=mycompany,DC=local))
When you are setting up the user directory look under the User Schema settings. You should see a "User Object Filter" field. In there you should be able to add something like this:
(memberOf=cn=jira-users,ou=London,dc=mydomain,dc=com)
This will allow you to filter based on a specific LDAP group. Of course you will need to edit the values above to reflect your own environment.
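As an added example (not code from the question or the answer), the following builds the group DN from the path as it reads in the AD console, reversing the OUs into RDN order as the question's updates found necessary, and then composes the JIRA "User Object Filter". It also escapes the values per RFC 4514 (DN) and RFC 4515 (filter), so a group or OU name containing commas, parentheses or asterisks cannot break or widen the filter. The domain and group names are the thread's own sample values.

```python
# Added example: derive the memberOf filter for JIRA from the console-style OU
# path. Reverses the OUs (leaf first) and escapes values per RFC 4514 / RFC 4515.
# mycompany.local and jira-users are the sample values used in the thread above.

def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514)."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside a search filter (RFC 4515); backslash first."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))

def group_dn(console_path: str, group: str, domain: str) -> str:
    """'London\\Security Groups\\JIRA' + 'jira-users' + 'mycompany.local' -> full DN.

    The console shows the container path root-first, but a DN lists RDNs
    leaf-first, so the OUs are reversed before the DC components are appended.
    """
    ous = [p for p in console_path.split("\\") if p]
    rdns = [f"CN={escape_dn_value(group)}"]
    rdns += [f"OU={escape_dn_value(ou)}" for ou in reversed(ous)]
    rdns += [f"DC={escape_dn_value(dc)}" for dc in domain.split(".")]
    return ",".join(rdns)

def member_filter(dn: str, require_samaccountname: bool = False) -> str:
    """Compose (&(objectCategory=Person)(memberOf=<dn>)).

    The (sAMAccountName=*) clause is optional because JIRA rejected it while
    DirectorySearcher accepted it, as described in the question's last update.
    """
    clauses = ["(objectCategory=Person)"]
    if require_samaccountname:
        clauses.append("(sAMAccountName=*)")
    clauses.append(f"(memberOf={escape_filter_value(dn)})")
    return "(&" + "".join(clauses) + ")"

if __name__ == "__main__":
    print(member_filter(group_dn("London\\Security Groups\\JIRA", "jira-users", "mycompany.local")))
```

Note that memberOf only matches direct membership; users who reach jira-users through a nested group are not returned by this filter.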
