Snowflake network user-level policy - snowflake-cloud-data-platform

I'd like to create network policies in Snowflake with this design:
1) A user called loader can access with some unique 5 IPs
2) A user called transformer can access with some other unique 5 IPs
3) All other users can access on any IP - i.e. no network policy
From the docs on Snowflake and the approach, it seems I can only add an account-level policy, which is then used inside for users specifically as needed.
Can I create directly user-level network policies only for 1, 2 and leave out 3 in some way?

Please check the following page:
https://docs.snowflake.com/en/user-guide/network-policies.html#managing-user-level-network-policies
To activate a network policy for an individual user, set the NETWORK_POLICY parameter for the user using ALTER USER.
https://docs.snowflake.com/en/sql-reference/parameters.html#label-network-policy

Related

How to dynamically add users to AccessPackages in AzureAD under entitlement management?

You've got this great new feature in Azure AD under Entitlement management: Access Packages.
Packages including groups and what more for specific users and roles.
https://learn.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-access-package-create
The issue I'm struggling with is: how can I add users by dynamic group without them having to request access first?
I feel like I'm overseeing something, but as it looks now you can only add a Dynamic Group & the users in the group can request access to the AccessPackages.
Has anyone else dealt with this already?
Please check the references and if below can be worked around in your case.
According to Create a new access package in entitlement management - Azure AD | Microsoft Docs:
If you want to bypass access requests and allow administrators to directly assign specific users to this access package, click None (administrator direct assignments only) in the request section to create a policy where users need not request access. For this, group selection is not there. Users won't have to request the access package.
But if you need to select a specific dynamic group for the policy:
You can create an access package with dynamic groups selected.
You can create a policy separately for the users of the dynamic group, with require approval disabled and requests disabled.
Then while assignment requests are bypassed and approved even if the policy has request approval.
Even if require approval and requests are enabled in the first step, you can set a separate policy by setting bypass approval to yes.
Note: The dynamic group is to be given the owner role for access packages.
Reference: active-directory-entitlement-management-request-policy | (github)

Snowflake network policies are not working for Free Trial

I have created a network policy to restrict the user by using ALLOWED_IP_LIST only.
CREATE NETWORK POLICY Test ALLOWED_IP_LIST = ('103.136.64.120');
Question is:
1) I'm using free trial and unable to set network policy through portal
2) If I can create NETWORK POLICY through command prompt, then how we can check/test policy on Web
3) I tried to execute query on Web, still able to access database (expecting to restrict it for particular IP)
Note: I followed the documents https://docs.snowflake.com/en/sql-reference/sql/create-network-policy.html
After you create a network policy, you need to apply it to either the account or a user. You can use the UI to apply an account-level network policy.
https://docs.snowflake.com/en/user-guide/network-policies.html#modify-an-account-level-network-policy
You can apply a network policy to either the account or a user using SQL to alter the account or user parameter for NETWORK_POLICY:
Account:
https://docs.snowflake.com/en/sql-reference/sql/alter-account.html#alter-account
User:
https://docs.snowflake.com/en/sql-reference/sql/alter-user.html#alter-user
You may consider testing on a user first (creating an additional one if required) to avoid accidentally locking yourself out from the account.
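The design from the first question on this page (loader and transformer restricted, all other users unrestricted), built with the user-level step this answer describes. This is an added example, not part of the original posts; the policy names and IP addresses are constructed placeholders, and the users loader and transformer are assumed to exist already.

```sql
-- Added example. Policy names and addresses are constructed placeholders
-- (RFC 5737 documentation ranges); replace them with your own values.
USE ROLE SECURITYADMIN;  -- or ACCOUNTADMIN

-- 1) One policy per restricted user, each with its own five addresses.
CREATE NETWORK POLICY loader_policy
  ALLOWED_IP_LIST = ('192.0.2.10', '192.0.2.11', '192.0.2.12',
                     '192.0.2.13', '192.0.2.14')
  COMMENT = 'Constructed example: loader service user';

CREATE NETWORK POLICY transformer_policy
  ALLOWED_IP_LIST = ('198.51.100.20', '198.51.100.21', '198.51.100.22',
                     '198.51.100.23', '198.51.100.24')
  COMMENT = 'Constructed example: transformer service user';

-- 2) Attach each policy at user level only. Creating a policy has no effect
--    until it is set as the NETWORK_POLICY parameter of a user or the account.
ALTER USER loader      SET NETWORK_POLICY = loader_policy;
ALTER USER transformer SET NETWORK_POLICY = transformer_policy;

-- 3) Leave the account-level parameter unset so every other user stays
--    unrestricted. An empty value here means no account-level policy applies.
SHOW PARAMETERS LIKE 'network_policy' IN ACCOUNT;

-- 4) Confirm what each restricted user resolved to.
SHOW PARAMETERS LIKE 'network_policy' IN USER loader;
SHOW PARAMETERS LIKE 'network_policy' IN USER transformer;

-- 5) Review the address list behind a policy.
DESCRIBE NETWORK POLICY loader_policy;

-- Rollback for one user, run from a session that is still allowed in:
-- ALTER USER loader UNSET NETWORK_POLICY;
```

To test, log in as loader from an address outside the list and confirm the login is rejected, then repeat from an address on the list.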

How to view any User-Level Network Policies that have been applied?

I have implemented a couple User-Level Network Policies, but really don't have a way to check to see which policy has been applied to which user. Is there a way to query Snowflake for this information?
The functionality to access user-level network policies is not yet available through UI or SQL. However, you could use the workaround below.
USE ROLE SECURITYADMIN; -- or ACCOUNTADMIN role
SHOW USERS;
-- For each user listed:
SHOW PARAMETERS LIKE '%NETWORK_POLICY%' IN USER <username>;

What is the best approach to design database with external users, groups and permissions?

We are removing User, User Group and Permission models from our backend in favor of Auth0.
Our first idea was to just delete User, Group and Permission tables from DB and replace related foreign keys with varchar field. In this field we would then enter IDs that we get from Auth0 in JWT (pointing to something not present in our DB).
Is this a good approach? I somehow feel that there must be a more "relational" way of doing this.
Generally OAuth will not do all of the permission checks for you. Instead it gives you general mechanisms to sign the user in and issue + validate tokens.
In most real world architectures you also need to manage a second level of authorization in your back end - using domain specific user data for roles, permissions etc.
A couple of write ups of mine may help:
User Data Management
API Authorization
Auth0 Community Manager Dan here,
In this scenario you may be able to leverage the RBAC to replace your existing users/groups/permissions setup.
You would register a user's roles and the associated permissions of each role in the Auth0 dashboard or programmatically via the management API. Then you can set up a rule to add user roles to the token.
To connect this user to your existing user data store you can store the Auth0 id, similarly to how you have described.
This allows you to look up the user when the token is received, and to associate any permissions or roles the user has. You can make roles API-specific by adding a prefix to the role, or have roles be general depending on your needs.
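One way to keep the schema relational while storing the Auth0 id, as both answers suggest. This is an added example, not code from the answers; it uses PostgreSQL syntax, and every table name, column name and id value is hypothetical.

```sql
-- Added example (PostgreSQL syntax). All names and values are hypothetical.
-- Identity lives in Auth0; the database keeps one thin row per user so that
-- other tables can still use ordinary foreign keys.
CREATE TABLE app_user (
    id         BIGINT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    auth0_sub  VARCHAR(255) NOT NULL UNIQUE,   -- "sub" claim of the validated JWT
    created_at TIMESTAMPTZ  NOT NULL DEFAULT now()
);

CREATE TABLE project (
    id   BIGINT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    name TEXT NOT NULL
);

-- Domain-specific authorization data that the token does not carry.
CREATE TABLE project_member (
    project_id BIGINT NOT NULL REFERENCES project (id),
    user_id    BIGINT NOT NULL REFERENCES app_user (id),
    role       TEXT   NOT NULL CHECK (role IN ('viewer', 'editor', 'owner')),
    PRIMARY KEY (project_id, user_id)
);

-- First request from a subject: create the local row, or return the existing
-- one. In application code, bind the sub claim as a query parameter and only
-- after the token signature, issuer and audience have been validated.
INSERT INTO app_user (auth0_sub)
VALUES ('auth0|constructed-example-id')
ON CONFLICT (auth0_sub) DO UPDATE SET auth0_sub = EXCLUDED.auth0_sub
RETURNING id;

-- Second-level authorization check: what may this subject do on project 1?
-- No row returned means no access.
SELECT pm.role
FROM project_member AS pm
JOIN app_user AS u ON u.id = pm.user_id
WHERE u.auth0_sub = 'auth0|constructed-example-id'
  AND pm.project_id = 1;
```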

Azure Active Directory as simply user/role validation service

Our current process is that BizTalk exposes a web service for vendors to call in, where the request header contains a pre-assigned user name and password. Upon receiving a service call, BizTalk validates the credential against the database, then extracts and attaches some metadata from the db record to the inbound message (e.g. city, vendor level etc.)
Questions:
1) Can we replace this process with Azure Active Directory? Heard it does provide a RESTful API, but I get confused every time I read the documentation when it talks about JWT tokens... Does it have a straightforward RESTful endpoint to call to validate and extract user information?
2) Can we customize the metadata within the AAD user?
Thanks for the help!!
1 - Sure you can. There is no endpoint to perform validation, but it's easy to validate incoming tokens - we offer components that automate it. See https://github.com/AzureADSamples/NativeClient-DotNet for an example. The same location on GitHub has lots of other samples demonstrating different scenarios.
2 - I am not certain I understand what you mean with metadata here. If you are referring to the info you can specify about the user: you can customize the user scheme. See https://msdn.microsoft.com/en-us/library/azure/dn720459.aspx
