I was trying to create an Oracle Database instance in AWS using RDS , then I stumbled upon this error
Then I was trying to check my account information , and the same access denied is everywhere . I literally can't do anything . I am currently logged in as root user . I am very new to AWS . So any help is appreciated :)
your account doesnt have full access to all the resources. it has limited rights to create/remove/use resources in AWS. you need to speak to your admin to get the necessary grants. or if its sub account, then you need to switch the role from top right corner of console to proper role.
Related
When using the graph explorer I am able to get results from some of the API's. However not able to get when requesting for reports
For Example, this works perfectly fine;
https://graph.microsoft.com/v1.0/users
However, calling the below report related request results in an error "We do not recognize this tenant ID ... Please double-check the tenant ID and try again." I am facing this issue for any such call for reports.
https://graph.microsoft.com/v1.0/reports/getOffice365ActiveUserDetail(period='D90')
Is there some issue with App Registration which is causing this? The error message for checking the TenantID is totally misleading as the token is same in both the cases and I am not doing anything different between the two calls. Would appreciate any guidance.
Try checking these.
Try the request after giving some time like 48 hrs approximately as
it might take a little time for the tenant id to propagate across all
the instances and reflect in Microsoft graph api.
Check if you have given valid tenant ID
check tenant expiration (as admin account)
Else check if required permissions are set.
Reports.Read.All permission is needed to call this API.Refer Microsoft
Graph permissions
Please add the Delegated permisson /the Application permission and test it again. See Microsoft Graph v1.0 | Microsoft Docs
If that’s done already check if admin consent is provided .
( Reports.Read.All permission allows an app to read all service
usage reports without a signed-in user. Make sure to check if you
granted the permission(by clicking Grant Permissions from admin
account).
See reports-permissions
References:
Similar thread
concept-reporting-api
Update:
This error may occur when the usage report is not ready .Because if
the tenant is new , it might take sometime( upto 48 hours) for
the report service to pick it up and start generating reports.
You must be able to test it manually from O365 Admin
Portal.Portal.office.com -> Admin Tab -> Show all -> Reports ->
Usage
Other wise , you may contact support to raise a request.
As the title says, I have a user "User1" in a group "Techs" and "Techs" is a Role Enabled Azure AD, Cloud Only, Security Group that is assigned both the Exchange Administrator, Helpdesk Administrator and Exchange Recipients Administrator roles.
User1 is able to powershell and use most cmdlets for mailbox management, but is unable to access the EAC. Attempting to access EAC sends User1 to a mailbox management page for their own mailbox, and attempting to Edit Mailbox Properties for a user in the Microsoft 365 Portal greets User1 with a 403 forbidden page.
Direct assignment of exchange admin role works, but defeats the purpose of using a group. Anyone else experience this or know how I can fix it?
Currently, it is possible to switch back to the existing EAC (often called the "classic" EAC), but at a future date, the classic EAC will be retired.
But I suggest not to use "classic" EAC for work because according to my test, the methods listed here cannot allow the exchange admin to manage the mailboxes in the tenant.
It's recommended to access new EAC using these 2 methods.
Sign in to Microsoft 365 or Office 365 using your work or school account.
In the left navigation pane, navigate to Admin centers > Exchange.
You can also get to the new Exchange admin center directly by using
the URL https://admin.exchange.microsoft.com and signing in using your
credentials.
As the document suggests, Be sure to use a private browsing session (not a regular session) to access the Exchange admin center using the direct URL. This will prevent the credential that you are currently logged on with from being used.
In this way, your user which is assigned Exchange Admin role with Group inherit way should be able to access EAC successfully.
I've written a security module for my MVC intranet that allows administrators to grant permissions to users for certain functions like viewing, editing, deleting etc. When an intranet user visits a page, the underlying security module checks the SQL database to see if an administrator has given them access to perform the task and, if they have the required permission, they can click a link or whatever.
What baffles me is that the above system doesn't work unless I republish the website after the administrator has granted the permission. The permission is stored correctly in a permissions table in the database but when the user tries to use the permission it doesn't work. As far as I can tell my security module is completely standalone and is just a case of reading and writing to a database using static methods like this:
if (SecurityManager.HasRole(Request.ServerVariables["AUTH_USER"], "edit")) { }
I'm sure this is just a basic flaw in my understanding but does anyone have any ideas how I can get this to work?
We have the angularjs application where we have different roles associated to the users. For ex: the two roles are Admin and Local. Based on the role, we show some menu items for the Admin and adds more features/screen to the Admin .
The userInfo with the Admin Property is returned from the login response and based on what we decide which all menu and screens to be rendered .
But if we user the developer tool, and the set the break point where the admin property is used, and set the admin property as true the user even he is a local user would be able to access admin privileges .
In short who has some idea about the javascript code can get the admin privileges . Is there any idea other than minification of the code to prevent this kind of security threats
Thanks
As the front-end of your application will run on the client machine there is actually no way to stop a user from debugging or modifying the code. Thus it's impossible to prevent someone from tricking their local instance of the application to think it's signed in as an administrator.
If you simply want to hide the admin interface, one possibility is to have separate (or additional) templates for administrators and restrict access to these based on the user's privilege. If there is anything to be gained from this is up to you. You will still need to validate the rights to execute any privileged action on the server anyway. Obtaining administrative privileges on the client must never be the same as obtaining them on the server side.
I can print
System.Security.Principal.WindowsIdentity.GetCurrent().Name is #System.Security.Principal.WindowsIdentity.GetCurrent().Name
in a razor (.cshtml) file, however, I do not know how to print the app pool or verify that it is indeed accessing the database to login to it (as the login currently fails, that portion is an even tougher question).
This may require creating a string in the controller action trying to access the database, e.g. near something like:
db.myTable // etc
Thanks in advance.
The name you are returning in the code sample is the windows user id that the app pool is using (look in the app pool properties to see what windows username it is using).
This user name, complete with domain name, needs to have access to the db.
You may like to create your own windows user just for the app pool to use something other than local service as it may not be a good idea to give any local service access to your database.
As Will says in his comment, sql profiler should be able to help you find out what's happening if you are not sure.