Auditing SQL tables when using Azure AD - sql-server

In our SQL tables we have columns such as UpdatedBy and CreatedBy with a ref key to a User table. This is useful to keep track of who created/updated a business entity.
However we are migrating from this local User table to using Azure AD. We will use Azure AD for authentication and authorization in our client applications.
There should be no need for a local User table (or any other tables related to identity, such as Role etc...), but then how do I reference user ids from Azure AD into my audit columns? Obviously I can no longer have a reference key with constraint.
What is the usual approach to this?

Did you read about System for Cross-Domain Identity Management (SCIM)? You can provide an out-of-the-box mechanism for syncing Users and Groups created in the Azure AD.
There is a whole tutorial about how to do that:
https://learn.microsoft.com/en-gb/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#step-4-integrate-your-scim-endpoint-with-the-azure-ad-scim-client
There is a ready to go CRUD and SCIM based application in C# created by Microsoft https://github.com/AzureAD/SCIMReferenceCode
That will give you a solution for what to do, for example, when Azure AD is removing the user but you want to keep it.
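As an added example (not code from the question, the answer, or the Microsoft reference implementation), here is one T-SQL shape for this: a user table that the SCIM endpoint keeps in sync, keyed by the Azure AD object id, with the audit columns holding a real foreign key to it, and a soft delete so that deprovisioning in Azure AD never breaks the audit history. Table, column and procedure names are assumptions.

```sql
-- Added example (not from the post): SCIM-synced user table keyed by the
-- Azure AD object id (the "oid" claim). Names are assumptions.
CREATE TABLE dbo.AppUser (
    AadObjectId       UNIQUEIDENTIFIER NOT NULL PRIMARY KEY,
    UserPrincipalName NVARCHAR(256)    NOT NULL,
    DisplayName       NVARCHAR(256)    NULL,
    IsActive          BIT              NOT NULL CONSTRAINT DF_AppUser_IsActive DEFAULT (1),
    DeprovisionedAt   DATETIME2(0)     NULL
);
-- Audit columns keep a real foreign key, so CreatedBy/UpdatedBy always resolve.
CREATE TABLE dbo.Invoice (
    InvoiceId INT IDENTITY PRIMARY KEY,
    Amount    DECIMAL(12,2) NOT NULL,
    CreatedBy UNIQUEIDENTIFIER NOT NULL CONSTRAINT FK_Invoice_CreatedBy REFERENCES dbo.AppUser (AadObjectId),
    CreatedAt DATETIME2(0) NOT NULL CONSTRAINT DF_Invoice_CreatedAt DEFAULT (SYSUTCDATETIME()),
    UpdatedBy UNIQUEIDENTIFIER NULL CONSTRAINT FK_Invoice_UpdatedBy REFERENCES dbo.AppUser (AadObjectId),
    UpdatedAt DATETIME2(0) NULL
);
GO
-- Called by the SCIM endpoint for POST/PUT/PATCH: insert or update in place.
CREATE PROCEDURE dbo.Scim_UpsertUser
    @AadObjectId UNIQUEIDENTIFIER, @Upn NVARCHAR(256), @DisplayName NVARCHAR(256), @Active BIT
AS
BEGIN
    SET NOCOUNT ON;
    MERGE dbo.AppUser AS t
    USING (SELECT @AadObjectId, @Upn, @DisplayName, @Active) AS s (AadObjectId, Upn, DisplayName, Active)
       ON t.AadObjectId = s.AadObjectId
    WHEN MATCHED THEN UPDATE SET
        UserPrincipalName = s.Upn, DisplayName = s.DisplayName, IsActive = s.Active,
        DeprovisionedAt = CASE WHEN s.Active = 1 THEN NULL ELSE ISNULL(t.DeprovisionedAt, SYSUTCDATETIME()) END
    WHEN NOT MATCHED THEN
        INSERT (AadObjectId, UserPrincipalName, DisplayName, IsActive)
        VALUES (s.AadObjectId, s.Upn, s.DisplayName, s.Active);
END
GO
-- Called for SCIM DELETE: never remove the row (the foreign keys would block it
-- anyway); flag it inactive so the audit history stays resolvable.
CREATE PROCEDURE dbo.Scim_DeleteUser @AadObjectId UNIQUEIDENTIFIER
AS
BEGIN
    SET NOCOUNT ON;
    UPDATE dbo.AppUser
       SET IsActive = 0, DeprovisionedAt = ISNULL(DeprovisionedAt, SYSUTCDATETIME())
     WHERE AadObjectId = @AadObjectId;
END
GO
```

The application writes the caller's object id from its token into CreatedBy/UpdatedBy; if the id is not yet in dbo.AppUser the foreign key rejects the write, which is the signal that provisioning has not caught up.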

Related

Use external database with Keycloak

How to use an external SQL database with Keycloak?
I have a SQL database that contains my clients from my application.
If you have a pre-existing database with your own custom table structure for identity and access (most likely, you rolled your own user and role tables and probably some other tables as well), you can implement Keycloak's "User Storage SPI" in order to connect your database to Keycloak.
To do this, see the docs.

Multi tenant application - data isolation and database query routing

I am building a multi tenant application with NodeJS and MSSQL on the backend which will have one instance running. I think about using schema based multi tenancy architecture, meaning single database with separate schema for each tenant `[Tenant1].[DataTable1], [Tenant2].[DataTable1]`.
My question is what is the better way to implement this to handle correct "routing" of SQL queries from different tenants?
I came up with four solutions:
Use Connection Pools - each tenant user will have a separate SQL connection with a different database user (who has default schema and access to it only).
Use single SQL connection but add EXECUTE AS USER = 'Tenant1' .. REVOKE to each query (database user has default schema and access to it only).
Or have a shared database with a single schema:
Row-Level Security, but it seems that it could have a performance impact.
Add Tenant_table and insert tenant_id into each row.
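As an added example (not code from the question), here is option 2 worked through in T-SQL: one shared connection that impersonates a per-tenant database user whose default schema routes unqualified table names, with each user granted rights on its own schema only. It assumes the script runs as a db_owner; the tenant, user and table names are assumptions.

```sql
-- Added example (not from the question): option 2, a shared connection that
-- impersonates a per-tenant database user whose default schema routes
-- unqualified table names. Tenant, user and table names are assumptions.
CREATE SCHEMA Tenant1;
GO
CREATE SCHEMA Tenant2;
GO
CREATE TABLE Tenant1.DataTable1 (Id INT PRIMARY KEY, Payload NVARCHAR(100));
CREATE TABLE Tenant2.DataTable1 (Id INT PRIMARY KEY, Payload NVARCHAR(100));
INSERT INTO Tenant1.DataTable1 VALUES (1, N'tenant 1 row');
INSERT INTO Tenant2.DataTable1 VALUES (1, N'tenant 2 row');
GO
-- Users without a login: they exist only to be impersonated, never to connect.
CREATE USER Tenant1 WITHOUT LOGIN WITH DEFAULT_SCHEMA = Tenant1;
CREATE USER Tenant2 WITHOUT LOGIN WITH DEFAULT_SCHEMA = Tenant2;
-- Each user gets rights on its own schema only; nothing is granted on the other.
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::Tenant1 TO Tenant1;
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::Tenant2 TO Tenant2;
-- The application's own database user (assumed name AppSvc) must be allowed to
-- impersonate each tenant user; without this EXECUTE AS fails.
-- GRANT IMPERSONATE ON USER::Tenant1 TO AppSvc;
GO
-- Per request: switch context, run the tenant's query unqualified, switch back.
EXECUTE AS USER = 'Tenant1';
SELECT USER_NAME() AS RunningAs, SCHEMA_NAME() AS DefaultSchema;  -- Tenant1, Tenant1
SELECT * FROM DataTable1;  -- resolves to Tenant1.DataTable1
BEGIN TRY
    SELECT * FROM Tenant2.DataTable1;  -- another tenant's data
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS Err, ERROR_MESSAGE() AS Msg;  -- 229: SELECT permission was denied
END CATCH;
REVERT;  -- ends the impersonation; forgetting this leaks the context to the next query
GO
```

The same per-tenant users and schema grants also serve option 1, where each tenant gets its own connection instead of being impersonated over a shared one.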

How to create a public database in hive beeline?

Now I can use beeline to create role and user; every user has his/her own database, using the admin role to grant, but I need to create a new database so that all users can create tables in the public database. How do I create a database like that?
Users cannot create tables in other databases and can only create tables under their own databases.
You need an authorization provider that supports Hive. Apache Sentry is a popular one.
You will need to create a Sentry role that allows access to certain databases only.
Then assign a (Linux) group to that role.
Any user in the above group will get access privileges to certain databases only (because of step 1).
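As an added example (not commands from the answer), here is the three-step procedure above written out as Sentry grants issued from beeline by an admin, alongside the per-user private database pattern the question already has. It assumes Sentry is the configured Hive authorization provider and that its group mapping resolves the Linux groups; database, role and group names are assumptions.

```sql
-- Added example (not from the answer): Sentry-managed Hive authorization, run in
-- beeline by an admin. Database, role and Linux group names are assumptions.
-- A private database for one user: only the group "alice" (her own) can use it.
CREATE DATABASE alice_db;
CREATE ROLE alice_owner;
GRANT ALL ON DATABASE alice_db TO ROLE alice_owner;
GRANT ROLE alice_owner TO GROUP alice;
-- The shared database: one role, granted to the group every user belongs to.
CREATE DATABASE shared;
CREATE ROLE shared_writer;
GRANT ALL ON DATABASE shared TO ROLE shared_writer;   -- includes CREATE TABLE
GRANT ROLE shared_writer TO GROUP analysts;
-- Verify the role reaches only that database.
SHOW GRANT ROLE shared_writer;
-- A member of "analysts" (and not of "alice") can now do this ...
USE shared;
CREATE TABLE events (id INT, note STRING);
-- ... but USE alice_db followed by CREATE TABLE is refused, because no role the
-- user holds has privileges on alice_db.
```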

Password protect an individual table in MS SQL Server

I am transitioning a project from Advantage Database Server to MS SQL server. In Advantage, you can password protect an individual table, which is also encrypted. As such, you cannot open, view, update, etc. the table without the password. I place my project's registration information in this table, so I don't want any user to be able to look at its contents.
I cannot find a similar function in SQL Server. Encrypting the data is insufficient. So my question is: is there a way to password protect a table in SQL Server?
In SQL Server you can link various access roles to the users. These roles can be applied to tables, views, stored procedures etc. The best thing to do is to create views on the database, and let the users access specific views, rather than giving permissions on all DB objects.
Alternatively, you can deny permissions on a specific table to a user or a role.
Here are two articles on MSDN that will get you started:
GRANT Object Permissions
DENY Object Permissions
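As an added example (not code from the answer), here is the view-plus-DENY approach carried through in T-SQL, including a test user that shows the boundary holding. Table, view, role and user names are assumptions.

```sql
-- Added example (not from the answer): keep a sensitive table out of reach of
-- ordinary users and expose only a view. Table, view, role and user names are assumptions.
CREATE TABLE dbo.Registration (
    Id           INT IDENTITY PRIMARY KEY,
    LicenseeName NVARCHAR(200)  NOT NULL,
    LicenseKey   VARBINARY(256) NOT NULL,  -- the value nobody should read directly
    ExpiresOn    DATE           NOT NULL
);
GO
-- DENY to PUBLIC blocks every database user, and a DENY beats any GRANT the user
-- also holds. It does not bind db_owner members or sysadmins: they bypass checks.
DENY SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Registration TO PUBLIC;
GO
-- dbo owns both the view and the table, so ownership chaining lets the view read
-- the table although the caller is denied on the table itself.
CREATE VIEW dbo.RegistrationStatus AS
SELECT LicenseeName, ExpiresOn,
       CASE WHEN ExpiresOn >= CAST(SYSDATETIME() AS DATE) THEN 1 ELSE 0 END AS IsValid
FROM dbo.Registration;
GO
CREATE ROLE app_reader;
GRANT SELECT ON OBJECT::dbo.RegistrationStatus TO app_reader;
-- A test user to prove the boundary (no login, impersonation only).
CREATE USER tester WITHOUT LOGIN;
ALTER ROLE app_reader ADD MEMBER tester;
GO
EXECUTE AS USER = 'tester';
SELECT * FROM dbo.RegistrationStatus;  -- allowed: only the non-secret columns
BEGIN TRY
    SELECT LicenseKey FROM dbo.Registration;
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS Err, ERROR_MESSAGE() AS Msg;  -- 229: SELECT permission was denied
END CATCH;
REVERT;
GO
```

Because db_owner and sysadmin bypass DENY, this protects the table from application users, not from whoever administers the server.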

How to implement a relational database and access it through mobile services from Android in Azure?

I have designed a database with two tables: Client and Bill
User table has two columns: idUser and password.
Bill table has three columns: idBill, date and description.
User table has a 1:n relationship with Bill table.
How can I implement this design in SQL Server and then access data through Mobile Services from an Android device?
I tried to follow these steps:
Create a Mobile Service
Access admin panel in the new Mobile Service
In the “Data” tab, add Client table and Bill table
But that's all. I cannot define a relationship (foreign key) between these tables.
Also, I tried to create the tables by T-SQL sentences, but when I created them, they don't appear in the Mobile Services admin panel "Data" tab.
Mobile Services doesn't consider or handle any foreign key constraints (i.e. a relationship from User to Bill). However, you can enforce this constraint on your client side and by using the server side scripts to ensure data integrity / perform custom SQL statements. I would recommend creating the User and Bill tables in the Mobile Services portal (sounds like you already did that) and then start saving data from your client. Mobile Services uses dynamic schematization to automatically add new columns to the DB for you. You can still connect directly to the SQL database (via SQL Management Studio or the SQL Portal) and create the constraint if you want. If you were to try doing something from the Mobile Service that would violate the constraint, an error will be thrown and you can either handle that in your server scripts or on your client side.
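As an added example (not code from the answer), here is the "connect directly and create the constraint" step carried through in T-SQL, with the checks a practitioner runs before and after. The schema (dbo) and the column types are assumptions, as is the added idUser column on Bill, which the question's Bill table does not yet have; check the real names in SQL Management Studio first.

```sql
-- Added example (not from the answer): enforce the User -> Bill relationship
-- directly in the SQL database behind the mobile service, as the answer
-- suggests. The schema (dbo here) and column names are assumptions; check the
-- real ones in SQL Management Studio first.
-- 1. Bill needs a column pointing at the user (the question's Bill table has none).
ALTER TABLE dbo.Bill ADD idUser INT NULL;
GO
-- 2. Find rows that would violate the constraint before adding it.
SELECT b.idBill, b.idUser
FROM dbo.Bill AS b
WHERE b.idUser IS NOT NULL
  AND NOT EXISTS (SELECT 1 FROM dbo.[User] AS u WHERE u.idUser = b.idUser);
-- 3. Add the key. WITH CHECK validates existing rows, so it fails if step 2 found any.
ALTER TABLE dbo.Bill WITH CHECK
    ADD CONSTRAINT FK_Bill_User FOREIGN KEY (idUser) REFERENCES dbo.[User] (idUser);
-- 4. Confirm the constraint is trusted (0 = validated, so the optimizer can rely on it).
SELECT name, is_not_trusted FROM sys.foreign_keys WHERE name = 'FK_Bill_User';
-- 5. A write with an unknown idUser now fails with error 547 (conflict with the
--    FOREIGN KEY constraint), which the server script or the Android client must handle.
--    idBill is assumed to be an identity column and [date] a datetime column.
BEGIN TRY
    INSERT INTO dbo.Bill (idUser, [date], description) VALUES (999999, SYSDATETIME(), N'orphan');
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS Err, ERROR_MESSAGE() AS Msg;  -- 547
END CATCH;
```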