Assign Permissions and Roles Sub domain Specific Drupal 7 - drupal-7

I have 4 subdomains. I am using a shared database. How do I set up permissions for each subdomain specifically? That is, assign different permissions for subdomain A and B, but I need that in my shared database in Drupal. Please help.

For those four subdomains you can create 4 roles such as AdminA, AdminB, AdminC etc. and assign these roles to the users of the subdomains.
Then you have to apply a condition using the base URL and redirect the user with an access denied error if he has not been assigned that role.
E.g. AdminA has the right to access subdomainA, so when he accesses another domain he will see an access denied error and be logged out of the site.
Hope that helps.
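
A sketch of the check described in this answer, added here as an example and not taken from the original post. It is written as a hypothetical custom Drupal 7 module named subdomain_access; the host names, the AdminD role and the helper function names are assumptions.

```php
<?php
/**
 * @file
 * subdomain_access.module: hypothetical custom Drupal 7 module (added example).
 */

/**
 * Host => role required on that host. Constructed sample values.
 */
function subdomain_access_role_map() {
  return array(
    'a.example.com' => 'AdminA',
    'b.example.com' => 'AdminB',
    'c.example.com' => 'AdminC',
    'd.example.com' => 'AdminD',
  );
}

/**
 * Decides whether a user holding $roles may use the site served on $host.
 * Hosts missing from the map are refused, so the check fails closed.
 */
function subdomain_access_is_allowed($host, array $roles, array $map) {
  $host = strtolower((string) $host);
  return isset($map[$host]) && in_array($map[$host], $roles, TRUE);
}

/**
 * Implements hook_init().
 */
function subdomain_access_init() {
  global $user, $base_url;
  // Anonymous visitors and uid 1 are outside this check; login and logout
  // must stay reachable so a refused user can switch accounts.
  if (user_is_anonymous() || $user->uid == 1
      || in_array(current_path(), array('user/login', 'user/logout'), TRUE)) {
    return;
  }
  $host = parse_url($base_url, PHP_URL_HOST);
  if (!subdomain_access_is_allowed($host, $user->roles, subdomain_access_role_map())) {
    watchdog('subdomain_access', 'User %name refused on %host.',
      array('%name' => $user->name, '%host' => $host), WATCHDOG_WARNING);
    drupal_access_denied();
    drupal_exit();
  }
}
```

Set $base_url explicitly in each subdomain's settings.php: when it is left unset, Drupal 7 derives it from the Host header of the request, and the role check would then rest on a client-supplied value.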

Related

User assigned Exchange Admin role via Role Enabled Security Group unable to access EAC, but able to use management shell

As the title says, I have a user "User1" in a group "Techs" and "Techs" is a Role Enabled Azure AD, Cloud Only, Security Group that is assigned the Exchange Administrator, Helpdesk Administrator and Exchange Recipients Administrator roles.
User1 is able to powershell and use most cmdlets for mailbox management, but is unable to access the EAC. Attempting to access EAC sends User1 to a mailbox management page for their own mailbox, and attempting to Edit Mailbox Properties for a user in the Microsoft 365 Portal greets User1 with a 403 forbidden page.
Direct assignment of exchange admin role works, but defeats the purpose of using a group. Anyone else experience this or know how I can fix it?
Currently, it is possible to switch back to the existing EAC (often called the "classic" EAC), but at a future date, the classic EAC will be retired.
But I suggest not using the "classic" EAC for work because, according to my test, the methods listed here cannot allow the Exchange admin to manage the mailboxes in the tenant.
It's recommended to access the new EAC using these 2 methods:
1. Sign in to Microsoft 365 or Office 365 using your work or school account. In the left navigation pane, navigate to Admin centers > Exchange.
2. You can also get to the new Exchange admin center directly by using the URL https://admin.exchange.microsoft.com and signing in using your credentials.
As the document suggests, be sure to use a private browsing session (not a regular session) to access the Exchange admin center using the direct URL. This will prevent the credential that you are currently logged on with from being used.
In this way, your user, which is assigned the Exchange Admin role through group inheritance, should be able to access the EAC successfully.

Can't access anything on AWS despite being root

I was trying to create an Oracle Database instance in AWS using RDS, then I stumbled upon this error
Then I was trying to check my account information, and the same access denied is everywhere. I literally can't do anything. I am currently logged in as root user. I am very new to AWS. So any help is appreciated :)
Your account doesn't have full access to all the resources. It has limited rights to create/remove/use resources in AWS. You need to speak to your admin to get the necessary grants. Or, if it's a sub-account, then you need to switch the role from the top right corner of the console to the proper role.

Identify admin permissions required by an Azure AD app registration

How can I find out what admin permissions are blocking the user from signing in to an Azure AD app?
I am setting up an App Registration in the Azure AD portal to be used with my Service Fabric cluster. The app registration does basic auth and only has one Required Permission configured: Sign in and read user profile (which does NOT require admin permission).
My tenant has the "Users can consent to apps accessing company data on their behalf" setting set to "Yes", so it's not that.
Also, the /authorize request doesn't have any resource parameter, so it's implicitly asking for the permission I configured: Azure AD's Sign in and read user profile.
However, when a non-admin user attempts to sign in, I still get the error:
AADSTS90094: The grant requires admin permission
I reproduced the scenario and this is what I observed. Found a workaround, hope it helps.
First I created a Service Fabric (SF) cluster secured with AAD authentication using the steps described here, using an AAD tenant where I am not a global admin.
Then I tried to login to Service Fabric Explorer (SFX) and I got this error:
AADSTS50105: The signed in user is not assigned to a role for the
application 'f8c79129-deb7-4a21-a6e0-ec29e88298ef'
This is expected, because the user must be assigned to a role (Admin or ReadOnly) in the SF application that represents the cluster. So I went to AAD > Enterprise Applications > found my cluster app and under Users and Groups I added myself to the Admin role. Notice that the fact that a regular user can administer the roles of an application that the user owns is something new; it has been available for a month or so. Before that, a regular user couldn't administer the roles of an application.
Then I tried to login again to SFX and I got a different error:
AADSTS65005: Invalid resource. The client has requested access to a
resource which is not listed in the requested permissions in the
client's application registration. Client app ID:
f8c79129-deb7-4a21-a6e0-ec29e88298ef. Resource value from request: .
Resource app ID: 00000002-0000-0000-c000-000000000000. List of valid
resources from app registration: .
00000002-0000-0000-c000-000000000000 is Windows Azure Active Directory. For some reason SetupApplications.ps1 doesn't assign the Sign in and Read User Profile permission to the SF cluster application. So I edited the application and I assigned that permission, just like you showed in your print screen. Notice that SetupApplications.ps1 has a parameter AddResourceAccess (not mentioned in the doc) that adds that permission, not sure why it doesn't add it by default. Perhaps it isn't needed when you run SetupApplications.ps1 as a global admin, and the scripts/doc assumes that you are a global admin.
Then I tried to login to SFX again and I got the same error that you observed:
AADSTS90094: The grant requires admin permission.
So I checked the SF application under AAD > Enterprise Applications > found the SF cluster app > Properties. User assignment required is configured "Yes". I changed it to "No" and tried to login to SFX. This time it worked OK, I could consent and access the SFX console. Then I changed User assignment required again to "Yes".
One can argue whether the SF app really needs User assignment required > Yes, because anyway if a user is not assigned to the Admin or ReadOnly role, SFX will try to fall back to client certificate authentication.
Either way, the AAD behavior is confusing. At least, the error should be more descriptive and point to the User assignment configuration. Perhaps the current behavior has to do with what I mentioned before, that regular users can now administer roles. Perhaps the behavior is being improved.

Need to replicate users between two sites in WordPress Multisite installation

It was suggested in my earlier question that I should work with multisite. Little background:
Why we chose Multisite?
We have users registered on site1 but wanted them to be able to share their content on site2, so we installed multisite assuming that our users will be able to access site2 without registering with us again.
Here is what we thought would happen:
If a user is registered at mysite.com then user can just visit mysite/site2 and would just need to login (not create an account again) or be logged in automatically.
Here is what happens:
A test user is able to access both the websites but can't access site2 properly. Meaning, the user gets a 404 on some pages in site2. (This user is registered on site1 only.)
Things to note:
1. All users are registered on site1 and through dashboard, they are visible in the main site aka site1 and not site2. Site2>Dashboard>users has only those users who registered on this site separately.
Is there any way that we can replicate users from site1 to site2?
A username like first.last in site1 becomes first-last in site2 URL.
I can be logged in as userA in site1 and userB in site2. Which is something we want to avoid.
Are these limitations normal in the multisite setup or have I missed something in the configuration?
User accounts are shared between sites, however they must be individually granted permission on each site. By default, a user created on Site1 has no privileges on site2 until added by an admin.
An admin can manually add existing users to each site, or if you want to achieve this automatically, you can use the add_user_to_blog() function in your theme or plugin code to automatically add users to site2 if they have appropriate permissions on site1.
On my subdirectory-based multisite installation, sessions are shared between sites. Meaning if userA logs in to site1, then they are automatically also logged in at site2. If you are using subdomain-based multisite, then the behavior might be different but I am not sure. Maybe it can be configured so that session cookies are shared between the subdomains somehow.
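
One way to do the automatic add_user_to_blog() step from this answer, added here as an example and not taken from the original post. The site IDs, the s2sync_ function names and the role allow-list are assumptions; roles outside the allow-list (editor, administrator) are deliberately not copied and stay a manual decision.

```php
<?php
/**
 * Plugin Name: Site1 to Site2 membership sync (hypothetical added example)
 */

const S2SYNC_SOURCE_BLOG_ID = 1; // assumed ID of site1
const S2SYNC_TARGET_BLOG_ID = 2; // assumed ID of site2

/**
 * Picks the role to grant on site2 from the roles held on site1.
 * Only low-privilege roles are mapped; anything else returns null.
 */
function s2sync_target_role(array $source_roles) {
    $allowed = array('author', 'contributor', 'subscriber');
    foreach ($allowed as $role) {
        if (in_array($role, $source_roles, true)) {
            return $role;
        }
    }
    return null;
}

/**
 * On login, adds a site1 member to site2 if they are not a member yet.
 */
function s2sync_on_login($user_login, $user) {
    if (!is_multisite()) {
        return;
    }
    // Never overwrite a role an admin already set on site2.
    if (is_user_member_of_blog($user->ID, S2SYNC_TARGET_BLOG_ID)) {
        return;
    }
    if (!is_user_member_of_blog($user->ID, S2SYNC_SOURCE_BLOG_ID)) {
        return;
    }
    // Load the user in the context of site1 to read their roles there.
    $on_source = new WP_User($user->ID, '', S2SYNC_SOURCE_BLOG_ID);
    $role = s2sync_target_role($on_source->roles);
    if ($role === null) {
        return;
    }
    $result = add_user_to_blog(S2SYNC_TARGET_BLOG_ID, $user->ID, $role);
    if (is_wp_error($result)) {
        error_log('s2sync: ' . $result->get_error_message());
    }
}
add_action('wp_login', 's2sync_on_login', 10, 2);
```

Network-activate the plugin (or place it in mu-plugins) so the hook runs whichever site the user logs in on.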

Active Directory authentication in IE

I would like to be automatically logged on to a website using the password and login that are used on my computer when I open an AD session.
Connection must be granted if I'm in the right AD group.
Any advice?
The easiest solution would be to use the built-in ASP.NET Membership and Role system and just use the "Active Directory" membership and role providers.
That way, your user is automatically authenticated, and you can use role-based security in ASP.NET to do something like:
[PrincipalPermission(SecurityAction.Demand, Role = "MyAppRole")]
Put this on your critical or sensitive methods to allow or refuse access to your app.
With the same method, you can also add protected subfolders to your application and protect them by specifying who has access (or not) in your web.config (in that folder).
See a few links for additional details:
http://blogs.msdn.com/gduthie/archive/2005/08/17/452905.aspx
http://slalomdev.blogspot.com/2008/08/active-directory-role-provider.html
http://msdn.microsoft.com/en-us/library/system.web.security.activedirectorymembershipprovider.aspx
Hope this helps a bit.
Marc
