Using Managed Identity from ADF to run ADX commands - azure-data-explorer

I have an ADX cluster and it's configured to use a specific user assigned managed identity, i.e. from the Azure portal home page for the cluster I went to the Identity blade and from the "User assigned" tab I specified the managed identity that I had created. After this I created an external table of ADL kind with Parquet as the data format and specified storage endpoints with the same managed identity's object id. After this any export to the external table is working fine; of course, the managed identity does have permission to the storage account.
Now I also have an ADF that executes some commands against this ADX cluster. This worked with the ADF linked service using a service principal for authentication to the ADX cluster. But then I thought that since the cluster is already configured to use the Managed Identity, why not use that in reverse fashion to execute commands (run ADX Command activity) against the cluster. Please note that I have not granted any RBAC role against the cluster to the Managed Identity. I was trying to see if, merely by granting this identity to the cluster, this would work. But interestingly this didn't work: I got an error that the object id (managed identity) doesn't have permission to the cluster.
So does it mean that when we assign a specific managed identity to an ADX cluster, the ADX cluster can use the managed identity to talk to other entities (such as storage accounts in this example), but when other entities (such as ADF) want to use that very managed identity to 'talk back' to the ADX cluster, it won't work? Why should I be in a situation to grant an RBAC role to the Managed Identity against the ADX? So it's like saying that I trust a certain resource (Managed Identity) to represent me to others, but when others use the same resource to represent themselves to me, I won't trust them.

Related

How to get the role assignments of a resource through Resource Graph API?

I want to use the Azure Resource Graph API to get the role assignments of a resource (who are owners, contributors, etc.). That is, I want to create a query that finds the role assignments for a specific resource id that I provide. I've been going through the documentation, but I haven't found any way to get this information.
The only thing I found was this question from a couple of years ago, where it is mentioned as something that could be done somehow ("query the RBAC of each one of those resources").
Could anyone point me to how this could be done? Or is it not possible to do in Resource Graph API, and I need to use the Management API or something else?
I searched through the Azure Resource Graph table and resource type reference and the Advanced Resource Graph query samples, but didn't find an answer.
I tried to reproduce the same in my environment and got the results like below:
I created an Azure AD Application and added API permissions.
I generated an access token by using the below parameters:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:xxxxxx-xxx-xxx-xxxx-xxxxxxxx
client_secret:ClientSecret
scope:https://management.azure.com//.default
grant_type:client_credentials
To list the Role assignments in the subscription scope, I used the below query:
GET https://management.azure.com/subscriptions/subscriptionId/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01
Based on your requirement you can change the scope and add a filter to get the role assignments. Refer to the below MS Doc:
List Azure role assignments using the REST API - Azure RBAC
Currently it is not feasible to retrieve the role assignments via Azure Resource Graph. Alternatively, you can make use of Azure PowerShell or Azure CLI.
Get-AzRoleAssignment -Scope "/subscriptions/SubscriptionId/resourcegroups/RGName/providers/Providername/ResourceType/Resource"

Set someone else as cluster admin via kql syntax

I created a kusto cluster and database as one of my accounts on one Azure subscription, but now I want to grant cluster admin permissions to one of my other accounts that is not part of this subscription.
I have to do this via a kql command, or some other way I can manually pass in which users are becoming admins.
Is there such a thing as Cluster Admin permissions?
I added my other account as an admin to one of the databases in my cluster using
.add database DatabaseName admins ('aaduser=username#email.com')
but I cannot seem to do the same on a cluster level. How can I do this?
Cluster admin isn't a role you can add principals to.
You're likely looking for the All databases admin role: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/management/access-control/role-based-authorization
You can add principals to that role via the Azure portal, or programmatically as explained here (note: there's a dropdown for C#, python, and an ARM template): https://learn.microsoft.com/en-us/azure/data-explorer/cluster-principal-python
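The following is an added example for this thread, not code from any of the posts, the linked docs, or Microsoft. It ties together the two programmatic answers above: it builds the client-credentials token request and the roleAssignments GET from the Resource Graph answer, adds the check the first question is really after (does a given managed identity object id hold any RBAC role assignment at the cluster scope?), and builds the ARM PUT against Microsoft.Kusto/clusters/principalAssignments that the "All databases admin" answer points to. Assumptions: the Kusto api-version string, the request helper names, and the sample listing are mine; which ID (object id or application id) a principal type expects is documented in the linked role-based-authorization page, so the ids below are placeholders only.

```python
"""Inspect and grant control-plane access over the ARM REST API (added example, not from the posts)."""
import json
import urllib.parse
import urllib.request

ARM = "https://management.azure.com"
AUTHZ_API = "2022-04-01"   # the roleAssignments api-version used in the answer above
KUSTO_API = "2023-08-15"   # assumption: verify against the current Microsoft.Kusto REST reference


def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials POST with the same parameters the answer lists."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{ARM}/.default",
        "grant_type": "client_credentials",
    }).encode()
    return urllib.request.Request(url, data=body, method="POST")


def role_assignments_url(scope, only_this_scope=True):
    """GET for role assignments at a subscription, resource-group or resource scope.
    atScope() drops assignments inherited from parent scopes, which is what you want
    when asking 'what was granted directly on this cluster?'."""
    url = f"{ARM}{scope}/providers/Microsoft.Authorization/roleAssignments?api-version={AUTHZ_API}"
    if only_this_scope:
        url += "&$filter=" + urllib.parse.quote("atScope()")
    return url


def principals_at_scope(listing):
    """Map principalId -> [roleDefinition GUID, ...] from a roleAssignments response body."""
    out = {}
    for item in listing.get("value", []):
        props = item["properties"]
        role_guid = props["roleDefinitionId"].rsplit("/", 1)[-1]
        out.setdefault(props["principalId"], []).append(role_guid)
    return out


def has_role_assignment(listing, principal_object_id):
    """True if the given object id (e.g. a managed identity) holds any role in the listing.
    Being the cluster's *assigned* identity does not put it here; only a role grant does."""
    return principal_object_id in principals_at_scope(listing)


def kusto_principal_assignment(sub, rg, cluster, name, principal_id, tenant_id,
                               principal_type="App", role="AllDatabasesAdmin"):
    """URL and body for the PUT that adds a principal to a cluster-level Kusto role."""
    if role not in ("AllDatabasesAdmin", "AllDatabasesViewer"):
        raise ValueError(f"unknown cluster-level role {role!r}")
    if principal_type not in ("App", "Group", "User"):
        raise ValueError(f"unknown principal type {principal_type!r}")
    url = (f"{ARM}/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Kusto/clusters/"
           f"{cluster}/principalAssignments/{name}?api-version={KUSTO_API}")
    body = {"properties": {"principalId": principal_id, "principalType": principal_type,
                           "role": role, "tenantId": tenant_id}}
    return url, body


def arm_call(token, url, method="GET", body=None):
    """Send one ARM request with a bearer token; only used from main()."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample of a roleAssignments response (placeholder ids, not a real listing).
SAMPLE_LISTING = {"value": [{"properties": {
    "principalId": "11111111-1111-1111-1111-111111111111",
    "roleDefinitionId": "/subscriptions/sub/providers/Microsoft.Authorization/roleDefinitions/"
                        "aaaaaaaa-0000-0000-0000-000000000001",
    "scope": "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Kusto/clusters/adx"}}]}

if __name__ == "__main__":
    scope = "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Kusto/clusters/adx"
    print(role_assignments_url(scope))
    print("MI has a role here:", has_role_assignment(SAMPLE_LISTING, "11111111-1111-1111-1111-111111111111"))
    url, body = kusto_principal_assignment("sub", "rg", "adx", "adf-identity",
                                           "<managed-identity-id>", "<tenant-id>")
    print(url, json.dumps(body, indent=2))
    # Live use: tok = json.load(urllib.request.urlopen(token_request(t, c, s)))["access_token"]
    #           listing = arm_call(tok, role_assignments_url(scope)); arm_call(tok, url, "PUT", body)
```

The two checks are deliberately separate: an Azure RBAC role on the cluster resource (roleAssignments) governs control-plane operations, while the Kusto principal assignment (AllDatabasesAdmin / AllDatabasesViewer) governs what the identity may do inside the databases. Assigning the managed identity to the cluster in the Identity blade does neither; it only lets the cluster authenticate outbound as that identity.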

ARM Template: Service Principal for a newly generated App Site

I'm wondering if I'm going about this wrong... but still....
For security reasons, it would be preferred that an App used integrated security to talk to its database, using the app's Service Principal AAD account.
But how to set this up using ARMs, hopefully with no manual steps?
For example, when creating an ARM that creates an environment from scratch, starting with the App Service... how does one create an App Service Principal (or trigger the creation of one automatically?), in order to use it as a parameter when developing the new sql server and database?
Can one set up a Service Principal account before an app is installed, and then associate it to the newly installed app? That way one could pass the name of the Service Principal as Parameters.
Thank you for any advice on whether:
it's actually possible (maybe ARMs actually can't be pushed that far, and security accounts are considered outside the scope of infrastructure provisioning),
if so, how!?!
Thank you.
IntegratedSecurity is not applicable to Azure SQL.
I'm currently figuring out how to do it with MSI.
https://learn.microsoft.com/en-us/azure/active-directory/managed-service-identity/overview

OIM11gR2PS3 Dynamic Manual Fulfillment Task Assignment

Usually when a Disconnected Application Instance is provisioned to a user, the manual fulfillment tasks are by default assigned to "SYSTEM ADMINISTRATORS" Role. We can modify it to any other role directly in SOA Composer so that the Fulfillment tasks are assigned to the newly Updated role. We can also have different rules in place for different application instances.
But the scenario is like this: we have a Role associated with an access policy which will provision a Disconnected Application Instance to the user upon provisioning the role. The Access Policy is also associated with some entitlements which will require manual fulfillment tasks to be assigned to a particular fulfillment role, which differs for different roles.
How do we dynamically fetch the Fulfillment Role in order to assign the task to them? I understand we should achieve it using the Oracle Business Rules. But how do I get the catalog attributes in the DisconnectedProvisioning composite?
I am a beginner in SOA - Workflow implementation. So please provide some detailed answers.
Thanks,
Srini
You should be able to assign a role to the Fulfillment Roles on the Disconnected App and its separate entitlements in the catalog.
Then, when the Access Policy triggers, first a Provision Task should be generated for the Fulfiller role on the application instance; then, once that is completed, a Grant Entitlement task will be created for the fulfiller roles associated with each entitlement.

IBM BPM routing based on attributes

How can I route a task based on user attributes in IBM BPM 8.5.6?
In my case I have a list of attributes assigned to each user. For example a user will have an attribute called Region and this can have multiple values. So what we do is keep it as a comma separated string, like REG1,REG2,REG3. Now when a task is initiated there will be a region associated with it. So I want this task to be routed to only those users who have that region value set.
I've created a team filter service and filter out a list of users. This works fine but the problem here is if we add a new user with appropriate region or add new regions to existing users these tasks are not visible to them. Is there any way to dynamically update the user list?
PS: I can create one group per region or one team retrieval service per region as there will be 100s of regions.
IBM BPM won't update the user repository all the time; there are certain events that will trigger an update:
http://www-01.ibm.com/support/knowledgecenter/SSFPJS_8.5.6/com.ibm.wbpm.admin.doc/topics/sync_users_and_groups.html
Quoting the article (because IBM articles may vanish at some point):
IBM Business Process Manager implicitly synchronizes external users and groups based on the following triggers:
Upon startup of a cluster member or server, all available groups (without members) are synchronized, so that all external groups are available for IBM BPM modeling and execution.
When a user logs in to an IBM BPM web application, such as Process Portal, for the first time, that user is created in the IBM Business Process Manager database.
When a new or existing user logs in to an IBM BPM web application, such as Process Portal, that user's full name and group memberships are updated. The groups the user belongs to are queried from the external user registry, and the IBM Business Process Manager database content is updated to reflect the current state.
When a REST call is triggered because a user that was newly registered in a federated repository (using an LDAP server) is not yet known to IBM Business Process Manager, synchronization of external users and groups with IBM Business Process Manager takes place. This synchronization is done only once.
You can also trigger synchronization via the Process Admin Console or manually with the usersSync or usersFullSync commands.