I've been added to a RG as owner in a subscription outside på company. Navigating to the Access contol (IAM) of the RG and clicking "View my access". clearly says "Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.":
But I can not create any resources w/o getting:
The client 'mikael.hakansson#xxx.com' with object id 'xxx' does not have authorization to perform action 'Microsoft.Storage/register/action' over scope '/subscriptions/xxx' or the scope is invalid. If access was recently granted, please refresh your credentials. (Code: AuthorizationFailed) (Code: AuthorizationFailed)
Neither can I view Role assignments: "You do not have permissions to read this directory. Contact a Global Administrator and have them assign you the Directory Readers role in Azure Active Directory."
Thank you for any input
As I have mentioned in comments , The Owner Role that you have assigned to is in for the resource Group as its showing This Resource. If it was assigned to Subscription then it would have been seen as Subscription(Inherited) in the resource group level.
Example:
The client 'mikael.hakansson#xxx.com' with object id 'xxx' does not
have authorization to perform action
'Microsoft.Storage/register/action' over scope '/subscriptions/xxx' or
the scope is invalid. If access was recently granted, please refresh
your credentials. (Code: AuthorizationFailed) (Code:
AuthorizationFailed)
Coming to the above error , its because you have permission on only resource group level. You need to have access on Subscription level which may be Owner/Contributor to create resources. As When you are creating resources Azure API registers that resource provider on subscription and gets a token on your user to create a resource for that resource provider in any resource group on the subscription , if you don't have proper permissions on subscription then it fails to register the resource provider and get the token on your name and returns an error.
Every type of resource you should be able to create at the subscription level has to have its resource provider registered. This is done in the subscription level (in the resource providers tab in portal; see https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types)
When the resource provider is registered, Owner or Contributor to a resource group can create that type of resource in the resource group.
However, only the subscription owner can register the resource. It complains about Microsoft.Storage/register/action not being permitted when you try to create a storage account, but the Microsoft.Storage provider is not registered. Once the subscription administrator registers Microsoft.Storage, you should be able to create storage accounts in that resource group with only permissions to that resource group.
Related
I'm unable to setup alerts in my Application Insights instance on Azure from portal.
This is the error I receive:
Failed to create alert rule 'XWRANotification'. The client
'sk#org.com' with object id 'xxx-3525-48c6-97ad-xxx' does not have
authorization to perform action
'microsoft.insights/scheduledqueryrules/write' over scope
'/subscriptions/xxx-d404-4748-a3e8-09afe0bbea49/resourceGroups/RG-XWRA-01/providers/microsoft.insights/scheduledqueryrules/XWRANotification' or the scope is invalid. If access was recently granted, please
refresh your credentials..
I've following access configured for my user on this App Insights instance:
Contributor
Application Insights Component Contributor
Monitoring Contributor
Based on our comments, in addition to the 3 roles you listed, you need another Contributor role for the resource group which you will create your action group in.
If you already have this role, you should be able to setup the alerts. As it suggested: If access was recently granted, please refresh your credentials.
I have created a asp.net application Authenticate with external identity provider (Azure Active Directory)
how can I create relation between users and local database tables ??
You can store the either the user's id or UPN (userPrincipalName) from Active Directory in your own data store. Both of these fields are in the token you get from AD. In Access Tokens - Payload claims you see both the oid field and the upn field are available. My preference would be to use the oid.
id
The unique identifier for the user. Inherited from directoryObject. Key. Not nullable. Read-only.
userPrincipalName
The user principal name (UPN) of the user. The UPN is an Internet-style login name for the user based on the Internet standard RFC 822. By convention, this should map to the user's email name. The general format is alias#domain, where domain must be present in the tenant’s collection of verified domains. This property is required when a user is created. The verified domains for the tenant can be accessed from the verifiedDomains property of organization. Supports $filter and $orderby.
Source: user resource type - Properties
This will enable you to track back to a specific user in AD.
I am setting up an instance of WSO2 API manager, and want to give developers access to the API "store" pages by linking it to my existing OpenID Connect identity server (OpenAM). I've added the OIDC configuration into the store configuration file (wso2am-2.6.0/repository/deployment/server/jaggeryapps/store/site/conf/site.json) with all the details of the authorise, token, userinfo endpoints, etc.
When users click login in the store, it is correctly redirecting them to OpenAM to login, and passing an access token back to the store app. I've also ensured some of the required claims are returned from the userinfo endpoint (like preferred_username). I'm also returning a "groups" claim listing the groups the user should be in "subscriber" for example.
The claims I'm returning from userinfo are:
{
"address":{
"formatted":"My House"
},
"given_name":"Danny",
"family_name":"Developer",
"name":"Danny Developer",
"preferred_username":"Danny Developer",
"groups":[
"subscriber"
],
"email":"adam.hatherly#nhs.net",
"sub":"developer1"
}
However, whatever I try with claims and group names, the store still gives the error message "User is not permitted to log in to the Store.". I assume there's something else I need to add in either the access token or userinfo endpoint
claims list to make the store app accept the user, or some other config in the store or carbon console?
The reason for the user login issue is that the user does not have relevant permissions to log in to the store. User needs to have internal/subscriber role assigned to it. Since the user is coming from OpenAM and APIM does not have any information to authorize it, login fails.
For this either you should share the user OpenAM user store with APIM (say a shared LDAP) and assign users with internal/subscriber role or use a custom code to add the user to the APIM user store and assign the role.
Another easiest option is to create a user in APIM side (add a dummy password) with subscriber role. but this is not a suitable solution if you do not know all the users
My end goal is to register my API to receive notifications of leads generated by LinkedIn for my business's Company Page. The docs here say I need to register at https://api.linkedin.com/v2/leadNotificationUrls using the r_ads_ge_automation permission. I'm trying to acquire this type of access token by using a web browser to hit https://www.linkedin.com/oauth/v2/authorization?response_type=code&client_id=client_id_for_my_application&redirect_uri=https://my.company.net/api/oauth/linkedin&state=Testing12345&scope=r_ads_leadgen_automation, then logging in as a user that is an admin for the respective company page, then acquiring authentication code, and finally requesting an access token.
The problem is that when I try to hit https://www.linkedin.com/oauth/v2/authorization (with the query params above), I get an error response stating "r_ads_leadgen is not authorized for your application". I can't find any kind of application configuration that is supposed to give this permission to my application.
Can anyone help? Thank you
Permissions are offered to select Partners only. Have you applied to a Partner Program https://business.linkedin.com/marketing-solutions/marketing-partners/become-a-partner?
We use the LinkedIn API to list companies that a user admins.
We have our App set to get r_fullprofile and rw_company_admin when the user grants permission.
We're trying to list all of the companies the user has admin access to via:
http://api.linkedin.com/v1/companies:(id,name,square-logo-url)?is-company-admin=true
<error>
<status>403</status>
<timestamp>1432323149224</timestamp>
<request-id>XXXXXXXXXX</request-id>
<error-code>0</error-code>
<message>Member [user id] does not have permission to get companies as admin.</message>
</error>
According to the Manage Company Pages docs, as long as we have the rw_company_admin scope, we should be able to call this endpoint.
I've read through the Developer Program Transition docs (https://developer.linkedin.com/support/developer-program-transition) but it doesn't seem to affect this usage of the API.
ETA: This has been flagged as a possible duplicate of LinkedIn API unable to view _any_ company profile
That question is about fetching details for a single company (which the user may or may not administrate). My question is about listing companies that the user specifically does administrate.
According to new api changes user should be administrator of target company. Read this .
All calls to Companies API endpoints will require the authenticated user to be flagged as an administrator of the LinkedIn Company Page that is the target of the API call. You become the administrator of a page when you create it. If the page already exists, you will have to contact the existing administrator to grant admin access to other LinkedIn members.
I faced the same problem and the problem was with the initial authorization code. You should mention the scope=rw_company_admin while doing the initial redirect URL call. Something like this -
https://www.linkedin.com/oauth/v2/authorization?response_type=code&client_id=your_client_id&redirect_uri=https%3A%2F%2Fwww.google.com/&state=12345&scope=rw_company_admin%20r_emailaddress%20w_share%20r_basicprofile