I've found out that there are differences between current and previous luis portals regarding functionality. I'm talking about eu.luis.ai (current) and previous.eu.luis.ai specifically.
For the scenario we assume the following:
There are multiple Azure Directories/tenants to which I was granted access
There is one authoring resource in a subscription in one of the ADs
There are multiple luis apps that belong to this authoring resource
I'm set as contributor in the authoring resource IAM
There are multiple prediction resources in different Azure Directories which I want to assign to these luis apps
In the current portal I select the Azure Directory via the profile menu. Within the selected AD I can now choose an authoring resource and then access the luis apps.
Now if I try to assign the prediction resources, this is possible for prediction resources located in the Azure Directory I've selected. If I switch the AD, I would be able to assign the prediction resources of this AD, but I'm not able to select the authoring resource of the other tenant and so I can't see any luis app.
In the previous portal I select the subscription and the authoring resource and then am able to access the luis apps. To assign the prediction resources I click the button "Add prediction resource" under the "Manage" tab of an app. A modal window opens where I can select a tenant, then a subscription of this tenant and then a prediction resource. So I'm able to assign any prediction resource of any tenant to which I was granted access to the luis apps that are registered to one authoring resource.
And the question is:
How can I assign any prediction resource of any tenant I was granted access to, to a luis app that is linked with an authoring resource of a different tenant, in the current luis portal?
#ooorndtski The change in the new luis portal is to ensure the change in tenant is handled in the same way as in the Azure portal. If you would like to assign a prediction resource of a different tenant you can use the programmatic APIs. This thread details these steps.
I want to use the Azure Resource Graph API to get the role assignments of a resource (who are owners, contributors, etc.). That is, I want to create a query that finds the role assignments for a specific resource id that I provide. I've been going through the documentation, but I haven't found any way to get this information.
The only thing I found was this question from a couple of years ago, where it is mentioned as something that could be done somehow ("query the RBAC of each one of those resources").
Could anyone point me to how this could be done? Or is it not possible to do in Resource Graph API, and I need to use the Management API or something else?
I searched through the Azure Resource Graph table and resource type reference and the Advanced Resource Graph query samples, but didn't find an answer.
I tried to reproduce the same in my environment and got the results like below:
I created Azure AD Application and added API permissions:
I generated an access token by using below parameters:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:xxxxxx-xxx-xxx-xxxx-xxxxxxxx
client_secret:ClientSecret
scope:https://management.azure.com//.default
grant_type:client_credentials
To list the Role assignments in the subscription scope, I used the below query:
GET https://management.azure.com/subscriptions/subscriptionId/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01
Based on your requirement you can change the scope and add a filter to get the role assignments. Refer to the MS Doc below:
List Azure role assignments using the REST API - Azure RBAC
Currently it is not feasible to retrieve the role assignments via Azure Resource Graph. Alternatively, you can make use of Azure PowerShell or Azure CLI.
Get-AzRoleAssignment -Scope "/subscriptions/SubscriptionId/resourcegroups/RGName/providers/Providername/ResourceType/Resource"
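As an added illustration of the REST approach in the answer above (this is example code, not part of the answer or of any Microsoft SDK), the following Python builds the roleAssignments URL for a scope with the documented $filter forms and flattens the JSON the API returns. Token acquisition is left out; the sample response, subscription id and principal ids are constructed, and the only real values are the API version, the URL shape and the two built-in role definition GUIDs. The `inherited` flag is the check worth having: a resource-scoped query also returns assignments made on the resource group, subscription or management group.

```python
from __future__ import annotations

from urllib.parse import quote

ARM_BASE = "https://management.azure.com"
API_VERSION = "2022-04-01"

# Built-in role definition GUIDs (well-known Azure values).
CONTRIBUTOR = "b24988ac-6180-42a0-ab88-20f7382dd24c"
OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"


def role_assignments_url(scope: str, *, at_scope: bool = False,
                         principal_id: str | None = None) -> str:
    """Build the GET URL for Microsoft.Authorization/roleAssignments at `scope`.

    `scope` is an ARM resource id: "/subscriptions/<id>", a resource group,
    or a full resource id such as a LUIS authoring account. The two $filter
    forms are the documented ones and are not combined in one request.
    """
    if at_scope and principal_id:
        raise ValueError("use either atScope() or the principalId filter, not both")
    path = "/".join(quote(part) for part in scope.strip("/").split("/"))
    query = f"api-version={API_VERSION}"
    if at_scope:
        query += "&$filter=atScope()"
    elif principal_id:
        query += "&$filter=" + quote(f"principalId eq '{principal_id}'", safe="'")
    return f"{ARM_BASE}/{path}/providers/Microsoft.Authorization/roleAssignments?{query}"


def flatten_assignments(payload: dict, queried_scope: str) -> list[dict]:
    """Flatten the API's {"value": [...]} response into one record per assignment.

    `inherited` marks assignments that live on a parent scope (resource group,
    subscription, management group): the API returns those as well, so a
    resource-level query still lists subscription-wide Owners and Contributors.
    """
    wanted = queried_scope.rstrip("/").lower()
    rows = []
    for item in payload.get("value", []):
        props = item["properties"]
        rows.append({
            "assignment": item["name"],
            "principal_id": props["principalId"],
            "principal_type": props.get("principalType", "Unknown"),
            "role_definition": props["roleDefinitionId"].rsplit("/", 1)[-1],
            "scope": props["scope"],
            "inherited": props["scope"].rstrip("/").lower() != wanted,
        })
    return rows


def principals_with_role(rows: list[dict], role_definition: str) -> set[str]:
    """Principal object ids holding a role definition GUID, direct or inherited."""
    return {r["principal_id"] for r in rows if r["role_definition"] == role_definition}


# Constructed sample data (not from a real tenant).
SAMPLE_SUB = "00000000-0000-0000-0000-000000000001"
SAMPLE_SCOPE = (f"/subscriptions/{SAMPLE_SUB}/resourceGroups/rg-demo"
                "/providers/Microsoft.CognitiveServices/accounts/luis-authoring-demo")
SAMPLE_RESPONSE = {
    "value": [
        {   # assigned directly on the resource
            "name": "11111111-1111-1111-1111-111111111111",
            "type": "Microsoft.Authorization/roleAssignments",
            "properties": {
                "roleDefinitionId": f"/subscriptions/{SAMPLE_SUB}/providers/"
                                    f"Microsoft.Authorization/roleDefinitions/{CONTRIBUTOR}",
                "principalId": "aaaaaaaa-0000-0000-0000-000000000001",
                "principalType": "User",
                "scope": SAMPLE_SCOPE,
            },
        },
        {   # inherited from the subscription
            "name": "22222222-2222-2222-2222-222222222222",
            "type": "Microsoft.Authorization/roleAssignments",
            "properties": {
                "roleDefinitionId": f"/subscriptions/{SAMPLE_SUB}/providers/"
                                    f"Microsoft.Authorization/roleDefinitions/{OWNER}",
                "principalId": "bbbbbbbb-0000-0000-0000-000000000002",
                "principalType": "Group",
                "scope": f"/subscriptions/{SAMPLE_SUB}",
            },
        },
    ]
}

if __name__ == "__main__":
    print(role_assignments_url(SAMPLE_SCOPE))
    for row in flatten_assignments(SAMPLE_RESPONSE, SAMPLE_SCOPE):
        print(row)
```

Send the URL with the bearer token obtained as in the answer; `atScope()` is the filter to use when you want assignments at or above the scope without the inherited-by-children noise, and the `principalId eq '...'` form answers "what does this user or group hold here".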
I'm using Microsoft Graph SDK for .NET Core. I'm trying to get a list of all Office 365 plans in all Azure Active Directory groups within my organization.
I have been reading through a lot of questions, but haven't found a clear answer to my problem: As it's stated in the official documentation, you cannot list plans in a group using client credentials (application permissions), which is the exact authentication method I'm using. Given this, how can I achieve my objective?
As per documentation, the only way to list plans in groups is to use Delegated Permissions, but in that case, and according to the Microsoft Graph permissions:
either the user or an administrator consents to the permissions that the app requests and the app can act as the signed-in user when making calls to Microsoft Graph.
If the signed-in user is a regular user then the application will only access the groups that user is a member of. Bear in mind that there may not be a single user that is a member of all groups.
Is there a way to get my application to list all plans in all groups within my organization?
You can now use application permissions.
Outdated Reply:
Planner currently does not support application permissions. Depending on what your scenario is, you have a couple of options. One option is to create a user account to be used by your app, and add that user to all the groups. Then you'll be able to query the plans with the credentials of that user.
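Since the updated answer says application permissions now work, here is an added example (my own code, not from the answer or the Graph SDK) of what the app-only walk looks like over the raw Graph REST endpoints: enumerate Microsoft 365 groups, then `GET /groups/{id}/planner/plans` for each, following `@odata.nextLink` on both collections. The Graph URLs are real; the permission names in the comment (Group.Read.All, Tasks.Read.All) are an assumption, and the `FAKE_GRAPH` table stands in for the service so the example runs offline.

```python
from __future__ import annotations

import json
import urllib.request
from typing import Callable, Iterator

GRAPH = "https://graph.microsoft.com/v1.0"
Fetch = Callable[[str], dict]


def make_graph_fetch(access_token: str) -> Fetch:
    """Return fetch(url) that GETs a Graph URL with the app's bearer token.

    The token comes from the client-credentials flow; the app registration
    needs application permissions covering groups and Planner (assumed here
    to be Group.Read.All and Tasks.Read.All).
    """
    def fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch


def iter_pages(fetch: Fetch, url: str) -> Iterator[dict]:
    """Yield every item of an OData collection, following @odata.nextLink pages."""
    next_url: str | None = url
    while next_url:
        page = fetch(next_url)
        yield from page.get("value", [])
        next_url = page.get("@odata.nextLink")


def list_plans_for_all_groups(fetch: Fetch) -> dict[str, list[str]]:
    """Map each Microsoft 365 group's display name to the titles of its plans.

    Only Unified (Microsoft 365) groups can own Planner plans, so the $filter
    keeps the group walk short; a group without plans maps to an empty list.
    """
    groups_url = (f"{GRAPH}/groups?$filter=groupTypes/any(c:c eq 'Unified')"
                  "&$select=id,displayName")
    plans: dict[str, list[str]] = {}
    for group in iter_pages(fetch, groups_url):
        plans_url = f"{GRAPH}/groups/{group['id']}/planner/plans"
        plans[group["displayName"]] = [p["title"] for p in iter_pages(fetch, plans_url)]
    return plans


# Constructed offline stand-in for Graph: URL -> response page.
GROUPS_URL = f"{GRAPH}/groups?$filter=groupTypes/any(c:c eq 'Unified')&$select=id,displayName"
FAKE_GRAPH = {
    GROUPS_URL: {"value": [{"id": "g-finance", "displayName": "Finance"}],
                 "@odata.nextLink": f"{GRAPH}/groups?$skiptoken=page2"},
    f"{GRAPH}/groups?$skiptoken=page2": {"value": [{"id": "g-hr", "displayName": "HR"}]},
    f"{GRAPH}/groups/g-finance/planner/plans": {
        "value": [{"id": "p1", "title": "Budget 2024"}],
        "@odata.nextLink": f"{GRAPH}/groups/g-finance/planner/plans?$skiptoken=page2"},
    f"{GRAPH}/groups/g-finance/planner/plans?$skiptoken=page2": {
        "value": [{"id": "p2", "title": "Audit"}]},
    f"{GRAPH}/groups/g-hr/planner/plans": {"value": []},
}


def fake_fetch(url: str) -> dict:
    """Look the URL up in the constructed table; an unknown URL fails loudly."""
    return FAKE_GRAPH[url]


if __name__ == "__main__":
    print(list_plans_for_all_groups(fake_fetch))
```

Against a real tenant, replace `fake_fetch` with `make_graph_fetch(token)`; the page walker is the part people forget, and without it large tenants silently return only the first page of groups.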
I want to give users permission to only add utterances to Intents to which the owner gave them access.
The author is the one who should have full access, like adding, removing or modifying an Entity, Intent, etc.
There is a concept called collaborator, but that gives full access to author the model, train and publish, which doesn't seem really good.
Is there a concept of role-based actions in the LUIS portal, or is Microsoft coming up with one in the latest luis portal which is under preview now?
Any help is appreciated. Thanks ...
As of now, there is no such provision to allow the users to just get the permission to add utterances to intents. Role based assignments do not allow you to give access to users just to add utterances and are basically classified as contributors, collaborators, owner and so on. LUIS allows you to collaborate and contribute with Azure AD and RBAC based on Azure Active Directory resource and Azure Active Directory tenant user.
You can request this feature by posting the idea on the feedback forum for Cognitive Services.
I have a saas platform I'm building and I'm currently struggling with how to model my auth flow. The system is going to be multiple multi-tenant applications but I would like to unify user authorization & authentication. Basically, each US State will have its own web app/resource server/database and every county in that state will be a separate tenant. I cannot combine all states into one application, so that is not an option.
I would like to throw all users and their information/password into one database connected to my auth service. But each county (tenant) admin within each state (web app) needs to be able to add & manage their users and their roles. So the auth service needs to be aware of all the different tenants across each application. I also need to be able to link items created in each database to the user that created it. If I create object "X" and another user in my county views that item, they can see "Kovaci" created this.
I also do NOT want SSO between states but if possible I would like users to be a part of multiple tenants within one app (not a requirement though). Native iOS/Mobile apps are another client I need to support with this flow.
I used this bitoftech article to base off of: http://bitoftech.net/2014/10/27/json-web-token-asp-net-web-api-2-jwt-owin-authorization-server/comment-page-1/#comments
And here is my paint quick mockup: multi saas design
My question is just generally how do I design this auth part? Can I store all users in one auth db like my goal? If so, how do tenant admins manage them and how do I link tables in my separate app db's to the users' current info in the auth db?
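The question has no answer on the page, so the following is an added example of one way the token side of such a design can be expressed (my own code, not from the question's author or the linked bitoftech article, which uses ASP.NET). The central auth service issues an HS256 JWT per state application: the state app is the `aud`, each state app has its own signing key, and the token carries only the counties (tenants) and roles the user holds in that state. Because the Ohio app verifies with its own key and audience, a Texas token is rejected there, which is the "no SSO between states" requirement; multiple counties in one state are just multiple entries in the `tenants` claim. Key material and ids are constructed.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

# One signing key per state application (constructed; real keys live in a secret store).
STATE_KEYS = {
    "app:texas": b"texas-signing-key-constructed",
    "app:ohio": b"ohio-signing-key-constructed",
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_token(audience: str, user_id: str, tenants: dict[str, list[str]],
                *, ttl: int = 3600, now: int | None = None) -> str:
    """Issue an HS256 JWT for one state application (the audience).

    `tenants` maps county (tenant) ids to the user's roles in that county.
    Only counties of this state are included, so the token says nothing about
    the user's standing in any other state's application.
    """
    issued = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": "auth-service", "sub": user_id, "aud": audience,
               "iat": issued, "exp": issued + ttl, "tenants": tenants}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()))
    return signing_input + "." + _b64url(_sign(STATE_KEYS[audience], signing_input))


def verify_token(audience: str, token: str, *, now: int | None = None) -> dict:
    """Verify a token as the given state app; raises ValueError on any failure.

    The app checks with its own key and its own audience, which is what stops
    a token minted for Texas from being honoured by the Ohio app.
    """
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    if not hmac.compare_digest(_sign(STATE_KEYS[audience], f"{h}.{p}"), _b64url_decode(s)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    payload = json.loads(_b64url_decode(p))
    if payload.get("aud") != audience:
        raise ValueError("token not issued for this application")
    current = int(time.time()) if now is None else now
    if current >= payload.get("exp", 0):
        raise ValueError("token expired")
    return payload


def has_role(payload: dict, tenant_id: str, role: str) -> bool:
    """Authorization inside one app: does the user hold `role` in county `tenant_id`?"""
    return role in payload.get("tenants", {}).get(tenant_id, [])


if __name__ == "__main__":
    tok = issue_token("app:texas", "user-7",
                      {"county:tx-harris": ["admin"], "county:tx-travis": ["viewer"]})
    claims = verify_token("app:texas", tok)
    print(claims["sub"], has_role(claims, "county:tx-harris", "admin"))
    try:
        verify_token("app:ohio", tok)
    except ValueError as err:
        print("ohio app rejects texas token:", err)
```

For the "who created this" link, each state database stores the stable `sub` (the auth service's user id) in its created_by column, never the display name; the app resolves the name from the auth service when it renders, so renames in the central database show up everywhere. Tenant admins then manage only the rows of the central user table whose tenant id is one they administer, and the issued token reflects that the next time the user signs in.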
How can I route a task based on user attributes in IBM BPM 8.5.6?
In my case I have a list of attributes assigned to each user. For example a user will have an attribute called Region and this can have multiple values. So what we do is keep it as a comma separated string. Like REG1,REG2,REG3. Now when a task is initiated there will be a region associated with it. So I want this task to be routed to only those users who have that region value set.
I've created a team filter service and filter out a list of users. This works fine but the problem here is if we add a new user with appropriate region or add new regions to existing users these tasks are not visible to them. Is there any way to dynamically update the user list?
PS: I can create one group per region or one team retrieval service per region as there will be 100s of regions.
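As an added illustration of the matching logic such a team filter needs (my own Python, not IBM BPM code and not from the question), the following splits the comma-separated Region attribute into a set before comparing. That avoids the substring trap where a naive `"REG1" in "REG10,REG2"` test matches the wrong user, tolerates spaces and case differences in the stored value, and treats an empty or missing attribute as "no regions". The directory list is constructed; in a real filter service it is whatever user list the service receives at evaluation time, which is also why the result only changes when that list does.

```python
from __future__ import annotations


def parse_regions(attribute: str | None) -> set[str]:
    """Split a comma-separated Region attribute ("REG1,REG2, reg3") into a set.

    Spaces, case and empty entries are normalised so that "REG1, reg2,," and
    "REG1,REG2" describe the same regions.
    """
    if not attribute:
        return set()
    return {part.strip().upper() for part in attribute.split(",") if part.strip()}


def users_for_region(directory: list[dict], task_region: str) -> list[str]:
    """Ids of users whose Region attribute contains the task's region.

    `directory` is the current user list as handed to a team filter; the
    result is recomputed from it on every call, so a user added or re-tagged
    since the last evaluation shows up as soon as the directory reflects it.
    """
    wanted = task_region.strip().upper()
    if not wanted:
        return []
    return sorted(u["id"] for u in directory if wanted in parse_regions(u.get("Region")))


# Constructed sample directory: mixed formatting, an empty value, a missing
# attribute, and a region whose name starts with another region's name.
DIRECTORY = [
    {"id": "alice", "Region": "REG1,REG2,REG3"},
    {"id": "bob", "Region": " reg2 , REG4"},
    {"id": "carol", "Region": ""},
    {"id": "dave"},
    {"id": "frank", "Region": "REG10"},
]

if __name__ == "__main__":
    print(users_for_region(DIRECTORY, "REG2"))   # ['alice', 'bob']
    print(users_for_region(DIRECTORY, "REG1"))   # ['alice'] - frank's REG10 does not match
    later = DIRECTORY + [{"id": "erin", "Region": "REG2"}]
    print(users_for_region(later, "reg2"))        # ['alice', 'bob', 'erin']
```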
IBM BPM won't update the user repository all the time; there are certain events that will trigger an update:
http://www-01.ibm.com/support/knowledgecenter/SSFPJS_8.5.6/com.ibm.wbpm.admin.doc/topics/sync_users_and_groups.html
Quoting the article (because IBM articles may vanish at some point):
IBM Business Process Manager implicitly synchronizes external users and groups based on the following triggers:
Upon startup of a cluster member or server, all available groups (without members) are synchronized, so that all external groups are available for IBM BPM modeling and execution.
When a user logs in to an IBM BPM web application, such as Process Portal, for the first time, that user is created in the IBM Business Process Manager database.
When a new or existing user logs in to an IBM BPM web application, such as Process Portal, that user's full name and group memberships are updated. The groups the user belongs to are queried from the external user registry, and the IBM Business Process Manager database content is updated to reflect the current state.
When a REST call is triggered because a user that was newly registered in a federated repository (using an LDAP server) is not yet known to IBM Business Process Manager, synchronization of external users and groups with IBM Business Process Manager takes place. This synchronization is done only once.
You can also trigger synchronization via the Process Admin Console or manually with the usersSync or usersFullSync commands.