Develop Reference

Azure: I don't have permissions, but I am Owner

I've been added to a RG as owner in a subscription outside på company. Navigating to the Access contol (IAM) of the RG and clicking "View my access". clearly says "Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.":
But I can not create any resources w/o getting:
The client 'mikael.hakansson#xxx.com' with object id 'xxx' does not have authorization to perform action 'Microsoft.Storage/register/action' over scope '/subscriptions/xxx' or the scope is invalid. If access was recently granted, please refresh your credentials. (Code: AuthorizationFailed) (Code: AuthorizationFailed)
Neither can I view Role assignments: "You do not have permissions to read this directory. Contact a Global Administrator and have them assign you the Directory Readers role in Azure Active Directory."
Thank you for any input

As I have mentioned in comments , The Owner Role that you have assigned to is in for the resource Group as its showing This Resource. If it was assigned to Subscription then it would have been seen as Subscription(Inherited) in the resource group level.
Example:
The client 'mikael.hakansson#xxx.com' with object id 'xxx' does not
have authorization to perform action
'Microsoft.Storage/register/action' over scope '/subscriptions/xxx' or
the scope is invalid. If access was recently granted, please refresh
your credentials. (Code: AuthorizationFailed) (Code:
AuthorizationFailed)
Coming to the above error , its because you have permission on only resource group level. You need to have access on Subscription level which may be Owner/Contributor to create resources. As When you are creating resources Azure API registers that resource provider on subscription and gets a token on your user to create a resource for that resource provider in any resource group on the subscription , if you don't have proper permissions on subscription then it fails to register the resource provider and get the token on your name and returns an error.

Every type of resource you should be able to create at the subscription level has to have its resource provider registered. This is done in the subscription level (in the resource providers tab in portal; see https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types)
When the resource provider is registered, Owner or Contributor to a resource group can create that type of resource in the resource group.
However, only the subscription owner can register the resource. It complains about Microsoft.Storage/register/action not being permitted when you try to create a storage account, but the Microsoft.Storage provider is not registered. Once the subscription administrator registers Microsoft.Storage, you should be able to create storage accounts in that resource group with only permissions to that resource group.

Using an external OpenID Connect Identity Provider for WSO2 Store access

I am setting up an instance of WSO2 API manager, and want to give developers access to the API "store" pages by linking it to my existing OpenID Connect identity server (OpenAM). I've added the OIDC configuration into the store configuration file (wso2am-2.6.0/repository/deployment/server/jaggeryapps/store/site/conf/site.json) with all the details of the authorise, token, userinfo endpoints, etc.
When users click login in the store, it is correctly redirecting them to OpenAM to login, and passing an access token back to the store app. I've also ensured some of the required claims are returned from the userinfo endpoint (like preferred_username). I'm also returning a "groups" claim listing the groups the user should be in "subscriber" for example.
The claims I'm returning from userinfo are:
{
"address":{
"formatted":"My House"
},
"given_name":"Danny",
"family_name":"Developer",
"name":"Danny Developer",
"preferred_username":"Danny Developer",
"groups":[
"subscriber"
],
"email":"adam.hatherly#nhs.net",
"sub":"developer1"
}
However, whatever I try with claims and group names, the store still gives the error message "User is not permitted to log in to the Store.". I assume there's something else I need to add in either the access token or userinfo endpoint
claims list to make the store app accept the user, or some other config in the store or carbon console?

The reason for the user login issue is that the user does not have relevant permissions to log in to the store. User needs to have internal/subscriber role assigned to it. Since the user is coming from OpenAM and APIM does not have any information to authorize it, login fails.
For this either you should share the user OpenAM user store with APIM (say a shared LDAP) and assign users with internal/subscriber role or use a custom code to add the user to the APIM user store and assign the role.
Another easiest option is to create a user in APIM side (add a dummy password) with subscriber role. but this is not a suitable solution if you do not know all the users

Active Directory Authentication with Local-Role-Based Authorization

I'm developing an ASP.NET MVC application. I need to support multiple authentication mechanisms (this app is used by multiple customers, each with their own preferred authn provider). One auth provider will be Active Directory. The AD integration for authentication is straightforward and I have no problems with that.
For authorization, roles will be stored in a local database (NOTE: we cannot use Active Directory groups for doing authorization - roles need to be local application roles because we support multiple authn providers and AD admins won't want to create custom groups in AD just for our app). My expectation is that we will need to create "stub" user accounts in our local database in order to do the User-is-assigned-which-Roles mapping. These stub user accounts will also be used to indicate which users are authorized to access the application (not everyone in the AD database should have access).
The anticipated flow of control will be:
User accesses login page > enters credentials > posts credentials to app server.
The app validates the credentials against AD. At this point, we know if the user is authenticated.
The app checks the user's SID to see if a "stub" user account with that SID exists in the local database. If not, the app displays an "not authorized" error message to the user.
The app will look up roles for the user in the local database user-is-assigned-which-roles table.
User identity info including roles will be stored as claims and the app will use typical claims based authorization (i.e. ClaimsAuthorizationManager).
My question is what is the best way to create "stub" user accounts into my local database? My guess is that we should use some sort of AD export script to export AD accounts for those users that should be granted access to the ASP.NET app and then import those users into the local database (NOTE: I expect that the stub account will contain minimal info - perhaps just the user's SID from AD and maybe the username).
A batch export/import is probably OK as an initial deployment process. After the app is up-and-running and new users join the organization, I expect a more user-friendly mechanism will be desired for granting a new user access to our app (other than exporting/importing the new user's account from AD to our local database). My guess is that we'll need some sort of user browser screen so that an admin in our app can browse the AD directory, select a user, click a button and then have that user's "stub" account created automatically in our app.
Has anyone implemented an application with similar requirements? If so, how did you bootstrap the creation of "stub" accounts in your local database? Is there a better way to address these requirements?

Please feel free if this can Help You Custom Annotation Authorization
It's only a workaround, or just an idea, not a solution...
To use it you only need to use Annotation in the controller
e.g.
[ARQAuthorize]
public class BlaBlaController : Controller .....

I am currently implementing a similar solution. Here is how the application works. I'm using ASP.NET MVC 5, ASP.NET Identity 2.2.1.
I am using the Identity framework to manage users and roles within the application. The user goes to a login page, enters their credentials. The application checks against the application DB to see if the user exists. If not it throws an error that the user doesn't exist in the database. If the user exists, it authenticates against AD. If authentication fails they get an error message, if it doesn't fail I create a ClaimIdentity from the user out of the database (not the user in AD) and pass that to my SignIn method.
My user in the application DB has the same username as the AD username and I use that as my stub. I also include the domain of the user in the DB as well in the case that I might have multiple domains I need to support. With Identity, don't forget to also populate the SecurityStamp field with a guid.
The plan is to bulk import the users and permissions from a spreadsheet and I have some standard CRUD actions created to allow creation of individual users and assigning of roles after that.

ASP.net Identity and multi tenant multi user application

I am trying to learn ASP.net MVC -
I have successfully implemented the basic authentication and authorisation.
My application is multi tenant (One DB one Schema) and multi Users.
Each user can be added to any tenant by admin.
A user will be given a list of tenants he can use upon logging in.
Then the user clicks on one tenant and enter in to the tenant's application data and can update, create etc. (invoices for example).
I am using cookie authentication, should I be adding each tenant the user is authorized to use as a claim or check on server side for authorisation when user switch between tenants.
Using cookie claim will save DB queries if I have tenant list for user as claim. But Cookie has 4k limit what if a user can access thousands of tenants such as admin.

You can save user-tanent relation in a table , and put row id in cookie , so you can check that row when user logged in.

Role provider and Role management

When the CacheRolesInCookie property is set to true in the Web.config file, role information for each user is stored in a cookie. When role management checks to see whether a user is in a particular role, the roles cookie is checked before the role provider is called to check the list of roles at the data source. The cookie is dynamically updated to cache the most recently validated role names.
a) As far as I understand the above text, even though role management checks the roles cookie, role provider still checks the list of roles at the data source?
b) Above text talks about role management, which is invoked before role provider is called. What class acts as a role management?
thanx
EDIT:
As far as I understand it, the information cached within the cookie includes all available roles, not just the ones your user is a member of. So I do not believe that the database would be hit each and every time.
From same site as the quote from my previous post:
Roles.CacheRolesInCookie Property Value
true if the current user's roles are cached in a cookie; otherwise, false. The default is true.
This suggests that only roles for current user are stored in a cookie. Besides, if all roles where stored in a cookie, then role manager would still have to check the DB to see which of the roles current user is member of?!
Role management is handled by the System.Web.Security.Roles class.
I thought the text used the term role management to refer to class/module that calls the methods of System.Web.Security.Roles, which in turn check whether user is a member of particular role?

Role management is handled by the System.Web.Security.Roles class. As far as I understand it, the information cached within the cookie includes all available roles, not just the ones your user is a member of. So I do not believe that the database would be hit each and every time.
If you were to change the list of available roles (i.e. by creating a new role), then the provider would invalidate the cache in the cookie on the next round trip.
//Richard.