Can I restrict or block others from pinging my domain thru Stackdriver? I want to use it as owner of the domain but I don't want others to be able to use it.
If you would like to restrict users in your organization from using Stackdriver, use Cloud IAM roles, or rather, ensure they do not have the Cloud IAM role to view Stackdriver. This help you better understand IAM.
This is a list of roles in GCP. You will likely be interested to see Stackdriver debugger, trace, logging, Error reporting, &/or monitoring roles. Ensure any user you wish to not have access to those Stackdriver tools does not have any of the roles listed under their respective tools list of roles. For example, if you wish for a user to not have access to Stackdriver debugging, ensure they do not have the "clouddebugger.agent" or "clouddebugger.user" roles.
If you would like others to not be able to access you website i.e. example.com, use firewall rules to block IP addresses, ports, etc.
Related
We are running an online learning platform on WordPress. We are using MiniOrange to allow SSO to our site for Google (which has worked great). It means our students can sign on using their school email address. However, Azure is proving a bit of a headache.
We have set up app using the instructions that MiniOrange provide and this has allowed personal accounts to sign in without issue.
However, for accounts belonging to a school/other organisation throws an exception asking for admin consent (which we can't logistically get from every organisation we work with).
The app asks for API access to 'email,openid,profile,User.Read' - none of which require admin consent.
We have turned off 'Assignment required?' in our Enterprise settings based on the second option in this post
We have allowed users to consent to any app based on this thread
We are also a verified MPN and have added an MPN ID which is a warning when creating non verified apps
So from our perspective - we have a set of API terms that don't need admin consent and yet users are hitting a wall with it?
Does anyone have any ideas on why this workflow wouldn't be possible? Anything we have skipped over?
There are a lot of tickets with similar issues but none seem to point to anything obvious we have missed?
This could also happen if the Azure AD administrators have turned on "Do not allow user consent" setting in their tenant. This would prevent non-admin users to grant access to 3rd party applications (like yours).
You can learn more about this here: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent?tabs=azure-portal.
I intend to develop an application using firebase authentication.
Companies will be able to sign up and in turn create accounts for their employees.
There will therefore be a "master" account which will be able to manage the operators (add them, modify them, disable them and delete them) and then the "employee" account that can use the platform.
I would like it to be possible that the master account, by entering the client id and the secret key of their oAuth server in a hypothetical administration dashboard, would make it possible for its employees to access with google.
The question is this, would it be possible to manage multiple oAuth servers (from the same provider, e.g. Google) in the same Firebase project?
Thank you in advance.
Background:
In my company, we have one firebase project which is linked to our iOS application and an internal tool(purely for our use and not the consumers). Now since the database is common to both the website and the iOS app, all the users who create an account on the iOS application automatically have access to our internal tool. I wish to allow only a handful of people or one person to have access to the internal tool.
Question:
Is there a way for me to give certain users access to the internal tool? (If it involves manually giving them access from the firebase console?)
Is there a way to make the user authentication check different for the internal tool?
Firebase Custom Claims let you specify custom access to database or tools.
You can specify an admin role to those users who should have access to the admin tool and make sure they have this role in your app's route (or route guard)
I have been working on a server to server google calendar integration, where by it connects, reads and writes to a user's calendar.
This is working perfectly fine, however I have a question regarding permission scope. Using a service account with domain wide delegation, it means that this account has access to calendars for every single users in the organisation from the CEO to me...
Is there a way of limiting this scope from Google's side, so that the service account can only access specific accounts, similarly to how EWS allows delegation rules.
One idea I had was to create a separate organisational unit and create the project under that (not tested this theory, but it also doesn't feel very scaleable).
Any ideas?
Thanks
The service account only has access to whatever is shared with the account, as per Delegating domain-wide authority to the service account:
an administrator of the G Suite domain can authorize an application to access user data on behalf of users in the G Suite domain
This means that the service account only has access to data from the account the application is impersonating.
In your case, using Org Units would not fulfill your requirements.
These controls have to be implemented on the application level. AKA by you.
One of the ways you could do this is, before impersonating any account, use the service account to query which Org Unit that account belongs to, and then based on that allow or deny the impersonation.
Of course, you can also do this type of filtering in multiple ways. You could simply check if the account you wish to impersonate is on a blacklist and abort the impersonation if that's the case, or you could use other criteria.
Hope this helps!
First and foremost: A service account is technically a superadministrator once DWD (domain wide delegation) is enabled and the client ID authorized by any admin in the Admin Console.
That translates to: a service account can impersonate any user including any administrator and performing any action allowed by the declared scopes.
In this case: A service account with allowed scope https://www.googleapis.com/auth/calendar.readonly can read any domains calendar.
Now there's a somewhat nasty workaround:
A service account is basically a gmail account without access to the web UI. So you can indeed share a calendar with a service account if and only if external calendar sharing is enabled. Then you do not use DWD. In this case the service account can only act as the sharing permissions dictate. However this is not how a service account is supposed to be used.
I have a JS API that uses firebase internally for DB operations, API will be used on different website domains.
I need to restrict DB operations calls from authorized domains only.
I cannot restrict by UID as non signed user also need to access website.
I believe i need to figure out some way by anonymous user or else any better way, any suggestions ?
There is no way to restrict traffic to the Firebase Database to a specific domain or list of domains. Using Firebase Authentication is the only way to control access to your data.