In IAM I tried creating the following policy for a user (account id in arn obfuscated):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "dynamodb:*",
"Resource": "arn:aws:dynamodb:us-west-2:999999999999:table/busUsers"
}
]
}
However, it resulted in:
This policy defines some actions, resources, or conditions that do not provide permissions. To grant access, policies must have an action that has an applicable resource or condition. For details, choose Show remaining Learn more
Show remaining shows:
One or more actions do not have an applicable resource.
I looked up the Learn more link and it says to replace the arn in the Resource element with *. I am confused now. What does * mean? I want to grant access to a specific DynamoDB table of mine. How do I specify that?
EDIT: I removed all DyanamoDB actions and just selected one GetItem and it's:
When I deselect GetItem, both error messages go away.
When I select table Any, the first error message goes away.
When I select Resource Any, the second error message goes away.
Its because you are granting permissions for all dynamodb actions to a table resource, but not all of those actions are actually applicable to a table.
For example dynamodb:DescribeStream is not applicable to a table, only to a Stream, but your are granting permission to this resource anyway.
You can safely ignore this warning.
EDIT: You may not have realised you can just click Save Policy and it will work fine.
EDIT: Thanks for posting your screenshot. There are no errors here, just warnings, which might be better called tips in this case.
When you enter the ARN of a resource manually, AWS does not appear to recognise what type of resource it is (i.e. a table). If you add the resource through the table ARN generator, you wont any warnings. In either case you end up with the same policy.
It is possible that you are running into a bug [discussed by Amazon employee rob#AWS] of the IAM Policy Visual editor itself (and therefore not experiencing any actual problem):
https://forums.aws.amazon.com/thread.jspa?threadID=282453
When I alleviated my personal problem (which had me looking at this Question in the first place), my similar warnings still persisted (even after my problem was solved by something else) - that leads me to believe my similar experience per the Visual editor may have indeed been that bug (and not causing/involved in my prior problem at all).
Related
I have a working Azure app that gives me the group names when I call
https://graph.microsoft.com/v1.0/me/transitiveMemberOf/microsoft.graph.group
However, I have tried to recreate the app several times, and checked all settings in App Registrations and Enterprise Applications to match the original app - but can never get the group names in the new apps (created in the last 24 hours, if that is relevant).
API Permissions:
Group.Read.All
GroupMember.Read.All
User.Read
App is created using these steps
App registrations, add, Single tenant
Quickstart, Mobile and desktop applications, Desktop, Make this change for me
Token configuration, Add groups claim, Security groups, set all to sAMAccountName
API Permissions, add Group.Read.All and GroupMember.Read.All
Permission granted using “Grant admin consent for Default Directory”
There must be another setting somewhere else that I am missing, which I thought to post here to uncover, thinking it might help someone else with the same problem.
FYI fragment of group result that I get:
"#odata.id": "https://graph.microsoft.com/v2/5ed71832-327b-4b98-b68a-6c54ff1717c0/directoryObjects/2f95e1d3-c7cf-4796-92a2-df844feb52d0/Microsoft.DirectoryServices.Group",
"id": "12345678-c7cf-4796-92a2-df844feb5eee",
"deletedDateTime": null,
"classification": null,
"createdDateTime": null,
"creationOptions": [],
"description": null,
"displayName": null, <<<<<<<<<< why is this null???
When an application queries a relationship that returns a directoryObject type collection, if it does not have permission to read a certain derived type, members of that type are returned but with limited information. This could potentially be a reason for you seeing a 'null' value.
Also for using the transitive memberOf endpoint, I suggest you use directory level permissions.
Refer Documentation here - https://learn.microsoft.com/en-us/graph/api/user-list-transitivememberof?view=graph-rest-1.0&tabs=http
Hope this helps. Thanks!
First, thanks Hasura for incredible good product! I love it.
I have issue with derive action with Hasura Console. My use case:
I enable anonymous role for subscribe function (everybody can send email to subscribe)
I have configured permission on my subscribe table, everything is fine.
I want to validate the user input on server side, for example, validate email format. I have followed by this guide about derive action. I found no mistake here.
But I got the error "Type query_root must define one or more fields." when I hit "Derive action" at the first time.
According to this question, as I understand, I need to have object type for root query.
Of course, I will have object type for root query eventually. I can work around by giving some dummy queries for anonymous role. But I do not like that cheat anyway.
Any idea on that? Any help will be highly appreciated.
Edited:
My related current version:
Hasura 1.3.2
One click deployment using Docker on Digital Ocean.
I'm working with Watson Virtual Agent (WVA) and a custom conversation workspace (WCS) and was hoping that there was a way that I could go from a custom conversation flow back into a WVA flow.
My specific use case would be when I want to escalate to agent from within WCS. There are already preconfigured flows for this inside WVA which I think calling on would be the easiest way to complete the escalate to agent process.
I know that to force WCS to return to the WVA I need to somehow add
system.dialog_stack[0] == root
to the context, however, the instructions here don't go further than saying add to context. So far I just get errors when I add it to context with and without "" marks. Whilst I don't think that this would solve my issue I have actually been unable to test this.
I would welcome any answers specific to my example, specific to how to actually implement system.dialog_stack[0] == root in WCS or to the general question which I expect will have more uses for other users.
Having done some more research I have discovered that it is possible to call on the specific Escalate to Agent flow type using an action.
The use of actions is explained in the documentation I linked to above although there is no list of preconfigured actions.
Here is an example of a node in WCS that would allow one to connect to agent using the connection that you've set up in WVA:
{
"output": {
"text": "I will connect you with an agent now.",
"action": {
"name": "agent"
}
}
}
Until there is a list of the actions available for use in WVA/WCS I don't know if this is a fix that would work with other flows. I found this using Postman extension in Chrome and using my WVA keys and replicated the action that was called during the Escalate to Agent flows in WVA.
I have created my first Facebook app in R. Its purpose is solely to retrieve marketing data from my Facebook pages. So far I have created this (no authentication problems):
require("Rfacebook")
load("fb_oauth")
## Start retrieving insight from VivaraDE
rawinsightsDE<-getInsights(object_id= "my_id", token = fb_oauth,
metric="page_impressions", period = "days_28", version="2.6")
When running this, R does return:
Error in FUN(X[[1L]], ...) :
No data available. Are you the owner of this page? See ?getInsights.
I have an administrator role in my app (obviously) and an admin role on the page desginated by my_id.
I suspect I will have to alter some config somewhere. What am I missing?
You need read_insights permission from the page admin (you in this case), before you can access these metrics.
Any more common permissions I need to include, so I won't stumble upon some more rejections?
Nah, don’t ask for permissions “just to be on the safe side” – that will only give problems in review (if the app is supposed to be used by the general public at one point?), if they see you asking for permissions without actually using them.
I’d rather suggest you use Graph API Explorer first to test out the request you want to make; its debug feature usually displays a message in such cases as to what permission is missing to get the requested data.
I have "You do not have sufficient permissions to access this page." issue when trying to access Wordpress wp-admin login as an administrator. The login page appears, but when the user details are entered the "You do not have sufficient permissions to access this page." appears.
The strange part is that I have another administrator account that accesses with no error.
I tried to create a new administrator account, but that also cannot access giving the above error message.
I have looked into the database and the users that don't work have wp_capabilities of a:1:{s:13:"administrator";b:1;}
The user that does work has: a:2:{s:13:"administrator";b:1;s:13:"bbp_keymaster";b:1;}
I am also running S2 Member plugin.
The only difference I can see between the account is this beginning section of a:1 and a:2. All of the sites I see say the account should be a:1
I don't think it is a plugin issue, as I assume then I would not be able to access either. I think perhaps something to do with s" Member plugin, but I'm now at a bi of a loss.
All plugins are updated and running Wordpress 4.0 (however this was an issue even before upgrade to 4.0)
All help gratefully received!
The only difference I can see between the account is this beginning section of a:1 and a:2.
Look more carefully. The working example has a whole extra section: s:13:"bbp_keymaster";b:1;
To understand why that matters, it helps to know that that is the format produced by by PHP's serialize() function.
If you unserialize each of those strings, you will find that the first is an array with 1 entry (hence a:1), with the key 'administrator' and a value of true. The longer string is an array with that entry plus another one, with the key 'bbp_keymaster', also set to true.
From this, it's easy to surmise that 'administrator' and 'bbp_keymaster' are the internal names for permissions which can be granted to a user, and the page in question is only available to users with the 'bbp_keymaster' permission.