This is a CRM-style app that can have many different organizations using it.
I don't think I can use OAuth, since these events are supposed to be dynamically created. For example, a user could make a trigger to create an event on the creation of a type of record. A user shouldn't need to be actively logged in for events to be made.
I read about service accounts, but it seems like I'd have to walk each of my users through creating a service account on their Workspace. That seems like it would quickly get out of hand.
I also don't see how I would store these service account secrets. I could switch from ENV secrets to something like AWS's SecretsManager, but is that really the only option?
Related
has anyone done or knows OCI(Oracle cloud infrastructure) user login activity to audit and create a dashboard or report? I know a few built-in audits on OCI but I am looking for user audit like when logged in, current active users so on.
In general, OCI allows access through various modes like Console, CLI, SDK, Rest API, etc... So, It becomes difficult to track them. But if you are looking to track user activity on your application, you may generate application logs for login activity and configure custom dashboards with OCI Observability and Monitoring services.
I am working with Google Firestore in native mode and CRUD'ing data within it using the "cloud.google.com/go/firestore" api in Go. Access to the data is wide open as long as you know the project id and using the Firestore API on a server. I don't want to try the rules until I figure out how to secure the data from server attacks that. Again, all the API requires is the project id to access the data so I need to lock that down firstly before I move any further. Rules are only for mobile/web clients from what I read and Server side clients completely bypass the rules. Please help. I do not want to use the Firebase API because attackers can still use the Firestore api to access the data.
It's unclear from the limited information in your question but, your Firestore database is not open to anyone with the Project ID.
The service is only accessible to any thing (human|machine) that has valid credentials. Either humans with e.g. Gmail accounts or Service Account key holders.
In either case, only identities that you've explicitly added to the project will be able to access its resources and then only those with the appropriate IAM roles|permissions.
Google provides an elegant facility called Application Default Credentials (ADCs) that simplifies authenticating clients.
I suspect that your code is using ADCs to authenticate you to the project|service.
Access to the data is wide open as long as you know the project id and using the Firestore API on a server.
If that is a concern, consider disallowing all access in the Firebase security rules for your Firestore database.
Also have a look at my answer here to understand why sharing your project ID is not a security concern, and in fact is necessary if you want to allow direct access from client-side devices: Is it safe to expose Firebase apiKey to the public?. If you don't want to allow direct client-side access, closing down the security rules (as they are by default, unless you choose test mode when creating the database) is the way to go.
I have a Teams application (Tab). I am an ISV provider, and provide a multi-tenant application that is installed by customers via Teams App Store in their organizations.
How do I save settings for my application organization-wide for the customers? For example, CustomerA has installed the app and then CustomerB. I want some storage that would be unique for CustomerA and CustomerB and the app, and located in customer's environment. The settings I want to save are not per-user, but per-organization (tenant).
Somewhat similar to "App Data" folder you have in Windows Desktop for example.
Does such a storage exist? Does API for this storage exist?
A tab app is a simply a web application that you render inside of Teams. As a result, what the app does, and where and how it does it, is totally up to you. This includes any data storage you choose to have behind the scenes. For example, your tab could be built in PHP and use MySQL, or built in ASP.Net and use SQL Azure or CosmosDB. It's totally up to you, but you need to implement it yourself, as an ISV.
The important piece to differentiate clients, however, is being aware of the TenantId for each user, so you can look up which client's settings you need from the database. The most simple way to do this is simply the tid property on the Teams tab context. You can read more about that here. Unfortunately, because it's just accessed via Javascript, it's not entirely secure - for a more secure mechanism, you should be creating an Azure Application, and generating jwt tokens that you can authenticate against in your backend. It's a much more complex topic, but hopefully this answer at least gives the background you need. For more info on the security aspects (validating the token etc.), please see this question: How to restrict access to Azure Function to only allow requests from a custom Microsoft Teams App?.
We've had a DevOps member leave recently and have had complaints that all of the integrations (incoming webhooks) that they had set up have stopped working... (once the user was disabled).
One suggestion for dealing with this was to notify the affected channels when we deactivate the user, but I can't find in the API methods a way to look up which channels a user might have configured these webhooks for...
Anyone had to do something like this?
To get the apps and internal integrations that have been installed by a specific user use the API method called team.integrationLogs.
This method lists the integration activity logs for a team, including
when integrations are added, modified and removed. This method can
only be called by Admins.
For a programmatic solution you will need to go through all log entries for one user / app to find out its latest status.
However, it might still become difficult to reinstall all that apps / setup all that webhooks again properly after a DevOps member has left depending on how good your documentation is. We have therefore started using a generic admin user (e.g. "slackadmin") as main installer for all important apps / integrations for our workspace.
Does anyone know how to get the information about user device that access the bot deployed in S4B channel and built using MS Bot Framework (C#).
I need to know about the options to detect the user device (Device type and OS) accessing the Skype For Business Bot. If there's a way to know whether user device is desktop or mobile. In bot framework the User-Agent header formatted similar to the string below:
SFBUserAgent (Microsoft-BotFramework/3.1+https://botframework.com/ua)
(The user agent from Connector returns the following:
fxversion/4.7.2563.0 osname/windowsserver2016datacenter osversion/6.3.14393 microsoft.bot.connector.connectorclient/3.14.1.1)
I want to know if UCWA can be used to detect the device type accessing Skype For Business bot.
UCWA is not able to do so, actually no client or client-facing api can provide such information. It's because User-Agent information is not part of the presence so the client doesn't publish it to other clients. The main purpose of this User-Agent information is for monitoring reporting purpose.
However there is still some space from server side to allow us to do something. If you have access to the Skype for Business server, you have several workarounds.
Get-CsConnections.ps1 is a well-known script to pull current logged in user from Lync server side. It was written in 2011 while we only had Lync 2010, but good news is it works fine with new version of Lync like Lync Server 2013, Skype for Business server 2015. This script needs to be run in Lync/Skype management shell or a Powershell session with Lync/Skype modules imported. It needs to run by using an Lync/Skype admin account.
To retrieve user agent for a particular user by using sip uri.
$UserHomePool = (Get-CsUser -Identity [sip address]).RegistrarPool
Get-CsConnections.ps1 -SipAddress [sip address] -Pool $UserHomePool
Connections.ps1 is the prototype script of the above Get-CsConnections.ps1, it's simpler but doesn't provide advanced features. You can look at it and decide which one you need.
Do it yourself. If you don't want to use 3rd party script or just want to do it in a simplest and pure way, it's possible to do it by querying it from server database. Lync/Skype server stores this user agent information in the dynamic database in Front End server. It's in the table dbo.RegistrarEndpoint of the database rtcdyn of the instance rtclocal.
Please notice that there is no public document about the database schema so you need to do a little guess and hacking yourself. Good news is all data in the database is strored in readable format so it shouldn't be a big issue.
In a very rare chance that you are not wanting this information in real-time, the monitoring report and database can be the best approach. It's not real-time data, the data is generated within 10 mins after a conversation is ended.
If you want to get it from monitoring database, you should look at SessionDetails view for P2P conversation and ConferenceSessionDetails for conference conversation. There are straighforward fields in the views called something like UserClientType to point out the user agent information for the certain session.
At last one thing I would like to remind is Skype allows user to logged in multiple clients simultaneously, so no matter how you make it work you still need to face the question which logged in client really matters to you if the user has multiple clients logged in.