No permission for custom backend role in Opensearch dashboard (kibana) - elasticsearch

I have OpenSearch running with Keycloak as OIDC provider, and I get this 403 error after logging in to OpenSearch:
{"statusCode":403,"error":"Forbidden","message":"no permissions for [indices:data/read/search] and User [name=demo.demo, backend_roles=[kibana_second], requestedTenant=null]: security_exception"}
By default we have the "kibana_user" role, which has "kibanauser" as backend role. If my OIDC user "demo.demo" has the "kibanauser" role attached to it, everything works fine and this user has permission to see dashboards, discover and index patterns.
User [name=demo.demo, backend_roles=[kibanauser]..]
But this role is dangerous to assign to every user, because the user can delete an index pattern or change global settings. I want to have a role only to view dashboards and discover. As a first step, I duplicated the "kibana_user" role with the new name "kibana_user_copy" and mapped it to the new backend role I created, "kibana_second". The backend role was also attached to my user in the OIDC provider. Meaning:
User [name=demo.demo, backend_roles=[kibana_second]..]
So far so good. Now, as you see in the error, my "demo.demo" user has the new backend role, and it has all the permissions that "kibana_user" would have (because "kibana_user_copy" is a duplicate of "kibana_user"). What I'm wondering: all permissions are the same, only the backend role is not the predefined "kibanauser". But it doesn't work, and I see only blank pages for dashboard and discover (403).
Does anyone have an idea what is missing here?
Thanks in advance

The issue was solved by adding tenancy to this duplicated role.
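A minimal version of that fix, written as an added example in the OpenSearch security plugin's roles.yml / roles_mapping.yml format (not configuration from the original thread): the custom role gets an explicit tenant_permissions block and is mapped to the IdP backend role kibana_second. The role name dashboards_viewer and the index pattern logs-* are assumptions; the action groups and the global_tenant name are the plugin's own.

```yaml
# roles.yml (role name assumed; index pattern is an example)
_meta:
  type: "roles"
  config_version: 2

dashboards_viewer:
  reserved: false
  description: "View-only Dashboards access: no index-pattern or settings changes"
  cluster_permissions:
    - "cluster_composite_ops_ro"   # msearch/mget used by Discover, read-only
  index_permissions:
    - index_patterns:
        - "logs-*"                 # data the dashboards query (assumed)
      allowed_actions:
        - "read"                   # includes indices:data/read/search from the error
  tenant_permissions:              # what the plain copy of kibana_user lacked
    - tenant_patterns:
        - "global_tenant"
      allowed_actions:
        - "kibana_all_read"        # saved objects readable, not writable or deletable

---
# roles_mapping.yml: attach the role to the backend role sent by the OIDC provider
_meta:
  type: "rolesmapping"
  config_version: 2

dashboards_viewer:
  reserved: false
  backend_roles:
    - "kibana_second"
```

Load both files with securityadmin.sh (or create the same role and mapping through the security REST API) and have the user log in again; the user must land in a tenant covered by tenant_patterns for the Discover and Dashboard pages to stop returning 403.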

Related

On which entities does any user have read access when access is given to a CRM org?

I wanted to know on which entities a user has read access by default, initially, when no security role is assigned to the user.
I wanted to know because any user who does not have any security role can still access the Case & Account entities through Advanced Find! Is this expected behavior? If yes, is this documented anywhere?
All users must be assigned at least one security role in order to have access to Dynamics 365. The security roles can be assigned to the user directly or to the access team he belongs to.
Can you double-check the security roles assigned to the user and verify the team's security roles?
The user has to have a security role assigned to get into CRM. Check existing teams to see if the user is a member of any; he/she will also have access to the records shared with him/her. Which entities a user can access is based on the roles/teams he/she has been assigned. Check the role/team settings for details.

Laravel + Hyn Tenancy + Spatie Permission, Role Admin in respective Dashboard

Good morning to everyone. I will describe the situation to see if you can give me an idea...
I am using Hyn Tenancy (SaaS) and Spatie Permissions.
Currently I have the whole system working without problems, and it is as follows:
Users can log in to domain.com or sub1.domain.com or sub2.domain.com and from any of them enter their account, and the session is shared.
And there is a general dashboard where it shows a history of their purchases in any subdomain.
So far so good...
Now I created the dashboard for the admins, which is accessed from sub1.domain.com/admin.
The problem I have is that everyone who is admin can enter, but I only need admin1 to enter sub1.domain.com/admin
and admin2 to enter sub2.domain.com/admin.
Can anyone help me, please?
It looks like you can't share any code with the community.
So, with experience in laravel-permission and your scenario, as I understand it you want each subdomain with an admin to have access only to his/her own subdomain admin area.
You should create a new gate or middleware, or in your gate for admins define an if to check whether the user is a member of the subdomain.
In laravel-permission only administrators are separated from other users, so you should define a new gate or middleware and add it to the admin route definition.
Solved. I use a UUID from the subdomain and compare it with the user's UUID; if it matches, the forms are shown, else it searches for the UUID in a subdomain and redirects to that domain.
Thank you!

Many edges. Invalid token issuer

I'm running a Spring app on Kubernetes. The app is authenticated via Keycloak (also running on k8s).
The problem is that when Kubernetes has more than one edge node configured, I can connect only from the node which is configured in keycloak.auth-server-url in the Spring app. On other edge nodes I'm getting an "Invalid token issuer" error. Do you know any solution for that problem?
Remember that first, during Keycloak configuration, you have to create a new client with the name persons-app specific to the application. You can do that under Clients in the left column and then clicking Create.
Then the proper redirect URL needs to be configured.
After setting up the proper client, a new role user is added to Keycloak. This role can later be assigned to individual users in order to define appropriate access policies.
The last thing you have to do is create an actual user and assign the newly created role to that user. This can be done by clicking Add User on the Users page.
Next, you have to set a password for the user. In this example, it is the standard password for example projects (i.e. password).
The roles of a user can be managed under the Role Mappings tab. You have to add the role user to Assigned Roles.
That's it. Keycloak is now ready to be used and already has a very (very) small user base. Now you can proceed to the actual application, which should be secured.
Remember that in order to store relevant information and configuration, a PostgreSQL database must be set up first.
More information can be found here: spring-keycloak.

Sonarqube 4.5 provisioning / authorization

We are using SonarQube 4.5 integrated with Google's OAuth sign-on. There are no issues with logging in (authentication). Certain users have been provisioned with the sonar-administrators role. But for some reason, the admin role keeps dropping for some users (leaving the user with only the sonar-users role). We have tried granting them admin access again, but it keeps happening. We also tried creating a brand new group and assigning that group to the user, but the same thing happens. Any thoughts? If you need any other information, let me know.
Just additional info, not sure if it matters: we are using the sonar-oauth-plugin from JCERTIFLab for integration with Google's sign-on/OAuth. This plugin automatically creates users with the default role, sonar-users.
Thanks in advance!
It turned out to be an issue with the Sonar plugin used for integration with Google's OAuth. Every time a user is authenticated, permissions get overwritten. To overcome the problem temporarily, we predefined a list of users with admin access in the properties file.

Dashboard is not loading for user with non-admin role

When I log in with a user who has a non-admin security role, the dashboard does not load and the browser hangs. But when I log in with a user who has the Admin role, it works fine. So, what's the issue in this scenario?
It seems to be a security issue. You will have to check the permissions for the role that the non-admin user has and check if there are limitations on the entity that is being displayed in the dashboard.
maybe this link will help you: http://www.dynamicscrmtrickbag.com/2011/07/15/dynamics-crm-2011-charts-and-dashboards-who-can-see-what/
Hope this will be helpful.
EDIT: Maybe another role conflicts with the one of system admin; that might also be possible.
