I want to implement Azure File share for my network, but I can't find any possibility to set up user specific access permissions. There are some pre-built groups, which are for no use in this scenario, but I found a MS page recommending using Windows ACLs, but how can I proceed with setting user specific permissions, when I want to assign different permissions to different folders/files to different users, who are part of the same Administrator group in AD?
Problem solved! You just need to remove permissions inheritance and remove all inherited security groups/users permissions and add your own users or custom defined groups.
Related
I have been doing some basic application access and privilege management.
And to fully understand the access permissions of UWP applications, I decided to create one on my own and check.
As given in MSDN, the app was able to access the files mentioned here.
Now, I know that UWPs run in a sandboxed environment and they aren't given full access to all files in the system.
But is there any way for the admin user to grant the application rights to access files in the drive, for instance, the system32 file or a random text file that the user saved in C drive?
Yes, your app can declare the "broadFileSystemAccess" capability and then it can access all files in the system that the user has access to, given the user provides consent to this capability.
See documentation here:
https://learn.microsoft.com/en-us/windows/uwp/files/file-access-permissions
I'm using Nexus Repository Manager 3.1.0-04, and I want to create a user to just have deployment permissions. What are the minimal set of privileges required for that?
Right now I created a role nx-deploy with the following privileges:
nx-repository-admin---read
nx-repository-admin---browse
nx-repository-admin---delete
nx-repository-admin---edit
nx-repository-admin---add
Then I created a user deployment with the role nx-deploy. I can deploy artifacts now, however, I believe I am giving too much privileges? The admin part is not what I want the deployment user to be, so that part has me a bit nervous.
Needless to say, there are just too many privileges to choose from under the security section.
The general rule is nx-repository-admin privileges are for administering the repositories and their details; nx-repository-view privileges are for use of the repositories once set up. Assign the latter.
To tweak repository privileges of your Deployment user(s) you should use the nx-repository-view-*-*-* as the assigned privilege, instead of nx-repository-admin. So, remove all the privileges you addressed in your question, and replace the ‘Given’ field with nx-repository-view-*-*-*. Since the privilege is denoted with asterisks, your Deployment users can perform all the above actions (i.e. browse, read, edit, add, and delete).
See the screenshot for reference:
Configuring the nx-deploy Privilege for the Deployment Role
You can read more about Privileges in the Security chapter: https://help.sonatype.com/repomanager3/security/privileges
If you need minimal privileges to just deploy artifacts, nx-repository-view-*-*-edit is enough.
nx-repository-admin is used for administration and configuration
Repository Admin
These are privileges related to the administration and configuration of a specific repository
and edit is enough to modify repository content
edit
This action allows privileges to modify associated scripts, repository content, and repository administration.
BTW, you need nx-component-upload to upload components in web UI.
https://help.sonatype.com/repomanager3/user-interface/uploading-components
Successful deployment by maven 3 with Nexus 3.8.0 the following rights are required
nx-repository-view-*-*-edit
nx-repository-view-*-*-read
nx-repository-view-maven2-maven-snapshots-edit
nx-repository-view-maven2-maven-snapshots-read
"maven2"is recipe,"maven-snapshots" is your repository name.
I am new to SonarQube and trying to setup up a proper access control, with requirements as follows:
We have a few project areas, each area should have someone able to
manage their area, such as creating new projects and manage the
boards, not sure exactly what. This is something like project area
administrators.
A few administrators can do anything.
Integrate to AD
A few questions:
In a few places like this link: http://www.sonarsource.com/products/features/security/, I see this role based method, but I can't find these default roles, "SonarSource products come with three project-specific roles – project administrators, project users and project code viewers" anywhere in the system. Right now, I am using the community edition I guess without a license. Is there any more detailed document on that?
I kind of understand the default Global Permissions and Project Permissions. In my case, shall I create e.g. three groups in AD, sonar-administrators,sonar-project-administrators, sonar-users to map to the default groups?
I notice the following: right now I don't have the above AD groups, when I integrate to AD, I can login with my domain id/password, but once logout/in, the group information I added to the local user gone. I guess it sych with AD. So to use AD, I have to create these groups in AD?
Jirong
Access control in SonarQube is managed through Global Permissions and Project Permissions. Each permission can be granted to user(s) and/or to group(s). The documentation you pointed at is quite outdated, read the Authorization page for the most up to date details.
AD/LDAP integration is a different topic, documented here. With group mapping, group membership stays managed in AD but will be replicated in SonarQube when users log in (the AD groups must first be created in SonarQube with the same name).
To your example: if AD users belonging to group foo deserve to administer your SonarQube, just create group foo in SonarQube, and (in the Global Permissions settings) give Administer System permission to group foo.
There is a way to copy Fusion Table. But it is copied without Share settings. Is there any way either to copy user rights or to assign these Share settings thru API?
You can use the Drive API for this: see https://developers.google.com/drive/web/manage-sharing.
I need to create a temporary folder that will be accessed from the application only.
It means that even current user and system administrator are not able to open it from the Explorer.
While application is running, there'll be some files put into it. Once it's terminated, folder and all its content are deleted (again programmatically, no manual delete ability).
P.S. I found few posts here but there are no proper solution given yet.
Thanks in advance.
Windows security does not work that way. You cannot restrict access by application, only by user. If you want only your app to have access to a given resource then you have to create a new user account, configure the resource to grant access to only that user, and then run your app using that user, or at least have your app impersonate that user when needed. Files/folders are securable objects, and Windows security is based on user accounts.