Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Scope/Role/Group Based Access Control

Tags:

oauth

oauth-2.0

azure

azure-active-directory

access-control

I am using Azure Active Directory and am trying to understand the three types of access control described here. What are the advantages and disadvantages of each approach and when would you use them:

  • Scope based access control using oauth2Permissions section of my manifest where I can add read and write permissions like so:

    {
  "adminConsentDescription": "Allow the application read access to MyApi on behalf of the signed-in user.",
  "adminConsentDisplayName": "Read access to MyApi",
  "id": "56d944c0-f3aa-4f80-9472-9c1414383abf",
  "isEnabled": true,
  "type": "User",
  "userConsentDescription": "Allow the application read access to MyApi on your behalf.",
  "userConsentDisplayName": "Read access to MyApi",
  "value": "read_my_api"
},
{
  "adminConsentDescription": "Allow the application write access to MyApi on behalf of the signed-in user.",
  "adminConsentDisplayName": "Write access to MyApi",
  "id": "6d66a2bd-c8c7-4ee0-aef4-9424b51b4967",
  "isEnabled": true,
  "type": "User",
  "userConsentDescription": "Allow the application write access to MyApi on your behalf.",
  "userConsentDisplayName": "Write access to MyApi",
  "value": "write_my_api"
}

  • Role Based Access Control (RBAC) - Using appRoles section of my manifest.

  • Group based access control using the groupMembershipClaims section of my manifest.
like image 996
Muhammad Rehan Saeed Avatar asked Dec 22 '15 12:12

Muhammad Rehan Saeed

People also ask

Which roles are available with role-based access control?

An organization assigns a role-based access control role to every employee; the role determines which permissions the system grants to the user. For example, you can designate whether a user is an administrator, a specialist, or an end-user, and limit access to specific resources or tasks.

What are two types of role-based access control lists?

Technical – assigned to users that perform technical tasks. Administrative – access for users that perform administrative tasks.

Which of the following scope in role-based access will give you wide access?

The most common scope is organization-wide (org-wide) scope. A custom role can be assigned at org-wide scope, meaning the role member has the role permissions over all resources in the organization.

What is the purpose of role-based access control?

Role-based access control (RBAC) is a method of restricting network access based on the roles of individual users within an enterprise. RBAC ensures employees access only information they need to do their jobs and prevents them from accessing information that doesn't pertain to them.

1 Answers

I think the most significant difference between scopes and roles/groups is who determines what the client is allowed to do.

  • Resource scopes are granted by the resource owner (the user) to an application through the consent screen. For example, the client application can post to my timeline or see my friends list.
  • User roles and groups are assigned by an administrator of the Azure AD directory. For example, the user can submit expense reports or the user can approve expense reports.

Scopes are typically used when an external application wants to gain access to the user's data via an exposed API. They determine what the client application can do.

Role- or group based access is typically used within an application to determine what a user can do.

like image 52
MvdD Avatar answered Sep 28 '22 17:09

MvdD
Sign in to Comment

Related questions

Azure and .json mimeType without web.config
Azure october 2012 sdk - how to delete a table entity without retrieving it first?
Default root (server.js) file for node.js site on windows azure
Azure Storage Emulator 400 Bad Request
How to call Microsoft Graph from console application c#
Reduce Azure SQL Database Size
Azure Mobile App obsolete?
Azure service bus "send" throws Operation is not valid due to the current state of the object
Improving azure blob storage querying speed
How to pass parameters to an implementation of IEventProcessor
Azure is ignoring Scheduling settings for WebJob
C# Azure Blob Storage / Get blob size
Hosting a PCI compliant app on Azure
Download container on Azure Blob Storage
How to run npm command on azure app service after deployment success by VSTS?
"fatal: Authentication failed" with git-credential-manager
Refer Topic and Subscription name from Configuration in an Azure Function with Service Bus Trigger
What is Exactly an AppFabric in Windows Azure?
How does Windows Azure Mobile Services differ from Azure Cloud Services?
Move Azure website between App Service Plans

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!