Warm tip: This article is reproduced from serverfault.com, please click
asp.net-core authentication azure-active-directory jwt-auth

how to do authentication and authorization for the users for the specific regions in azure AD?

发布于 2020-12-01 02:41:32

net core application. I am trying to implement authentication and authorization. I have users they are split into multiple regions. For example I have below regions.

GE GSAS
 - user1
 - user2
APAC
 -user3
 -user4
SE&A
 -user5
 -user6

These users have different permissions or roles. For example, RegionalAdmin,GlobalAdmin,Users etc These users will be creating some orders in the portal. For example, Regional head can reassign orders within that region only to other users. For global head he/she can reassign orders to anyone. Users can create orders and view delete and users cannot reassign orders. All these users are part of Azure AD tenant. Now I am trying to implement authentication and authorization. I started thinking the design strategy like this, I can create groups as per regions and add users to groups. Based on the groups I can have authentication or authorization. But these users have different permissions like RegionalAdmin,GlobalAdmin etc and these users have some extra functionalities aloowed in web/api permission. Can someone help me regarding this and how to organize groups or roles with respect to above scenario. Any help owuld be greatly appreciated. Thank you

Questioner
Niranjan Godbole Hosmar
Viewed
0
分享
Dinakar J 2020-12-02 03:32:33

Assuming regional admin you mentioned as a custom role in your application(as there is no such role in AAD), it is always better to use the administrative-units and a suggestable approach would be to create groups separately for regional admin, global admin users and assign roles to these groups accordingly.

A user can be assigned to multiple groups and roles can be assigned to individual users/groups.

Authorize applications based on the role permissions granted by the administrator to groups. Please refer this link for the detailed documentation on how to create/manage roles for an application in Azure AD.

Niranjan Godbole Hosmar 2020-12-02 03:49:14

Thanks dinakr. So first I should create groups for each regionsand add all the users. Then create again groups for regional admin and global admin in each region and add required users to it. Then for each group I should assign roles. This is the approach right?

Dinakar J 2020-12-02 13:21:53

Yes. This approach suits the above requirement.

Niranjan Godbole Hosmar 2020-12-02 13:25:23

So for example, in region1 if there was 10 users then I will create group region1 and add all the 10 users and add user role to this group. Then for example out of the 10 users 2 are global admin then I will create group region1globaladmin and add those 2 users and assign this group to reggion1globaladmin role. For region2 also same will be carried out. This is the approach right? But small question is we will end up with creating lot of groups right?

Dinakar J 2020-12-02 18:17:46

In AAD, Global administrator role can read and modify every administrative setting in your Azure AD organization. So, this will be at tenant level. Refer the below link for more details on Roles and permissions. It will be helpful if you can you elaborate what you mean by regions in the above example? docs.microsoft.com/en-us/azure/active-directory/roles/…

Dinakar J 2020-12-02 18:20:08

Assuming the global admin in the above scenario is a group of users with custom roles and regions as the segregation criteria for groups, are the roles and permissions different for global admin of different regions? If not, then you can just create one group for both/multiple the regions else you might have to create separate groups. With respect to increasing number of groups, it is always suggestable to follow the administrative units(link below) for an effective segregation for users/group management. docs.microsoft.com/en-us/azure/active-directory/roles/…

热门帖子

1
出一些有意思的域名-明盘
2
为什么我的 TG 始终收不到提醒通知?
3
求助一个排查了半年没解决的 MySQL order by 子句导致索引失效的问题, 500 多万条记录的小表要查快两分钟
4
Android 开发方向:传统 View 开发 or 拥抱 Jetpack Compose
5
浙江 ISP 会屏蔽 Wireguard UDP 端口
6
高级 Java 岗位一定需要有管理经验吗
7
兄弟们,老是倒在大厂二面的怎么办?
8
最近很多小伙伴弄港卡,分享一下个人开卡经历
9
vercel 免费版 3 个指标都超了,好像我的网站已经获得了基础流量。还好套了 cloudflare 不然流量也超了。
10
最近换了真我手机,发现这系统连应用的数据都无法备份

热门github

1
Implementation of paper - YOLOv9: Learning What You Want to Learn Using Programmable Gradient Information
2
A Windows and Office activator using HWID / Ohook / KMS38 / Online KMS activation methods, with a focus on open-source code and fewer antivirus detections.
3
Get up and running with Llama 2, Mistral, Gemma, and other large language models.
4
该项目可以让你通过订阅的方式使用Cloudflare WARP+,自动获取流量。This project enables you to use Cloudflare WARP+ through subscription, automatically acquiring traffic.
5
Multi functional app to find duplicates, empty folders, similar images etc.
6
Xray panel supporting multi-protocol multi-user expire day & traffic & ip limit (Vmess & Vless & Trojan & ShadowSocks & Wireguard)
7
The Free Software Media System
8
lightweight, standalone C++ inference engine for Google's Gemma models.
9
📚 Freely available programming books
10
A collective list of free APIs
11
1️⃣🐝🏎️ The One Billion Row Challenge -- A fun exploration of how quickly 1B rows from a text file can be aggregated with Java
12
🎓 Path to a free self-taught education in Computer Science!
13
Curso para aprender el lenguaje de programación Python desde cero y para principiantes. 75 clases, 37 horas en vídeo, código, proyectos y grupo de chat. Fundamentos, frontend, backend, testing, IA...
14
This repository contains System Design resources which are useful while preparing for interviews and learning Distributed Systems
15
Mamba is a new state space model architecture showing promising performance on information-dense data such as language modeling, where previous subquadratic models fall short of Transformers. It is based on the line of progress on structured state space models, with an efficient hardware-aware design and implementation in the spirit of FlashAttention.