Setting new User default SecurityGroup assignment (in Database mode)
#1
Hi community,

I was searching for a way to set the default security group assignment in ASG2019.
The default, as far as I can tell from trying, is 'Administrators', which has access to pretty much anything, so we'd like to change that to a less privileged group, e.g. 'Ops' (as shown in screenshot) [Image: pcuxEX.jpg]
The way I did think of it could be by using an SP in SQL, but I guess that should be easier? 

Regards,
Fabian
Reply
#2
I do not really understand what you are looking for - you can create as many Security Groups as you want - and then assign your users or User Groups. There are some "global security assignments" that you can set directly in the dialog from your screenshot (Button Details). And then you can assign security rights in the Navigation view - just go to the "Permissions" category of any object and add your security groups and assign whatever you want to allow… The Permissions will be inherited by all child objects until you set some new ones.
Regards/Gruss
Oliver
Reply
#3
Hi Oliver,

Thanks for your reply.

I do get the concept of the Security Groups themselves. My question is mainly about how to change where new users are added by default.
If the users were part of an AD, they could be selected from the AD group and would get their sec group assignments accordingly. In our case, users are in Azure AD and therefore can't be 'selected' (or can they?).
If we could change where newly logged-in users are created, e.g. in a least-privileges group, and have them manually moved by an admin to a more privileged group, that would be very nice. As it looks to me, they aren't able to connect at all (User has no access: User with name 'xyz' and SID 'S-1-12-1-xyz' has no access login).

Let me know if there is a need for further clarification.

Regards,
Fabian
Reply
#4
New users aren't assigned to any Security Group - an Administrator needs to add an AD group or the users themselves to any of the existing Security Groups - else they won't be able to log in.

Go to Settings=>Domains and try to add your AZURE-AD - I think it should be no problem to use the AZURE-AD - but currently I think it is not possible to use the AZURE-Account for Windows Authentication against a database server (or only AZURE DB?) - just give it a try :-)
Regards/Gruss
Oliver
Reply
#5
Oh, okay. That makes that point clear so far.

In that case, I will have to modify our AzureAD a bit, since as of today it doesn't support 'Azure AD Domain Services', which would, in my understanding, be required to connect it in the mentioned settings dialog.
Authentication towards the Azure Database with Azure AD joined devices and 'Windows Authentication' works fine, by the way; you just have to use the connection string mentioned in the Azure portal, looking something like this: 'Server=tcp:[yourazuresqlserver].database.windows.net,1433;Initial Catalog=[databasename];Persist Security Info=False;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;Authentication="Active Directory Integrated";'
Reply
#6
Is it possible that adding a domain via 'Settings -> Environment -> Domains' doesn't support the use of LDAPS (SSL over port 636)?
I added the Azure AD accordingly but got the following error:
[Image: O2vn9Z.jpg]
Reply
#7
Can you check your error log for details?
Regards/Gruss
Oliver
Reply
#8
Sorry, sure:
[Image: ENWm37.jpg]

Stacktrace (text):
Error on connecting domain

Connecting to the Non-Trusted-Domain 'ldaps.example.com' caused an error.
Domain: rootDSE
 Failed to connect to server:
 - ldaps.example.com (The server is not operational.)
---------------------------
   at CommonHelper.Directory.DirProviderLDAP.initProvider(StringCollection ldapServer, StringCollection ldapServerFailover, Boolean loadBalanced, Int32 badServerTimeOut, DirAuthType authType, Int32 maxPwdAge, String ldapRoot, String ldapUser, SecureString ldapPwd, ArrayList globalDirList, String displayName, String netbiosName, String dirMappingField, XmlNode dirConfiguration, DirProvInit_Struct initData)
   at CommonHelper.Directory.DirProviderLDAP..ctor(String ldapServer, String ldapUser, SecureString ldapPwd)
   at CloudAdminCommon.Dialogs.BrowseAD.DialogUsersAndGroups.InitializeDialog(SecurityListView listViewAssigned, ADBrowseType adBrowseType, Boolean includeLocalMachine, DirectoryView[] givenDomains, SecurityObjectDisplayType displayType)
Reply
#9
Currently I have no AZURE test environment - so could you please try to add the port to the server name? like server:636 - is that working - else I have to check that in detail...
Regards/Gruss
Oliver
Reply
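Added example, not part of the original thread and not code from ASG: the error "The server is not operational" in post #8 does not say which layer failed, so this Python sketch probes an LDAPS endpoint in stages (name resolution, TCP connect on port 636, TLS handshake with certificate verification) and reports the first stage that fails. The function name `probe_ldaps` and its parameters are assumptions made for this illustration; `ldaps.example.com` is the placeholder host from the stack trace.

```python
import socket
import ssl


def probe_ldaps(host, port=636, timeout=5.0, cafile=None):
    """Return (stage, detail); stage is 'dns', 'tcp', 'tls' or 'ok'."""
    # Stage 1: can the client resolve the server name at all?
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", f"cannot resolve {host}: {exc}"

    # Stage 2: is the LDAPS port reachable (firewall, NSG, listener running)?
    family, socktype, proto, _, addr = infos[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
    except OSError as exc:
        sock.close()
        return "tcp", f"port {port} unreachable: {exc}"

    # Stage 3: TLS handshake with verification left ON, so an untrusted,
    # expired or wrongly named certificate is reported instead of ignored.
    # cafile may point at a PEM file holding a private CA or self-signed cert.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return "ok", f"{tls.version()}, certificate valid until {cert.get('notAfter')}"
    except ssl.SSLCertVerificationError as exc:
        return "tls", f"certificate rejected: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return "tls", f"handshake failed: {exc}"
    finally:
        sock.close()  # harmless if the TLS wrapper already took over the socket


if __name__ == "__main__":
    # Placeholder host taken from the stack trace in post #8.
    stage, detail = probe_ldaps("ldaps.example.com")
    print(f"{stage}: {detail}")
```

A result of `tcp` points at network reachability of port 636, while `tls` with "certificate rejected" points at the client not trusting the server certificate or the name not matching it.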



