Solved

What rights are needed to be able to create roles in the ODX Server to define access

  • 24 October 2023
  • 16 replies
  • 211 views

Userlevel 6
Badge +7

 

I am trying to set up access to some tables in the ODX. when I try to add a role and search for an Azure AD user I get the error: 

Service request failed: Code: Authorization_RequestDenied ...
Module: TimeXtender.ODX.Engine
TimeXtender.ODX.Engine.ODXFaultException
   at TimeXtender.ODX.Engine.ODXEngine.SendServiceRequest[C,T](WcfServerSettings serverSettings, Func`3 func)
   at TimeXtender.DataManager.AddODXSecurityRoleWizard_MemberSelectStep.<>c__DisplayClass11_0.<SearchClicked>b__0()
   at TimeXtender.DataManager.ConnectingThread.ExecuteConnectingThread(Object dummy)

Service request failed: Code: Authorization_RequestDenied ...
Module: timeXtender
TXModelInterface.ExceptionWrapperException
   at TimeXtender.DataManager.ConnectingThread.HandleError()
   at TimeXtender.DataManager.ConnectingThread.Execute(String title, Int32 progressSteps, List`1 actions)
   at TimeXtender.DataManager.AddODXSecurityRoleWizard_MemberSelectStep.SearchClicked(Object sender, EventArgs e)
 

This setup is a VM in Azure with ODX storage in ADLS. The Storage Account App Registration is owner of the storage account. Is a role like User Access Administrator on the App Registration enough, or are other rights involved?

icon

Best answer by Christian Hauggaard 4 December 2023, 10:58

View original

16 replies

Userlevel 6
Badge +5

Hi @rory.smith 

Based on previous tickets, it seems that you need to setup the following Graph API permissions for the app registration. Please note that these require admin consent. It can also take a while before these take effect.

 

Userlevel 6
Badge +7

Hi @Christian Hauggaard ,

 

thanks - I will check based on this and let you know.

Userlevel 6
Badge +7

I have added exactly those rights, with the difference that I have granted the admin consent and waited, but still the same error.

Userlevel 6
Badge +5

Hi @rory.smith 

Sorry for the delay. If you still have the issue I have an suggestion.

The issue happens when you deploy the security rights to the container. I am not sure the rights of the app makes much of a difference.

I seem to remember testing this once. These are my settings in my storage account.

While I am an owner and was before I added the Storage Blob Data Owner right, I still thought I needed to add it.

So maybe see if it works if you add this right for the App.

Userlevel 6
Badge +7

Hi @Thomas Lind ,

my app registration is both storage blob owner and contributor so that isn't enough either. Could it be that this happens because this VM is not domain-joined and the ODX Server service is running as a local account?

Userlevel 6
Badge +5

Hi @rory.smith 

I tried to remove all rights on an app, so it only got the default.

I got these rights on mine.

 

Userlevel 6
Badge +5

Hi @rory.smith 

Could you please try to join the VM to the domain and see if this resolves the issue?

Userlevel 6
Badge +7

Hi Christian,

 

the point of this server is that it is not part of our domain but lives in an isolated network. It looks like instead of querying Azure through an App registration, it asks through the VM.

Userlevel 6
Badge +5

Hi @rory.smith can you please send a screenshot of your current API permissions for your app registration?

Userlevel 6
Badge +7

Hi Christian,

 

currently:

 

Userlevel 6
Badge +5

Hi @rory.smith 

I have tested with the following app registration setup on a VM that is not domain-joined and the creating a role and searching for members works.

Similar to your setup, my app reg has the storage blob data contributor and the storage blob data owner role for the data lake (without any conditions).

 

I am wondering if the reason it is not working for you is because of some other settings in the App Registration. Please see the settings for my app registration below for comparison. Do you notice any differences compared to yours?

 

 

Userlevel 6
Badge +5

Hi @rory.smith 

Can you please let us know if there are any differences in your setup compared to the working setup I outlined above?

Userlevel 6
Badge +5

@rory.smith could you please provide an update on this? Thanks

Userlevel 6
Badge +7

Hi @Christian Hauggaard ,

 

I have changed the permissions to reflect the ones you are using, I have also upgraded to the newest release. One or both of these things seems to have solved it for me - at least I now can add roles and grant/deny access and those seem to reflect on the ACLs. I am assuming a DENY is equivalent to specifying the group or user and specifying no rights (i.e. 0)?

 

There are quite some differences between settings. I do not have a redirect URI set up as the default of localhost:33333 should be fine. This app is a single tenant one, yours is multi-tenant. Your Authentication blade is quite different due to the redirect URI and multitenant setup you have, mine looks like this:

 

Userlevel 6
Badge +5

Hi @rory.smith 

Yes that is correct, with deny permissions it creates a record with no permissions, please see below.

I tested this with Frank and it denies access for an individual, if an AD group is added to one role with grant permissions and athe specific individual (who is part of the AD group) is added to another role with deny permissions 

 

Userlevel 6
Badge +7

Hi @Christian Hauggaard ,

thanks - hopefully this thread will be able to give other users with issues some hints as to where the problems may lie.

Reply