To homepage To homepage
Solved

What rights are needed to be able to create roles in the ODX Server to define access

  • 24 October 2023
  • 16 replies
  • 205 views
rory.smith
Rank
Userlevel 5
Badge +7

 

I am trying to set up access to some tables in the ODX. when I try to add a role and search for an Azure AD user I get the error: 

Service request failed: Code: Authorization_RequestDenied ...
Module: TimeXtender.ODX.Engine
TimeXtender.ODX.Engine.ODXFaultException
   at TimeXtender.ODX.Engine.ODXEngine.SendServiceRequest[C,T](WcfServerSettings serverSettings, Func`3 func)
   at TimeXtender.DataManager.AddODXSecurityRoleWizard_MemberSelectStep.<>c__DisplayClass11_0.<SearchClicked>b__0()
   at TimeXtender.DataManager.ConnectingThread.ExecuteConnectingThread(Object dummy)

Service request failed: Code: Authorization_RequestDenied ...
Module: timeXtender
TXModelInterface.ExceptionWrapperException
   at TimeXtender.DataManager.ConnectingThread.HandleError()
   at TimeXtender.DataManager.ConnectingThread.Execute(String title, Int32 progressSteps, List`1 actions)
   at TimeXtender.DataManager.AddODXSecurityRoleWizard_MemberSelectStep.SearchClicked(Object sender, EventArgs e)
 

This setup is a VM in Azure with ODX storage in ADLS. The Storage Account App Registration is owner of the storage account. Is a role like User Access Administrator on the App Registration enough, or are other rights involved?

icon

Best answer by Christian Hauggaard 4 December 2023, 10:58

View original

16 replies

Christian Hauggaard
Rank
Userlevel 6
Badge +5

Hi @rory.smith 

Based on previous tickets, it seems that you need to setup the following Graph API permissions for the app registration. Please note that these require admin consent. It can also take a while before these take effect.

 

rory.smith
Rank
Userlevel 5
Badge +7

Hi @Christian Hauggaard ,

 

thanks - I will check based on this and let you know.

rory.smith
Rank
Userlevel 5
Badge +7

I have added exactly those rights, with the difference that I have granted the admin consent and waited, but still the same error.

Thomas Lind
Rank
Userlevel 6
Badge +5

Hi @rory.smith 

Sorry for the delay. If you still have the issue I have an suggestion.

The issue happens when you deploy the security rights to the container. I am not sure the rights of the app makes much of a difference.

I seem to remember testing this once. These are my settings in my storage account.

While I am an owner and was before I added the Storage Blob Data Owner right, I still thought I needed to add it.

So maybe see if it works if you add this right for the App.

rory.smith
Rank
Userlevel 5
Badge +7

Hi @Thomas Lind ,

my app registration is both storage blob owner and contributor so that isn't enough either. Could it be that this happens because this VM is not domain-joined and the ODX Server service is running as a local account?

Thomas Lind
Rank
Userlevel 6
Badge +5

Hi @rory.smith 

I tried to remove all rights on an app, so it only got the default.

I got these rights on mine.

 

Christian Hauggaard
Rank
Userlevel 6
Badge +5

Hi @rory.smith 

Could you please try to join the VM to the domain and see if this resolves the issue?

rory.smith
Rank
Userlevel 5
Badge +7

Hi Christian,

 

the point of this server is that it is not part of our domain but lives in an isolated network. It looks like instead of querying Azure through an App registration, it asks through the VM.

Christian Hauggaard
Rank
Userlevel 6
Badge +5

Hi @rory.smith can you please send a screenshot of your current API permissions for your app registration?

rory.smith
Rank
Userlevel 5
Badge +7

Hi Christian,

 

currently:

 

Christian Hauggaard
Rank
Userlevel 6
Badge +5

Hi @rory.smith 

I have tested with the following app registration setup on a VM that is not domain-joined and the creating a role and searching for members works.

Similar to your setup, my app reg has the storage blob data contributor and the storage blob data owner role for the data lake (without any conditions).

 

I am wondering if the reason it is not working for you is because of some other settings in the App Registration. Please see the settings for my app registration below for comparison. Do you notice any differences compared to yours?

 

 

Christian Hauggaard
Rank
Userlevel 6
Badge +5

Hi @rory.smith 

Can you please let us know if there are any differences in your setup compared to the working setup I outlined above?

Christian Hauggaard
Rank
Userlevel 6
Badge +5

@rory.smith could you please provide an update on this? Thanks

rory.smith
Rank
Userlevel 5
Badge +7

Hi @Christian Hauggaard ,

 

I have changed the permissions to reflect the ones you are using, I have also upgraded to the newest release. One or both of these things seems to have solved it for me - at least I now can add roles and grant/deny access and those seem to reflect on the ACLs. I am assuming a DENY is equivalent to specifying the group or user and specifying no rights (i.e. 0)?

 

There are quite some differences between settings. I do not have a redirect URI set up as the default of localhost:33333 should be fine. This app is a single tenant one, yours is multi-tenant. Your Authentication blade is quite different due to the redirect URI and multitenant setup you have, mine looks like this:

 

Christian Hauggaard
Rank
Userlevel 6
Badge +5

Hi @rory.smith 

Yes that is correct, with deny permissions it creates a record with no permissions, please see below.

I tested this with Frank and it denies access for an individual, if an AD group is added to one role with grant permissions and athe specific individual (who is part of the AD group) is added to another role with deny permissions 

 

rory.smith
Rank
Userlevel 5
Badge +7

Hi @Christian Hauggaard ,

thanks - hopefully this thread will be able to give other users with issues some hints as to where the problems may lie.

Reply


Terms and ConditionsCookie settings