Skip to main content
To homepage To homepage
Solved

What rights are needed to be able to create roles in the ODX Server to define access

rory.smith
TimeXtender Xpert
Forum|alt.badge.img+7

 

I am trying to set up access to some tables in the ODX. when I try to add a role and search for an Azure AD user I get the error: 

Service request failed: Code: Authorization_RequestDenied ...
Module: TimeXtender.ODX.Engine
TimeXtender.ODX.Engine.ODXFaultException
   at TimeXtender.ODX.Engine.ODXEngine.SendServiceRequest[C,T](WcfServerSettings serverSettings, Func`3 func)
   at TimeXtender.DataManager.AddODXSecurityRoleWizard_MemberSelectStep.<>c__DisplayClass11_0.<SearchClicked>b__0()
   at TimeXtender.DataManager.ConnectingThread.ExecuteConnectingThread(Object dummy)

Service request failed: Code: Authorization_RequestDenied ...
Module: timeXtender
TXModelInterface.ExceptionWrapperException
   at TimeXtender.DataManager.ConnectingThread.HandleError()
   at TimeXtender.DataManager.ConnectingThread.Execute(String title, Int32 progressSteps, List`1 actions)
   at TimeXtender.DataManager.AddODXSecurityRoleWizard_MemberSelectStep.SearchClicked(Object sender, EventArgs e)
 

This setup is a VM in Azure with ODX storage in ADLS. The Storage Account App Registration is owner of the storage account. Is a role like User Access Administrator on the App Registration enough, or are other rights involved?

Best answer by Christian Hauggaard

Hi @rory.smith 

I have tested with the following app registration setup on a VM that is not domain-joined and the creating a role and searching for members works.

Similar to your setup, my app reg has the storage blob data contributor and the storage blob data owner role for the data lake (without any conditions).

 

I am wondering if the reason it is not working for you is because of some other settings in the App Registration. Please see the settings for my app registration below for comparison. Do you notice any differences compared to yours?

 

 

View original
Did this topic help you find an answer to your question?

16 replies

Christian Hauggaard
Community Manager
Forum|alt.badge.img+5

Hi @rory.smith 

Based on previous tickets, it seems that you need to setup the following Graph API permissions for the app registration. Please note that these require admin consent. It can also take a while before these take effect.

 

rory.smith
TimeXtender Xpert
Forum|alt.badge.img+7
  • rory.smith
  • Author
  • TimeXtender Xpert
  • 687 replies
  • November 1, 2023

Hi @Christian Hauggaard ,

 

thanks - I will check based on this and let you know.

rory.smith
TimeXtender Xpert
Forum|alt.badge.img+7
  • rory.smith
  • Author
  • TimeXtender Xpert
  • 687 replies
  • November 1, 2023

I have added exactly those rights, with the difference that I have granted the admin consent and waited, but still the same error.

Thomas Lind
Community Manager
Forum|alt.badge.img+5
  • Thomas Lind
  • Community Manager
  • 1070 replies
  • November 20, 2023

Hi @rory.smith 

Sorry for the delay. If you still have the issue I have an suggestion.

The issue happens when you deploy the security rights to the container. I am not sure the rights of the app makes much of a difference.

I seem to remember testing this once. These are my settings in my storage account.

While I am an owner and was before I added the Storage Blob Data Owner right, I still thought I needed to add it.

So maybe see if it works if you add this right for the App.

rory.smith
TimeXtender Xpert
Forum|alt.badge.img+7
  • rory.smith
  • Author
  • TimeXtender Xpert
  • 687 replies
  • November 20, 2023

Hi @Thomas Lind ,

my app registration is both storage blob owner and contributor so that isn't enough either. Could it be that this happens because this VM is not domain-joined and the ODX Server service is running as a local account?

Thomas Lind
Community Manager
Forum|alt.badge.img+5
  • Thomas Lind
  • Community Manager
  • 1070 replies
  • November 20, 2023

Hi @rory.smith 

I tried to remove all rights on an app, so it only got the default.

I got these rights on mine.

 

Christian Hauggaard
Community Manager
Forum|alt.badge.img+5

Hi @rory.smith 

Could you please try to join the VM to the domain and see if this resolves the issue?

rory.smith
TimeXtender Xpert
Forum|alt.badge.img+7
  • rory.smith
  • Author
  • TimeXtender Xpert
  • 687 replies
  • November 29, 2023

Hi Christian,

 

the point of this server is that it is not part of our domain but lives in an isolated network. It looks like instead of querying Azure through an App registration, it asks through the VM.

Christian Hauggaard
Community Manager
Forum|alt.badge.img+5

Hi @rory.smith can you please send a screenshot of your current API permissions for your app registration?

rory.smith
TimeXtender Xpert
Forum|alt.badge.img+7
  • rory.smith
  • Author
  • TimeXtender Xpert
  • 687 replies
  • November 30, 2023

Hi Christian,

 

currently:

 

Christian Hauggaard
Community Manager
Forum|alt.badge.img+5

Hi @rory.smith 

I have tested with the following app registration setup on a VM that is not domain-joined and the creating a role and searching for members works.

Similar to your setup, my app reg has the storage blob data contributor and the storage blob data owner role for the data lake (without any conditions).

 

I am wondering if the reason it is not working for you is because of some other settings in the App Registration. Please see the settings for my app registration below for comparison. Do you notice any differences compared to yours?

 

 

Christian Hauggaard
Community Manager
Forum|alt.badge.img+5

Hi @rory.smith 

Can you please let us know if there are any differences in your setup compared to the working setup I outlined above?

Christian Hauggaard
Community Manager
Forum|alt.badge.img+5

@rory.smith could you please provide an update on this? Thanks

rory.smith
TimeXtender Xpert
Forum|alt.badge.img+7
  • rory.smith
  • Author
  • TimeXtender Xpert
  • 687 replies
  • January 9, 2024

Hi @Christian Hauggaard ,

 

I have changed the permissions to reflect the ones you are using, I have also upgraded to the newest release. One or both of these things seems to have solved it for me - at least I now can add roles and grant/deny access and those seem to reflect on the ACLs. I am assuming a DENY is equivalent to specifying the group or user and specifying no rights (i.e. 0)?

 

There are quite some differences between settings. I do not have a redirect URI set up as the default of localhost:33333 should be fine. This app is a single tenant one, yours is multi-tenant. Your Authentication blade is quite different due to the redirect URI and multitenant setup you have, mine looks like this:

 

Christian Hauggaard
Community Manager
Forum|alt.badge.img+5

Hi @rory.smith 

Yes that is correct, with deny permissions it creates a record with no permissions, please see below.

I tested this with Frank and it denies access for an individual, if an AD group is added to one role with grant permissions and athe specific individual (who is part of the AD group) is added to another role with deny permissions 

 

rory.smith
TimeXtender Xpert
Forum|alt.badge.img+7
  • rory.smith
  • Author
  • TimeXtender Xpert
  • 687 replies
  • February 7, 2024

Hi @Christian Hauggaard ,

thanks - hopefully this thread will be able to give other users with issues some hints as to where the problems may lie.

Christian Hauggaard
1 person likes this
  • Christian Hauggaard
    Christian Hauggaard

Reply


Most helpful members this week

Terms and ConditionsCookie settings

Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings