I wrote the code below for blocking a user in group dev from using an API operation. I would like to know if there is a method for blocking users in a group from accessing a particular method like PUT or DELETE, and only allowing users in a group to use the GET method?
<choose>
    <!-- context.User.Groups holds the API Management groups of the caller;
         it is populated when the call is authenticated with a subscription key -->
    <when condition="@(context.User.Groups.Any(g => g.Name == "dev"))">
        <return-response>
            <!-- 403 is Forbidden; "Unauthorized" is the reason phrase for 401 -->
            <set-status code="403" reason="Forbidden" />
            <set-body>Users in group dev do not have access to this method.</set-body>
        </return-response>
    </when>
</choose>
CodePudding user response:
Role-based access control helps with that, please see below:
The following are the high-level steps that Azure RBAC uses to determine if you have access to a resource. These steps apply to Azure Resource Manager or data plane services integrated with Azure RBAC. This is helpful to understand if you are trying to troubleshoot an access issue.
- A user (or service principal) acquires a token for Azure Resource Manager.
- The token includes the user's group memberships (including transitive group memberships).
- The user makes a REST API call to Azure Resource Manager with the token attached.
- Azure Resource Manager retrieves all the role assignments and deny assignments that apply to the resource upon which the action is being taken.
- If a deny assignment applies, access is blocked. Otherwise, evaluation continues.
- Azure Resource Manager narrows the role assignments that apply to this user or their group and determines what roles the user has for this resource.
- Azure Resource Manager determines if the action in the API call is included in the roles the user has for this resource. If the roles include Actions that have a wildcard (*), the effective permissions are computed by subtracting the NotActions from the allowed Actions. Similarly, the same subtraction is done for any data actions.
  - Actions - NotActions = Effective management permissions
  - DataActions - NotDataActions = Effective data permissions
- If the user doesn't have a role with the action at the requested scope, access is not allowed. Otherwise, any conditions are evaluated.
- If the role assignment includes conditions, they are evaluated. Otherwise access is allowed.
- If conditions are met, access is allowed. Otherwise access is not allowed.
CodePudding user response:
You can use the 'validate-jwt' policy and allow/restrict access based on the method called. Users will present the JWT token while calling the API; you can use an operation-level policy or an API-level policy (based on a method check) and verify the JWT token claims.
You can refer to the Microsoft documentation here for use of the policy: https://docs.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies#ValidateJWT
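The following is an added example of the approach this answer describes (it is not code from the answerer or from the original post): an API-level inbound policy that validates the bearer token with validate-jwt, stores the parsed token in a variable, and then rejects any non-GET request from a member of the dev group. The tenant id placeholder, the audience value and the group object id are assumptions to be replaced with your own; Azure AD issues group object ids (not display names) in the groups claim, which is why the check compares against an id. Note that context.User.Groups, used in the question, is the API Management user's group membership and is only populated when the call is authenticated with a subscription key, so for JWT-authenticated callers the group has to be read from the token as shown here.

```xml
<policies>
    <inbound>
        <base />
        <!-- Added example. Hypothetical values: replace {tenant-id}, the audience
             and the group object id below with your own. -->
        <validate-jwt header-name="Authorization" require-scheme="Bearer"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Access token is missing or invalid."
                      output-token-variable-name="jwt">
            <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
            <audiences>
                <audience>api://my-backend-api</audience>
            </audiences>
            <issuers>
                <issuer>https://login.microsoftonline.com/{tenant-id}/v2.0</issuer>
            </issuers>
        </validate-jwt>
        <!-- The "groups" claim carries group object ids; compare against the id of the dev group.
             A token without a groups claim is treated as "not in dev". -->
        <set-variable name="isDev" value="@{
            var jwt = (Jwt)context.Variables["jwt"];
            string[] groups;
            return jwt.Claims.TryGetValue("groups", out groups)
                && groups.Contains("00000000-0000-0000-0000-000000000000");
        }" />
        <!-- Members of dev may only read: anything other than GET is refused with 403 Forbidden
             before the request reaches the backend. -->
        <choose>
            <when condition="@((bool)context.Variables["isDev"] && !context.Request.Method.Equals("GET", StringComparison.OrdinalIgnoreCase))">
                <return-response>
                    <set-status code="403" reason="Forbidden" />
                    <set-header name="Content-Type" exists-action="override">
                        <value>application/json</value>
                    </set-header>
                    <set-body>{"error":"Members of group dev may only use GET on this API."}</set-body>
                </return-response>
            </when>
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Because the method check lives at the API scope, every operation on the API is covered without repeating the rule per operation. If read-only callers should also be allowed HEAD or OPTIONS, extend the condition to exempt those methods as well; the validate-jwt step already turns a missing or forged token into a 401 before the group check runs.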