  • Save jimsander/dc6e62a17e5c34f4caf87c37bb175eb9 to your computer and use it in GitHub Desktop.
{"cells":[{"metadata":{"toc":true},"cell_type":"markdown","source":"<h1>Table of Contents<span class=\"tocSkip\"></span></h1>\n<div class=\"toc\"><ul class=\"toc-item\"><li><span><a href=\"#Requirements\" data-toc-modified-id=\"Requirements-1\"><span class=\"toc-item-num\">1&nbsp;&nbsp;</span>Requirements</a></span></li><li><span><a href=\"#Our-current-approach\" data-toc-modified-id=\"Our-current-approach-2\"><span class=\"toc-item-num\">2&nbsp;&nbsp;</span>Our current approach</a></span><ul class=\"toc-item\"><li><span><a href=\"#Scoped-Groups\" data-toc-modified-id=\"Scoped-Groups-2.1\"><span class=\"toc-item-num\">2.1&nbsp;&nbsp;</span>Scoped Groups</a></span></li><li><span><a href=\"#Entitlements\" data-toc-modified-id=\"Entitlements-2.2\"><span class=\"toc-item-num\">2.2&nbsp;&nbsp;</span>Entitlements</a></span></li><li><span><a href=\"#Options-for-Activation\" data-toc-modified-id=\"Options-for-Activation-2.3\"><span class=\"toc-item-num\">2.3&nbsp;&nbsp;</span>Options for <em>Activation</em></a></span><ul class=\"toc-item\"><li><span><a href=\"#1.-Upon-request-:-manually\" data-toc-modified-id=\"1.-Upon-request-:-manually-2.3.1\"><span class=\"toc-item-num\">2.3.1&nbsp;&nbsp;</span>1. Upon request : manually</a></span></li><li><span><a href=\"#2.-Access-Package-work-flow\" data-toc-modified-id=\"2.-Access-Package-work-flow-2.3.2\"><span class=\"toc-item-num\">2.3.2&nbsp;&nbsp;</span>2. Access Package work flow</a></span></li><li><span><a href=\"#3.-Self-Help:-Enterprise-App-with-Group-assignment\" data-toc-modified-id=\"3.-Self-Help:-Enterprise-App-with-Group-assignment-2.3.3\"><span class=\"toc-item-num\">2.3.3&nbsp;&nbsp;</span>3. Self-Help: Enterprise App with Group assignment</a></span></li><li><span><a href=\"#4.-Join-Group-(where-user-is-an-owner)\" data-toc-modified-id=\"4.-Join-Group-(where-user-is-an-owner)-2.3.4\"><span class=\"toc-item-num\">2.3.4&nbsp;&nbsp;</span>4. Join Group (where user is an owner)</a></span></li><li><span><a href=\"#5.-Management-Groups\" data-toc-modified-id=\"5.-Management-Groups-2.3.5\"><span class=\"toc-item-num\">2.3.5&nbsp;&nbsp;</span>5. Management Groups</a></span></li></ul></li></ul></li></ul></div>"},{"metadata":{"scrolled":true,"trusted":true},"cell_type":"code","source":"P = input(\"Enter Prefix: \").upper()\nprint('Prefix: {}'.format(P))","execution_count":48,"outputs":[{"output_type":"stream","name":"stdout","text":"Enter Prefix: ond.dev.pac\nPrefix: OND.DEV.PAC\n"}]},{"metadata":{"scrolled":false,"trusted":true},"cell_type":"code","source":"G = input(\"Enter Group||Project: \").lower().capitalize()\nprint('Group: {}'.format(G))","execution_count":49,"outputs":[{"output_type":"stream","name":"stdout","text":"Enter Group||Project: FooGrp1\nGroup: Foogrp1\n"}]},{"metadata":{"trusted":true},"cell_type":"code","source":"R = input(\"Enter Resource: \").lower().capitalize()\nprint('Resource: {}'.format(R))","execution_count":50,"outputs":[{"output_type":"stream","name":"stdout","text":"Enter Resource: KV1\nResource: Kv1\n"}]},{"metadata":{"code_folding":[],"scrolled":true,"trusted":true},"cell_type":"code","source":"def setDefault(dVar,dVal=0):\n    # Return dVal when dVar is None, otherwise return dVar unchanged\n    if dVar is None:\n        return dVal\n    else:\n        return dVar\n\n# Fall back to sample defaults when a value is None\nP = setDefault(P,'QBU-PM.PAC')\nG = setDefault(G,'FooGroup2')\nR = setDefault(R,'ResGrp1')\n\n# Build the scoped group names from the naming convention <Prefix>.<Group>[.<Resource>]\nscopeGroupName = f'{P}.{G}'\nscopeGroupResource = f'{P}.{G}.{R}'\nprint (\"Scope Group\",scopeGroupName)\nprint (\"Scope Group Resource\",scopeGroupResource)","execution_count":53,"outputs":[{"output_type":"stream","text":"Scope Group OND.DEV.PAC.Foogrp1\nScope Group Resource OND.DEV.PAC.Foogrp1.Kv1\n","name":"stdout"}]},{"metadata":{"variables":{"P":"OND.DEV.PAC","G":"Foogrp1","R":"Kv1","scopeGroupName":"OND.DEV.PAC.Foogrp1","scopeGroupResource":"OND.DEV.PAC.Foogrp1.Kv1"}},"cell_type":"markdown","source":"# Privileged Access Management\n\nWe want to be able to accommodate a workflow where\n\n- entitlements are pre-authorized eligibilities to resources via RBAC\n- approvers/mgmt designate users for entitlements\n- users are eligible to enable roles they are entitled to\n- users have self-help ability to enable such entitlements\n- activated roles have a limited duration\n\n## Requirements\n- RBAC Managed Access to resources\n- Limited Access / Expiration\n- Self-Help / User initiated\n- Auditability\n\nAAD Tenant Configuration\nOur primary tenant is company-wide while our production tenants are dedicated to production\n\n## Our current approach\n### Scoped Groups\nUse AAD Security Groups to \"scope\" RBAC to resources\n\nGroup naming format: `<Prefix>.<Group>.[<Resource>.]<Role>` denotes a group scoped to `<Group>`, narrowed to the `<Resource>` resource if specified, carrying the Azure role `<Role>`\n \n- Prefix: is unique descriptor for tenant or other convention\n- Group: is an arbitrary description denoting a Teams subscription or management group\n- Resource: [optional] granular designation to specific resource[s]\n- Role: Azure Role :)\n \n e.g.\n Prefix = {{P}}\n Group = {{G}}\n Resource = {{R}}\n Role = Reader\n \n Scope Group \n - top level: **{{scopeGroupName}}**\n - approver level: **{{scopeGroupName}}**.Approver\n - eligible level(s): **{{scopeGroupName}}**.Eligible || **{{scopeGroupResource}}**.Eligible\n - resource level: **{{scopeGroupResource}}**.Contributor\n \n### Entitlements \nAn entitlement is a mapping of a user to a group.\n\n\ne.g. `Any member user of ` **{{scopeGroupResource}}.**Eligible ` is entitled access to scope ` **{{scopeGroupResource}}.**Contributor\n\n\n### Options for *Activation*\nActivation of a role is simply the user being granted membership of an entitled/**Eligible** group.\n\n\n#### 1. Upon request : manually\nOperations adds the user as a member of the group\n- options: cli, wrapper api or portal\n\nNegatives:\n- As a manual effort, there will be a delay between the time requested and fulfillment\n- Need a reminder, or other method, to automatically remove the member from the group\n \n#### 2. Access Package work flow \nCan accommodate the workflows with policies very well, where 2 policies manage\n- ad-hoc: requesting access (ad-hoc) requiring approval from **Approver** group\n- eligible: those already eligible (per **Eligible**) group \n\nUsers can request to join via access-packages URL: e.g. https://myaccess.microsoft.com/@auth.xcloud.ninja#/access-packages \n \nThe setup would require 2-3 groups for every 1 scoped group depending on the configuration\n- Approvers Group : **{{scopeGroupName}}.**Approver\n- Eligible/Entitled Group : **{{scopeGroupName}}.**Eligible OR **{{scopeGroupResource}}.**Eligible\n- Scoped Group : **{{scopeGroupName}}.**Reader\n \n \nNegatives:\n- Would need an API or programmatic method to create consistent Access Packages in bulk\n \n#### 3. Self-Help: Enterprise App with Group assignment\n \n\n#### 4. Join Group (where user is an owner)\nOwners of groups can join via https://account.activedirectory.windowsazure.com/r#/joinGroups\nPolicy must be set to \n \nPotential Scenario much like Access Package workflow\n- Would require an **Approver** \n- Would require **Eligible** group for top level scope **{{scopeGroupName}}** OR granular per each scoped group **{{scopeGroupResource}}**\n \nNegatives:\n- Group Owners can modify ownership (e.g. remove all others); not a trust issue, but human error\n- No configuration for expiry; would need to externally track (but that's the most viable)\n- Needs an API method for \n - users to join\n - to modify *policy* \n\n#### 5. Management Groups\n\nHave not dug in yet, but can't help but suspect that, regardless of which method or combination of methods above we use, management groups would \n \nActivated roles could be tracked as we do entitlements, but may be duplicating something inherent in Azure **PIM, IG** or something else.\n \n\n\n# Issues: \n- Token refresh delays - impacts JIT access or sometimes users have to logout/in to pick up authorization(s)\n- Portal/UI: some columns/fields not resizable and truncate longer group names\n\n\nhttps://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Announcing-a-new-Azure-AD-identity-governance-preview/ba-p/480864"},{"metadata":{"trusted":true},"cell_type":"code","source":"","execution_count":null,"outputs":[]},{"metadata":{"trusted":true},"cell_type":"code","source":"","execution_count":null,"outputs":[]},{"metadata":{"trusted":true},"cell_type":"code","source":"","execution_count":null,"outputs":[]}],"metadata":{"kernelspec":{"name":"python3","display_name":"Python 3","language":"python"},"language_info":{"name":"python","version":"3.7.2","mimetype":"text/x-python","codemirror_mode":{"name":"ipython","version":3},"pygments_lexer":"ipython3","nbconvert_exporter":"python","file_extension":".py"},"toc":{"nav_menu":{},"number_sections":true,"sideBar":false,"skip_h1_title":true,"base_numbering":1,"title_cell":"Table of Contents","title_sidebar":"Contents","toc_cell":true,"toc_position":{"height":"100px","left":"10px","top":"150px","width":"165px"},"toc_section_display":true,"toc_window_display":false}},"nbformat":4,"nbformat_minor":2}