Which permissions are absolutely required for Azure AD?

thomas.cherryhomes · August 26, 2019, 7:03pm

Which permissions are ABSOLUTELY required for Rancher Azure AD auth to work correctly?

According to the documentation, it needs:

Access the directory as the signed-in user
Read directory data
Read all groups
Read all users’ full profiles
Read all users’ basic profiles
Sign in and read user profile

However my AD team is having a significant conniption over:

Read all groups
Read all users full profiles

Which permissions does Rancher AD auth absolutely require?

-Thom

JasonvanBrackel · August 27, 2019, 6:06pm

Read all groups is necessary so an operator can assign RBAC to specific AD groups.

As for users full profiles, I’ve asked the engineering team to look into whether basic profiles will suffice, or is there a specific component we need that only comes with access to users’ full profiles.

JasonvanBrackel · August 27, 2019, 6:11pm

@thomas.cherryhomes, the link of that discussion is here.

Topic		Replies	Views
"Unable to fetch User Info" when authenticating against Azure AD Rancher 2.x	0	1558	October 22, 2019
Azure AD authentication Rancher 1.x	1	929	March 21, 2018
Rancher 2.5 with Azure Ad Rancher 2.x	0	326	May 18, 2021
Auth issue with Azure AD - Rancher 2.8.0 Rancher 2.x	0	97	February 6, 2024
Azure AD groups can't log in Rancher 2.x	0	411	October 24, 2019

Which permissions are absolutely required for Azure AD?

Related Topics