Solved: App Portal Roles

agrawalakshay1 · ‎May 08, 2019

When using App Portal/App Broker, I want to include and exclude certain parts of the organization. For example, there might be certain parts of the organization being divested. What is the best way to segregate user access in App Portal by groups of people so that we can either include all and then exclude by exception, or exclude all and include by exception. The domain name is the same for all users - what is the best way to separate them out in AD?

Akshay

jdempsey · ‎May 09, 2019

Permissions in App Portal are broken into two areas: Admin Security and Catalog Security. If no permissions are configured under Admin Security, everyone that can authenticate (either domain users or SSO users, depending on how you have authentication configured) will have full admin rights to the site. As soon as you add any user or group to Admin Security, only that user or group will have admin rights, and only the specified permissions you have granted. Everyone else will be excluded automatically. The same holds true for Catalog Security. If no permissions are configured, everyone will have access to browse the catalog, request on behalf of others, manage other people's requests, etc. As soon as you add a user or group to Catalog Security, only that user or group will have the designated permissions, and all other users will have no catalog access.

Within North America Services, our standard practice is to create a set of AD groups that represent common roles (e.g. App Portal Administrator, Support Technician, Catalog Administrator, License Manager, Report Viewer, Catalog User). We then add those AD groups into Admin Security and Catalog Security with the desired permissions. From that point, you can simply manage permissions by adding/removing users and groups to/from those AD groups. As described above, anyone that isn't in one or more of those groups will have no permissions to App Portal.

Anything expressed here is my own view and not necessarily that of my employer, Flexera. If my reply answers a question you have raised, please click "ACCEPT AS SOLUTION".

View solution in original post

CharlesW · ‎May 09, 2019

I'm thinking that you might be able to use ".NET Authorization rules" in IIS to deny access to a particular group, or even add a "location" element to web.config to deny a particular group.. I've used the location element before to allow access to a part of the site for only a particular AD group.. I'd expect that you could also deny access to a particular group.

View solution in original post

jdempsey · ‎May 09, 2019

Permissions in App Portal are broken into two areas: Admin Security and Catalog Security. If no permissions are configured under Admin Security, everyone that can authenticate (either domain users or SSO users, depending on how you have authentication configured) will have full admin rights to the site. As soon as you add any user or group to Admin Security, only that user or group will have admin rights, and only the specified permissions you have granted. Everyone else will be excluded automatically. The same holds true for Catalog Security. If no permissions are configured, everyone will have access to browse the catalog, request on behalf of others, manage other people's requests, etc. As soon as you add a user or group to Catalog Security, only that user or group will have the designated permissions, and all other users will have no catalog access.

Within North America Services, our standard practice is to create a set of AD groups that represent common roles (e.g. App Portal Administrator, Support Technician, Catalog Administrator, License Manager, Report Viewer, Catalog User). We then add those AD groups into Admin Security and Catalog Security with the desired permissions. From that point, you can simply manage permissions by adding/removing users and groups to/from those AD groups. As described above, anyone that isn't in one or more of those groups will have no permissions to App Portal.

Anything expressed here is my own view and not necessarily that of my employer, Flexera. If my reply answers a question you have raised, please click "ACCEPT AS SOLUTION".

CharlesW · ‎May 09, 2019

I'm thinking that you might be able to use ".NET Authorization rules" in IIS to deny access to a particular group, or even add a "location" element to web.config to deny a particular group.. I've used the location element before to allow access to a part of the site for only a particular AD group.. I'd expect that you could also deny access to a particular group.