service APIs are modified to restrict their access based on their operation.
Common authorization functionality
hasPermissions is added with extra parameter from
PartitionOperations containing indication to the API operation for authorization.
The check is made dependent on flag
enable.crud.based.authorization . It can be set to true and verified in the provided implementation.
If the above flag is enabled by Azure, the Create/Patch/Delete calls will be forbidden on security-token generated using all the non-customer apps. Only the tokens with customer appid's are allowed to perform CRUD operations.
For non-azure CSP same check will work as before with or without the flag is set.
Testing for partition changes
Trusted pipeline run succeeded:
Using non MSI token: GET allowed:
- For Non MSI/Admin Token:
CREATE not allowed:
PATCH not allowed:
DELETE not allowed
- With Admin/MSI Token: