Hide directory objects from users

The default permission settings in Adaxes allow all users to view all objects in all managed domains. In this tutorial, you will learn how to configure the rights that determine which objects users can see. For example, you can allow users to see only members of specific groups, or hide disabled user accounts and objects that don't match certain criteria.

If your directory hosts multiple tenants, you may want to restrict users to see objects only from their organizational unit, and hide the rest of the structure.

The rights to view directory objects, like any other rights in Adaxes, are granted with the help of security roles. Out of the box, the permission to view all objects in all managed domains is granted by the Domain user security role.

To granularly control the objects visible to users, you need to delete the default assignment of the Domain user security role.

After the assignment is deleted, users will not be able to see any objects, except for their own account and the objects they manage. By default, the permission to view own account is granted by a built-in security role, User self-service. The Computer manager and Group manager roles allow object owners to see the computers and groups they manage.

Now you can grant rights to view objects in your managed domains.

Permissions granted by security roles are effective only within Adaxes.

Example 1 – Allow everyone to see objects in a specific organizational unit.

To grant the permission, assign the Domain user role to Authenticated Users over the organizational unit you want users to see.

Step by step
  • In the Assignments section, click Add.

  • Click Authenticated Users and then click Next.

  • Type the name of the organizational unit and then click it.

  • In the Assignment Options dialog, select whether you want users to see only objects located directly in the organizational unit or the whole subtree.

    If you want users to see the organizational unit itself, select The Organizational Unit object.

  • Click OK and then click Finish.

  • Click Save changes.

Example 2 – Allow everyone to see members of a specific group.

To grant the permission, assign the Domain user role to Authenticated Users over members of the group you want users to see.

Step by step
  • In the Assignments section, click Add.

  • Click Authenticated Users and then click Next.

  • Type the name of the group and then click it.

  • In the Assignment Options dialog, select whether you want users to see only direct members of the group, or all members, including the members of the nested groups.

    If you want users to see the group object itself, select The group object.

  • Click OK and then click Finish.

  • Click Save changes.

Example 3 – Allow users to see the objects that have the word Sales in their name.

To grant the permission, create a business unit that will contain objects with the word Sales in their name. Then assign the Domain user role to users over members of the business unit.

Step by step
  • Create a business unit that includes objects that match the following criteria: Name contains Sales

    For instructions, see Create business unit.

  • Select the Domain user role.

  • In the Assignments section, click Add.

  • Type the name of the group or user you want to assign the role to, and then click it.

  • Click Next.

  • In the Look in drop-down, select Business Units.

  • Click the business unit.

  • In the Assignment Options dialog, select The business unit object if you want users to also see the business unit itself.

  • Click OK and then click Finish.

  • Click Save changes.

Example 4 – Allow everyone to see objects located in their own organizational unit.

To grant the permission, create a business unit that will contain objects located in the organizational unit of the logged-in user. Then assign the Domain user role to Authenticated Users over members of the business unit.

Step by step
  • Create a business unit that contains objects located in the organizational unit of the logged-in user.

    For instructions, see Create dynamic business unit.

  • Select the Domain user role.

  • In the Assignments section, click Add.

  • Click Authenticated Users and then click Next.

  • In the Look in drop-down, select Business Units.

  • Click the business unit.

  • In the Assignment Options dialog, select The business unit object if you want users to also see the business unit itself.

  • Click OK and then click Finish.

  • Click Save changes.

Example 5 – Allow managers to see their direct reports.

To grant the permission, assign the Domain user role to the Manager security principal over All Objects.

Step by step
  • In the Assignments section, click Add.

  • Click Manager and then click Next.

  • Click All Objects.

    If, for example, you want managers to see only their direct reports located in a specific organizational unit, select the organizational unit instead of selecting All Objects.

  • Click OK and then click Finish.

  • Click Save changes.

All built-in security roles in Adaxes contain the Allow - Read - All object types permission. This means that when you assign a built-in security role to users, they get the right to see the objects included in the assignment scope.

If you modify the default assignments of the Domain user role, it is recommended to include the Allow - Read - All object types permission in all your security roles. The rule is simple: if you delegate rights to manage objects, you also need to grant the right to view those objects.

Blind user role

Adaxes includes a built-in security role, Blind user, that can also be used to hide directory objects.

The Blind user role contains only one permission, Deny - Read - All object types, and is very simple to use. To hide a directory object from a user, assign the Blind user role to the user and include the object you want to hide in the assignment scope. This way you can hide objects located in an organizational unit, group members, objects that belong to a business unit, specific directory objects, etc.

If you want to hide directory objects of a specific type only, create a security role that contains the Deny Read permission applied only to the object type you need.

For example, to hide an organizational unit from a user, assign the Blind user role to the user and include the organizational unit and its subtree in the assignment scope.

Since Deny permissions always override Allow permissions, users will not see the hidden directory objects even if other security roles grant them such rights.
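To see how the scope options and the Deny-over-Allow rule combine, here is a small model of the visibility evaluation described on this page (Examples 1 and 2 and the Blind user role). It is an added illustration, not Adaxes code or its API: the sample directory, the DNs and the Assignment class are constructed for the example; an Allow assignment stands for the Domain user role and a Deny assignment for the Blind user role.

```python
from dataclasses import dataclass
# Constructed sample directory (not a real domain): DN -> groups the object is a direct member of.
SALES_OU = "OU=Sales,OU=Staff,DC=example,DC=com"
INTERNS_OU = "OU=Interns," + SALES_OU
SALES_GROUP = "CN=Sales Team,OU=Groups,DC=example,DC=com"
LEADS_GROUP = "CN=Sales Leads,OU=Groups,DC=example,DC=com"   # nested inside Sales Team
ALICE, BOB = "CN=Alice," + SALES_OU, "CN=Bob," + INTERNS_OU
CAROL = "CN=Carol,OU=Finance,OU=Staff,DC=example,DC=com"     # outside Sales OU, but in Sales Team
DAVE = "CN=Dave,OU=Finance,OU=Staff,DC=example,DC=com"       # only in the nested Sales Leads group
DIRECTORY = {ALICE: {SALES_GROUP}, BOB: set(), CAROL: {SALES_GROUP}, DAVE: {LEADS_GROUP},
             LEADS_GROUP: {SALES_GROUP}, SALES_GROUP: set(), SALES_OU: set(), INTERNS_OU: set()}

@dataclass(frozen=True)
class Assignment:                # hypothetical model of a security role assignment
    trustee: str                 # "Authenticated Users" or a user DN
    effect: str                  # "Allow" (Domain user role) or "Deny" (Blind user role)
    scope: str                   # DN of the OU, group or object the role is assigned over
    kind: str                    # "ou", "group" or "object"
    nested: bool = False         # ou: whole subtree; group: members of nested groups too
    scope_object: bool = False   # "The Organizational Unit object" / "The group object" option

def memberships(obj_dn, nested):
    """Groups obj_dn belongs to, following nested groups when requested."""
    seen, todo = set(), list(DIRECTORY.get(obj_dn, ()))
    while todo:
        g = todo.pop()
        if g not in seen:
            seen.add(g)
            if nested:
                todo.extend(DIRECTORY.get(g, ()))
    return seen

def in_scope(obj_dn, a):
    if obj_dn == a.scope:
        return a.scope_object or a.kind == "object"
    if a.kind == "ou":
        parent = obj_dn.split(",", 1)[1]
        return parent == a.scope or (a.nested and obj_dn.endswith("," + a.scope))
    return a.kind == "group" and a.scope in memberships(obj_dn, a.nested)

def can_read(user_dn, obj_dn, assignments):
    """Deny always overrides Allow; own account is readable (User self-service) unless denied."""
    hits = [a for a in assignments if a.trustee in ("Authenticated Users", user_dn) and in_scope(obj_dn, a)]
    if any(a.effect == "Deny" for a in hits):
        return False
    return obj_dn == user_dn or any(a.effect == "Allow" for a in hits)

def visible_objects(user_dn, assignments):
    return sorted(o for o in DIRECTORY if can_read(user_dn, o, assignments))
```

With no assignments at all, a user sees only their own account, which is the state after the default Domain user assignment is deleted.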
