0 votes

Hi,

I did not find how to delegate configuration tasks, for instance, modifying a business rule (a specific one or a set), property patterns, and so on.
It seems to me that we can only manage access to the whole configuration. I'm organizing rules/patterns in folders (containers) and the underlying idea would be to delegate only these containers (and associated objects) to specific users.

Maybe i'm wrong, in that case i will be more than happy to get the answer :-)

Thanks !

Stephen

by (800 points)

1 Answer

0 votes
by (18.0k points)

Hello,

It is possible to allow users or groups to manage Adaxes configuration objects (Business Rules, Property Patterns, Scheduled Tasks, etc.).

To create a Security Role that will allow users to manage Business Rules:

  1. Launch Adaxes Administration Console.
  2. Start the Security Role Creation wizard.
  3. On the 2nd step of the wizard, open submenu of the Add button.
  4. Select Manage Business Rules. This will add all the necessary permissions to manage Business Rules.
  5. Assign the Security Role to a user or group over Configuration Objects.

Using Adaxes Administration Console it is impossible to assign a Security Role over a specific Business Rule or a container of Business Rules. However, it is possible to do this via a script. We can implement such a script for you.

0

Yes, i saw that but our requirement is exactly what you described at the end of your message. I believe your script will modify permssions on LDDS backend. What would be the conditions to have that kind of script ?
Thanks for your help

0

The following script assigns group My Group to a Security Role called My Role over a Business Rules container called My Container:

 [Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$adaxesHost = "localhost"
$trusteeDN = "CN=My Group,CN=Users,DC=company,DC=com" # TODO: modify me
$businessRuleContainerName = "My Container" # TODO: modify me
$securityRoleName = "My Role" # TODO: modify me

# Connect to the Adaxes service
$admNS = New-Object("Softerra.Adaxes.Adsi.AdmNamespace")
$admService = $admNS.GetServiceDirectly($adaxesHost)

# Bind to the trustee object
$trustee = $admService.OpenObject("Adaxes://$trusteeDN", $NULL, $NULL, 0)

# Bind to the root container of Business Rules
$businessRulesPath = $admService.Backend.GetConfigurationContainerPath([Softerra.Adaxes.Adsi.WellKnownBackendContainer]::BusinessRules)
$businessRulesPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" $businessRulesPath
$businessRulesContainerAdsPath = $businessRulesPathObj.CreateChildPath("CN=$businessRuleContainerName")
$businessRulesContainer = $admService.OpenObject($businessRulesContainerAdsPath.ToString(), $NULL, $NULL, 0)

# The following function assigns a Security Role to a given trustee over specified activity scope
function AssignRole($roleName, $trustee, $baseObject, $scopeType, $scopeInheritance)
{
    $securityRolesContainerPath = $admService.Backend.GetConfigurationContainerPath([Softerra.Adaxes.Adsi.WellKnownBackendContainer]::AccessControlRoles)
    $securityRolesContainerAdsPath = New-Object "Softerra.Adaxes.Adsi.AdsPath" $securityRolesContainerPath
    $roleAdsPath = $securityRolesContainerAdsPath.CreateChildPath("CN=$roleName")
    $admRole = $admService.OpenObject($roleAdsPath.ToString(), $NULL, $NULL, 0)
    $admAssignment = $admRole.Assignments.Create()
    $trusteeSidBytes = $trustee.Get("objectSid")
    $trusteeSid = New-Object "Softerra.Adaxes.Adsi.Sid" @($trusteeSidBytes, 0)
    $admAssignment.Trustee = $trusteeSid.ToString()
    $admAssignment.SetInfo()
    $admRole.Assignments.Add($admAssignment)
    $admScopeItem = $admAssignment.ActivityScopeItems.Create()
    $admScopeItem.Put("adm-ScopeBaseObjectGuid", $baseObject.Get("objectGUID"))
    $admScopeItem.Exclude = $False
    $admScopeItem.Type = $scopeType
    $admScopeItem.Inheritance = $scopeInheritance
    $admScopeItem.SetInfo()
    $admAssignment.ActivityScopeItems.Add($admScopeItem)
}

# Assign the Security Role over the specified container of Business Rules
AssignRole $securityRoleName $trustee $businessRulesContainer "ADM_SCOPEBASEOBJECTTYPE_CONTAINER" "ADS_SCOPE_SUBTREE"

BTW, if you assign your Security Role like that, it may contain only one permission - Allow Full Control -> All Objects.

Related questions

0 votes
1 answer

the script repo examples are almost entirely written in ADSI, however powershell is now far more widely used, is it possible to have all scripts written in both ADSI and powershell.

asked Jan 5 by i*windows (140 points)
0 votes
1 answer

Shared mailboxes are treated as standard users, however they really should have a separate view. I would like to request that a new view is made avaiilable for Shared ... office location, data from HR systems, windows profile, etc are not really relevant.

asked Jun 23, 2023 by i*windows (140 points)
0 votes
1 answer

Hello, Using the "Inactive user allowed to log in" report in Adaxes, I want to be able to select specific OUs to exclude out of the scope in this report, or have the option to filter based on a user property such as Department.

asked Nov 8, 2022 by GronTron (270 points)
0 votes
1 answer

On scheduled tasks, business rules, and custom commands, inside an if statement, you have the option for it to be "AND" or "OR" in the condition. Can there be a ... a bunch of computer accounts to be deleted. We think this would be a good safety measure.

asked Mar 22, 2021 by mark.it.admin (2.3k points)
+1 vote
1 answer

HI, It would be very nice if one could add a description for an action set that then will display on top of the action set as a header. I find myself inspecting actions/ ... be very helpful to be able to see this in the header at first glance. Thank you

asked Feb 8, 2021 by digimortal (240 points)
3,326 questions
3,026 answers
7,727 comments
544,678 users