
Hi,

I seem to have hit a permissions error. For the life of me I'm sure this has been working fine, now we appear to have a very strange situation.

I noticed today that a particular Custom Command that users should only have permission to run on their own entry was showing up for all entries:-


I've been trying to find out why this is, and now I'm even more confused. I've changed things round to try and find the cause, and I've given rights to this command to one role only (that I'm not a member of):


Yet, I can still execute this command (against anyone) - which is one problem - but the really strange thing is, when I look at the role assignments of the command it says no-one has rights to it, when we know from the above that at least one role has?


I'm also digging around other permissions issues, and it looks like there may be other 'over-permissive' access via the web interface. I'm 100% sure this has all been OK up to the last few days, so this must be something to do with a change we've made recently - but I cannot think of any permissions that have been changed.

Rgds

by (1.6k points)

1 Answer

by (1.6k points)

...

I managed to find the root cause - mainly my fault but still a little confused about something.

We had temporarily added 'Full User Object' rights to a specific role (that my account was a member of but I hadn't realised, and it was just 'off the bottom of the page' in the trustee scroll box), and removing this fixed the underlying permissions issue:-


However, I'm confused as to i) why this role wasn't being reflected in the 'Effective Security Roles' for the custom command if it granted me the right to run the custom command, and ii) how granting Full Control over 'User' objects also gave the right to run a Custom Command, which I thought was permissioned explicitly (or via the 'All Custom Commands' right).

Rgds


Through trial and error I seem to have confirmed that, for i), the 'Effective Roles' details those roles that have the right to manage/configure a Custom Command, not run it - is that correct?

Still not sure about ii) - though to be honest I may have created more problems by trying to fix the original one, and then lost track a bit of what was working when.

Either way - I have everything permissioned again as I expected, so you can ignore this thread!

Rgds


Hello,

...
i) why this role wasn't being reflected in the 'Effective Security Roles' for the custom command if it granted me the right to run the custom command

The Effective Security Roles section only shows the Security Roles that grant the permissions to manage the Custom Command, not execute it.

...ii) how granting Full Control over 'User' objects also gave the right to run a Custom Command, which I thought was permissioned explicitly (or via the 'All Custom Commands' right).

No. The Full Access permission grants the right to perform any operation on the object, that is, write all properties, execute all Custom Commands, etc. The Execute all Custom Commands permission is a partial permission that grants only the right to execute Custom Commands on the object.

As you mentioned in your initial post, you would like to allow users to execute this Custom Command on their own accounts only. To do this, you need to create a Security Role that grants the right to execute the Custom Command, assign it to Self and include All Objects in the Assignment Scope. To do this:

  1. Create a new Security Role.
  2. On the 2nd step, add the permission that allows executing the Custom Command you need.
  3. On the 3rd step, assign the Role to Self and include All Objects in the Assignment Scope.

Many thanks. The very granular permissions model is both a curse and a god send!
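As an added illustration (not Adaxes code, and not from anyone in this thread), a small model of the rights logic the answer describes: Full Access subsumes the execute right, the Effective Security Roles panel lists manage rights only, and a Self assignment confines the command to the user's own entry. The role names, group names and the "Reset Token" command are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed toy model of the semantics described in the thread (not Adaxes code):
# "Full Access" on an object class implies every operation, including running any
# Custom Command; "Execute all Custom Commands" is a partial right; one command can
# also be granted explicitly. A role assigned to "Self" applies only when the actor
# is the target, even though its Assignment Scope is "All Objects".

SELF = "Self"
FULL_ACCESS = "Full Access"
EXEC_ALL = "Execute all Custom Commands"
EXEC_ONE = "Execute Custom Command"
MANAGE_ONE = "Manage Custom Command"

@dataclass
class Permission:
    object_type: str               # object class the right applies to, e.g. "user"
    right: str                     # one of the constants above
    command: Optional[str] = None  # only for per-command rights

@dataclass
class Role:
    name: str
    permissions: list
    trustees: set                  # group names, or SELF

def permission_allows_run(perm, object_type, command):
    if perm.object_type != object_type:
        return False
    if perm.right in (FULL_ACCESS, EXEC_ALL):
        return True  # Full Access subsumes the partial execute right
    return perm.right == EXEC_ONE and perm.command == command

def can_run(roles, actor, actor_groups, target, object_type, command):
    """True if any role assigned to the actor (via a group or Self) grants the run right."""
    for role in roles:
        assigned = (SELF in role.trustees and actor == target) or bool(role.trustees & set(actor_groups))
        if assigned and any(permission_allows_run(p, object_type, command) for p in role.permissions):
            return True
    return False

def effective_roles(roles, command):
    """Mirrors the 'Effective Security Roles' panel: roles that may manage the command, not run it."""
    return [r.name for r in roles if any(p.right == MANAGE_ONE and p.command == command for p in r.permissions)]

# Constructed sample: the accidental Full Access grant beside the intended Self-only role.
ROLES = [
    Role("Helpdesk Full Access", [Permission("user", FULL_ACCESS)], {"Helpdesk"}),
    Role("Run Reset On Self", [Permission("user", EXEC_ONE, "Reset Token")], {SELF}),
    Role("Command Admins", [Permission("user", MANAGE_ONE, "Reset Token")], {"Admins"}),
]

def audit(roles, actor="alice", actor_groups=("Helpdesk",), command="Reset Token"):
    """Return (can run on own entry, can run on another user, roles the panel would list)."""
    return (can_run(roles, actor, actor_groups, actor, "user", command),
            can_run(roles, actor, actor_groups, "bob", "user", command),
            effective_roles(roles, command))
```

Removing the Full Access role from `ROLES` is the equivalent of the fix in the thread: the command then works on the actor's own entry only, while the manage-only panel is unchanged either way.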
