0 votes

We are running the latest version 2013.1 of Adaxes and are having an issue with permissions. I am using the built-in security role Domain Users and have denied access to two attributes called Private data Write and Read listed below. I have created a new security role called AD Support Dispatch and granted the Read "Private Data" Property permissions, but it looks as if the global deny rules are being applied and the read private data property in the AD Support Dispatch Security role does not work. Is there a way to override a Deny rule that is set in the domain user built-in security role? If I deny an attribute in a global security role using the Authenticated Users Trustee on All objects, how can I override or grant read access to this deny attribute in another security role that is designed for a small group of users to see this private data? Any ideas…

by (80 points)

1 Answer

0 votes
by (215k points)

Hello Rodney,

You should always remember that Deny permissions always have a higher priority than Allow permissions, so there is no way you can override the Deny permissions that you defined.

Based on your letter and screenshots that you've sent us by email, what we can suggest is that you modify the Assignments of the Domain User Security Role that you currently have by assigning it to the users/groups who need to gain access to the Private Data property and exclude All Objects from the Assignment Scope of the Role. Thus, the permissions of the Role will no longer be delegated to those users/groups. Because of this, you also need to modify the permissions of the AD Support Dispatch Security Role and grant the right to Read All object types to that Role for the users to be able to browse your AD. Then, you need to assign the Role to the users/groups who need to gain access to the Private Data property and include All Objects in the Assignment Scope. To implement such a solution:

I. Modify the assignments of the Domain User Security Role

  1. Open Adaxes Administration Console.

  2. Locate and select the Domain User Security Role.

  3. Right-click in the Assignments section and click Add Assignment.

  4. In the dialog box that appears, double-click a user/group who needs access to the Private Data property.

  5. In the dialog box that appears, add All Objects to the Assignment Scope of the Role.

  6. In the Assignment Options dialog, select the Exclude this selection option.

  7. Click OK 2 times.

  8. If necessary, repeat steps 3-5 for as many users/groups as you need.

  9. Save the Security Role.

II. Modify the permissions of the AD Support Dispatch Security Role and assign it to the necessary users/groups

  1. Open Adaxes Administration Console.
  2. Locate and select the AD Support Dispatch Security Role.
  3. Click the Add button above the Permissions list.
  4. In the dialog that appears, select the Read permission in the Allow column and click OK.
  5. Right-click in the Assignments section and click Add Assignment.
  6. In the dialog box that appears, double-click a user/group who needs access to the Private Data property.
  7. In the dialog box that appears, add All Objects to the Assignment Scope of the Role.
  8. Save the Security Role.

P.S. Rodney, please check your PM inbox!

0

Adaxes Support,

This fix will work for us, thank you for your assistance.

Rodney
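
The Deny-over-Allow rule and the exclusion workaround from the answer above, as an added Python example that is not part of the original thread and is not Adaxes code. It is a simplified model: the group name `Dispatch Staff` is hypothetical, and it assumes the Domain User role also grants general Read, which is why the answer has you add Read to AD Support Dispatch.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Assignment:
    trustee: str            # user or group the role is assigned to
    scope: str              # e.g. "All Objects"
    exclude: bool = False   # models "Exclude this selection"

@dataclass
class Role:
    name: str
    allow: set
    deny: set
    assignments: list

def role_applies(role, groups, scope):
    # Delegated only if an assignment includes the user on this scope
    # and no assignment for one of the user's groups excludes it.
    hits = [a for a in role.assignments if a.trustee in groups and a.scope == scope]
    return any(not a.exclude for a in hits) and not any(a.exclude for a in hits)

def can(perm, groups, roles, scope="All Objects"):
    active = [r for r in roles if role_applies(r, groups, scope)]
    if any(perm in r.deny for r in active):
        return False        # Deny always beats Allow
    return any(perm in r.allow for r in active)

AUTH = "Authenticated Users"
DISPATCH = "Dispatch Staff"             # hypothetical group name
DISPATCHER = {AUTH, DISPATCH}           # constructed sample users
REGULAR = {AUTH}

def build_roles(fixed):
    # Assumption: the Domain User role also grants general Read.
    domain = Role("Domain User", {"Read"},
                  {"Read Private Data", "Write Private Data"},
                  [Assignment(AUTH, "All Objects")])
    dispatch = Role("AD Support Dispatch", {"Read Private Data"}, set(),
                    [Assignment(DISPATCH, "All Objects")])
    if fixed:
        # Part I: exclude the dispatch group from the Domain User role.
        domain.assignments.append(Assignment(DISPATCH, "All Objects", exclude=True))
        # Part II: grant Read so the group can still browse AD.
        dispatch.allow.add("Read")
    return [domain, dispatch]

if __name__ == "__main__":
    for label, fixed in (("before", False), ("after", True)):
        roles = build_roles(fixed)
        print(label, "dispatcher:", can("Read Private Data", DISPATCHER, roles),
              "regular:", can("Read Private Data", REGULAR, roles))
```

After the change, a quick check that regular users are still denied the Private Data property confirms the exclusion did not widen access beyond the intended group.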
