0 votes

Is there a way to enable custom commands for one domain ONLY? So that the command doesn't even show when viewing a user in a domain that doesn't have that custom command?

Example:

You have one webinterface for all your managed domains
Users in domain A are on a Citrix platform, and you should be able to run Citrix Custom Commands against users in this domain. You should also just see the Citrix commands.

Users in domain B are on a VDI platform, and you should be able to run VDI Custom Commands against users in this domain, and NOT Citrix Custom Commands. You should also just see the VDI commands.

by (960 points)

1 Answer

0 votes
by (216k points)

Hello,

Yes, you can do this with the help of Security Roles. You can create a set of Security Roles, one Role per 'environment'. In that Role, you need to add the Deny permission to execute all Custom Commands that belong to a particular 'environment', assign the Role to Authenticated Users, and include the domains where the Command must not be executed in the Assignment Scope of the Role. So, for example, for Citrix Custom Commands, you need to create a Security Role that denies the right to execute all Citrix commands, and include all domains that are not running the Citrix platform in the Assignment Scope.

To create such a Security Role:

  1. Create a new Security Role.
  2. On the 2nd step of the Create Security Role wizard, click Add.
  3. Select the object type on which the Custom Commands can be executed (e.g. User).
  4. In the General permissions section, check the necessary Custom Commands in the Deny column.
  5. Click OK.
  6. If necessary, repeat steps 2-5 for as many object types as you need.
  7. On the 3rd step, assign the Role to Authenticated Users, including the domains where the commands must not be executed in the Assignment Scope of the Role.
0

I've tested this solution, but I still see the commands in the web interface. When I click it though, I get "Access is denied".

I've also done an iisreset after applying these rights.

0

Hello,

It is a bug in Adaxes that will be fixed by the next release. Custom Commands that a user doesn't have the right to execute on a specific object shouldn't be shown in the Web interface on the page that displays properties of the object.

For now, until the workaround is available, you can create the following workaround:

  1. You can disable all Custom Commands on the Web interface. For information on how to do this, see step 4 in Disallow Certain Operations on Active Directory Objects.
  2. Then, you can create a series of Home Page Actions, one for each Custom Command. For information on how to do this, see section Custom Command in Configure Home Page Actions. On step 3 of the section, you will find information on how to allow objects located in a specific OU or container. Specify the DN of the domain where the Custom Command can be executed as the container DN.
0

When will the next release be available? This is very important for the use of the webinterface for our users. Would it be possible to get a fix for this?

The workaround with custom commands as actions on the home page is not a good solution for us.

0

Hello,

First of all, you should pay attention to the case when you execute Custom Commands from AD object lists. In object lists, the Web interface shows all Custom Commands that can be executed on the selected object types, regardless of permissions granted to the user. The permissions are not checked in AD object lists by design because checking permissions would cause a huge performance loss. To work around this, you can disable Custom Commands in AD object lists. For information on how to do this, see step 6 in the following tutorial: http://www.adaxes.com/tutorials_WebInte ... bjects.htm.

On the page used for viewing properties of an object, permissions are checked. That is, a user will be shown only the Custom Commands they can execute on the object. The issue is that when you disallow executing a Custom Command by assigning a Deny execute permission, the permission is not taken into account when building the list of Custom Commands. However, if you distribute the permissions to execute Custom Commands only with the help of the Allow execute permissions, they will be taken into account when building the list of Custom Commands shown to the user. So, you can work around the issue by distributing the permissions to execute the Custom Commands with the help of the Allow execute permissions only. To do this:

  1. Check that none of the Security Roles give the Execute All Custom Commands permission for the object type (e.g. User). If any Security Roles give such a permission, remove it and add permissions to execute each Custom Command separately.

  2. Create a set of Security Roles, one Role per 'environment'. In that Role, you need to add the Allow permission to execute all Custom Commands that belong to a particular 'environment', assign the Role to Authenticated Users, and include the domains where the Command can be executed in the Assignment Scope of the Role. So, for example, for Citrix Custom Commands, you need to create a Security Role that allows the right to execute all Citrix commands, and include all domains that are running the Citrix platform in the Assignment Scope. To create such a Security Role:

     1. Create a new Security Role.
     2. On the 2nd step of the Create Security Role wizard, click Add.
     3. Select the object type on which the Custom Commands can be executed (e.g. User).
     4. In the General permissions section, check the necessary Custom Commands in the Allow column.
     5. Click OK.
     6. If necessary, repeat steps 2-5 for as many object types as you need.
     7. On the 3rd step, assign the Role to Authenticated Users, including the domains where the commands can be executed in the Assignment Scope of the Role.
0

Good. This was part of the solution. The other part was to remove "Full Control" over User objects. With Full Control enabled, you will still see the command and be able to execute it.

0

Yes, the Full Control permission also includes the permission to execute all Custom Commands.
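The thread above describes three behaviours of the property page: the command list is built from Allow permissions only (so Deny-based roles produce commands that are listed but fail with "Access is denied"), Allow-based roles scoped to the right domains give a list that matches what the user can run, and Full Control (like Execute All Custom Commands) grants every command regardless of the per-environment roles. The following is an added Python model of that evaluation written for this page; it is not Adaxes code, and the role names, command names, domains and DNs are constructed. It lets you check a proposed role layout for "phantom" commands (visible but not executable) and for Full Control leaking commands into the wrong domain before you click through the web interface.

```python
"""Constructed model of the web-interface behaviour described in the thread.

Not Adaxes code: names, domains and DNs are made up for this example.
"""
from __future__ import annotations
from dataclasses import dataclass

FULL_CONTROL = "Full Control"                  # grants everything, incl. all Custom Commands
EXECUTE_ALL = "Execute All Custom Commands"    # grants every Custom Command


@dataclass(frozen=True)
class Permission:
    command: str   # a Custom Command name, FULL_CONTROL or EXECUTE_ALL
    allow: bool    # True = Allow column, False = Deny column


@dataclass
class SecurityRole:
    name: str
    permissions: list[Permission]
    scope_domains: set[str]   # domains in the role's Assignment Scope


def domain_of(dn: str) -> str:
    """Derive the DNS domain of an object from the DC= components of its DN."""
    parts = [p[3:] for p in dn.split(",") if p.upper().startswith("DC=")]
    return ".".join(parts).lower()


def _roles_in_scope(roles, target_dn):
    domain = domain_of(target_dn)
    return [r for r in roles if domain in r.scope_domains]


def executable_commands(roles, commands, target_dn) -> set[str]:
    """What the user can actually run on the object: Allow wins unless an
    explicit Deny exists; Full Control / Execute All cover every command."""
    allowed, denied = set(), set()
    for role in _roles_in_scope(roles, target_dn):
        for p in role.permissions:
            targets = set(commands) if p.command in (FULL_CONTROL, EXECUTE_ALL) else {p.command}
            (allowed if p.allow else denied).update(targets)
    return allowed - denied


def listed_commands(roles, commands, target_dn) -> set[str]:
    """What the property page shows, as the thread describes it: the list is
    built from Allow permissions only, so Deny entries are never consulted."""
    shown = set()
    for role in _roles_in_scope(roles, target_dn):
        for p in role.permissions:
            if p.allow:
                shown.update(commands if p.command in (FULL_CONTROL, EXECUTE_ALL) else {p.command})
    return shown & set(commands)


def phantom_commands(roles, commands, target_dn) -> set[str]:
    """Commands that are listed but would fail with 'Access is denied'."""
    return listed_commands(roles, commands, target_dn) - executable_commands(roles, commands, target_dn)


# --- constructed sample data -------------------------------------------------
COMMANDS = {"Citrix: Reset Session", "Citrix: Log Off", "VDI: Reboot Desktop", "VDI: Reassign Pool"}
CITRIX = {c for c in COMMANDS if c.startswith("Citrix")}
VDI = {c for c in COMMANDS if c.startswith("VDI")}
USER_A = "CN=alice,OU=Users,DC=a,DC=example"   # domain A: Citrix platform
USER_B = "CN=bob,OU=Users,DC=b,DC=example"     # domain B: VDI platform

# Layout 1 (first answer): grant everything, then Deny per environment.
DENY_BASED_ROLES = [
    SecurityRole("All Custom Commands", [Permission(EXECUTE_ALL, True)], {"a.example", "b.example"}),
    SecurityRole("Deny Citrix", [Permission(c, False) for c in CITRIX], {"b.example"}),
    SecurityRole("Deny VDI", [Permission(c, False) for c in VDI], {"a.example"}),
]
# Layout 2 (later answer): Allow only, one role per environment, scoped by domain.
ALLOW_BASED_ROLES = [
    SecurityRole("Citrix commands", [Permission(c, True) for c in CITRIX], {"a.example"}),
    SecurityRole("VDI commands", [Permission(c, True) for c in VDI], {"b.example"}),
]
# Layout 3: layout 2 plus a helpdesk role with Full Control over both domains.
FULL_CONTROL_ROLES = ALLOW_BASED_ROLES + [
    SecurityRole("Helpdesk", [Permission(FULL_CONTROL, True)], {"a.example", "b.example"}),
]


def report(label, roles, target_dn):
    print(f"{label} / {domain_of(target_dn)}")
    print("  listed:    ", sorted(listed_commands(roles, COMMANDS, target_dn)))
    print("  executable:", sorted(executable_commands(roles, COMMANDS, target_dn)))
    print("  phantom:   ", sorted(phantom_commands(roles, COMMANDS, target_dn)))


if __name__ == "__main__":
    for label, roles in [("deny-based", DENY_BASED_ROLES),
                         ("allow-based", ALLOW_BASED_ROLES),
                         ("allow-based + Full Control", FULL_CONTROL_ROLES)]:
        report(label, roles, USER_A)
        report(label, roles, USER_B)
```

Running it shows the three outcomes from the thread: with the Deny-based layout a user in domain B sees all four commands but can only execute the VDI ones (the Citrix commands are phantoms); with the Allow-based layout the listed and executable sets coincide per domain; and adding a Full Control role scoped to both domains makes every command both visible and executable in both domains, which is why that permission had to be removed.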
