0 votes

Hi All,

I have just been notified that if a user uses the export feature, they are able to export attributes such as 'Member Of' that they do not have permission to see on the web interface.

I think this is because the Domain User security role has Read permission on all object types which is then locked down via the web interface.

Is there an easy way to restrict the export like you restrict the web interface or will I have to individually add permissions to the Domain User security role?

Thanks

by (440 points)

1 Answer

+1 vote
by (2.4k points)
selected by
Best answer

Hello,

Permissions in Adaxes are granted with the help of Security Roles. Hiding the elements of the Web Interface from the users doesn’t affect their permissions to view certain object properties. If the built-in Domain User Security Role was not modified in your environment, all authenticated users effectively have the permissions to view all objects and all their property values.

To restrict the permissions to export certain property values, you have to deny the rights to view these values using Security Roles. For details, please see https://www.adaxes.com/tutorials_DelegatingPermissions_GrantRightsToModifySpecificProperties.htm. On step 3 of the tutorial, check the Read <Property Name> permission in the Deny column.

Please note that even if you restrict the rights to view the value of a certain property (e.g. Member Of), users will still be able to select this property during export, but the value in the exported document will be blank.

0

Thank you for that. I will have to make the Domain User permissions a bit more granular.
