0 votes

Hi All,

I have just been notified that if a user uses the export feature. They are able to export attributes such as 'Member Of' that they do not have permission to see on the web interface.

I think this is because the Domain User security role has Read permission on all object types which is then locked down via the web interface.

Is there an easy way to restrict the export like you restrict the web interface or will I have to individually add permissions to the Domain User security role?

Thanks

by (1.9k points)

1 Answer

+1 vote
ago by (970 points)
selected ago by
Best answer

Hello,

Permissions in Adaxes are granted with the help of Security Roles. Hiding the elements of the Web Interface from the users doesn’t affect their permissions to view certain object properties. If the built-in Domain User Security Role was not modified in your environment, all authenticated users effectively have the permissions to view all objects and all their property values.

To restrict the permissions to export certain property values, you have to deny the rights to view these values using Security Roles. For details, please see https://www.adaxes.com/tutorials_DelegatingPermissions_GrantRightsToModifySpecificProperties.htm. On step 3 of the tutorial, check the Read <Property Name> permission in the Deny column.

Please note, that even if you restrict the rights to view the value of a certain property (e.g. Member Of), users will still be able to select this property during export, but the value in the exported document will be blank.

0

Thank you for that. I will have to make the Domain User permissions a bit more granular

Related questions

0 votes
1 answer

Hi, I had to create Custom Command for distribution group creation. Default group creation wizard cannot be used, because we need some of parameters to be mandatory etc. Anyway I ... which shouldn't be targeted to any particular AD object. How do I do it?

asked Jan 20 by KIT (2.9k points)
0 votes
1 answer

When we deprovision a user the member of groups are deleted and the power shell scrips only runs as removing all memberships. I can't see what was removed. Is there a scrips I can run prior to removing those memberships that will e-mail what they are?

asked Oct 15, 2019 by meyerm (280 points)
0 votes
1 answer

I am trying to see if Adaxes and send me a report of how many users have Dial In access. is there a way to do it.. If so please advise .. The object is msNPAllowDialin

asked Dec 2, 2011 by Nate (250 points)
0 votes
1 answer

Hey all Is there anyway you can set up an environment where u allow certain people to access adaxes webinterface and manage certain things themselves? right now only ... able to give permissions on certain security groups to certain people? is this possible?

asked Aug 22, 2019 by seanr (480 points)
0 votes
0 answers

Softerra Adaxes provides role-based security administration, so permissions are granted to users with the help of Security Roles. To view the Security Roles that delegate permissions ... delegated, right-click a Security Role and click Locate Role in Tree.

asked Apr 23, 2009 by Support (215k points)
2,221 questions
1,983 answers
5,447 comments
6,564 users