0 votes

Hi All,

I have just been notified that if a user uses the export feature, they are able to export attributes such as 'Member Of' that they do not have permission to see on the web interface.

I think this is because the Domain User security role has Read permission on all object types which is then locked down via the web interface.

Is there an easy way to restrict the export like you restrict the web interface or will I have to individually add permissions to the Domain User security role?

Thanks

by (440 points)

1 Answer

+1 vote
by (2.7k points)
Best answer

Hello,

Permissions in Adaxes are granted with the help of Security Roles. Hiding the elements of the Web Interface from the users doesn’t affect their permissions to view certain object properties. If the built-in Domain User Security Role was not modified in your environment, all authenticated users effectively have the permissions to view all objects and all their property values.

To restrict the permissions to export certain property values, you have to deny the rights to view these values using Security Roles. For details, please see https://www.adaxes.com/tutorials_DelegatingPermissions_GrantRightsToModifySpecificProperties.htm. On step 3 of the tutorial, check the Read <Property Name> permission in the Deny column.

Please note that even if you restrict the rights to view the value of a certain property (e.g. Member Of), users will still be able to select this property during export, but the value in the exported document will be blank.

0

Thank you for that. I will have to make the Domain User permissions a bit more granular.
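A check for the behavior described in the answer, added here as an example and not part of the original thread or Adaxes' own tooling: after adding the Deny entry, export as a test user and confirm the restricted columns come out blank. It assumes the export was saved as CSV with a header row; the column names and sample rows are constructed.

```python
import csv
import io

# Constructed sample: a CSV export made while signed in as a test user whose
# Security Role denies "Read Member Of". Column names are assumptions.
SAMPLE_EXPORT = (
    "\ufeffName,Department,Member Of\r\n"
    "Alice Example,Finance,\r\n"
    "Bob Example,IT,\"CN=VPN Users,OU=Groups,DC=example,DC=com\"\r\n"
    "Carol Example,HR,   \r\n"
)


def find_export_leaks(csv_text, restricted, key_column="Name"):
    """Return (leaks, unchecked).

    leaks: (row label, property) pairs where a restricted column holds a value.
    unchecked: restricted properties absent from the export, so not verified.
    """
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    # Match headers case-insensitively and ignore surrounding whitespace.
    headers = {h.strip().lower(): h for h in (reader.fieldnames or [])}
    present, unchecked = {}, []
    for name in restricted:
        col = headers.get(name.strip().lower())
        if col is None:
            unchecked.append(name)  # column was not selected during export
        else:
            present[name] = col
    key = headers.get(key_column.strip().lower())
    leaks = []
    for row in reader:
        label = (row.get(key) or "").strip() if key else ""
        label = label or f"line {reader.line_num}"
        for name, col in present.items():
            # Whitespace-only cells count as blank; short rows yield None.
            if (row.get(col) or "").strip():
                leaks.append((label, name))
    return leaks, unchecked


if __name__ == "__main__":
    leaks, unchecked = find_export_leaks(SAMPLE_EXPORT, ["Member Of", "Manager"])
    for who, column in leaks:
        print(f"LEAK: {column!r} has a value for {who}")
    for column in unchecked:
        print(f"NOT VERIFIED: {column!r} was not selected in the export")
```

A property reported as not verified was never selected in the export, so repeat the export with that column selected before treating it as restricted.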
