
Restrict allowed operations

You can configure which operations and custom commands can be executed via REST API. For example, you can disable object deletion or other sensitive operations. If an operation is disabled, it can't be performed using REST API even if the authenticated user has sufficient permissions.

Note

Out of the box, only Adaxes service administrators have the rights to configure REST API. Other users can be granted such rights using a security role with the Write all properties permission assigned over Configuration objects.

Change settings

 Restrict operations

Operations that can be performed via REST API are listed in the ADM_WEBUI_OPERATION_TYPE_ENUM enumeration and are all enabled by default. To disable operations, execute the following script and restart IIS on the computer where the REST API component is installed.

In the script:

  • $serviceHost – the host name of the computer where the Adaxes service is installed.
  • $allowedOperations – an array of operations which should be enabled. All other operations will be disabled.

using namespace Softerra.Adaxes.Interop.Adsi.Management.WebUI.Operations
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$serviceHost = "localhost" 
$allowedOperations = @(
    "ADM_WEBUI_OPERATION_TYPE_CREATE",
    "ADM_WEBUI_OPERATION_TYPE_ADD_MEMBERS",
    "ADM_WEBUI_OPERATION_TYPE_ENABLE_ACCOUNT",
    "ADM_WEBUI_OPERATION_TYPE_RESET_PASSWORD"
)

# Connect to the Adaxes service.
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly($serviceHost)

# Prompt for credentials.
$credential = Get-Credential

# Bind to the REST API configuration container.
$containerPath = $admService.Backend.GetConfigurationContainerPath("ClientAppsContainer")
$container = $admService.OpenObject($containerPath, $credential.UserName,`
    $credential.GetNetworkCredential().Password, 0)
$restApi = $container.RestApi

# Enable/disable operations.
$operationSettings = $restApi.OperationsSettings
$allOperations = [System.Enum]::GetNames("ADM_WEBUI_OPERATION_TYPE_ENUM")
foreach ($operationType in $allOperations)
{
    # Skip custom commands.
    if ($operationType -eq "ADM_WEBUI_OPERATION_TYPE_CUSTOM") { continue }

    $operation = $operationSettings.GetOperation($operationType)
    $operation.Enabled = $allowedOperations.Contains($operationType)
}

# Save settings.
$restApi.OperationsSettings = $operationSettings
$restApi.SetInfo()

Note

After executing the script, restart IIS on the computer where the REST API component is installed.

 Restrict custom commands

By default, all custom commands, including newly created commands, can be executed using REST API. To allow only a limited set of custom commands, execute the following script and restart IIS on the computer where the REST API component is installed.

In the script:

  • $serviceHost – the host name of the computer where the Adaxes service is installed.
  • $allowedCommands – an array of custom command identifiers that specifies which commands should be allowed in REST API.

Tip

For information on how to get the identifier of a custom command, see Get custom command identifier.

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$serviceHost = "localhost" 
$allowedCommands = @(
    "9db88ec3-1241-4ab1-9612-c7c982baa49f",
    "fe4ef324-79d8-4461-95db-7c38201668b8",
    "d41151e1-9f5d-44da-9a6b-3fd6bdf868b8"
) 

# Connect to the Adaxes service.
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly($serviceHost)

# Prompt for credentials.
$credential = Get-Credential

# Bind to the REST API configuration container.
$containerPath = $admService.Backend.GetConfigurationContainerPath("ClientAppsContainer")
$container = $admService.OpenObject($containerPath, $credential.UserName,`
    $credential.GetNetworkCredential().Password, 0)
$restApi = $container.RestApi

# Restrict custom commands.
$operationSettings = $restApi.OperationsSettings
$customCommandSettings = $operationSettings.CustomCommandOperations
$customCommandSettings.DefaultEnabledState = $False
$customCommandSettings.Clear()
foreach ($commandId in $allowedCommands)
{
    $customCommandConfiguration = $customCommandSettings.Create()
    $customCommandConfiguration.CustomCommandId = $commandId
    $customCommandConfiguration.Enabled = $True
    $customCommandSettings.Add($customCommandConfiguration)
}

# Save settings.
$restApi.OperationsSettings = $operationSettings
$restApi.SetInfo() 

Note

After executing the script, restart IIS on the computer where the REST API component is installed.

 Allow all custom commands

To allow all custom commands, execute the following script and restart IIS on the computer where the REST API component is installed.

In the script:

  • $serviceHost – the host name of the computer where the Adaxes service is installed.

Tip

For information on how to get the identifier of a custom command, see Get custom command identifier.

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$serviceHost = "localhost" 

# Connect to the Adaxes service.
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly($serviceHost)

# Prompt for credentials.
$credential = Get-Credential

# Bind to the REST API configuration container.
$containerPath = $admService.Backend.GetConfigurationContainerPath("ClientAppsContainer")
$container = $admService.OpenObject($containerPath, $credential.UserName,`
    $credential.GetNetworkCredential().Password, 0)
$restApi = $container.RestApi

# Allow all custom commands.
$operationSettings = $restApi.OperationsSettings
$operationSettings.CustomCommandOperations.Clear()
$operationSettings.CustomCommandOperations.DefaultEnabledState = $True

$restApi.OperationsSettings = $operationSettings
$restApi.SetInfo() 

Note

After executing the script, restart IIS on the computer where the REST API component is installed.

View current settings

Execute the following script. In the script:

  • $serviceHost – the host name of the computer where the Adaxes service is installed.

using namespace Softerra.Adaxes.Interop.Adsi.Management.WebUI.Operations
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$serviceHost = "localhost" 

# Connect to the Adaxes service.
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly($serviceHost)

# Prompt for credentials.
$credential = Get-Credential

# Bind to the REST API configuration container.
$containerPath = $admService.Backend.GetConfigurationContainerPath("ClientAppsContainer")
$container = $admService.OpenObject($containerPath, $credential.UserName,`
    $credential.GetNetworkCredential().Password, 0)
$restApi = $container.RestApi

# Operations
$operationSettings = $restApi.OperationsSettings
$allOperations = [System.Enum]::GetNames("ADM_WEBUI_OPERATION_TYPE_ENUM")
Write-Host "The following operations are enabled:"
foreach ($operationType in $allOperations)
{
    $operation = $operationSettings.GetOperation($operationType)
    if ($operation.Enabled)
    {
        Write-Host "`t"$operation.OperationType
    }
}

# Custom commands
$customCommandSettings = $operationSettings.CustomCommandOperations
if ($customCommandSettings.DefaultEnabledState)
{
    $disabledCommands = $customCommandSettings | Where-Object Enabled -eq $False
    if ($NULL -eq $disabledCommands -or @($disabledCommands).Count -eq 0)
    {
        Write-Host "All custom commands are allowed."
    }
    else
    {
        Write-Host "All custom commands are allowed except the following:"
        foreach ($command in $disabledCommands)
        {
            Write-Host "`t"$command.CustomCommandId 
        }
    }    
}
else
{
    Write-Host "Only the following custom commands are allowed:"
    foreach ($command in $customCommandSettings)
    {
        if ($command.Enabled) 
        { 
            Write-Host "`t"$command.CustomCommandId 
        }
    }    
}
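
One way to turn the listing above into a drift check against an approved baseline, as an added example that is not part of the Adaxes documentation. The Get-RestApiDrift function and the shape of the snapshot object are hypothetical, and the sample values are constructed.

```powershell
# Added example. $Snapshot is a plain object filled from the values the
# "View current settings" script reads; its shape (EnabledOperations,
# DefaultEnabledState, Commands) is an assumption, not an Adaxes type.
function Get-RestApiDrift {
    param(
        [Parameter(Mandatory)] $Snapshot,
        [string[]] $AllowedOperations = @(),
        [string[]] $AllowedCommands = @()
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Operations enabled on the server but absent from the baseline.
    foreach ($op in $Snapshot.EnabledOperations) {
        if ($AllowedOperations -notcontains $op) { $findings.Add("Unexpected operation enabled: $op") }
    }
    # Baseline operations that are disabled, or misspelled in the baseline.
    foreach ($op in $AllowedOperations) {
        if ($Snapshot.EnabledOperations -notcontains $op) { $findings.Add("Baseline operation not enabled: $op") }
    }
    # With DefaultEnabledState = $true, every command without an explicit
    # entry, including newly created ones, can be executed via REST API.
    if ($Snapshot.DefaultEnabledState) { $findings.Add("Custom commands are allowed by default") }
    foreach ($cmd in $Snapshot.Commands) {
        if ($cmd.Enabled -and $AllowedCommands -notcontains $cmd.CustomCommandId) {
            $findings.Add("Unexpected custom command enabled: $($cmd.CustomCommandId)")
        }
    }
    # Effective state: the explicit entry if one exists, else the default.
    foreach ($id in $AllowedCommands) {
        $entry = @($Snapshot.Commands | Where-Object CustomCommandId -eq $id)
        $effective = if ($entry.Count) { [bool]$entry[0].Enabled } else { [bool]$Snapshot.DefaultEnabledState }
        if (-not $effective) { $findings.Add("Baseline custom command not enabled: $id") }
    }
    $findings
}

# Constructed sample values, not real output.
$snapshot = [pscustomobject]@{
    EnabledOperations   = @("ADM_WEBUI_OPERATION_TYPE_CREATE", "ADM_WEBUI_OPERATION_TYPE_RESET_PASSWORD")
    DefaultEnabledState = $false
    Commands            = @(
        [pscustomobject]@{ CustomCommandId = "9db88ec3-1241-4ab1-9612-c7c982baa49f"; Enabled = $true }
        [pscustomobject]@{ CustomCommandId = "00000000-0000-0000-0000-000000000000"; Enabled = $true }
    )
}
$baselineOps = "ADM_WEBUI_OPERATION_TYPE_CREATE", "ADM_WEBUI_OPERATION_TYPE_ADD_MEMBERS"
Get-RestApiDrift -Snapshot $snapshot -AllowedOperations $baselineOps -AllowedCommands "9db88ec3-1241-4ab1-9612-c7c982baa49f"
```

An empty result means the live settings match the baseline; any finding is worth reviewing before the next IIS restart puts changed settings into effect.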
