Deny rights to delete users

Out of the box, no one except Adaxes service administrators has the rights to delete users. However, if you create a security role with a wide range of permissions, e.g. Allow Full Control over user objects, the trustees of this role will obtain the rights to delete users. This might be undesirable, and you might want to granularly deny user deletion.

In Adaxes, all permissions are granted or denied with the help of security roles. If a user has both Allow and Deny permissions for an operation, the Deny permission always takes precedence. For example, if two security roles are assigned to a user, one of which allows the deletion of user accounts and another that denies it, the delete operation will be denied for that user.

Permissions granted by security roles are effective only within Adaxes.

In this tutorial you will learn how to create a security role that denies user account deletion.

  1. Launch Adaxes Administration console.

     How:
    • On the computer where Adaxes Administration console is installed, open Windows Start menu.

    • Click Adaxes Administration Console.

  2. Right-click your Adaxes service, point to New and click Security Role.

  3. Enter a name for the new security role and click Next.

  4. On the Permissions step, click Add.

  5. In the Add Permissions dialog, do the following:

    • In the list of object types on the left, select User.

    • In the General permissions section, select the Delete Object permission in the Deny column.

    • Click OK.

  6. Click Next.

  7. On the Assignments step, click Add.

  8. Select the users and groups to deny the permissions for, and then click Next.

  9. Select the users whose deletion should be denied.

    Select from the following items:

    • All Objects – select to deny deletion of all user accounts in all domains managed by Adaxes.

    • Domain – select to deny deletion of all user accounts in a domain.

    • OU or Container – select to deny deletion of the user accounts located in an organizational unit or container.

    • Group – select to deny deletion of the user accounts that are members of a group.

    • Business unit – select to deny deletion of the user accounts that are members of a business unit. To select a business unit, open the Look in drop-down list and select the Business Units item.

    Click Finish to complete the Assign Role wizard.

  10. Click Finish to complete the Create Security Role wizard.
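The precedence rule and the assignment scopes from step 9 can be checked on paper before a role is rolled out. The following is an added example, not Adaxes code or its API: a simplified Python model in which the role names, trustees and DNs are constructed, Full Control is assumed to include Delete Object, and business units and Adaxes service administrators are left out.

```python
from dataclasses import dataclass

FULL_CONTROL = "Full Control"   # assumption: includes Delete Object
DELETE = "Delete Object"

@dataclass(frozen=True)
class Assignment:
    role: str          # security role name (constructed)
    effect: str        # "Allow" or "Deny"
    permission: str    # FULL_CONTROL or DELETE
    trustee: str       # user or group the role is assigned to
    scope_kind: str    # "all", "domain", "ou" or "group"
    scope: str = ""    # container DN for domain/ou, group name for group

@dataclass(frozen=True)
class Principal:
    name: str
    dn: str
    groups: frozenset = frozenset()

def in_scope(a, target):
    """True if the target user falls under the assignment's scope."""
    if a.scope_kind == "all":
        return True
    if a.scope_kind in ("domain", "ou"):
        # Naive DN suffix match; real DNs need proper parsing and escaping.
        return target.dn.lower().endswith("," + a.scope.lower())
    return a.scope_kind == "group" and a.scope in target.groups

def can_delete(operator, target, assignments):
    """Return (allowed, deciding_role): Deny wins, and no Allow means no right."""
    identities = {operator.name} | operator.groups
    matching = [a for a in assignments
                if a.trustee in identities
                and a.permission in (DELETE, FULL_CONTROL)
                and in_scope(a, target)]
    for effect in ("Deny", "Allow"):      # Deny is checked first
        for a in matching:
            if a.effect == effect:
                return effect == "Allow", a.role
    return False, None

# Constructed sample data: a broad Allow role plus a narrowly scoped Deny role.
ASSIGNMENTS = [
    Assignment("User Admins", "Allow", FULL_CONTROL, "Help Desk", "all"),
    Assignment("No User Deletion", "Deny", DELETE, "Help Desk", "ou",
               "OU=Executives,DC=example,DC=com"),
]
alice = Principal("alice", "CN=alice,OU=IT,DC=example,DC=com", frozenset({"Help Desk"}))
ceo = Principal("ceo", "CN=ceo,OU=Executives,DC=example,DC=com")
temp = Principal("temp", "CN=temp,OU=Sales,DC=example,DC=com")
```

Here `can_delete(alice, ceo, ASSIGNMENTS)` is denied by the scoped Deny role even though the Full Control role also matches, while `can_delete(alice, temp, ASSIGNMENTS)` is still allowed because the Deny role does not cover that OU.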