Limit access to the directory structure

Adaxes Web interface enables users to browse the directory structure. Even if you manage a Microsoft Entra domain, which has a flat structure by nature, you can create a virtual hierarchy for such a domain. The hierarchy will be available only in Adaxes, but users will be able to browse it nevertheless.

However, you might want to limit which parts of the structure are visible to the users. For example, if a help desk team provides support only for a specific office, you can allow them to view only the OU with objects from that office. And, of course, you can completely hide the directory structure from your users.

In this tutorial, you will learn how to limit the visibility of the directory structure in Adaxes Web interface.

Configure user permissions

In the Web interface, users can see only the objects they have permission to view. By default, all users have the right to view all objects in all domains managed by Adaxes. To allow users to view only the objects they need, adjust their permissions.

For details, see Hide directory objects from Users.

Configure the Web interface

Adaxes Web interface has a number of settings that can further refine how users are allowed to browse the structure and which objects they have access to. You can:

Change top level node

You can allow users to view only the objects located in a particular organizational unit or domain, and hide the rest of the structure. For example, you may want users to see only their own OU and nothing else.

 How to change the top level node
  • Open Adaxes Web interface configurator.

  • In the top left corner, select the Web interface you want to customize.

  • In the left navigation menu, click Browsing.

  • In the Navigation section, specify an OU or domain in the Top level node field.

You can configure the top level node so that it will be different depending on the logged in user. For example, you may want it to be an OU that has the same name as the user's department, or the OU where the account of the user is located. To do this, you need to use a template instead of selecting a specific object for the top level node.

 How
  • Click the button embedded into the Top level node field.

  • In the dialog that opens, click Template.

  • Specify a template to generate the distinguished name (DN) of the top level node. You can use value references in the template, e.g. %department%, %adm-ParentDN%, %adm-DomainDN%. The value references will be replaced with the corresponding property values of the logged in user's account.

    To insert a value reference, click the button.

Example 1 – Allow users to view only their own organizational unit

Use the %adm-ParentDN% value reference. It will be replaced with the DN of the organizational unit where the account of the logged in user is located.

Example 2 – Allow users to view an OU named as their department

Use the following template:

OU=%department%,OU=People,%adm-DomainDN% 

The %department% value reference will be replaced with the value of the user's Department property, and %adm-DomainDN% will be replaced with the distinguished name of the user's domain.

For example, if a user from the Marketing department in the example.com domain signs in to the Web interface, the top level node for that user will be OU=Marketing,OU=People,DC=example,DC=com.
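A pre-rollout check for a template like the one in Example 2, as an added example rather than Adaxes code: it expands the value references for a set of constructed accounts and flags any account whose top level node would not be an existing OU. The expansion logic, the RFC 4514 escaping, the sample data and all function names are assumptions made for this example; how Adaxes itself treats an empty or unusual property value is not described here.

```python
import re
# Constructed sample accounts and OUs; in practice these come from a directory export.
DOMAIN = "DC=example,DC=com"
USERS = [
    {"name": "alice", "department": "Marketing", "adm-DomainDN": DOMAIN},
    {"name": "bob", "department": "", "adm-DomainDN": DOMAIN},
    {"name": "carol", "department": "R&D, Labs", "adm-DomainDN": DOMAIN},
    {"name": "dave", "department": "Finance", "adm-DomainDN": DOMAIN},
]
EXISTING_OUS = {"OU=Marketing,OU=People," + DOMAIN, "OU=R&D\\, Labs,OU=People," + DOMAIN}
TEMPLATE = "OU=%department%,OU=People,%adm-DomainDN%"
DN_VALUED = {"adm-ParentDN", "adm-DomainDN"}  # already DNs, inserted as-is
REF = re.compile(r"%([A-Za-z][A-Za-z0-9-]*)%")

def escape_rdn_value(value):
    """Escape a plain attribute value for use inside a DN (RFC 4514)."""
    out = re.sub(r'([\\",+;<>])', r"\\\1", value)
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    if out.startswith(("#", " ")):
        out = "\\" + out
    return out

def resolve(template, user):
    """Expand %ref% markers from one account; return (dn, problems)."""
    problems = []
    def substitute(match):
        name = match.group(1)
        value = user.get(name, "")
        if not value.strip():
            problems.append(f"%{name}% is empty")
            return ""
        return value if name in DN_VALUED else escape_rdn_value(value)
    return REF.sub(substitute, template), problems

def audit(template, users, existing_ous):
    """Map each user name to (resolved DN, list of problems to review)."""
    known = {ou.lower() for ou in existing_ous}  # simplified case-insensitive match
    report = {}
    for user in users:
        dn, problems = resolve(template, user)
        if not problems and dn.lower() not in known:
            problems.append("resolved DN is not an existing OU")
        report[user["name"]] = (dn, problems)
    return report

if __name__ == "__main__":
    for name, (dn, problems) in audit(TEMPLATE, USERS, EXISTING_OUS).items():
        print(name, dn, problems or "ok")
```

Accounts reported with a problem are the ones to test by hand in the Web interface before relying on the template to scope what they can browse.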

Changing the top level node affects the following components of the Web interface:

  • Browse in the main menu

  • Directory search

  • Operations on directory objects

  • Object paths

  • Members/Member Of sections

  • My Team, My Department, and My Managed Objects views

Hide specific containers

You can specify the types of containers displayed in the directory tree. For example, you may want users to see only organizational units and hide containers of other types.

Also, you can configure the Web interface to display only the containers that match certain criteria. For example, you may want the directory tree to contain only the organizational units with the word Department in their names.

 How to control which containers are visible
  • Open Adaxes Web interface configurator.

  • In the top left corner, select the Web interface you want to customize.

  • In the left navigation menu, click Browsing.

  • In the Filter options section, uncheck the types of objects you want to hide.

  • To hide containers based on criteria, select the Criteria checkbox next to the type of containers you want to restrict.

  • In the dialog that opens, configure the criteria for displaying containers. For example, to display only containers with the word Department in their name, specify Name contains Department.

     How
    • Click Add.

    • In the dialog that opens, select Name contains Department.

    • Click OK twice.

    You can use value references in criteria to make them differ depending on the logged in user. For example, to display only containers whose name has the name of the user's department in it, use the following criteria: Name contains %department%.

    The %department% value reference will be replaced with the value of the Department property of the logged in user.

  • When done, click OK.

If you need to use identical criteria for multiple container types, you can copy and paste them by pressing the arrow button next to Edit criteria.

Disable the Browse dialog

The Browse dialog is used for browsing the directory in the Web interface. It is possible to either completely disable the dialog, or hide it in specific Web interface components.

The directory tree is displayed in the Browse dialog starting from the top level node.

 How to disable the Browse dialog
  • Open Adaxes Web interface configurator.

  • In the top left corner, select the Web interface you want to customize.

  • In the left navigation menu, click Browsing.

  • In the Navigation section, clear the Allow directory browsing in checkbox.

Hide directory object paths

Directory object paths allow users to see the location of an object and navigate to parent objects. It is possible to either completely disable the feature, or disable it for specific Web interface components.

Directory object paths are displayed starting from the top level node.

 How to hide directory object paths
  • Open Adaxes Web interface configurator.

  • In the top left corner, select the Web interface you want to customize.

  • In the left navigation menu, click Browsing.

  • In the Navigation section, under Object Paths, clear the Display directory object paths in checkbox.

Display business units

Business units are virtual organizational units that can include directory objects spread across different locations, but matching certain membership criteria. With the help of business units you can create alternative hierarchies of directory objects that can be used instead of the real structure.

To enable users to use business units, you can make them available on the Home page of the Web interface. For details, see Customize the Home page.

Also, you can configure the Browse dialog located in the main menu to display business units only.

 How to display only business units in the Browse dialog
  • Open Adaxes Web interface configurator.

  • In the top left corner, select the Web interface you want to customize.

  • In the left navigation menu, click Browsing.

  • In the Navigation section, under Browsing, click Configure.

  • In the dialog that opens, leave only the Business units checkbox enabled.

  • Click OK.

Configure Home page

If you restrict access to the directory structure, users might not be able to find the objects they need. To ensure users have access to the necessary objects, you can place them on the Home page of the Web interface.

For details on how to configure the Home page, see Customize the Home page.