Restrict allowed operations

You can configure which operations and custom commands can be executed via REST API. For example, you can disable object deletion or other sensitive operations. If an operation is disabled, it can't be performed using REST API even if the authenticated user has sufficient permissions.

Out of the box, only Adaxes service administrators have the rights to configure REST API. Other users can be granted such rights using a security role with the Write all properties permission assigned over Configuration objects.

Change settings

 Restrict operations

Operations that can be performed via REST API are listed in:

To disable operations, execute the following script and restart IIS on the computer where the REST API component is installed.

In the script:

  • $serviceHost – the host name of the computer where the Adaxes service is installed.
  • $allowedOperations – an array of operations which should be enabled. All other operations will be disabled.

Adaxes 2023 and newer

using namespace Softerra.Adaxes.Models.WebApp.WebInterfaceConfiguration.Operations
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$serviceHost = "localhost"
$allowedOperations = @(
    "Create",
    "AddMembers",
    "EnableAccount",
    "ResetPassword"
)

# Connect to the Adaxes service.
$ns = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$service = $ns.GetServiceDirectly($serviceHost)

# Prompt for credentials.
$credential = Get-Credential

# Bind to the REST API configuration container.
$containerPath = $service.Backend.GetConfigurationContainerPath("ClientAppsContainer")
$container = $service.OpenObject($containerPath, $credential.UserName, `
    $credential.GetNetworkCredential().Password, 0)
$restApi = $container.RestApi

$config = $restApi.ToJson("{elements: ['Operations']}") | ConvertFrom-Json

# Enable/disable operations.
foreach ($operation in $config.operations.operations)
{
    $operationName = [System.Enum]::GetName("OperationType", $operation.type)

    # Skip custom commands
    if ($operationName -eq "CustomCommand") { continue }

    $operation.enabled = $allowedOperations.Contains($operationName)
}

# Save settings.
$restApi.FromJson("{elements: ['Operations']}", ($config | ConvertTo-Json -Depth 100))

Adaxes 2021.1

using namespace Softerra.Adaxes.Interop.Adsi.Management.WebUI.Operations
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$serviceHost = "localhost" 
$allowedOperations = @(
    "ADM_WEBUI_OPERATION_TYPE_CREATE",
    "ADM_WEBUI_OPERATION_TYPE_ADD_MEMBERS",
    "ADM_WEBUI_OPERATION_TYPE_ENABLE_ACCOUNT",
    "ADM_WEBUI_OPERATION_TYPE_RESET_PASSWORD"
) 

# Connect to the Adaxes service.
$ns = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$service = $ns.GetServiceDirectly($serviceHost)

# Prompt for credentials.
$credential = Get-Credential

# Bind to the REST API configuration container.
$containerPath = $service.Backend.GetConfigurationContainerPath("ClientAppsContainer")
$container = $service.OpenObject($containerPath, $credential.UserName,`
    $credential.GetNetworkCredential().Password, 0)
$restApi = $container.RestApi

# Enable/disable operations.
$operationSettings = $restApi.OperationsSettings
$allOperations = [System.Enum]::GetNames("ADM_WEBUI_OPERATION_TYPE_ENUM")
foreach ($operationType in $allOperations)
{
    # Skip custom commands.
    if ($operationType -eq "ADM_WEBUI_OPERATION_TYPE_CUSTOM") { continue }

    $operation = $operationSettings.GetOperation($operationType)
    $operation.Enabled = $allowedOperations.Contains($operationType)
}

# Save settings.
$restApi.OperationsSettings = $operationSettings
$restApi.SetInfo()

After executing the script, restart IIS on the computer where the REST API component is installed.

 Restrict custom commands

By default, all custom commands, including newly created ones, can be executed using REST API. To allow only a limited set of custom commands, execute the following script and restart IIS on the computer where the REST API component is installed.

In the script:

  • $serviceHost – the host name of the computer where the Adaxes service is installed.
  • $allowedCommands – an array of custom command identifiers that specifies which commands should be allowed in REST API.

For information on how to get the identifier of a custom command, see Get custom command identifier.

Adaxes 2023 and newer

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$serviceHost = "localhost" 
$allowedCommands = @(
    "9db88ec3-1241-4ab1-9612-c7c982baa49f",
    "fe4ef324-79d8-4461-95db-7c38201668b8",
    "d41151e1-9f5d-44da-9a6b-3fd6bdf868b8"
) 

# Connect to the Adaxes service.
$ns = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$service = $ns.GetServiceDirectly($serviceHost)

# Prompt for credentials.
$credential = Get-Credential

# Bind to the REST API configuration container.
$containerPath = $service.Backend.GetConfigurationContainerPath("ClientAppsContainer")
$container = $service.OpenObject($containerPath, $credential.UserName, `
    $credential.GetNetworkCredential().Password, 0)
$restApi = $container.RestApi

$config = $restApi.ToJson("{elements: ['Operations']}") | ConvertFrom-Json
$customCommandSettings = $config.operations.customCommands

# Restrict custom commands.
$customCommandSettings.defaultEnabledState = $false
$newCommandSettings = @()
foreach ($commandId in $allowedCommands)
{
    $commandItem = New-Object `
        Softerra.Adaxes.Models.WebApp.WebInterfaceConfiguration.Operations.CustomCommandOperationDto
    $commandItem.customCommandId = $commandId
    $commandItem.enabled = $true
    $newCommandSettings += $commandItem
}

# Save settings.
$customCommandSettings.items = $newCommandSettings
$restApi.FromJson("{elements: ['Operations']}", ($config | ConvertTo-Json -Depth 100))

Adaxes 2021.1

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$serviceHost = "localhost" 
$allowedCommands = @(
    "9db88ec3-1241-4ab1-9612-c7c982baa49f",
    "fe4ef324-79d8-4461-95db-7c38201668b8",
    "d41151e1-9f5d-44da-9a6b-3fd6bdf868b8"
) 

# Connect to the Adaxes service.
$ns = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$service = $ns.GetServiceDirectly($serviceHost)

# Prompt for credentials.
$credential = Get-Credential

# Bind to the REST API configuration container.
$containerPath = $service.Backend.GetConfigurationContainerPath("ClientAppsContainer")
$container = $service.OpenObject($containerPath, $credential.UserName,`
    $credential.GetNetworkCredential().Password, 0)
$restApi = $container.RestApi

# Restrict custom commands.
$operationSettings = $restApi.OperationsSettings
$customCommandSettings = $operationSettings.CustomCommandOperations
$customCommandSettings.DefaultEnabledState = $false
$customCommandSettings.Clear()
foreach ($commandId in $allowedCommands)
{
    $customCommandConfiguration = $customCommandSettings.Create()
    $customCommandConfiguration.CustomCommandId = $commandId
    $customCommandConfiguration.Enabled = $true
    $customCommandSettings.Add($customCommandConfiguration)
}

# Save settings.
$restApi.OperationsSettings = $operationSettings
$restApi.SetInfo() 

After executing the script, restart IIS on the computer where the REST API component is installed.
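
The operation scripts above compare names with a case-sensitive .Contains() call, so a misspelled or miscased entry in $allowedOperations leaves that operation disabled without any error, and the custom command scripts accept whatever strings are placed in $allowedCommands. The following pre-flight check is an added example, not part of the Adaxes documentation: Test-RestApiAllowList is a hypothetical helper, and the sample names and IDs are constructed for illustration.

```powershell
# Added example: validate the allowlists before running the scripts above.
function Test-RestApiAllowList {
    param(
        [string[]] $AllowedOperations = @(),
        # Real run: [System.Enum]::GetNames("OperationType") after loading the Adaxes assembly.
        [string[]] $ValidOperationNames = @(),
        [string[]] $AllowedCommands = @()
    )
    $problems = @()

    foreach ($name in $AllowedOperations) {
        # -ccontains is case-sensitive, like the .Contains() call in the scripts.
        if ($ValidOperationNames -ccontains $name) { continue }
        $near = $ValidOperationNames | Where-Object { $_ -ieq $name } | Select-Object -First 1
        if ($near) {
            $problems += "Operation '$name' differs in case from '$near'; it would end up disabled."
        }
        else {
            $problems += "Operation '$name' is not a known operation type; check the spelling."
        }
    }

    $parsed = [guid]::Empty
    foreach ($id in $AllowedCommands) {
        if (-not [guid]::TryParse($id, [ref] $parsed)) {
            $problems += "Custom command ID '$id' is not a well-formed GUID."
        }
    }
    # Group-Object compares strings case-insensitively by default.
    foreach ($group in ($AllowedCommands | Group-Object | Where-Object Count -gt 1)) {
        $problems += "Custom command ID '$($group.Name)' is listed $($group.Count) times."
    }

    return $problems
}

# Constructed sample input. The valid-name list holds only the names shown on this page.
$validNames = @("Create", "AddMembers", "EnableAccount", "ResetPassword", "CustomCommand")
$issues = Test-RestApiAllowList `
    -AllowedOperations @("Create", "resetpassword", "ResetPasword") `
    -ValidOperationNames $validNames `
    -AllowedCommands @("9db88ec3-1241-4ab1-9612-c7c982baa49f", "9db88ec3-1241-4ab1-9612")

if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else { Write-Host "Allowlists look consistent." }
```

For Adaxes 2021.1, pass the names from [System.Enum]::GetNames("ADM_WEBUI_OPERATION_TYPE_ENUM") as -ValidOperationNames instead.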

 Allow all custom commands

To allow all custom commands, execute the following script and restart IIS on the computer where the REST API component is installed.

In the script:

  • $serviceHost – the host name of the computer where the Adaxes service is installed.

For information on how to get the identifier of a custom command, see Get custom command identifier.

Adaxes 2023 and newer

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$serviceHost = "localhost" 

# Connect to the Adaxes service.
$ns = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$service = $ns.GetServiceDirectly($serviceHost)

# Prompt for credentials.
$credential = Get-Credential

# Bind to the REST API configuration container.
$containerPath = $service.Backend.GetConfigurationContainerPath("ClientAppsContainer")
$container = $service.OpenObject($containerPath, $credential.UserName, `
    $credential.GetNetworkCredential().Password, 0)
$restApi = $container.RestApi

$config = $restApi.ToJson("{elements: ['Operations']}") | ConvertFrom-Json
$currentCommandSettings = $config.operations.customCommands

# Allow all custom commands.
$currentCommandSettings.defaultEnabledState = $true
$currentCommandSettings.items = $null

# Save settings.
$restApi.FromJson("{elements: ['Operations']}", ($config | ConvertTo-Json -Depth 100))

Adaxes 2021.1

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$serviceHost = "localhost" 

# Connect to the Adaxes service.
$ns = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$service = $ns.GetServiceDirectly($serviceHost)

# Prompt for credentials.
$credential = Get-Credential

# Bind to the REST API configuration container.
$containerPath = $service.Backend.GetConfigurationContainerPath("ClientAppsContainer")
$container = $service.OpenObject($containerPath, $credential.UserName,`
    $credential.GetNetworkCredential().Password, 0)
$restApi = $container.RestApi

# Allow all custom commands.
$operationSettings = $restApi.OperationsSettings
$operationSettings.CustomCommandOperations.Clear()
$operationSettings.CustomCommandOperations.DefaultEnabledState = $true

$restApi.OperationsSettings = $operationSettings
$restApi.SetInfo() 

After executing the script, restart IIS on the computer where the REST API component is installed.

View current settings

Execute the following script. In the script:

  • $serviceHost – the host name of the computer where the Adaxes service is installed.

Adaxes 2023 and newer

using namespace Softerra.Adaxes.Models.WebApp.WebInterfaceConfiguration.Operations
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$serviceHost = "localhost"

# Connect to the Adaxes service.
$ns = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$service = $ns.GetServiceDirectly($serviceHost)

# Prompt for credentials.
$credential = Get-Credential

# Bind to the REST API configuration container.
$containerPath = $service.Backend.GetConfigurationContainerPath("ClientAppsContainer")
$container = $service.OpenObject($containerPath, $credential.UserName, `
    $credential.GetNetworkCredential().Password, 0)
$restApi = $container.RestApi

$config = $restApi.ToJson("{elements: ['Operations']}") | ConvertFrom-Json

# Operations
$operationSettings = $config.operations.operations
$allOperations = [System.Enum]::GetNames("OperationType")
Write-Host "The following operations are enabled:"
foreach ($operation in $operationSettings)
{
    if ($operation.enabled)
    {
        $operationName = [System.Enum]::GetName("OperationType", $operation.type)
        Write-Host "`t"$operationName
    }
}

# Custom commands
$customCommandSettings = $config.operations.customCommands
if ($customCommandSettings.defaultEnabledState)
{
    $disabledCommands = $customCommandSettings.items | Where enabled -eq $false
    if ($null -eq $disabledCommands)
    {
        Write-Host "All custom commands are allowed."
    }
    else
    {
        Write-Host "All custom commands are allowed except the following:"
        foreach ($command in $disabledCommands)
        {
            Write-Host "`t"$command.customCommandId 
        }
    }
}
else
{
    Write-Host "Only the following custom commands are allowed:"
    foreach ($command in $customCommandSettings.items)
    {
        if ($command.enabled)
        {
            Write-Host "`t"$command.customCommandId
        }
    }
}

Adaxes 2021.1

using namespace Softerra.Adaxes.Interop.Adsi.Management.WebUI.Operations
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$serviceHost = "localhost" 

# Connect to the Adaxes service.
$ns = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$service = $ns.GetServiceDirectly($serviceHost)

# Prompt for credentials.
$credential = Get-Credential

# Bind to the REST API configuration container.
$containerPath = $service.Backend.GetConfigurationContainerPath("ClientAppsContainer")
$container = $service.OpenObject($containerPath, $credential.UserName,`
    $credential.GetNetworkCredential().Password, 0)
$restApi = $container.RestApi

# Operations
$operationSettings = $restApi.OperationsSettings
$allOperations = [System.Enum]::GetNames("ADM_WEBUI_OPERATION_TYPE_ENUM")
Write-Host "The following operations are enabled:"
foreach ($operationType in $allOperations)
{
    $operation = $operationSettings.GetOperation($operationType)
    if ($operation.Enabled)
    {
        Write-Host "`t"$operation.OperationType
    }
}

# Custom commands
$customCommandSettings = $operationSettings.CustomCommandOperations
if ($customCommandSettings.DefaultEnabledState)
{
    $disabledCommands = $customCommandSettings | Where-Object Enabled -eq $false
    if ($null -eq $disabledCommands -or @($disabledCommands).Count -eq 0)
    {
        Write-Host "All custom commands are allowed."
    }
    else
    {
        Write-Host "All custom commands are allowed except the following:"
        foreach ($command in $disabledCommands)
        {
            Write-Host "`t"$command.CustomCommandId 
        }
    }    
}
else
{
    Write-Host "Only the following custom commands are allowed:"
    foreach ($command in $customCommandSettings)
    {
        if ($command.Enabled) 
        { 
            Write-Host "`t"$command.CustomCommandId 
        }
    }    
}
