Restrict access to objects

You can restrict access to certain objects to make it impossible to perform any operations on them using REST API, even if the authenticated user has sufficient permissions.

Note

Out of the box, only Adaxes service administrators have the rights to configure REST API. Other users can be granted such rights using a security role with the Write all properties permission assigned over Configuration objects.

Change settings

Restrict access by object type

You can restrict which object types (e.g. Users, Computers) can be accessed via REST API. To do this, execute the following script and restart IIS on the computer where the REST API component is installed.

In the script:

  • $serviceHost – the host name of the computer where the Adaxes service is installed.
  • $allowedObjectTypes – an array of object types which should be accessible via REST API.

using namespace Softerra.Adaxes.Management.WebUI.Browsing
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$serviceHost = "localhost" 
$allowedObjectTypes = @(
    "user",
    "group",
    "organizationalUnit",
    "container",
    "builtinDomain",
    "computer",
    "contact",
    "printQueue"
    # "volume"
    # "adm-RoomMailbox"
    # "adm-EquipmentMailbox"
    # "adm-LinkedMailbox"
 ) 

# Connect to the Adaxes service.
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly($serviceHost)

# Prompt for credentials.
$credential = Get-Credential

# Bind to the REST API configuration container.
$containerPath = $admService.Backend.GetConfigurationContainerPath("ClientAppsContainer")
$container = $admService.OpenObject($containerPath, $credential.UserName,`
    $credential.GetNetworkCredential().Password, 0)
$restApi = $container.RestApi

# Restrict object types.
$filterOptions = $restApi.FilterOptionsSettings
$objectTypeList = @()
foreach ($objectType in $allowedObjectTypes)
{
    $objectTypeSettings = [AdmWebUIBrowsingObjectTypeSettings]::new($objectType, $False, -1)
    $objectTypeList += $objectTypeSettings
}

# Save settings.
$filterOptions.ObjectTypes = $objectTypeList
$restApi.FilterOptionsSettings = $filterOptions
$restApi.SetInfo() 

Note

After executing the script, restart IIS on the computer where the REST API component is installed.

Restrict access with an LDAP filter

You can restrict access to objects that don't match an LDAP filter. To do this, execute the following script and restart IIS on the computer where the REST API component is installed.

Tip

LDAP filter restriction and object type restriction can be used simultaneously.

In the script:

  • $serviceHost – the host name of the computer where the Adaxes service is installed.
  • $myFilter – the LDAP filter to apply. To disable LDAP filter restriction, specify $NULL.

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$serviceHost = "localhost" 
$myFilter = "(&(sAMAccountType=805306368)(!(department=IT)))" 

# Connect to the Adaxes service.
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly($serviceHost)

# Prompt for credentials.
$credential = Get-Credential

# Bind to the REST API configuration container.
$containerPath = $admService.Backend.GetConfigurationContainerPath("ClientAppsContainer")
$container = $admService.OpenObject($containerPath, $credential.UserName,`
    $credential.GetNetworkCredential().Password, 0)
$restApi = $container.RestApi

# Set the LDAP filter restrictions.
$filterOptions = $restApi.FilterOptionsSettings
$filterOptions.FilterEnabled = if ($NULL -eq $myFilter) {$False} else {$True}
$filterOptions.Filter = $myFilter

# Save settings.
$restApi.FilterOptionsSettings = $filterOptions
$restApi.SetInfo() 

Note

After executing the script, restart IIS on the computer where the REST API component is installed.

View current settings

Execute the following script. In the script:

  • $serviceHost – the host name of the computer where the Adaxes service is installed.

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$serviceHost = "localhost" 

# Connect to the Adaxes service.
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly($serviceHost)

# Prompt for credentials.
$credential = Get-Credential

# Bind to the REST API configuration container.
$containerPath = $admService.Backend.GetConfigurationContainerPath("ClientAppsContainer")
$container = $admService.OpenObject($containerPath, $credential.UserName,`
    $credential.GetNetworkCredential().Password, 0)
$restApi = $container.RestApi

# Read the current filter options once; both checks below use them.
$filterOptions = $restApi.FilterOptionsSettings

# Object types
$allowedObjectTypes = $filterOptions.ObjectTypes
Write-Host "The following object types can be accessed:"
foreach ($entry in $allowedObjectTypes)
{ 
    Write-Host "`t" $entry.ObjectType 
}

# LDAP filter
if ($filterOptions.FilterEnabled)
{ 
    Write-Host "The following LDAP filter restriction is enabled:" $filterOptions.Filter 
}
else 
{ 
    Write-Host "LDAP filter restriction is disabled"
}
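The script above only prints the current settings. The following added audit script (not part of the Adaxes documentation) reuses the same connection steps and compares the live REST API restrictions against an expected baseline, so that drift from the intended hardening can be detected. The baseline values and the Test-RestApiRestrictions function are constructed for this example.

```powershell
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

# Expected baseline (constructed values for this example; adjust to your environment).
$serviceHost = "localhost"
$expectedObjectTypes = @("user", "group", "organizationalUnit")
$expectedFilter = "(&(sAMAccountType=805306368)(!(department=IT)))"

# Compare the live filter options with the baseline and return the differences.
# Constructed helper for this example; it only reads the properties shown on this page.
function Test-RestApiRestrictions($filterOptions, $expectedTypes, $expectedFilter)
{
    $actualTypes = @($filterOptions.ObjectTypes | ForEach-Object { $_.ObjectType })

    # Types reachable via REST API that the baseline does not allow.
    $unexpected = @($actualTypes | Where-Object { $expectedTypes -notcontains $_ })
    # Types the baseline allows that are currently not enabled.
    $missing = @($expectedTypes | Where-Object { $actualTypes -notcontains $_ })
    # The LDAP filter must be enabled and identical to the baseline.
    $filterOk = [bool]$filterOptions.FilterEnabled -and ($filterOptions.Filter -eq $expectedFilter)

    return [PSCustomObject]@{
        UnexpectedTypes = $unexpected
        MissingTypes    = $missing
        FilterEnabled   = [bool]$filterOptions.FilterEnabled
        FilterMatches   = $filterOk
        Compliant       = ($unexpected.Count -eq 0 -and $missing.Count -eq 0 -and $filterOk)
    }
}

# Connect to the Adaxes service and bind to the REST API configuration container.
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly($serviceHost)
$credential = Get-Credential
$containerPath = $admService.Backend.GetConfigurationContainerPath("ClientAppsContainer")
$container = $admService.OpenObject($containerPath, $credential.UserName,`
    $credential.GetNetworkCredential().Password, 0)
$restApi = $container.RestApi

# Report the drift and fail with a non-zero exit code if the baseline is not met.
$drift = Test-RestApiRestrictions $restApi.FilterOptionsSettings $expectedObjectTypes $expectedFilter
$drift | Format-List
if (-not $drift.Compliant)
{
    Write-Warning "REST API restrictions differ from the expected baseline."
    exit 1
}
```

Because the script exits non-zero on drift, it can be run from a scheduled task or CI job to alert when the restrictions have been changed.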
