Limit access to the directory structure

Adaxes web interface enables users to browse the directory structure. Even if you manage a Microsoft Entra domain which has a flat structure by nature, you can create a virtual hierarchy for such a domain. The hierarchy will be available only in Adaxes, but users will be able to browse it nevertheless.

However, you might want to limit which parts of the structure are visible to the users. For example, if a help desk team provides support only for a specific office, you can allow them to view only the OU with objects from that office. And, of course, you can completely hide the directory structure from your users.

In this tutorial, you will learn how to limit the visibility of the directory structure in Adaxes web interface.

Configure user permissions

Users can see only the objects they have the permissions to view. Out of the box, all users have the rights to view all objects in all domains managed by Adaxes. To allow users to view only the objects they need, adjust their permissions.

For details, see Hide directory objects from Users.

Configure the web interface

Adaxes web interface has a number of settings that further refine how users are allowed to browse the structure and which objects they have access to. They are described in the sections below.

Configure top level nodes

Top level nodes limit how far up the directory tree users can see when browsing, searching, and selecting objects. This means you can hide the full directory structure from your users and allow them to view objects only in particular containers.

For example, you can allow your help desk team to view the contents of the Employees and Groups organizational units, but hide everything above them. These OUs can even be from different domains.

 How to configure top level nodes
  • Open Adaxes web interface configurator.

  • In the top left corner, select the web interface you want to customize.

  • In the left navigation menu, click Browsing.

  • In the Navigation section, select the Top level nodes checkbox.

  • Add top level nodes in the dialog that opens.

If you add multiple top level nodes with the same name, you can change their display names to allow the users to distinguish between them. The display names are changed only in the web interface.

A top level node can be dynamic. In other words, it can be different for every signed-in user. For example, it can be the OU where the user's account resides or an OU named after the user's department. Dynamic top level nodes are added using templates.

 How
  • In the Top level nodes dialog, click Add.

  • In the dialog that opens, click the Template button.

  • Specify a template to generate the distinguished name of the top level node. To make the top level node dynamic, you need to use value references in the template, e.g. %department%, %adm-ParentDN%. They will be replaced with the corresponding property values of the signed-in user.

    To insert a value reference, click the button.

Example 1 – Allow users to view only their own organizational unit

Use the %adm-ParentDN% value reference. It will be replaced with the DN of the organizational unit where the signed-in user resides.

Example 2 – Allow users to view an OU named as their department

Use a template similar to this:

OU=%department% staff,%adm-DomainDN%

The %department% value reference will be replaced with the value of the user's Department property, and %adm-DomainDN% will be replaced with the distinguished name of the user's domain.

For example, if a user from the Marketing department in the example.com domain signs in to the web interface, the top level node for that user will be OU=Marketing staff,DC=example,DC=com.
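Because a dynamic top level node is built from each user's own property values, it is worth previewing what the template resolves to before rolling it out. The following is an added example, not Adaxes code: it models the substitution for the Example 2 template over constructed sample users and flags accounts whose value is empty, contains characters that are special in a distinguished name, or resolves to an OU that is not in the constructed list of existing OUs. How Adaxes itself treats empty values or special characters is not stated on this page, so the escaping shown (RFC 4514) is an assumption.

```python
import re

# Value references named on the page whose values are already complete DNs.
DN_VALUED = {"adm-ParentDN", "adm-DomainDN"}
# Characters that are special inside an RDN value (RFC 4514).
SPECIAL = re.compile(r'([\\,+"<>;])')

def resolve(template, user):
    """Expand %name% references for one user and return (dn, issues)."""
    issues = []

    def substitute(match):
        name = match.group(1)
        value = user.get(name) or ""
        if not value.strip():
            issues.append(f"empty:{name}")
        if name in DN_VALUED:
            return value  # already a DN, inserted unchanged
        if SPECIAL.search(value) or value != value.strip() or value.startswith("#"):
            issues.append(f"review-value:{name}")
        return SPECIAL.sub(r"\\\1", value)

    return re.sub(r"%([A-Za-z-]+)%", substitute, template), issues

def audit(template, users, existing_ous):
    """Map each user name to (resolved DN, issues); DNs compared case-insensitively."""
    report = {}
    for user in users:
        dn, issues = resolve(template, user)
        if dn.lower() not in existing_ous:
            issues.append("no-such-ou")
        report[user["name"]] = (dn, issues)
    return report

# Constructed sample data: the template is the page's Example 2.
TEMPLATE = "OU=%department% staff,%adm-DomainDN%"
DOMAIN = "DC=example,DC=com"
USERS = [
    {"name": "alice", "department": "Marketing", "adm-DomainDN": DOMAIN},
    {"name": "bob", "department": "", "adm-DomainDN": DOMAIN},
    {"name": "carol", "department": "Sales, EMEA", "adm-DomainDN": DOMAIN},
]
EXISTING_OUS = {"ou=marketing staff,dc=example,dc=com"}

if __name__ == "__main__":
    for name, (dn, issues) in audit(TEMPLATE, USERS, EXISTING_OUS).items():
        print(f"{name}: {dn} -> {', '.join(issues) or 'ok'}")
```

Accounts reported with an issue are the ones to check by signing in as a test user before relying on the top level node as a visibility boundary.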

Hide specific containers

You can choose which types of containers are displayed in the web interface. For example, you might want your users to see only organizational units and hide other container types.

Also, you can display only the containers that meet certain criteria. For example, you can hide containers that don't have the word Department in their name.

 How to control which containers are visible
  • Open Adaxes web interface configurator.

  • In the top left corner, select the web interface you want to customize.

  • In the left navigation menu, click Browsing.

  • In the Object types section, clear the checkboxes next to the object types you want to hide.

  • To hide containers that don't meet criteria, select the Criteria checkbox next to the container type that you want to restrict.

  • In the dialog that opens, configure the criteria for displaying containers. For example, to display only containers with the word Department in their name, specify Name contains Department.

     How
    • Click Add.

    • In the dialog that opens, select Name contains Department.

    • Click OK twice.

    You can use value references in criteria so that they differ depending on the signed-in user. For example, to display only containers whose name has the name of the user's department in it, use the following criteria: Name contains %department%.

    The %department% value reference will be replaced with the value of the Department property of the signed-in user.

  • When done, click OK.

If you need to use identical criteria for multiple container types, you can copy and paste it by pressing the arrow button next to Edit.

Disable directory browsing

Users can browse the directory in many places around the web interface. For example, the Browse dropdown can be accessed from the navigation bar.

Users can also browse the directory tree from the sidebar.

It is possible to either completely disable browsing or control where it is allowed.

 How to disable directory browsing
  • Open Adaxes web interface configurator.

  • In the top left corner, select the web interface you want to customize.

  • In the left navigation menu, click Browsing.

  • In the Navigation section, switch off the Allow directory browsing slider.

Hide directory object paths

Directory object paths allow users to see the location of an object and navigate to parent objects. It is possible to either completely disable the feature, or disable it for specific web interface components.

Directory object paths are displayed starting from the top level node.

 How to hide directory object paths
  • Open Adaxes web interface configurator.

  • In the top left corner, select the web interface you want to customize.

  • In the left navigation menu, click Browsing.

  • In the Navigation section, switch off the Display directory object paths slider.

Display business units

Business units are virtual organizational units that can include directory objects spread across different locations, but matching certain membership criteria. With the help of business units, you can create alternative hierarchies of directory objects that can be displayed instead of the real structure.

To allow users to access business units, you can make them available on the Home page of the web interface. For details, see Customize the Home page.

You can also hide the entire directory tree and present only business units for browsing.

 How to allow browsing only business units
  • Open Adaxes web interface configurator.

  • In the top left corner, select the web interface you want to customize.

  • In the left navigation menu, click Browsing.

  • In the Navigation section, next to Sidebar and Browse dropdown, click Configure.

  • In the dialog that opens, leave only the Business units checkbox selected.

  • Click OK.

Configure Home page

If you restrict access to the directory structure, users might not be able to find the objects they need. To ensure users have access to the necessary objects, you can place them on the Home page of the web interface.

For details on how to configure the Home page, see Customize the Home page.