As always, thank you guys for such an excellent product. I could not have so few IT admins for such a large organization as I do without this tool. As they say, it is worth its weight in gold!!

I have been toying with the idea of allowing end users to utilize the search functionality as an alternative to Outlook or Lync's contact cards. As you very well know, there is greater flexibility and general user experience to display information in the Web GUI / Self-Service site.

My one issue is that currently, when doing a search within the web GUI, the results returned will also include users that are disabled.

Should this be limited by the role of "User Self Service" and their role's visibility or should I be doing something else?

by (360 points)

1 Answer

by (216k points)
Best answer

Hello,

First of all, thank you for your good words, we really appreciate that.

As to your question, no, the User Self Service role doesn't limit users from viewing disabled user accounts. Moreover, its name doesn't mean that it applies only in the Web interface for Self-Service. The name only means that the role contains permissions for users to perform various self-service tasks, such as changing their own password, updating personal information, etc. Any Security Role applies everywhere in Adaxes.

To implement what you want, you need to use the Blind User Security Role. This role denies the permissions to view objects.

Note, however, that if permissions to view an object are denied to a user with the help of Security Roles, the user won't be able to view the object anywhere, neither in the Administration Console, nor in any of the Web interfaces.

To implement what you want, you need to:

  • Create a Business Unit that contains all disabled users;
  • Assign the Blind User role to your users, including the Business Unit in the Assignment Scope.

i. Create a Business Unit that contains all disabled users

To create such a Business Unit:

  1. Create a new Business Unit.
  2. On step 2 of the Create Business Unit wizard, click Add.
  3. Select Query Results.
  4. In the Filter edit box, specify:
    (&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=2))
  5. Click OK, then click Finish.

ii. Assign the Blind User Security Role to your users

To do this:

  1. Launch Adaxes Administration Console.
  2. Select the Blind User role in the Console Tree.
  3. Right-click the Assignments section and click Add Assignment.
  4. Select Authenticated Users and click OK.
  5. Select the Business Units item in the Look in drop-down list.
  6. Select the Business Unit you created and click Add.
  7. Select the Members of this Business Unit and This Business Unit object options.
  8. Click OK 2 times. This will hide disabled accounts from all users.
  9. Now, if you want to allow certain users to view disabled accounts, you can exclude them from the Security Roles Assignments. For example, to exclude the Administrators group from the assignments, right-click in the Assignments section and click Add Assignment.
  10. Select the Administrators group and click OK.
  11. Select the Business Units item in the Look in drop-down list.
  12. Select the Business Unit you created and click Add.
  13. Select the Members of this Business Unit and This Business Unit object options.
  14. Select Exclude the selection.
  15. Click OK.
  16. When done, save the changes.
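
An added example, not part of the original answer or of Adaxes: a Python evaluation of the bitwise matching rule used in the Business Unit filter from step i, run over constructed sample entries to show which `userAccountControl` values that filter treats as disabled. It evaluates only the `attribute:OID:=value` item (the `objectCategory` clause is ignored) and also handles the companion OR rule `1.2.840.113556.1.4.804`, which goes beyond the filter above; all function names are hypothetical.

```python
import re

# Active Directory matching-rule OIDs for bitwise comparisons.
BIT_AND = "1.2.840.113556.1.4.803"  # every bit of the mask must be set
BIT_OR = "1.2.840.113556.1.4.804"   # at least one bit of the mask must be set
ACCOUNTDISABLE = 0x2                # userAccountControl flag the page's filter tests

# Matches extensible-match items of the form (attr:OID:=decimal).
EXT_MATCH = re.compile(r"\((\w+):([\d.]+):=(\d+)\)")

def parse_bitwise_items(ldap_filter):
    """Return (attribute, rule OID, mask) for each bitwise item in the filter."""
    return [(a, oid, int(v)) for a, oid, v in EXT_MATCH.findall(ldap_filter)]

def item_matches(entry, attr, oid, mask):
    """Evaluate one bitwise item against an entry (dict of attribute -> int)."""
    value = entry.get(attr)
    if value is None:  # attribute absent (e.g. a contact): item cannot match
        return False
    if oid == BIT_AND:
        return value & mask == mask
    if oid == BIT_OR:
        return value & mask != 0
    raise ValueError(f"unsupported matching rule {oid}")

def matching_accounts(entries, ldap_filter):
    """Names of entries that satisfy every bitwise item in the filter."""
    items = parse_bitwise_items(ldap_filter)
    return [e["sAMAccountName"] for e in entries
            if all(item_matches(e, *item) for item in items)]

# The filter from step i of the answer.
FILTER = "(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"

# Constructed sample entries, not real directory data.
SAMPLE = [
    {"sAMAccountName": "alice", "userAccountControl": 512},    # NORMAL_ACCOUNT
    {"sAMAccountName": "bob", "userAccountControl": 514},      # NORMAL_ACCOUNT | ACCOUNTDISABLE
    {"sAMAccountName": "carol", "userAccountControl": 66048},  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    {"sAMAccountName": "dave", "userAccountControl": 66050},   # carol's flags | ACCOUNTDISABLE
    {"sAMAccountName": "contact1"},                            # no userAccountControl at all
]

if __name__ == "__main__":
    print(matching_accounts(SAMPLE, FILTER))
```

Because the Blind User assignment hides every member of the Business Unit in all interfaces, comparing the accounts this logic selects against the accounts you expect to be hidden is a useful check before saving the assignment.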
