0 votes

Is there a quick/consistent way to prevent someone modifying anything to do with their own account, i.e. not allow a user to add themselves to groups, modify their account properties, move into different OUs, etc.? Thanks

by (1.6k points)

1 Answer

0 votes
by (289k points)
selected by
Best answer

Hello,

Out of the box, the built-in User Self-Service Security Role grants users permissions to modify properties and change passwords of their own accounts. To prevent users from modifying specific properties of their accounts, you need to add corresponding Deny permissions to the role. For example, to disallow users from modifying the Description of their own accounts:

  1. Launch Adaxes Administration Console.
  2. Navigate to Configuration\Security Roles\Builtin and select the User Self-Service role.
  3. Click Add in the Result Pane.
  4. Select User Object type and select Deny Write ‘Description’ Property.
  5. Click OK and save the changes.

There is no possibility to disallow users from adding themselves to groups using Security Roles. As a workaround, you can use a Business Rule triggering Before Adding a member to a Group. The rule will cancel the operation if a user tries to add themselves to a certain group. If this solution meets your needs, we will provide you with detailed instructions.

0

Thanks, that would be good for the groups.

I've been looking at this use case and have something similar to what you describe - user business rule for 'before adding member to a group' adding a conditional statement "if %initiator% eq member" etc, but think this may trigger if they are already a member of the group and try to add someone else, and that could be a valid operation.

0

Hello,

This condition will not do what you need. You need to use a PowerShell script instead. To update your Business Rule:

  1. Launch Adaxes Administration Console.

  2. Navigate to Configuration/Business Rules and select the rule.

  3. Double-click the if %initiator% eq member condition.

  4. Select If PowerShell script returns true and paste the script below into the Script field.

     # Bind to the member being added to the group and read its objectGUID
     $member = $Context.BindToObject("Adaxes://%member%")
     $memberGUID = [Guid]$member.Get("objectGUID")

     # Read the objectGUID of the user who initiated the operation
     $initiatorGUID = [Guid]$Context.Initiator.UserAdsObject.Get("objectGUID")

     # The condition is met only when the initiator is adding their own account,
     # so adding a different member (even by an existing group member) passes
     $Context.ConditionIsMet = $initiatorGUID -eq $memberGUID
  5. Enter a short description.

  6. Click OK and save the changes.
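An extended form of the same condition script, added here as an example rather than taken from the answer above: it keeps the objectGUID comparison, but wraps the bind in error handling and writes a message to the operation's execution log when a self-add is detected, so that blocked attempts leave an audit trail. It assumes the standard Adaxes script API ($Context.BindToObject, $Context.Initiator, $Context.LogMessage) and the %member% / %distinguishedName% value references of a "Before adding a member to a group" rule; the log text is constructed here.

```powershell
# Added example (not the answer's own script): condition script for a
# Business Rule triggered "Before adding a member to a group".
# Sets ConditionIsMet to $true only when the initiator is adding their own
# account, so the rule's Cancel action fires for that case and legitimate
# adds of other members pass through unchanged.

$Context.ConditionIsMet = $false

try {
    # Bind to the member being added; %member% is resolved by Adaxes
    $member = $Context.BindToObject("Adaxes://%member%")
    $memberGUID = [Guid]$member.Get("objectGUID")
}
catch {
    # Could not bind to the member (e.g. object not found): treat it as
    # "not a self-add", but record the failure for troubleshooting.
    $Context.LogMessage("Could not bind to member %member%: $($_.Exception.Message)", "Warning")
    return
}

# Identity of the user who started the operation
$initiatorGUID = [Guid]$Context.Initiator.UserAdsObject.Get("objectGUID")

if ($initiatorGUID -eq $memberGUID) {
    # Audit trail: appears in the execution log of the cancelled operation.
    # %distinguishedName% is the target group of the rule.
    $Context.LogMessage("Self-add blocked: initiator (objectGUID $initiatorGUID) tried to add their own account to group %distinguishedName%", "Warning")
    $Context.ConditionIsMet = $true
}
```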

0

Awesome, thanks.
