Prevent Account Self-Modification

Question

Is there a quick\consistent way to prevent someone modifying anything to do with their own account i.e. do not allow user to add themselves to groups, modify their account properties, move into different OU's etc? Thanks

Answer 1

Hello,

Out of the box, the built-in User Self-Service Security Role grants users permissions to modify properties and change passwords of their own accounts. To prevent users from modifying specific properties of their accounts, you need to add corresponding Deny permissions to the role. For example, to disallow users to modify Description of their own accounts:

1. Launch Adaxes Administration Console.
2. Navigate to Configuration\Security Roles\Builtin and select the User Self-Service role.
3. Click Add in the Result Pane.
   
4. Select User Object type and select Deny Write ‘Description’ Property.
   
5. Click OK and save the changes.

There is no possibility to disallow users to add themselves to groups using Security Roles. As a workaround, you can use a Business Rule triggering Before Adding a member to a Group. The rule will cancel the operation if a user tries to add themselves to a certain group. If this solution meets your needs, we will provide you with detailed instructions.

Comments

Thanks, that would be good for the groups.

I've been looking at this use case and have something similar to what you describe - user business rule for 'before adding member to a group' adding a conditional statement "if %initiator% eq member" etc, but think this may trigger if they are already a member of the group and try to add someone else, and that could be a valid operation.

---

Hello,

This condition will not do what you need. You need to use a PowerShell script instead. To update your Business Rule:

1. Launch Adaxes Administration Console.

2. Navigate to Configuration/Business Rules and select the rule.

3. Double-click the if %initiator% eq member condition.

4. Select If PowerShell script returns true and paste the script below into the Script field.
   

    # Get member guid
    $member = $Context.BindToObject("Adaxes://%member%")
    $memberGUID = [Guid]$member.Get("objectGUID")
   
    # Get initiator guid
    $initiatorGUID = [Guid]$Context.Initiator.UserAdsObject.Get("objectGUID")
   
    $Context.ConditionIsMet = $initiatorGUID -eq $memberGUID

5. Enter a short description.

6. Click OK and save the changes.

---

Awesome, thanks.