0 votes

Hi,

I did not find how to delegate configuration tasks, for instance, modifying a business rule (a specific one or a set), property patterns, and so on.
It seems to me that we can only manage access to the whole configuration. I'm organizing rules/patterns in folders (containers) and the underlying idea would be to delegate only these containers (and associated objects) to specific users.

Maybe I'm wrong; in that case I will be more than happy to get the answer :-)

Thanks!

Stephen

by (800 points)

1 Answer

0 votes
by (18.0k points)

Hello,

It is possible to allow users or groups to manage Adaxes configuration objects (Business Rules, Property Patterns, Scheduled Tasks, etc.).

To create a Security Role that will allow users to manage Business Rules:

  1. Launch Adaxes Administration Console.
  2. Start the Security Role Creation wizard.
  3. On the 2nd step of the wizard, open the submenu of the Add button.
  4. Select Manage Business Rules. This will add all the necessary permissions to manage Business Rules.
  5. Assign the Security Role to a user or group over Configuration Objects.

Using Adaxes Administration Console it is impossible to assign a Security Role over a specific Business Rule or a container of Business Rules. However, it is possible to do this via a script. We can implement such a script for you.

0

Yes, I saw that but our requirement is exactly what you described at the end of your message. I believe your script will modify permissions on LDDS backend. What would be the conditions to have that kind of script?
Thanks for your help

0

The following script assigns group My Group to a Security Role called My Role over a Business Rules container called My Container:

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$adaxesHost = "localhost"
$trusteeDN = "CN=My Group,CN=Users,DC=company,DC=com" # TODO: modify me
$businessRuleContainerName = "My Container" # TODO: modify me
$securityRoleName = "My Role" # TODO: modify me

# Connect to the Adaxes service
$admNS = New-Object("Softerra.Adaxes.Adsi.AdmNamespace")
$admService = $admNS.GetServiceDirectly($adaxesHost)

# Bind to the trustee object
$trustee = $admService.OpenObject("Adaxes://$trusteeDN", $NULL, $NULL, 0)

# Bind to the root container of Business Rules
$businessRulesPath = $admService.Backend.GetConfigurationContainerPath([Softerra.Adaxes.Adsi.WellKnownBackendContainer]::BusinessRules)
$businessRulesPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" $businessRulesPath
$businessRulesContainerAdsPath = $businessRulesPathObj.CreateChildPath("CN=$businessRuleContainerName")
$businessRulesContainer = $admService.OpenObject($businessRulesContainerAdsPath.ToString(), $NULL, $NULL, 0)

# The following function assigns a Security Role to a given trustee over specified activity scope
function AssignRole($roleName, $trustee, $baseObject, $scopeType, $scopeInheritance)
{
    $securityRolesContainerPath = $admService.Backend.GetConfigurationContainerPath([Softerra.Adaxes.Adsi.WellKnownBackendContainer]::AccessControlRoles)
    $securityRolesContainerAdsPath = New-Object "Softerra.Adaxes.Adsi.AdsPath" $securityRolesContainerPath
    $roleAdsPath = $securityRolesContainerAdsPath.CreateChildPath("CN=$roleName")
    $admRole = $admService.OpenObject($roleAdsPath.ToString(), $NULL, $NULL, 0)
    $admAssignment = $admRole.Assignments.Create()
    $trusteeSidBytes = $trustee.Get("objectSid")
    $trusteeSid = New-Object "Softerra.Adaxes.Adsi.Sid" @($trusteeSidBytes, 0)
    $admAssignment.Trustee = $trusteeSid.ToString()
    $admAssignment.SetInfo()
    $admRole.Assignments.Add($admAssignment)
    $admScopeItem = $admAssignment.ActivityScopeItems.Create()
    $admScopeItem.Put("adm-ScopeBaseObjectGuid", $baseObject.Get("objectGUID"))
    $admScopeItem.Exclude = $False
    $admScopeItem.Type = $scopeType
    $admScopeItem.Inheritance = $scopeInheritance
    $admScopeItem.SetInfo()
    $admAssignment.ActivityScopeItems.Add($admScopeItem)
}

# Assign the Security Role over the specified container of Business Rules
AssignRole $securityRoleName $trustee $businessRulesContainer "ADM_SCOPEBASEOBJECTTYPE_CONTAINER" "ADS_SCOPE_SUBTREE"

BTW, if you assign your Security Role like that, it may contain only one permission - Allow Full Control -> All Objects.
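As a follow-up check for the delegation set up by the script above, here is an added example (not from the original post, nor Adaxes support's code) that lists every assignment of a Security Role with its activity scope, so you can confirm the role is granted only over the intended container rather than over all Configuration Objects. It assumes that the Assignments and ActivityScopeItems collections can be enumerated with foreach, that a scope item's base object GUID is read back through the same adm-ScopeBaseObjectGuid attribute the script writes, and that the Adaxes provider accepts <SID=...> and <GUID=...> binding strings; the Resolve-Name helper is hypothetical.

```powershell
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$adaxesHost = "localhost"
$securityRoleName = "My Role" # TODO: modify me

# Connect to the Adaxes service
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly($adaxesHost)

# Bind to the Security Role, using the same container lookup as the assignment script
$rolesPath = $admService.Backend.GetConfigurationContainerPath([Softerra.Adaxes.Adsi.WellKnownBackendContainer]::AccessControlRoles)
$rolesAdsPath = New-Object "Softerra.Adaxes.Adsi.AdsPath" $rolesPath
$roleAdsPath = $rolesAdsPath.CreateChildPath("CN=$securityRoleName")
$admRole = $admService.OpenObject($roleAdsPath.ToString(), $NULL, $NULL, 0)

# Hypothetical helper: resolve a SID or GUID binding string to a distinguished name.
# Assumption: the Adaxes ADSI provider accepts <SID=...> and <GUID=...> binding strings.
function Resolve-Name($bindingString)
{
    try
    {
        $obj = $admService.OpenObject("Adaxes://$bindingString", $NULL, $NULL, 0)
        return $obj.Get("distinguishedName")
    }
    catch { return "<unresolved $bindingString>" }
}

# Assumption: Assignments and ActivityScopeItems can be enumerated with foreach
foreach ($assignment in $admRole.Assignments)
{
    # The trustee is stored as a SID string (the assignment script sets $admAssignment.Trustee that way)
    $trusteeName = Resolve-Name "<SID=$($assignment.Trustee)>"
    Write-Host "Trustee: $trusteeName"

    foreach ($scopeItem in $assignment.ActivityScopeItems)
    {
        # Assumption: the base object GUID is read back through the attribute the script writes
        $guidBytes = $scopeItem.Get("adm-ScopeBaseObjectGuid")
        $guid = New-Object Guid (,[byte[]]$guidBytes)
        $basePath = Resolve-Name "<GUID=$guid>"
        $action = if ($scopeItem.Exclude) { "Exclude" } else { "Include" }
        Write-Host "    $action $($scopeItem.Type) / $($scopeItem.Inheritance) over $basePath"
    }
}
```

Any scope line whose base object sits above the intended Business Rules container (for example the Configuration Objects root) means the delegation is wider than planned and should be reviewed.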
