0 votes

Hi,

I seem to have hit a permissions error. For the life of me I'm sure this has been working fine, now we appear to have a very strange situation.

I noticed today that a particular Custom Command that users should only have permission to run on their own entry was showing up for all entries:-


I've been trying to find out why this is, and now I'm even more confused. I've changed things round to try and find the cause, and I've given rights to this command to one role only (that I'm not a member of):


Yet, I can still execute this command (against anyone) - which is one problem - but the really strange thing is, when I look at the role assignments of the command it says no-one has rights to it, when we know from the above that at least one role has?


I'm also digging around other permissions issues, and it looks like there may be other 'over-permissive' access via the web interface. I'm 100% sure this has all been OK up to the last few days, so this must be something to do with a change we've made recently - but I cannot think of any permissions that have been changed.

Rgds

by (1.6k points)

1 Answer

0 votes
by (1.6k points)

...

I managed to find the root cause - mainly my fault but still a little confused about something.

We had temporarily added 'Full User Object' rights to a specific role (that my account was a member of but I hadn't realised, and it was just 'off the bottom of the page' in the trustee scroll box), and removing this fixed the underlying permissions issue:-


However, I'm confused as to i) why this role wasn't being reflected in the 'Effective Security Roles' for the custom command if it granted me the right to run the custom command, how ii) granting Full Control over 'User' objects also gave the right to run a Custom Command, that I thought were permissioned explicitly (or via the 'All Custom Commands' right).

Rgds

0

Through trial and error I seem to have confirmed that, for i), the 'Effective Roles' details those roles that have the right to manage/configure a Custom Command, not run it - is that correct?

Still not sure about ii) - though to be honest I may have created more problems by trying to fix the original one, and then lost track a bit of what was working when.

Either way - I have everything permissioned again as I expected, so you can ignore this thread!

Rgds

0

Hello,

...
i) why this role wasn't being reflected in the 'Effective Security Roles' for the custom command if it granted me the right to run the custom command

The Effective Security Roles section only shows the Security Roles that grant the permissions to manage the Custom Command, not execute it.

...how ii) granting Full Control over 'User' objects also gave the right to run a Custom Command, that I thought were permissioned explicitly (or via the 'All Custom Commands' right).

No. The Full Access permission grants the right to perform any operations on the object, that is write all properties, execute all Custom Commands etc, and the Execute all Custom Commands is a partial permission that grants only the rights to execute Custom Commands on the object.

As you mentioned in your initial post, you would like to grant users the right to execute this Custom Command on their own accounts only. To do this, you need to create a Security Role that grants the right to execute the Custom Command and assign it to Self and include All Objects in the Assignment Scope. To do this:

  1. Create a new Security Role.
  2. On the 2nd step, add the permission that allows to execute the Custom Command you need.
  3. On the 3rd step, assign the Role to Self and include All Objects in the Assignment Scope.
0

Many thanks. The very granular permissions model is both a curse and a god send!
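To make the two points in the answer concrete (Full Access subsumes "Execute all Custom Commands", which subsumes execution of any single command; and the Effective Security Roles list reflects who can manage a command, not who can run it), here is a small permission-evaluation model. It is an added illustration written for this thread, not Adaxes code and not its API: the permission names, the Role and Assignment classes, the group membership, the user names and the "ResetMFA" command are all constructed for the example. It reproduces the situation described above (an account unknowingly in a role with Full Access over users can run the command against anyone) and the fix (a Self-scoped role limits the command to the user's own account).

```python
"""
Toy model of the permission evaluation discussed in this thread.
An added example, not Adaxes code or its API; all names are assumptions.
"""
from dataclasses import dataclass, field

# Permission names used by this model (assumed names, not product constants).
FULL_ACCESS = "FullAccess"                          # any operation on the object
EXECUTE_ALL_CUSTOM_COMMANDS = "ExecuteAllCustomCommands"


def execute_permission(command: str) -> str:
    """Permission to run one specific Custom Command on the object."""
    return f"ExecuteCustomCommand:{command}"


def manage_permission(command: str) -> str:
    """Permission to configure (manage) one specific Custom Command."""
    return f"ManageCustomCommand:{command}"


@dataclass
class Assignment:
    trustee: str   # a user, a group, or the special trustee "Self"
    scope: str     # "AllObjects" or the name of one specific target object


@dataclass
class Role:
    name: str
    permissions: set
    assignments: list = field(default_factory=list)


def _assignment_applies(a: Assignment, actor: str, target: str, groups: dict) -> bool:
    # Trustee matches the actor directly, via group membership, or as Self
    # (Self only applies when the actor operates on their own object).
    if a.trustee == "Self":
        trustee_ok = actor == target
    else:
        trustee_ok = a.trustee == actor or actor in groups.get(a.trustee, set())
    scope_ok = a.scope == "AllObjects" or a.scope == target
    return trustee_ok and scope_ok


def can_execute(roles, actor: str, target: str, command: str, groups=None) -> bool:
    """True if `actor` may run `command` on `target`.

    Subsumption as described in the answer: Full Access implies
    Execute all Custom Commands, which implies each individual command.
    """
    groups = groups or {}
    satisfying = {FULL_ACCESS, EXECUTE_ALL_CUSTOM_COMMANDS, execute_permission(command)}
    return any(
        role.permissions & satisfying
        and any(_assignment_applies(a, actor, target, groups) for a in role.assignments)
        for role in roles
    )


def effective_roles_for_command(roles, command: str):
    """Roles the 'Effective Security Roles' view would list: those that may
    manage the command. Roles that only grant execution are not included."""
    return sorted(r.name for r in roles if manage_permission(command) in r.permissions)


# Constructed sample configuration mirroring the thread (not real data).
GROUPS = {"HelpDesk": {"alice"}}   # alice did not realise she was in HelpDesk
ROLES = [
    # The temporary 'Full User Object' role that caused the over-permissive access.
    Role("Temp Full User Object", {FULL_ACCESS},
         [Assignment("HelpDesk", "AllObjects")]),
    # The intended role: run ResetMFA on your own account only.
    Role("Run ResetMFA on self", {execute_permission("ResetMFA")},
         [Assignment("Self", "AllObjects")]),
    # Whoever configures the command; this is what Effective Security Roles shows.
    Role("Command admins", {manage_permission("ResetMFA")},
         [Assignment("admins", "AllObjects")]),
]


def roles_after_fix(roles):
    """Remove the temporary Full Access role, as the poster did."""
    return [r for r in roles if FULL_ACCESS not in r.permissions]


if __name__ == "__main__":
    print("before fix, alice on bob:", can_execute(ROLES, "alice", "bob", "ResetMFA", GROUPS))
    fixed = roles_after_fix(ROLES)
    print("after fix, alice on bob:", can_execute(fixed, "alice", "bob", "ResetMFA", GROUPS))
    print("after fix, alice on self:", can_execute(fixed, "alice", "alice", "ResetMFA", GROUPS))
    print("effective (manage) roles:", effective_roles_for_command(ROLES, "ResetMFA"))
```

Running the script shows the same sequence the thread went through: with the Full Access role present the check succeeds against any target, after removing it only the Self assignment remains, and the "effective roles" list never contained the Full Access role because it is about management, not execution.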
