0 votes

Is there a way to enable custom commands for one domain ONLY? So that the command doesn't even show when viewing a user in a domain that doesn't have that custom command?

Example:

You have one web interface for all your managed domains.
Users in domain A are on a Citrix platform, and you should be able to run Citrix Custom Commands against users in this domain. You should also just see the Citrix commands.

Users in domain B are on a VDI platform, and you should be able to run VDI Custom Commands against users in this domain, and NOT Citrix Custom Commands. You should also just see the VDI commands.

by (960 points)

1 Answer

0 votes
by (216k points)

Hello,

Yes, you can do this with the help of Security Roles. You can create a set of Security Roles, one Role per 'environment'. In that Role, you need to add the Deny permission to execute all Custom Commands that belong to a particular 'environment', assign the Role to Authenticated Users, and include the domains where the Command must not be executed in the Assignment Scope of the Role. So, for example, for Citrix Custom Commands, you need to create a Security Role that denies the right to execute all Citrix commands, and include all domains that are not running the Citrix platform in the Assignment Scope.

To create such a Security Role:

  1. Create a new Security Role.
  2. On the 2nd step of the Create Security Role wizard, click Add.
  3. Select the object type on which the Custom Commands can be executed (e.g. User).
  4. In the General permissions section, check the necessary Custom Commands in the Deny column.
  5. Click OK.
  6. If necessary, repeat steps 2-5 for as many object types as you need.
  7. On the 3rd step, assign the Role to Authenticated Users, including the domains where the commands must not be executed in the Assignment Scope of the Role.
0

I've tested this solution, but I still see the commands in the web interface. When I click it though, I get "Access is denied".

I've also done an iisreset after applying these rights.

0

Hello,

It is a bug in Adaxes that will be fixed by the next release. Custom Commands that a user doesn't have the right to execute on a specific object shouldn't be shown in the Web interface on the page that displays properties of the object.

For now, until the workaround is available, you can create the following workaround:

  1. You can disable all Custom Commands on the Web interface. For information on how to do this, see step 4 in Disallow Certain Operations on Active Directory Objects.
  2. Then, you can create a series of Home Page Actions, one for each Custom Command. For information on how to do this, see section Custom Command in Configure Home Page Actions. On step 3 of the section, you will find information on how to allow objects located in a specific OU or container. Specify the DN of the domain where the Custom Command can be executed as the container DN.
0

When will the next release be available? This is very important for the use of the web interface for our users. Would it be possible to get a fix for this?

The workaround with custom commands as actions on the home page is not a good solution for us.

0

Hello,

First of all, you should pay attention to the case when you execute Custom Commands from AD object lists. In object lists, the Web interface shows all Custom Commands that can be executed on the selected object types, regardless of permissions granted to the user. The permissions are not checked in AD object lists by design because checking permissions would cause a huge performance loss. To work around this, you can disable Custom Commands in AD object lists. For information on how to do this, see step 6 in the following tutorial: http://www.adaxes.com/tutorials_WebInte ... bjects.htm.

On the page used for viewing properties of an object, permissions are checked. That is, a user will be shown only the Custom Commands they can execute on the object. The issue is that when you disallow executing a Custom Command by assigning a Deny execute permission, the permission is not taken into account when building the list of Custom Commands. However, if you distribute the permissions to execute Custom Commands only with the help of the Allow execute permissions, they will be taken into account when building the list of Custom Commands shown to the user. So, you can work around the issue by distributing the permissions to execute the Custom Commands with the help of the Allow execute permissions only. To do this:

  1. Check that none of the Security Roles give the Execute All Custom Commands permission for the object type (e.g. User). If any Security Roles give such a permission, remove it and add permissions to execute each Custom Command separately.

  2. Create a set of Security Roles, one Role per 'environment'. In that Role, you need to add the Allow permission to execute all Custom Commands that belong to a particular 'environment', assign the Role to Authenticated Users, and include the domains where the Command can be executed in the Assignment Scope of the Role. So, for example, for Citrix Custom Commands, you need to create a Security Role that allows the right to execute all Citrix commands, and include all domains that are running the Citrix platform in the Assignment Scope. To create such a Security Role:

    • Create a new Security Role.
    • On the 2nd step of the Create Security Role wizard, click Add.
    • Select the object type on which the Custom Commands can be executed (e.g. User).
    • In the General permissions section, check the necessary Custom Commands in the Allow column.
    • Click OK.
    • If necessary, repeat steps 2-5 for as many object types as you need.
    • On the 3rd step, assign the Role to Authenticated Users, including the domains where the commands can be executed in the Assignment Scope of the Role.
0

Good. This was part of the solution. The other part was to remove "Full Control" over User objects. With Full Control enabled, you will still see the command and be able to execute it.

0

Yes, the Full Control permission also includes the permission to execute all Custom Commands.
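
The behaviour described in this thread, as a small Python model added here (it is not Adaxes code and not part of the original posts): it compares what the properties page shows with what can actually be executed, and flags broad grants that expose every Custom Command. The role, domain and command names are constructed, and the rule that an in-scope Deny overrides any Allow is an assumption.

```python
# Added model of the behaviour described in this thread; not Adaxes code.
from dataclasses import dataclass, field

# Per the thread, both of these broad permissions include executing every Custom Command.
BROAD = {"Full Control", "Execute All Custom Commands"}

@dataclass
class Role:
    name: str
    scope: set                                  # domains in the Assignment Scope
    allow: set = field(default_factory=set)     # command names or BROAD permissions
    deny: set = field(default_factory=set)      # command names

def _allowed(roles, domain, command):
    return any(domain in r.scope and (command in r.allow or r.allow & BROAD)
               for r in roles)

def shown_on_properties_page(roles, domain, command):
    """List building as described in the thread: only Allow permissions count."""
    return _allowed(roles, domain, command)

def can_execute(roles, domain, command):
    """Assumption: an in-scope Deny overrides any Allow ("Access is denied")."""
    denied = any(domain in r.scope and command in r.deny for r in roles)
    return _allowed(roles, domain, command) and not denied

def audit(roles, domains, commands):
    """Findings: broad grants in scope, and commands shown that cannot be run."""
    findings = []
    for d in sorted(domains):
        for r in roles:
            if d in r.scope and r.allow & BROAD:
                findings.append((d, r.name, "broad grant"))
        for c in sorted(commands):
            if shown_on_properties_page(roles, d, c) and not can_execute(roles, d, c):
                findings.append((d, c, "shown but denied"))
    return findings

# Constructed sample data: domain and command names are hypothetical.
CITRIX, VDI = "Citrix: Reset Session", "VDI: Rebuild Desktop"
DENY_SETUP = [Role("Helpdesk", {"A", "B"}, allow={"Execute All Custom Commands"}),
              Role("Deny Citrix", {"B"}, deny={CITRIX}),
              Role("Deny VDI", {"A"}, deny={VDI})]
ALLOW_SETUP = [Role("Citrix operators", {"A"}, allow={CITRIX}),
               Role("VDI operators", {"B"}, allow={VDI})]
LEFTOVER = ALLOW_SETUP + [Role("Legacy admin", {"A", "B"}, allow={"Full Control"})]
```

An empty result from `audit(ALLOW_SETUP, {"A", "B"}, {CITRIX, VDI})` corresponds to the end state the thread arrives at: Allow-only roles scoped per domain, with no Full Control or Execute All Custom Commands grant left in scope.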
