0 votes

Hi there !

I use the blind users role to hide objects to web operators but it seems that default containers (builtin, computers, users) are always visible, when i use group management features (so i always see groups like Users, Pre Windows 2000...)
Even if the user do not have the rights to edit these objects, i'd like these to be really hidden.

Any clue ?

by (800 points)

1 Answer

0 votes
by (216k points)

Hello,

This happens because you excluded security principal Self from the activity scope of the Blind User role. The security principal Self also includes all groups a user is a member of.

To fix your problem you can do the following:

  1. Create a new Security Role.

  2. Add Deny Read Groups permission to this role.

  3. Assign this role to Everyone over the groups that you what to hide.

  4. Exclude the users that you want to allow to view these groups from the activity scope.

We are considering changing this behaviour, and probably in the next version, the security principal Self will be treated as the self user account only.

0

Thanks a lot !

Related questions

0 votes
1 answer

Hi again, It seems that there is a problem with the Blind Users role and the add to group features : i configured a user as he can see only a specific OU through blind ... " (Where My User stands for the real user name obviously). Am i doing something wrong ?

asked Jul 5, 2011 by sroux (800 points)
0 votes
1 answer

Hi, Still struggling with blind user role :-) i found out that i cannot exclude configuration object from the role (this is greyed) so users cannot use "My Approval" "My requests" features Is this normal ? TIA

asked Jul 21, 2011 by sroux (800 points)
0 votes
1 answer

I have 18 domains managed by Adaxes and have noticed that Admin (full access) t all objects acts normally, but for piecemeal scopes like Service Desk that scopes to individual ... role (including 16 denies) and expect it to grow as we add more domains.

asked Sep 20, 2022 by DA-symplr (100 points)
0 votes
1 answer

I need to replace one Active Directory security group that has been given rights over many OUs within several Security Roles. There are likely ~300 entries that need ... in the SDK documentation appears to be broken - http://adaxes.com/scriptrepository

asked May 1, 2013 by SomeUser (90 points)
0 votes
1 answer

Is it possible to create a security role that would only allow disabling accounts, but not enabling?

asked Feb 21, 2012 by BradG (950 points)
3,588 questions
3,277 answers
8,303 comments
548,093 users