Adaxes

Exporting a user shows attributes don't have permissions to see

0 votes

Hi All,

I have just been notified that if a user uses the export feature. They are able to export attributes such as 'Member Of' that they do not have permission to see on the web interface.

I think this is because the Domain User security role has Read permission on all object types which is then locked down via the web interface.

Is there an easy way to restrict the export like you restrict the web interface or will I have to individually add permissions to the Domain User security role?

Thanks

by (440 points)

1 Answer

+1 vote
by (3.6k points)
selected by
Best answer

Hello,

Permissions in Adaxes are granted with the help of Security Roles. Hiding the elements of the Web Interface from the users doesn’t affect their permissions to view certain object properties. If the built-in Domain User Security Role was not modified in your environment, all authenticated users effectively have the permissions to view all objects and all their property values.

To restrict the permissions to export certain property values, you have to deny the rights to view these values using Security Roles. For details, please see https://www.adaxes.com/tutorials_DelegatingPermissions_GrantRightsToModifySpecificProperties.htm. On step 3 of the tutorial, check the Read <Property Name> permission in the Deny column.

Please note, that even if you restrict the rights to view the value of a certain property (e.g. Member Of), users will still be able to select this property during export, but the value in the exported document will be blank.

0

Thank you for that. I will have to make the Domain User permissions a bit more granular

by (440 points)

Related questions

0 votes
0 answers
Permissions to allow a self-service user to set out-of-office replies on mailboxes they have direct full control over

Good Afternoon, I'm looking for some clarification on what security settings I would need to apply to the Self-Service Users to allow them to update both their own ... accounts they have full access to. Please let me know if this requires more clarification.

asked Jul 22, 2021 by jtop (700 points)
0 votes
1 answer
Users don't see Actions in web interfaces which are based on Custom Command targeted to domaindns object

Hi, I had to create Custom Command for distribution group creation. Default group creation wizard cannot be used, because we need some of parameters to be mandatory etc. Anyway I ... which shouldn't be targeted to any particular AD object. How do I do it?

asked Jan 20, 2020 by KIT (960 points)
0 votes
1 answer
Setup a report in Adaxes that shows all the objects with the Replicate Directory permissions

For security purposes, we need to audit the objects that are capable of replicating the directory. As we have a number of individuals that need this report, I would like to ... four domains and would like to see any objects with this permission in any of them

asked May 20, 2022 by jiambor (1.2k points)
0 votes
0 answers
Web Service only for Self-Service with deny login all "Access is denied. You don't have access to any Web Interfaces."

Hi Evryone, I am trying to set up an external portal within a new webserver on dmz, and with only access to a webservice created from selfservice. The new webservice is only ... login, only reset password. What I am mising there that its not working? Thanks,

asked Nov 26, 2021 by yagoityd (20 points)
0 votes
1 answer
Trying to see all users who have Dial in access

I am trying to see if Adaxes and send me a report of how many users have Dial In access. is there a way to do it.. If so please advise .. The object is msNPAllowDialin

asked Dec 2, 2011 by Nate (20 points)
3,548 questions
3,238 answers
8,232 comments
547,814 users