Allow a single user to read specific LDS attribute - Access Templates - Active Roles 7

Hello,

I'm quite new to ARS in terms of Access Templates.

I want a single user to be able to read just a specific LDS attribute in the ARS web console.

For example: when the user searches for an LDAP object and selects it, he should see the Properties option, and after clicking that he should see just the specific attribute, not the others.

Please advise.

  • Hello, c0dac0da.

    While possible, such a request does have several challenges.

    You can create an Access Template that would grant the List Object privilege for the desired object class(es), then the Read permission on whatever single attribute you're interested in: let's use description as an example. There are a variety of other "baseline" permissions that I would be inclined to include as well, however, such as the ability to read the objectClass of the object; otherwise the product won't display the proper icon for the object. You'd probably want to allow them to read all of the basic naming attributes as well (e.g., name, cn, distinguishedName, samAccountName, userPrincipalName, edsaUPNPrefix, and so on).

    Rather than go through all of that, I would ask whether you really need to restrict the permissions in this way. Remember that your delegated person will be able to see all object attributes in native AD, so you're not really introducing a security boundary. Second, you can just create a customised version of the Web interface that only displays the very few attributes that you want them to look at. The Web customisation wouldn't restrict their privileges to see the attributes, but would just customise the user interface so that the unwanted attributes are not displayed on-screen. It would be much easier to do that, I expect.

    Cheers,
    Shawn.
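The reply's key point is that an Access Template or a Web interface customisation only shapes what the ARS console shows; it does not change what the delegated user can read from the directory with ldp.exe, ADUC or Get-ADUser. The script below is an added example (not code from this thread, and not part of Active Roles) that checks that native boundary: it lists the AD access-control entries that grant or deny the delegated user read access to attributes of one object, resolving attribute and property-set GUIDs to names. It assumes the RSAT ActiveDirectory module (which provides the AD: drive) on a domain-joined host, that the user's `tokenGroups` attribute can be read, and that the helper names, the object DN and the account name are placeholders of mine.

```powershell
# Added example, not from the original thread or from Active Roles.
# Lists the native AD ACEs that let (or forbid) a trustee to read attributes
# of a directory object. Requires the RSAT ActiveDirectory module on a
# domain-joined host; $ObjectDN and $TrusteeSam are placeholders.
Import-Module ActiveDirectory

function Get-SchemaGuidMap {
    # schemaIDGUID -> lDAPDisplayName for every attribute and class in the schema,
    # plus rightsGuid -> displayName for property sets and extended rights, so
    # that ACE ObjectType GUIDs can be shown by name.
    $rootDse = Get-ADRootDSE
    $map = @{}
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[([guid]$_.schemaIDGUID)] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[([guid]$_.rightsGuid)] = $_.displayName }
    return $map
}

function ConvertTo-SidString($value) {
    # tokenGroups may come back as SecurityIdentifier objects or raw byte[]; normalise both.
    if ($value -is [byte[]]) {
        return (New-Object System.Security.Principal.SecurityIdentifier($value, 0)).Value
    }
    return ([System.Security.Principal.SecurityIdentifier]$value).Value
}

function Get-NativeReadAces {
    param(
        [Parameter(Mandatory)][string]$ObjectDN,    # placeholder, e.g. 'CN=Jane Doe,OU=Staff,DC=corp,DC=example'
        [Parameter(Mandatory)][string]$TrusteeSam   # placeholder, e.g. 'helpdesk1'
    )
    $guidMap = Get-SchemaGuidMap

    # Token SIDs: the user, every group it belongs to (nested, via the constructed
    # tokenGroups attribute), plus Everyone and Authenticated Users, which many ACEs target.
    $user = Get-ADUser -Identity $TrusteeSam -Properties tokenGroups
    $sids = @($user.SID.Value) + @($user.tokenGroups | ForEach-Object { ConvertTo-SidString $_ })
    $sids += 'S-1-1-0', 'S-1-5-11'

    # Any of these rights lets the trustee read the attribute(s) the ACE is scoped to.
    $readRights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, GenericRead, GenericAll'
    $acl = Get-Acl -Path "AD:\$ObjectDN"

    foreach ($ace in $acl.Access) {
        $aceSid = $null
        try { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { continue }
        if ($sids -notcontains $aceSid) { continue }
        if (([int]($ace.ActiveDirectoryRights -band $readRights)) -eq 0) { continue }

        # ObjectType is the attribute or property set the ACE is scoped to; an empty GUID means all properties.
        $target = if ($ace.ObjectType -eq [guid]::Empty) { '<all properties>' }
                  elseif ($guidMap.ContainsKey($ace.ObjectType)) { $guidMap[$ace.ObjectType] }
                  else { $ace.ObjectType.ToString() }

        [pscustomobject]@{
            Trustee   = $ace.IdentityReference.Value
            Access    = $ace.AccessControlType       # Allow or Deny
            Rights    = $ace.ActiveDirectoryRights
            Target    = $target
            Inherited = $ace.IsInherited
        }
    }
}

# Usage with placeholder values. Only a Deny on the attribute (or no Allow at all)
# in this output actually stops the user from reading it outside the ARS console.
Get-NativeReadAces -ObjectDN 'CN=Jane Doe,OU=Staff,DC=corp,DC=example' -TrusteeSam 'helpdesk1' |
    Sort-Object Access, Target | Format-Table -AutoSize
```

Read the output for the attribute you intended to single out in the Access Template: if an Allow for `<all properties>` or a property set containing it (for example the default Authenticated Users read rights on user objects) applies to the trustee, the ARS-side restriction is cosmetic, which is exactly the point made in the reply. Effective-access evaluation in AD also takes ordering of Deny and Allow ACEs and inherited versus explicit entries into account; this script lists the matching ACEs rather than computing the final verdict, so treat a mixed Allow/Deny result as something to verify with the Effective Access tab in ADUC.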