
Managed Units container visible to everyone (Active Roles 7.2)

Hi, is there a way of preventing literally everyone from seeing the Managed Units container after logging in to Active Roles Server using mmc/http? I have just logged in to Active Roles Server using my low-privileged account via both mmc and http, and all created managed units are visible - hopefully any action, for instance on a user account which is a member of a given unit, will be followed by an access denied message. Making the Managed Units container visible only to the ones who should see it would be the preferred way of preventing non-authorized staff from even knowing about them, let alone seeing their members ...

It seems the following security entry for Managed Units is a possible cause, but is this there by default?

  • The Access Template which you show in your screenshot is present by default, but it is explicitly linked to the root Managed Unit container, without inheritance. It does not include any permissions to view Managed Units, only Managed Unit Containers.

    Active Roles has a zero-permissions model. Out-of-the-box, a standard User account can see nothing from the environment, including the Domain and any Active Roles configuration objects.

    If a low-privileged account can see an object which you do not wish them to see, then there is an Access Template in place which grants that access. The one from your screenshot is not it.

    I suggest looking at the individual Managed Units to see if something is linked.
  • Excellent, if you select any of these Managed Units Containers with a low-privileged account, the Managed Units inside will not be shown. The account I used initially is a member of certain groups which have elevated privileges, so I apologize for that.

  • No need to apologize, I've done much worse before my morning coffee :-)

    If you have a better understanding of the product, then it is time well spent.
  • I have recently joined the company and Active Roles was already in place - I have just upgraded Active Roles from 6.9 to 7.2; nothing has been changed in terms of configuration. My boss told me this morning that literally everyone could see all user accounts in Active Directory - I have checked it out - a low-privileged user cannot see anything apart from MU Containers, let alone view all user accounts ...