
Managed Units container visible to everyone (Active Roles 7.2)

Hi, is there a way of preventing literally everyone from seeing the Managed Units container after logging in to Active Roles Server using mmc/http? I have just logged in to Active Roles Server using my low-privileged account via both mmc/http, and all created managed units are visible - hopefully any action, for instance on a user account which is a member of a given unit, will be followed by an access denied message. Making the Managed Units container visible only to the ones who should see them would be the preferred way of preventing non-authorized staff from even knowing about them, let alone seeing their members ...

It seems the following security entry for Managed Units is a possible cause, but is this by default?

  • The Access Template which you show in your screenshot is present by default, but it is explicitly linked to the root Managed Unit container, without inheritance. It does not include any permissions to view Managed Units, only Managed Unit Containers.

    Active Roles has a zero-permissions model. Out-of-the-box, a standard User account can see nothing from the environment, including the Domain and any Active Roles configuration objects.

    If a low-privileged account can see an object which you do not wish them to see, then there is an Access Template in place which grants that access. The one from your screenshot is not it.

    I suggest looking at the individual Managed Units to see if something is linked.