Lockdown web interface

I've started seeing if I could lockdown my policy more.  I created an MU with only Exchange enabled objects in it.  I set my policy to that MU to use the builtin Active Roles groups "Primary Owner" and "Secondary Owner.

In the web interface I can still see all the AD structure.  In the MMC I can't.  Is this supposed to be like that?

Preference being users can't see the AD Structure in the web interface.

You can suppress the Active Directory node entirely and just give them an MU to work with.  Populate that with a flat list of the users you want them to see.

That's what I did.  The MMC is showing correctly.  The web interface is not.

What I was suggesting was "physically" removing the Active Directory node from the web site definition.  Yes, that's a bit extreme but some customers want a very simplified user experience.  There is a KB on how to do this.

I see what you mean.  I was thinking the permissions would filter this information out if it isn't available.  Just like the console does.  I was trying to avoid having all these URLs I can't control access to.  Ugh. 

Technically, you should be able to filter by ATs only.  (Notwithstanding the physical presence of the Active Directory and other nodes).  I can't understand how you would see one thing in the MMC and something different in the web.  The data layer is the same.  Are you possibly having some replication latency in your AR configuration?  This I have seen.

Technically, you should be able to filter by ATs only.  (Notwithstanding the physical presence of the Active Directory and other nodes).  I can't understand how you would see one thing in the MMC and something different in the web.  The data layer is the same.  Are you possibly having some replication latency in your AR configuration?  This I have seen.

I doubt replication issues.  It's a small environment with a single service. 

If you tell me that AD structure is filtered out for you then I'll open a helpdesk case. 

I don't know how you manage the visibility of AD but I recommend separate ATs for visibility vs for tasks and property editing on objects.  As a rule, I don't use the built-in ATs because most grant visibility rights that I prefer to control explicitly.

Still haven't told me if your web interface filters out AD just like the MMC.  :)

The Active Directory node in the Navigation Pane in the Active Roles Web Interface is hard-coded and cannot be hidden.

However, the entire Navigation Pane can be hidden, and then a new button added on the Web Interface Home page to go directly to Managed Units.

1) In the Active Roles Console, choose Mode | Raw Mode.

2) Navigate to Configuration/Application Configuration/Web Interface

3) Modify either an Admin or HelpDesk site (this cannot be done on a Self Service Site)

4) Expand the site, then find Interface Settings and WorkingCopy. Right-click on WorkingCopy and choose All Tasks | Advanced Properties

5) Find edsaWISettings

6) Inside this attribute, find this xml section:

<UIPolicy ID="Default"
ShowQuickSearch="true"
ShowPathToAdObject="true"
ShowActionPane="true"
ShowTopPanel="true"
ShowNavigationPane="true">

7) Change ShowNavigationPane to "false"

8) Log into the same Web Interface Site as an Active Directory Administration and choose Customization | Reload to post the changes

9) On the Home page, add a new button which links to this URL:

List.aspx?TaskId=UnitContainerContent&TargetClass=edsManagedUnitsContainer&DN=CN%3dManaged+Units%2cCN%3dConfiguration

10) When adding the button, expand Advanced Properties and deselect the option to Open the URL in a frame.