Adaxes Web Interface Help

Security Role Permissions

Permissions are assigned to trustees on certain resources. That is, Security Roles define users or groups that are permitted to access specific resources and determine the level of that access. Permissions can allow or deny rights to perform certain operations. If a permission is not explicitly granted, it is assumed to be implicitly denied.

Security Role permissions can apply to objects of all types or only to objects of the selected types. The list of available permissions changes depending on the selected object types. For example, if you select only the Contact object type, Operations on Child Objects are not in the list of permissions, because contacts cannot have child objects.

There are three kinds of permissions:

General Permissions

| Permission | Description |
| --- | --- |
| Full Control | The right to create or delete child objects, delete a subtree, read and write properties, examine child objects and the object itself, add and remove the object from the directory, and read or write with an extended right. |
| Read | The right to read all properties of an object, read permissions on this object, list this object's name when the parent container is listed, and list the contents of this object if it is a container. |
| Write | The right to read permissions on an object, write all the properties of this object, and perform all validated writes to this object. |
| Read All Properties | The right to read properties of an object. |
| Write All Properties | The right to write properties of an object. |
| Read Logging Information | The right to read the object's logging information, such as operations performed on an object, or operations performed by an object (when applied to a user). |
| Disenroll User (Password Self-Service) | The right to disenroll users from the Password Self-Service system. This permission is only available when the 'User' object type is selected. |
| Send SMS | The right to perform the 'Send SMS' operation. This permission is only available when the 'User', 'InetOrgPerson' or 'Contact' object type is selected. |
| Execute All Custom Commands | The right to execute all Custom Commands on an object. |
| View Password Self-Service Statistics | The right to view the statistics of enrollment in Password Self-Service Policies, password resets and user blocking. This permission is only available when the 'PasswordSelfServiceStatistics' object type is selected. |
| Read General Service Log | The right to read the logging information on any operation performed via the Adaxes service. This extended right is effective only when assigned on Configuration Objects. This permission is only available when the 'ServiceLog' object type is selected. |
| Run Program or Script | The right to run external programs or scripts. This extended right is effective only when assigned on Configuration Objects. This permission is only available when the 'ConfigurationObjectContainer' object type is selected. |
| Delete Object | The right to delete objects. |
| Delete Subtree | The right to delete all child objects of an object, regardless of the permissions of the child objects. |
| List Contents | The right to list child objects of an object. |
| Read Permissions | The right to read data from the security descriptor of an object, not including the data in the SACL. |
| Modify Permissions | The right to modify the discretionary access-control list (DACL) in the security descriptor of an object. |
| Modify Owner | The right to assume ownership of an object. The user must be a trustee of the object. The user cannot transfer the ownership to other users. |

Operations on Child Objects: deletion and creation of child objects of the specified type or of all types if not specified.

| Permission | Description |
| --- | --- |
| Create Child Objects | The right to create child objects of the specified type. If no object types are specified, the right controls creation of all child object types. |
| Delete Child Objects | The right to delete child objects of the specified type. If no object types are specified, the right controls deletion of all child object types. |

Property-specific Permissions: writing and reading object properties.

| Permission | Description |
| --- | --- |
| Read Property | The right to read this property of an Active Directory object. |
| Write Property | The right to write this property of an Active Directory object. |
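The following is an added worked example, not Adaxes code, that models the evaluation rules this page describes: permissions are scoped to object types, Full Control bundles the rights listed in its description, and anything not explicitly allowed is implicitly denied. It assumes (the page does not say this) that an explicit deny takes precedence over an allow and that a trustee matches either directly or through group membership; the entries and names are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Set

# Rights that the page's description of "Full Control" spells out.
# Simplification: "examine child objects" is mapped to List Contents.
COMPOSITE = {
    "Full Control": {
        "Create Child Objects", "Delete Child Objects", "Delete Subtree",
        "Read All Properties", "Write All Properties", "List Contents",
        "Delete Object",
    },
}

@dataclass(frozen=True)
class Entry:
    trustee: str                              # user or group name
    permission: str
    allow: bool                               # False = explicit deny
    object_types: Optional[FrozenSet[str]] = None  # None = all object types

def expand(permission: str) -> Set[str]:
    """A composite permission implies its bundled rights plus itself."""
    return {permission} | COMPOSITE.get(permission, set())

def effective_rights(entries: Iterable[Entry], principal: str,
                     groups: Set[str], object_type: str) -> Set[str]:
    """Rights `principal` ends up with on one object of `object_type`.
    Nothing is granted unless some matching entry allows it."""
    trustees = {principal, *groups}
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for e in entries:
        if e.trustee not in trustees:
            continue
        if e.object_types is not None and object_type not in e.object_types:
            continue   # entry is scoped to other object types
        (allowed if e.allow else denied).update(expand(e.permission))
    return allowed - denied   # assumption: explicit deny beats allow

# Constructed sample role: Help Desk has Full Control on users,
# but deleting user objects is explicitly denied.
SAMPLE_ENTRIES = [
    Entry("Help Desk", "Full Control", True, frozenset({"User"})),
    Entry("Help Desk", "Delete Object", False, frozenset({"User"})),
]

if __name__ == "__main__":
    print(sorted(effective_rights(SAMPLE_ENTRIES, "alice", {"Help Desk"}, "User")))
```

Running it shows alice keeps the rest of Full Control on user objects but loses Delete Object, and gets nothing at all on a Group object or if she is not in Help Desk.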
