The visibility of Active Roles Web Interface commands can be controlled by the user's access to any attribute, including custom Active Roles Virtual Attributes.
Because Create Child Object permissions are held on a container, such as an Organizational Unit or a Container object, rather than on the object being created, a Create User gatekeeper attribute must be defined on container classes.
It is possible to create a new Virtual Attribute and link the visibility of a Web Interface element to access to that attribute. A Delegated Administrator who only has the minimum standard delegated permissions will then not see the option. Even All Objects - Read All Properties is not sufficient: the Delegated Administrator must be granted either Full Control or read/write access to the specific gatekeeper attribute in order to see the Active Roles Web Interface command.
Create a new Virtual Attribute of Boolean syntax which is linked to Organizational Units and Container objects
- In the Active Roles Console, expand Configuration | Server Configuration | Virtual Attributes
- In the menu at the top, choose Action | New | Virtual Attribute
- Provide an appropriate Common Name and LDAP Display Name, such as edsvaServiceAccountCreationWIGateKeeper and then click Next
- In the Syntax dropdown menu, choose Boolean and then click Next
- Check off Container and Organizational Unit and then click Next
- Deselect the checkbox for Store values of this virtual attribute in the Active Roles Administration database and then click Next and Finish
- Reconnect in the Active Roles Console and perform an IISRESET in an elevated command prompt on the Active Roles Web Interface host in order to see this new Virtual Attribute.
Create the new Web Interface form and link visibility to the Web Interface Gatekeeper Attribute
- Log into the Active Roles Web Interface as an Active Roles Administrator
- Expand Customization | Directory Objects and click on Organizational Unit
- Click on Create New Command then Form Task and Next
- Choose an appropriate Command Name, like New Service Account, and set a description and tooltip if desired, then click on Finish
- Click on the new command name and then click on the Visibility tab
- Select the If the user has sufficient rights and the object selected by the user meets each of the following conditions radio button and under The user is allowed to modify each of these properties of the selected object click on Add and choose the Web Interface gatekeeper attribute created above, then click Save
- On the left-hand menu, click on Link with New Form
- Choose New Object then click on Next
- Choose an appropriate Form Name, like New Service Account, and choose User from the Object type dropdown menu, then click Finish
Create the new Access Template which will grant access to the New Service Account command
- In the Active Roles Console, browse to Configuration | Access Templates
- In the menu at the top, choose Action | New | Access Template
- Choose an appropriate Name, such as Grant access to Service Account Creation Form in Web Interface then click on Next
- Click Add then select the Only the following classes: radio button and check off Organizational Unit, then click on Next
- Choose the Object property access radio button and check off both Read properties and Write properties then click Next
- Choose the The following properties radio button and check off the Web Interface gatekeeper attribute created above, then click Finish
- Repeat the three previous steps (Add the object class, Object property access with Read and Write properties, and The following properties) for Container objects, if desired
- Click on Next and Finish
- Link this new Access Template to the desired Trustee and Directory Object
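After linking the Access Template, it is worth confirming that the trustee actually holds both read and write access to the gatekeeper attribute through Active Roles, since a read-only grant leaves the command hidden. The following script is an added example and not part of the original article; it assumes the Active Roles Management Shell is installed and that the Get-QADPermission parameter names used here (-Identity, -Account, -Property, -Rights, -Proxy, -Inherited) match your version, which you should confirm with Get-Help. The OU and trustee values are placeholders.

```powershell
# Added verification example (not from the original article).
# Assumption: Active Roles Management Shell module and the parameter names below
# exist in your version; confirm with: Get-Help Get-QADPermission -Full
Import-Module ActiveRolesManagementShell

$gatekeeper = 'edsvaServiceAccountCreationWIGateKeeper'      # LDAP display name created above
$container  = 'OU=Service Accounts,DC=example,DC=com'        # placeholder OU, adjust
$trustee    = 'EXAMPLE\ServiceAccountCreators'                # placeholder trustee, adjust

# The Web Interface evaluates rights through the Active Roles proxy, so query with -Proxy.
# -Inherited is included because the Access Template is normally linked higher in the tree.
function Get-GatekeeperAces {
    param([string]$Right)
    @(Get-QADPermission -Identity $container -Account $trustee `
        -Property $gatekeeper -Rights $Right -Proxy -Inherited)
}

$readAces  = Get-GatekeeperAces -Right 'ReadProperty'
$writeAces = Get-GatekeeperAces -Right 'WriteProperty'

# Show what was found so any Deny entry can be spotted by eye; this script only
# counts matching entries and does not distinguish Allow from Deny.
$readAces + $writeAces | Format-Table -AutoSize

if ($readAces.Count -gt 0 -and $writeAces.Count -gt 0) {
    Write-Host "OK: $trustee has read and write entries on $gatekeeper at $container"
} elseif ($readAces.Count -gt 0) {
    Write-Warning "Read only: $trustee lacks WriteProperty on $gatekeeper; the command stays hidden"
} else {
    Write-Warning "No entries: link the Access Template to $trustee for $container (or a parent)"
}
```

Run it as an Active Roles administrator after linking the Access Template; if the Web Interface still hides the command, recheck that an IISRESET was performed after the Virtual Attribute was created.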