-
标题
Unable to delegate access to an attribute which is flagged as "Confidential" in Active Directory -
说明
If an attribute is flagged as Confidential in Active Directory, Active Roles Access Templates which should be able to delegate read permissions or any access other than Full Control do not function as expected. Instead, the trustee is not able to view any values of this attribute.
-
原因
In versions of Active Roles prior to Active Roles 7.1, this is expected functionality. Only Users who have native Extended Rights can view confidential attributes. -
解决办法
WORKAROUND
It is possible to programmatically populate an Access Template with the specific Extended Rights permission needed to view attributes which are flagged with as confidential in Active Directory. This must be done programmatically, as only a generic Extended Rights permission can be delegated though the Active Roles Console, and this would allow all of the following:
- All Extended Rights
- Allowed to Authenticate
- Change Password
- Receive As
- Reset Password
- Send As
In order to populate an Access Template programmatically, a blank Access Template must first be created at a known location. The below script assumes that an Access Template named TestAT has been created in the root of the default Access Template container. This should be changed to match an actual Access Template name. The script is setting the necessary access for a custom Active Directory attribute called ssn. This should also be changed to match an actual attribute which is flagged as confidential.
const EDS_RIGHT_DS_READ_PROP=16const EDS_RIGHT_DS_WRITE_PROP=32const ACCESS_ALLOWED_ACE_TYPE=0const EDS_RIGHT_DS_CONTROL_ACCESS=256Set atObject=GetObject("EDMS://CN=TestAT,CN=Access Templates,cn=Configuration")Set NewATE=Nothing' Create a new Permission Entryset NewATE=atObject.CreatePermissionEntry' Set properties of the newly created Permission Entry: write description for userNewATE.AteType=ACCESS_ALLOWED_ACE_TYPE ' "Allow" ATE type' Write Property access maskNewATE.AccessMask=EDS_RIGHT_DS_CONTROL_ACCESS' Apply to User objectsNewATE.InheritedObjectTypeADsPath="EDMS://user,Schema"' Apply to ssn propertyNewATE.ObjectTypeADsPath="EDMS://ssn,Schema"atObject.AddPermissionEntry(NewATE)atObject.SetInfoSTATUS
This has been resolved in Active Roles 7.1. After upgrading to Active Roles 7.2.1 and later versions, Active Roles will handle confidential attributes just like any other attribute: if access is granted via any Access Template, then the trustee will be able to see the values stored in that attribute.
If it is desired to prevent view access for all but some trustees, even if they have been granted a View All Properties Access Template, then it is possible to implement an Access Rule as per this resource.
-
变更请求
649787