
AD Group Security

Comments

2 comments

  • Dan Griffin

    My issue was applying security to a workflow.  This from support:

    ***

    Regarding the AD question, you can add permissions to a specific group of users even if they are part of a larger group that has been denied access to that resource. There are two ways to do this:

    - Deny access to all users to a parent object, and then allow the group of users that you want on a child object. Explicit permissions set on child objects always take precedence. The most common scenario is that you have an editable layer that you want only a group of users to see. In the layer tree you will have the map service (feature service) and as a child the feature layer. In this case you'll deny permissions to the feature service to all users, and then allow permissions on the layer to some specific users.

    - In some cases you don't have a parent object to deny (like with workflows). In this case you can specifically tell Essentials that Allow beats Deny for that object (the other way is the default). To do this, you have to add Precedence="AllowBeforeDeny" within the <Permissions> tag for that workflow:

    An example from a site.xml:

        <Workflow DisplayName="GeotagSample" ID="GeotagSample" Uri="{SiteUri}/GeotagSample.xaml">
          <Permissions Inherit="True" Precedence="AllowBeforeDeny">>
            <Allow Type="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" Value="S-1-5-32-544" Issuer="AD AUTHORITY" />
            <Deny Type="http://www.geocortex.net/security/claims/category/user" Issuer="AD AUTHORITY" />
          </Permissions>
        </Workflow>

     

    0
  • Dan Griffin

    That should be:  <Permissions Inherit="True" Precedence="AllowBeforeDeny">

    0
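Added example, not part of the thread and not vendor code: a small Python check that parses the workflow fragment above, models the Allow/Deny decision with and without Precedence="AllowBeforeDeny", and reports stray character data such as the doubled ">" corrected in the second comment. The evaluation model (a rule with no Value matches any claim of its Type), the claim tuples, and the function names are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Fragment constructed from the site.xml example in the thread (corrected tag).
SITE_XML = """<Workflow DisplayName="GeotagSample" ID="GeotagSample" Uri="{SiteUri}/GeotagSample.xaml">
  <Permissions Inherit="True" Precedence="AllowBeforeDeny">
    <Allow Type="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" Value="S-1-5-32-544" Issuer="AD AUTHORITY" />
    <Deny Type="http://www.geocortex.net/security/claims/category/user" Issuer="AD AUTHORITY" />
  </Permissions>
</Workflow>"""

GROUPSID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
USER = "http://www.geocortex.net/security/claims/category/user"

def matches(rule, claims):
    # Assumption: a rule with no Value matches any claim of its Type.
    return any(t == rule.get("Type") and rule.get("Value") in (None, v) for t, v in claims)

def decide(permissions, claims):
    """Modelled decision: 'allow', 'deny' or 'none' for one <Permissions> element."""
    allowed = any(matches(r, claims) for r in permissions.findall("Allow"))
    denied = any(matches(r, claims) for r in permissions.findall("Deny"))
    if allowed and denied:
        # Per the thread: Deny wins by default, AllowBeforeDeny reverses that.
        allow_wins = permissions.get("Precedence") == "AllowBeforeDeny"
        return "allow" if allow_wins else "deny"
    return "allow" if allowed else "deny" if denied else "none"

def stray_text(permissions):
    """Non-whitespace character data inside <Permissions>, e.g. a doubled '>'."""
    parts = [permissions.text or ""] + [(c.tail or "") for c in permissions]
    return "".join(parts).strip()

def audit(xml_text, claims):
    perms = ET.fromstring(xml_text).find("Permissions")
    return decide(perms, claims), stray_text(perms)

if __name__ == "__main__":
    admin = [(USER, ""), (GROUPSID, "S-1-5-32-544")]   # constructed claim sets
    other = [(USER, ""), (GROUPSID, "S-1-5-32-545")]
    print(audit(SITE_XML, admin), audit(SITE_XML, other))
    # Same fragment without the Precedence attribute: the default (Deny wins) applies.
    print(audit(SITE_XML.replace(' Precedence="AllowBeforeDeny"', ""), admin))
    # The doubled '>' from the first post still parses, but leaves stray text.
    print(audit(SITE_XML.replace('AllowBeforeDeny">', 'AllowBeforeDeny">>'), admin))
```

The doubled ">" is well-formed XML (it becomes text content of the element), so a parser will not reject it; a check like `stray_text` is what surfaces it in review.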
