Cannot find AD attribute to delegate permissions for User Objects

Follow

SecureAuth IdP Version Affected:  All

 

Description: 

When trying to delegate permissions to certain attributes in Active Directory (i.e. registeredAddress) to User Objects, you cannot find it listed in the Permissions window.

 

Cause: 

The following list of attributes are stored within specific property sets for User Objects, which is what is actually listed as in the Permissions window:

General Information

Property set containing a set of user attributes that constitute general user information.

Applies to: User

  • Display Name

  • adminDescription

  • codePage

  • CountryCode

  • ObjectSid

  • primaryGroupID

  • sAMAccountName

  • sAMAccountType

  • sDRightsEffective

  • showInAdvancedViewOnly

  • sIDHistory

  • UID

  • comment

Personal Information

Property set containing user attributes that describe personal user information.

Applies to: Computer, Contact, User

  • streetAddress

  • homePostalAddress

  • assistant

  • info

  • country/region name

  • facsimileTelephoneNumber (fax number)

  • International-ISDN-Number

  • Locality-Name

  • MSMQ-Digests

  • mSMQSignCertificates

  • Personal-Title

  • Phone-Fax-Other

  • Phone-Home-Other

  • Phone-Home-Primary

  • otherIpPhone

  • ipPhonenumber

  • primaryInternationalISDNNumber Phone-ISDN-Primary

  • Phone-Mobile-Other (otherMobile)

  • Phone-Mobile-Primary

  • Phone-Office-Other (otherTelephone)

  • Phone-Pager-Other

  • Phone-Pager-Primary

  • physicalDeliveryOfficeName

  • thumbnailPhoto (Picture)

  • postalCode

  • preferredDeliveryMethod

  • registeredAddress

  • State-Or-Province-Name

  • Street-Address

  • telephoneNumber

  • teletexTerminalIdentifier

  • telexNumber

  • primaryTelexNumber

  • userCert

  • User-Shared-Folder

  • User-Shared-Folder-Other

  • userSMIMECertificate

  • x121Address

  • X509-Cert

 

Public Information

Property set containing user attributes that describe user public information.

Applies to: Computer, User

  • Additional-Information notes

  • Allowed-Attributes

  • allowedAttributesEffective

  • allowedChildClasses

  • allowedChildClassesEffective

  • altSecurityIdentities

  • Common-Name (cn)

  • company

  • department

  • description

  • displayNamePrintable

  • division

  • E-mail-Addresses

  • givenName

  • initials

  • legacyExchangeDN

  • manager

  • msDS-Approx-Immed-Subordinates

  • msDS-Auxiliary-Classes

  • distinguishedName (Obj-Dist-Name)

  • Object-Category

  • Object-Class

  • Object-Guid

  • Organization-Name

  • Organizational-Unit-Name

  • otherMailbox

  • Proxy-Addresses

  • RDN name

  • Reports (directReports)

  • servicePrincipalName

  • showInAddressBook

  • Surname

  • System-Flags

  • Text-Country/Region

  • Title

  • userPrincipalName

 

Private Information (2008 Domain Functional Level or newer)

Property set containing user attributes that describe user public information.

Applies to: Computer, User 

  • ms-PKI-Credential-Roaming-Tokens

  • ms-PKI-RoamingTimeStamp

  • ms-PKI-DPAPIMasterKeys

  • ms-PKI-AccountCredentials

 

Resolution:  

Find the attribute you are trying to delegate permissions to in the list above, and then delegate read/write permissions to the property set it belongs to.

 

Special Considerations:  

From a security perspective, you will need to be aware when delegating permissions to property sets as it will allow read/write abilities to other attributes within that set, which may be more access than you want to grant to the service account in use by the IdP.  If that is the case, you should review other AD attributes as potential candidates to store the user's data for IdP consumption.

 

SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.

0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.