Restricting login to admin interface while allowing authentication to dashboard

Is there a way to allow authentication to a dashboard while restricting login to the admin interface? I have a dashboard and I use the Authentication script to authenticate users in AD to allow access. I have also used the Roles script to assign roles that remove admin access for all users except those of a set AD group. However, if an AD user who is not in this admin group authenticates, they can still log into the Admin interface. Even though they can't do anything, they can still click on things and launch the New Dashboard and other setup links. Nothing is saved or changed, but our security team will not allow the dashboard to go to production until we restrict access to the admin interface.

This will be part of 1.5. It’s currently not possible to totally restrict the admin console based on role.

Looking forward to the update. I am in the same situation :(

I presume this has been added now, but I can't seem to find any documentation on how to implement it… any ideas?

Hi, neo. I ran into something similar when I started. This is what I did (I am hosting through the Windows Service):

  • In appsettings.json, under Authentication>>Windows>>Enabled, set it to True.
  • Restart the service

This causes the following issue:
All authentication now goes through A.D.; however, by default all authenticated users (including NTAuthority\AnonymousUser) can log in with Admin rights.

To resolve this, you need to configure the roles. In the Admin console, browse to Settings>>Security. On the roles tab, edit the Administrator role to point to an A.D. security group. The documentation gives an example here: Security - PowerShell Universal. Once I was confident in testing the authentication, I just removed the lines where it is writing out to the text file.

I then disabled the other roles (reader, operators, etc.), until I had a use for them, by setting them like so:

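# Role policy script: receives the authenticated user and outputs
# $true to grant the role or $false to refuse it.
param(
    $User
)

# Strip the DOMAIN\ prefix (not used in the decision below).
$UserName = ($User.Identity.Name)
$UserName = $UserName.Split('\')[1]

# Always output $false so that no user is assigned this role.
$IsMember = $false
$IsMember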

Now users must authenticate when hitting the admin console, and only those in my security group are allowed access. Hope this helps.
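
A fail-closed version of the Administrator role policy described in the answer above, as an added example that is not part of the original post or the PowerShell Universal documentation. The group DN and the `Test-AdminGroupMember` helper are hypothetical, and it assumes the service runs as a domain account that can query A.D. and that `$User.Identity.Name` has the `DOMAIN\user` form used in the post.

```powershell
# Added example: Administrator role policy that refuses access unless membership is proven.
# Assumptions: placeholder group DN; $User.Identity.Name is DOMAIN\user as in the post.
param(
    $User
)

# Placeholder DN of the A.D. security group allowed into the admin console (assumption).
$AdminGroupDn = 'CN=PSU-Admins,OU=Groups,DC=example,DC=com'

function Test-AdminGroupMember {
    param(
        [string]$IdentityName,
        [string]$GroupDn
    )

    # Fail closed: empty names and names without a DOMAIN\ prefix are refused.
    if ([string]::IsNullOrWhiteSpace($IdentityName)) { return $false }
    $parts = $IdentityName.Split('\')
    if ($parts.Count -ne 2 -or [string]::IsNullOrWhiteSpace($parts[1])) { return $false }
    $sam = $parts[1]

    # Accept only characters that need no LDAP filter escaping, so the
    # account name cannot change the meaning of the search filter.
    if ($sam -notmatch '^[A-Za-z0-9._$-]{1,64}$') { return $false }

    try {
        # 1.2.840.113556.1.4.1941 is the A.D. "in chain" matching rule, so nested groups count.
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$sam)(memberOf:1.2.840.113556.1.4.1941:=$GroupDn))"
        $searcher.SizeLimit = 1
        return ($null -ne $searcher.FindOne())
    }
    catch {
        # A directory error must never grant the role.
        return $false
    }
}

$IsMember = Test-AdminGroupMember -IdentityName $User.Identity.Name -GroupDn $AdminGroupDn
$IsMember
```

If the real group DN contains `(`, `)`, `*` or `\`, those characters must be escaped before the DN is placed in the filter.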