There are multiple ways to restrict access, depending on which attribute you use and whether it is part of a default AD permission set. Like you, we have to hide data in AD to maintain compliance. We went with the “otherMailbox” and “mobile” attributes for PWM and had to make some changes to them, plus the Exchange extensionAttributes; we had never used those attributes before. You can either set the “Confidential” bit, if allowable, or just set permissions to “Deny Read” for everyone except “SELF” and whoever else can read it. In order to keep default attributes like “otherMailbox” and “mobile” from being globally readable, we first had to remove the attributes from the property sets. Property sets are groups of attributes with default permissions (security descriptors) that can’t be overridden except on each object itself, which would be a nightmare to apply every time; you can see more of those here: https://docs.microsoft.com/en-us/windows/win32/adschema/property-sets. It is easy to remove them from the set: the attribute in the schema will have “attributeSecurityGUID” set with a value; just clear out the value for the attribute and you can now set permissions and ACLs globally.
We do this a lot for other, non-PWM-related items and also have many custom attributes; we created security groups for the likes of GDPR and FERPA and assign permissions to those. I highly recommend you come up with a good strategy for future use as well, for hiding data that needs it; it makes things so much easier.
--
You received this message because you are subscribed to the Google Groups "pwm-general" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/pwm-general/b5e9c42d-fcca-4579-b2f0-a217524d1a76n%40googlegroups.com.
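The procedure the post describes (clear attributeSecurityGUID on the schema attribute so it leaves its property set, or set the Confidential bit where the schema permits, then scope read access with an inherited ACE), as an added PowerShell example that is not from the post or from PWM. It assumes a hypothetical attribute "mobile", OU "OU=People,DC=example,DC=com" and reader group "PWM-Service", and that it runs as a Schema Admin against the schema master.

```powershell
# Added example (not from the original post). Assumed names: attribute "mobile",
# OU "OU=People,DC=example,DC=com", group "PWM-Service" that must keep read access.
Import-Module ActiveDirectory

$attrName  = 'mobile'
$targetOU  = 'OU=People,DC=example,DC=com'
$readerGrp = 'PWM-Service'

$rootDse      = Get-ADRootDSE
$schemaMaster = (Get-ADForest).SchemaMaster   # schema writes must go to the schema master FSMO
$attr = Get-ADObject -Server $schemaMaster -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attrName))" `
    -Properties attributeSecurityGUID, searchFlags, systemFlags, schemaIDGUID

# systemFlags bit 0x10 marks a base-schema attribute; the Confidential bit (searchFlags 0x80)
# cannot be set on those, which is the "if allowable" case. Otherwise detach the attribute
# from its property set by clearing attributeSecurityGUID, as the post describes.
$isBaseSchema = ($attr.systemFlags -band 0x10) -ne 0
if (-not $isBaseSchema) {
    Set-ADObject -Server $schemaMaster -Identity $attr `
        -Replace @{ searchFlags = ($attr.searchFlags -bor 0x80) }
} elseif ($attr.attributeSecurityGUID) {
    Set-ADObject -Server $schemaMaster -Identity $attr -Clear attributeSecurityGUID
}

# With the attribute out of its property set, grant ReadProperty on just this attribute,
# inherited to user objects under the OU, to SELF and to the service group.
$attrGuid = [guid]$attr.schemaIDGUID
$userGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
    -Properties schemaIDGUID).schemaIDGUID

$acl  = Get-Acl -Path "AD:\$targetOU"
$self = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'   # well-known SELF
$grp  = (Get-ADGroup $readerGrp).SID
foreach ($id in @($self, $grp)) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $id, 'ReadProperty', 'Allow', $attrGuid, 'Descendents', $userGuid))
}
Set-Acl -Path "AD:\$targetOU" -AclObject $acl
```

If you add a "Deny Read" ACE instead, remember that an explicit Deny overrides an Allow for every member of the denied principal, so the denied group must not contain SELF's users or the service account you still need to read the attribute.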