Restricting Open Access to AD Groups

I’ve been exploring the Open Access feature of the new v2.3. I have a group of users for whom I want to create a separate Open Access menu structure containing only the dashboards I have created for them.

For that separate Open Access menu structure, I want to be able to restrict it based on their AD role group so that they can only see the items under that menu. Can this be done?

3 Likes

Open Access dashboards do not require authentication so anonymous users can access them. This means that you’re unable to restrict these dashboards to a certain AD group.

If you wish to do this I would suggest investigating role-based access, which allows you to create different navigation bars for AD groups or users. This would require a named user licence for each user. There is more info on that here.

Our solution was to disable the option for adding a link to the Open Access navigation bar on all Open Access dashboards. And then we created dummy pages on another webserver with two frames that required authentication. In the top menu we added links for the Open Access dashboards that the groups or users should have access to, and in the bottom frame we show the Open Access dashboards.

That way not every user can access all Open Access dashboards. Only the ones they know the URL for.

If they try to access: https://server/SquaredUp/OpenAccess they get an error telling them that there are not any dashboards on the navigation page.

6 Likes

You can add the Open Access URL as a blocked site in your company's Group Policy. The following blog will show you how to do this. http://www.grouppolicy.biz/2010/07/how-to-use-group-policy-to-allow-or-block-urls/

This site has more detail on how to block certain users / groups (organisational Unit) at the end of the blog post. http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Restricting-Specific-Web-Sites-Internet-Explorer-Using-Group-Policy.html

1 Like

It might be overkill, but you can set up a reverse proxy server using Application Request Routing and URLRewrite (modules for IIS available from the Gallery) or Web Application Proxy role in Server 2012 R2. Basically, it acts as a “firewall” between SquaredUp and your users. Depending on your network design, you may need a dedicated SquaredUp server, depending on if you want all SquaredUp traffic to go through the proxy or only Open Access users.

What you do is have the reverse proxy site require authentication and you set up the ACL and back-end URLs. It will then forward only allowed traffic to the SquaredUp server. You have to set the SquaredUp server to only allow web traffic from the reverse proxy, so users can’t just go around the web proxy.

From the user perspective, it’s a logon to get to the Open Access dashboards and it otherwise operates the same as if access were unrestricted.

1 Like
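
The reverse-proxy arrangement described in the last reply, written out as IIS configuration. This is an added example, not part of the original thread or SquaredUp's own documentation; the AD group name, back-end host name and proxy IP address are constructed placeholders, the `/SquaredUp` path is taken from the URL quoted above, and it assumes ARR's proxy function is already enabled at server level.

```xml
<!-- FILE 1: web.config of the reverse-proxy site (IIS with ARR and URL Rewrite) -->
<configuration>
  <system.webServer>
    <security>
      <authentication>
        <!-- Force a logon at the proxy; Open Access stays anonymous behind it -->
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
      <authorization>
        <!-- Drop the default "allow all users" rule, then allow one AD group only -->
        <remove users="*" roles="" verbs="" />
        <!-- Placeholder group name (assumption) -->
        <add accessType="Allow" roles="CONTOSO\SquaredUp-OpenAccess-TeamA" />
      </authorization>
    </security>
    <rewrite>
      <rules>
        <!-- Forward only the SquaredUp application path to the back end -->
        <rule name="SquaredUpToBackend" stopProcessing="true">
          <match url="^SquaredUp/(.*)" />
          <!-- Placeholder back-end host name (assumption) -->
          <action type="Rewrite"
                  url="http://squaredup-backend.example.internal/SquaredUp/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

<!-- FILE 2: web.config of the SquaredUp site on the back-end server -->
<configuration>
  <system.webServer>
    <security>
      <!-- Refuse every client address except the proxy, so users cannot go around it -->
      <ipSecurity allowUnlisted="false">
        <!-- Placeholder proxy address (assumption) -->
        <add ipAddress="10.0.0.10" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
```

On a default IIS installation the authentication and `ipSecurity` sections are locked at server level, so they must be unlocked or the same settings applied in `applicationHost.config` under a `<location>` element for the site. The Windows Authentication, URL Authorization and IP and Domain Restrictions role services need to be installed for these sections to take effect.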