/
Use ResAdmin Mode to Restrict the Visibility of Resources

Use ResAdmin Mode to Restrict the Visibility of Resources

Owned by Phillip Hanegan
Last updated: Oct 29, 2024
3 min read

Administrators can leverage the “ResAdmin” mode in conjunction with visibility filters to restrict the scope of access to resources appearing to users in Resource Admin. For example, these tools can be used to limit the number of people that appear to users searching for people within the organization. This article demonstrates how to configure and apply the ResourceAdmin mode.

Procedure

To configure the ResourceAdmin mode, follow these steps:

  1. Navigate to Visibility Restriction Policies
    On the navbar, expand Role Management and select Visibility Restriction Policies.

  2. Create a Visibility Restriction Policy
    On the Find Visibility Filters page, click the Create Policy tab. This opens the "Create a Visibility Restriction Policy" form.

    image-20240829-161516.png

     

  3. Complete the Policy Form

    • Assign Policy To: Select the type of assignee to whom the policy will be applied. Assignee types include:

      • Person

      • Group

      • Business Role and Location

      • Management Role

      • Management Role Definition

      • Query-Based Collection (SetGroup)

    • Enter a <Assignee Type> Name to Search: Enter the name of the specific assignee instance you want to target. For example, if you selected Management Role as the assignee type, search for and select the relevant Management Role. Note that <Assignee Type> is replaced by the selected assignee type in the form.

    • Object Type To Restrict: Select the object type you want to restrict. For Resource Admin, object types include:

      • ProtectedApplicationResource

      • Group

      • Management Role

      • Shared Folder

      • Mailboxes

      • Person

    • Assignment Type: Define the scope of the visibility restriction. The following assignment types work with ResAdmin mode :

      • Person Relative Resource: Limits the scope of resource visibility to those relative to the policy assignee. Using security groups as an example, relative assignments for that resource type include:

        • Security Groups I am RBAC owner of

        • Security Groups I am responsible for

        • Security Groups I am an owner of

        • Security Groups in organizations I belong to

        • Security Groups in person’s locations

      • Scoped At Location: Limits the visibility of resources to those in and below the selected location.

    • Enter a <Target Assignee> Name to Search: Depending on the assignment type chosen, search for and select the specific instance. For example, if you selected Management Role, search for and select the relevant Management Role.

    • Priority: Enter a priority value for the policy. Lower values indicate higher priority, ensuring that users with multiple assignments receive the policy with the highest priority.

    • Mode: Replace “Default” with “ResAdmin”

    • Enabled: Leave this option checked to enable policy enforcement immediately or uncheck it to disable the policy.

      In the example image below, the policy is assigned to a Management Role named "Docs-SA" and is restricted to people in or below the “Columbus” location. This configuration ensures that members of the Docs-SA Management Role can only view people in Columbus or locations directly below Columbus within the Resource Admin app.

      image-20241028-183007.png

       

  4. Click Save.

Expected Results

Policy assignees should only see the resources meeting the policy's conditions. To verify this, sign in to Resource Admin as a user assigned the policy and verify they can only view the specified resources.