Hi all,
Is it possible to only show adminmode if the user is in a certain AD group?
Thanks
Paul
This should help you out:
https://docs.universaldashboard.io/security/authorization/claims-based
Hi, thanks for the link. I've got authentication working fine for pages, but I can't work out how to apply it to the -AdminMode switch of start-uddashboard.
just the same 
https://docs.universaldashboard.io/admin-mode#authorization
you define the policy
Ahh thanks!
I added the following, but now get an error
$AdminPolicy = New-UDAuthorizationPolicy -Name 'Admin' -Endpoint {
    param($User)
    $User.Identity.Name -eq 'harmanp'
}
$LoginPage = New-UDLoginPage -AuthenticationMethod @($Auth) -PassThru -AuthorizationPolicy @($ITPolicy, $AdminPolicy)
$DashboardParams = @{
    Title = $ConfigurationFile.dashboard.title
    Theme = $SampleTheme
    Pages = $Pages
    EndpointInitialization = $Initialization
    LoginPage = $LoginPage
}
Start-UDDashboard -Dashboard $MyDashboard -Name $ConfigurationFile.dashboard.title -Endpoint $endpoint -AutoReload -Wait -AdminMode -AllowHttpForLogin -AdminModeAuthorizationPolicy 'Admin'

I guess this is correct
Same issue I'm afraid. If I remove -AdminModeAuthorizationPolicy from start-uddashboard then it will start correctly but obviously then everyone has admin mode.
Can you try running this outside IIS to see if you get an error?
-AdminModeAuthorizationPolicy doesn't go under Start-UDDashboard, it belongs to New-UDDashboard
-AdminMode goes under Start-UDDashboard
ex:
$dashboard = New-UDDashboard -LoginPage $LoginPage -Title $dashboardTitle -Theme $theme -Pages $Pages -Footer $footer -EndpointInitialization $addlog -Navigation $Navigation -AdminModeAuthorizationPolicy "ITPolicy"
# Launch
Start-UDDashboard -Port 80 -Dashboard $dashboard -Endpoint $AllUsersEndpoint -Name $DashboardTitle -PublishedFolder $folder, $pictures -Wait -AutoReload -AllowHttpForLogin -AdminMode
Ack. Good catch!! Thanks
Ahh I see! Will take a look tomorrow thanks. If that's it then the example on https://docs.universaldashboard.io/admin-mode#authorization needs to be updated
I had my take on this also just now
@adam what is the difference between the two?
New-UDDashboard -AdminModeAuthorizationPolicy -AdminModeRole ?
It doesn't seem that -adminmoderole works? At least I thought that it should be pointed to the Policy Name, and that the AdminModeAuthorizationPolicy would be the New-UDAuthorizationPolicy.
I changed to using the -AdminModeAuthorizationPolicy "RoleName" and it now works.
for the record I used this in the authpolicy:
New-UDAuthorizationPolicy -Name 'DashboardAdmins' -Endpoint {
    param($ClaimsPrincipal)
    $ClaimsPrincipal.HasClaim("http://schemas.xmlsoap.org/claims/Group", "Domain\SomeGroup")
}
This is for working with ADFS claims and users.
Roles and policies are different ways of locking down a dashboard. For most authentication methods, you won't use roles. Roles work for New-UDAuthenticationMethod -Endpoint {} because you can assign a role to the user when they log in using New-UDAuthenticationResult -Role.
So to answer your question, you'll always want to use -AdminModeAuthorizationPolicy in your case.
Here's the write up on role-based auth: https://docs.universaldashboard.io/security/authorization/role-based
So AdminModeAuthorizationPolicy only looks for UDAuthorizationPolicy and AdminModeRole only looks for UDAuthenticationResult -Role?
But in other places we use the "roles" AuthorizedRole, it looks for both types?
Ain't this misleading?
AuthorizedRole is only looking for roles assigned. Not authorization policies.
AuthorizationPolicy is only looking for passing authorization policies. Not roles.
If there is a situation where you use an authorization policy and then can check it with a role parameter, that is incorrect and should be fixed. Do you have an example of that?
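
The fix from this thread assembled end to end, as an added example that is not part of any post above or of the Universal Dashboard documentation. It uses only cmdlets and parameters quoted in the thread; `$Auth` and `$Pages` are assumed to be defined already as in the poster's script, and `Domain\SomeGroup`, the title and the port are placeholders.

```powershell
# Added example. Assumptions: $Auth (a working authentication method) and
# $Pages already exist, as in the poster's script. 'Domain\SomeGroup' is the
# placeholder group name used in the thread.
if (-not $Auth -or -not $Pages) {
    throw 'Define $Auth and $Pages before running this example.'
}

# Policy endpoint: must return $true for users allowed to see admin mode.
# The claim type and group are literals inside the script block so the
# endpoint does not depend on variables from the calling scope.
$AdminPolicy = New-UDAuthorizationPolicy -Name 'DashboardAdmins' -Endpoint {
    param($ClaimsPrincipal)

    # Fail closed: no principal means no admin mode.
    if ($null -eq $ClaimsPrincipal) { return $false }

    # ADFS group claim, as quoted in the thread.
    $ClaimsPrincipal.HasClaim('http://schemas.xmlsoap.org/claims/Group', 'Domain\SomeGroup')
}

# Register the policy on the login page, as the thread's script does.
$LoginPage = New-UDLoginPage -AuthenticationMethod @($Auth) -AuthorizationPolicy @($AdminPolicy) -PassThru

# -AdminModeAuthorizationPolicy takes the policy NAME and goes on New-UDDashboard.
$DashboardParams = @{
    Title                        = 'Example dashboard'   # placeholder
    Pages                        = $Pages
    LoginPage                    = $LoginPage
    AdminModeAuthorizationPolicy = 'DashboardAdmins'
}
$Dashboard = New-UDDashboard @DashboardParams

# -AdminMode is only the on/off switch on Start-UDDashboard; the policy is not
# passed here. -AllowHttpForLogin is kept from the thread's command lines.
Start-UDDashboard -Dashboard $Dashboard -Port 80 -Wait -AllowHttpForLogin -AdminMode
```

The name given to `-AdminModeAuthorizationPolicy` has to match the `-Name` of a policy passed to `New-UDLoginPage`.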