Adminmode based on New-UDAuthorizationPolicy?

Hi all,

Is it possible to only show adminmode if the user is in a certain ad group?


This should help you out:

Hi, thanks for the link. I’ve got authentication working fine for pages, but I can’t work out how to apply it to the -AdminMode switch of start-uddashboard.

just the same :slight_smile:
you define the policy

Ahh thanks!

I added the following, but now get an error

$AdminPolicy = New-UDAuthorizationPolicy -Name 'Admin' -Endpoint {
    $User.Identity.Name -eq 'harmanp'
$LoginPage = New-UDLoginPage -AuthenticationMethod @($Auth) -PassThru -AuthorizationPolicy @($ITPolicy, $AdminPolicy)
$DashboardParams = @{
    Title                  = $ConfigurationFile.dashboard.title
    Theme                  = $SampleTheme
    Pages                  = $Pages
    EndpointInitialization = $Initialization
    LoginPage              = $LoginPage 

Start-UDDashboard  -Dashboard $MyDashboard -Name $ConfigurationFile.dashboard.title -Endpoint $endpoint -AutoReload -Wait -AdminMode -AllowHttpForLogin -AdminModeAuthorizationPolicy 'Admin'


I guess this is correctly

Same issue I’m afraid. If I remove -AdminModeAuthorizationPolicy from start-uddashboard then it will start correctly but obviously then everyone has admin mode.

Can you try running this outside IIS to see if you get an error?

-AdminModeAuthorizationPolicy doesn’t go under Start-UDDashboard, it belongs to New-UDDashboard

-AdminMode goes under Start-UDDashboard


$dashboard = New-UDDashboard -LoginPage $LoginPage -Title $dashboardTitle -Theme $theme -Pages $Pages -Footer $footer -EndpointInitialization $addlog -Navigation $Navigation -AdminModeAuthorizationPolicy "ITPolicy"

# Launch
Start-UDDashboard -Port 80 -Dashboard $dashboard -Endpoint $AllUsersEndpoint -Name $DashboardTitle -PublishedFolder $folder, $pictures -Wait -AutoReload -AllowHttpForLogin -AdminMode

Ack. Good catch!! Thanks

Ahh I see! Will take a look tomorrow thanks. If that’s it then the example on needs to be updated

1 Like

I had my take on this also just now :slight_smile:
@adam what is the different between the two?
New-UDDashboard -AdminModeAuthorizationPolicy -AdminModeRole ?
it dont seems that -adminmoderole works? atleast I throught that it should be pointed to the Policy Name, and that the AdminModeAuthorizationPolicy would be the New-UDAuthorizationPolicy.

I changed to using the -AdminModeAuthorizationPolicy ‘RoleName’ and it now works.

for the record I used this in the authpolicy:

New-UDAuthorizationPolicy -Name ‘DashboardAdmins’ -Endpoint {

$ClaimsPrincipal.HasClaim("", "Domain\SomeGroup") 


This is for working with ADFS claims and users.

1 Like

Roles and policies are different ways of locking down a dashboard. For most authentication methods, you won’t use roles. Roles work for New-UDAuthenticaitonMethod -Endpoint {} because you can assign a role to the user when they login using New-UDAuthenticationResult -Role.

So to answer your question, you’ll always want to use -AdminModeAuthorizationPolicy in your case.

Here’s the write up on role-based auth:

so AdminModeAuthorizationPolicy only looks for UDAuthorizationPolicy and AdminModeRole are only looking for UDAuthenticationResult -Role ?

but other places we use the “roles” AuthorizedRole if looks fo both types ?

aint this misleading? :stuck_out_tongue:

AuthorizedRole is only looking for roles assigned. Not authorization policies.
AuthorizationPolicy is only looking for passing authorization polcies. Not roles.

If there is a situation where you use an authorization policy and then can check it with a role parameter, that is incorrect and should be fixed. Do you have an example of that?