0 votes

Hello

Setup:
- Test environment, not in production.
- A User manager (UM) is logged on WebUI.
- The UM is trustee "Owner (Managed by)", Scope "Users"; subtree.
- The given OU (in the example called Distrikt Nord) is "Managed by" a security group of which the UM is a member.
- The UM is not a member of any security groups pointing to underlying OUs.

Issue 1:
When selecting "My managed Objects", the UM can see underlying OUs (in the example "Institution N") for which he is not the manager (Owner).
Okay, the UM has no rights to perform user management in the OU (Institution N), but we expected this OU to be hidden from the UM.
Actually, we expected "My managed objects" to be a flat representation of OUs, rather than a hierarchical one.

Issue 2:
When adding a user to a security group, the UM gets all users displayed.

We expected to see only a list of the users for whom the UM is user manager.
In the given example, the UM should only be shown the users "Test Et" and "Test Tre", because he is user manager for those two users only.

If put into production, I do not think it would be a good idea to list 3500+ users :-)

- Thanks in advance

by (2.6k points)

1 Answer

0 votes
by (215k points)
Best answer

Hello,

Issue 1

Actually, this was the original idea: to allow users to browse into the OUs they manage if they have sufficient permissions to view the OU structure. Since the Web interface shows only the objects a user has permissions to view granted via Security Roles, you can adjust Security Roles to hide the sub-OUs nested within the managed OUs. However, pay attention that in this case, users won't be able to view the sub-OUs anywhere in the Web Interface or the Administration Console, not just in the My Managed Objects section. For information on how to hide objects from users with the help of Security Roles, see the following tutorial: http://www.adaxes.com/tutorials_Delegat ... mUsers.htm.

Issue 2

Here, again, you can hide the unnecessary user accounts with the help of Security Roles. Alternatively, you can configure the section that displays group members not to show objects that are not managed by the currently logged on user. In this case, users won't be able to view the user accounts they don't manage either when viewing a list of the group members or when adding / removing members. For information on how to do this, see section Group members in step 8 of the following tutorial: http://www.adaxes.com/tutorials_WebInte ... diting.htm (subsection How to filter group members displayed in the new section). You need to configure the section to show only objects that match an LDAP filter and use the following LDAP filter:
(|(manager=%distinguishedName%)(managedBy=%distinguishedName%))
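To make the semantics of that filter concrete, here is an added example (not from the answer above or from Adaxes) that substitutes the logged-on user's DN for %distinguishedName% and evaluates the resulting filter against a constructed set of directory entries. The DNs, the group name and the evaluator itself are assumptions; note that equality on managedBy matches only objects managed by the user directly, not via a group the user belongs to.

```python
"""Minimal RFC 4515 evaluator: (&...), (|...), (!...) and attr=value equality."""

FILTER = "(|(manager=%distinguishedName%)(managedBy=%distinguishedName%))"

def parse(s, i=0):
    """Parse one parenthesised filter starting at s[i]; return (node, next index)."""
    assert s[i] == "("
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] != ")":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")   # first '=' splits attr from DN value
    return ("=", attr.lower(), value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against an entry (dict of lower-case attr -> list of values)."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    # DN-syntax attributes compare case-insensitively on the whole DN
    return any(v.lower() == value.lower() for v in entry.get(attr, []))

def visible_objects(logged_on_dn, entries, filter_template=FILTER):
    """Substitute the logged-on user's DN for %distinguishedName% and keep matching entries."""
    tree = parse(filter_template.replace("%distinguishedName%", logged_on_dn))[0]
    return [e["dn"] for e in entries if matches(tree, e)]

# Constructed sample directory (names follow the thread's example; values are invented)
UM = "CN=User Manager,OU=Brugere,DC=example,DC=com"
GROUP = "CN=Distrikt Nord Managers,OU=Groups,DC=example,DC=com"
SAMPLE = [
    {"dn": "CN=Test Et,OU=Brugere,DC=example,DC=com", "manager": [UM]},
    {"dn": "CN=Test Tre,OU=Brugere,DC=example,DC=com", "manager": [UM]},
    {"dn": "CN=Other User,OU=Brugere,DC=example,DC=com",
     "manager": ["CN=Someone Else,OU=Brugere,DC=example,DC=com"]},
    # OU managed by the group, not by the UM directly: equality on managedBy does not match
    {"dn": "OU=Distrikt Nord,DC=example,DC=com", "managedby": [GROUP]},
    {"dn": "OU=Afdeling AA,OU=Distrikt Nord,DC=example,DC=com", "managedby": [UM]},
]

if __name__ == "__main__":
    print(visible_objects(UM, SAMPLE))
```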

0

Hello

Yes, a combination of BR and scripts. However, I run the scripts every hour as well.

AfterUserCreateBusinessRule:

"Brugere" is the OU hierarchy that contains only user accounts.

-----

Created a new user (using WebUI), "Den Mark":
- Security roles are ok.
- Manager is set correctly.
- Log looks fine.

"Show my users" (a Home Page Action):
New user not shown and this means, that the filters are not working, which can be verified here:

"Add members to a group" (a Home Page Action):
New user is not shown but it correctly only shows my users:

Browsing shows no new user either:

but, "Browsing to Den Mark's OU" (using an Active Directory Pane object), shows the new user.

"My Managed Objects"
Yes, new user is shown.

----

- Thanks

0

Additional picture:


The manager is user manager for "Afdeling AA" and "Afdeling AAA".

0

In your Custom Commands, do you use the following scripts from the Script Repository, without any changes:

0

Update:

The new users were shown after a couple of hours, yesterday.
Creating new users today triggers the same issue.

Tried without any luck:
- Restarting the webserver.
- Restarting Softerra Adaxes Service.
- Logging the user manager off and on the WebUI.
- Emptying browser data.

Summary:
- Required scripts are executed correctly, setting the proper CustomAttribute values on the right objects.
- All rights on roles, OU's and users must be correct, as the user is displayed through the ref. Home Page Pane action after some time.
- The new user can be shown otherwise on the WebUI.

- Merry Christmas :D

0

In your Custom Commands, do you use the following scripts from the Script Repository, without any changes:

Yes, these are the scripts we are using.

Regards
