Too many OU's and users shown

Question

Hello

Setup:
- Test environment, not in production.
- A User manager (UM) is logged on WebUI.
- The UM is trustee "Owner (Managed by)", Scope "Users"; subtree.
- The given OU (in the example called Distrikt Nord) is "Managed by" a security group where the UM is a member.
- UM is not member of any security groups pointing to underlying OU's.

Issue 1:
When selecting "My managed Objects", the UM can see underlying OU's (in the example "Institution N"), for which he is not manager (Owner).
Okay, the UM has no rights to perform user management in the OU (Institution N), but we expected this OU to be hidden from the UM.
Actually, we expected the "My managed objects" to be a flat representation of OU's, rather than a hierarchically one.

Issue 2:
When adding a user to a security group, the UM gets all users displayed.

We expected only to see a list of users, for whom UM was user manager for.
In the given example, the UM should only be shown the users "Test Et" and "Test Tre", because he is user manager for those two users only.

If put into production, I do not think it would be a god idea to list +3500 users :-)

- Thanks in advance

asked Aug 31, 2015 by Boxx.dk (2.6k points)

1 Answer

Best answer

Hello,

Issue 1

Actually, this was the original idea to allow users to browse into the OUs they mange if they have sufficient permissions to view the OU structure. Since the Web interface shows only the objects a user has permissions to view granted via Security Roles, you can adjust Security Roles to hide the sub-OUs nested within the managed OUs. However, pay attention that in this case, users won't be able to view the sub-OUs anywhere in the Web Interface or the Administration Console, not just in the My Managed Objects section. For information on how to hide objects from users with the help of Security Roles, see the following tutorial: http://www.adaxes.com/tutorials_Delegat ... mUsers.htm.

Issue 2

Here, again, you can hide the unnecessary user accounts with the help of a Security Roles. Alternatively, you can configure the section that displays group members not to show objects who are not managed by the currently logged on user. In this case, users won't be able to view the user accounts they don't manage either when viewing a list of the group members or when adding / removing members. For information on how to do this, see section Group members in step 8 of the following tutorial: http://www.adaxes.com/tutorials_WebInte ... diting.htm (subsection How to filter group members displayed in the new section). You need to configure the section to show only objects that match a LDAP filter and use the following LDAP filter:
(|(manager=%distinguishedName%)(managedBy=%distinguishedName%))

Show 6 previous comments

Hello

Yes, a combination of BR and scripts. However, I run the scripts every hour as well.

AfterUserCreateBusinessRule:

"Brugere" is the OU hierarchy that contains only user accounts.

-----

Created a new user (using WebUI), "Den Mark":
- Security roles are ok.
- Manager is set correctly.
- Log looks fine.

"Show my users" (a Home Page Action):
New user not shown and this means, that the filters are not working, which can be verified here:

"Add members to a group" (a Home Page Action):
New user is not shown but it correctly only shows my users:

Browsing shows no new user either:

but, "Browsing to Den Mark's OU" (using an Active Directory Pane object), shows the new user.

"My Managed Objects"
Yes, new user is shown.

----

- Thanks

commented Dec 17, 2015 by Boxx.dk (2.6k points)

Too many OU's and users shown

Please log in or register to add a comment.

Please log in or register to answer this question.

1 Answer

Please log in or register to add a comment.

Related questions