0 votes

Hello

Setup:
- Test environment, not in production.
- A User manager (UM) is logged on WebUI.
- The UM is trustee "Owner (Managed by)", Scope "Users"; subtree.
- The given OU (in the example called Distrikt Nord) is "Managed by" a security group where the UM is a member.
- UM is not a member of any security groups pointing to underlying OU's.

Issue 1:
When selecting "My managed Objects", the UM can see underlying OU's (in the example "Institution N"), for which he is not manager (Owner).
Okay, the UM has no rights to perform user management in the OU (Institution N), but we expected this OU to be hidden from the UM.
Actually, we expected the "My managed objects" to be a flat representation of OU's, rather than a hierarchical one.

Issue 2:
When adding a user to a security group, the UM gets all users displayed.

We expected only to see a list of users for whom the UM is user manager.
In the given example, the UM should only be shown the users "Test Et" and "Test Tre", because he is user manager for those two users only.

If put into production, I do not think it would be a good idea to list 3500+ users :-)

- Thanks in advance

by (2.6k points)

1 Answer

0 votes
by (215k points)
selected by
Best answer

Hello,

Issue 1

Actually, this was the original idea: to allow users to browse into the OUs they manage if they have sufficient permissions to view the OU structure. Since the Web interface shows only the objects a user has permissions to view granted via Security Roles, you can adjust Security Roles to hide the sub-OUs nested within the managed OUs. However, pay attention that in this case, users won't be able to view the sub-OUs anywhere in the Web Interface or the Administration Console, not just in the My Managed Objects section. For information on how to hide objects from users with the help of Security Roles, see the following tutorial: http://www.adaxes.com/tutorials_Delegat ... mUsers.htm.

Issue 2

Here, again, you can hide the unnecessary user accounts with the help of Security Roles. Alternatively, you can configure the section that displays group members not to show objects that are not managed by the currently logged on user. In this case, users won't be able to view the user accounts they don't manage either when viewing a list of the group members or when adding / removing members. For information on how to do this, see section Group members in step 8 of the following tutorial: http://www.adaxes.com/tutorials_WebInte ... diting.htm (subsection How to filter group members displayed in the new section). You need to configure the section to show only objects that match an LDAP filter and use the following LDAP filter:
(|(manager=%distinguishedName%)(managedBy=%distinguishedName%))

0

Issue 2

You need to configure the section to show only objects that match an LDAP filter and use the following LDAP filter:
(|(manager=%distinguishedName%)(managedBy=%distinguishedName%))


Hello

Well, the shown LDAP filter will not work because the logged in User manager may be user manager for several different departments.
To control the departments' user managers, they are members of a security group related to each department.
E.g. "Department A - User managers", "Department B - User managers", etc.
These security groups are added as "Managed By" to the related OU.

Example:

So, we need an LDAP filter that will show a user if:

  • The logged-on user is a member of the user's OU's "Managed By" security group.

I do not know how to design such an LDAP filter :-/ ?


In our current IDM solution, the User manager can filter the shown users, using a drop down list (dynamically populated).

In this example, I can show all users or just the users I manage.

  • Thanks
0

Hello,

I do not know how to design such an LDAP filter :-/ ?

Actually, it is possible to build a filter that includes all subordinates of a manager, including direct reports, subordinates of the direct reports, and users managed via membership in AD groups. However, you'll need to update the filter to keep up with changes in the management structure of your organization. For this purpose, we recommend creating a Scheduled Task that will 'stamp' each manager with an LDAP filter that finds all the manager's subordinates. For information on how to create Scheduled Tasks, see the following tutorial: http://www.adaxes.com/tutorials_Automat ... gement.htm. Use it as a guide.

As an LDAP filter for groups, use a value reference for the property that you specified in the script. For example, if you specified adm-CustomAttributeText1, use the following value reference: %adm-CustomAttributeText1%.
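To make the "stamping" idea concrete, here is an added Python model of the per-manager filter the answer describes (example code, not from this thread or from Softerra's Script Repository): direct reports, reports of reports, and users under OUs whose "Managed By" group the manager belongs to. The directory snapshot, DNs and group names are constructed for illustration, and DN values are escaped per RFC 4515 so a name containing ( ) * or \ cannot alter the generated filter.

```python
# Added example: models the "stamped" per-manager LDAP filter. Not the forum's
# or Softerra's script. All DNs, users, groups and OUs below are constructed.

def ldap_escape(value: str) -> str:
    """RFC 4515 escaping so a DN with ( ) * or \\ cannot change the filter."""
    for ch, esc in (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29")):
        value = value.replace(ch, esc)
    return value

def is_under(dn: str, ou_dn: str) -> bool:
    """True if dn lies in ou_dn's subtree; the leading comma keeps
    'OU=Afdeling AA' from matching objects in 'OU=Afdeling AAA'."""
    return dn.lower().endswith("," + ou_dn.lower())

def groups_of(member_dn, group_members):
    """All groups the object belongs to, following nested membership."""
    found, todo = set(), [member_dn]
    while todo:
        m = todo.pop()
        for g, members in group_members.items():
            if m in members and g not in found:
                found.add(g); todo.append(g)
    return found

def build_subordinates_filter(manager_dn, users, group_members, ou_managed_by):
    """Return (ldap_filter, matched_user_dns). users maps user DN -> manager DN."""
    owners = {manager_dn} | groups_of(manager_dn, group_members)
    managed_ous = [ou for ou, owner in ou_managed_by.items() if owner in owners]
    chain, todo = [], [manager_dn]          # manager plus every transitive report
    while todo:
        m = todo.pop(0); chain.append(m)
        todo.extend(u for u, mgr in users.items()
                    if mgr == m and u not in chain and u not in todo)
    ou_users = sorted(u for u in users if any(is_under(u, ou) for ou in managed_ous))
    clauses = [f"(manager={ldap_escape(m)})" for m in chain]
    clauses += [f"(distinguishedName={ldap_escape(u)})" for u in ou_users]
    matched = {u for u, mgr in users.items() if mgr in chain} | set(ou_users)
    return "(|" + "".join(clauses) + ")", matched

# Constructed snapshot: Mgr is in the "Afdeling AA - User managers" group only.
BASE = "OU=Brugere,DC=example,DC=test"
MGR = f"CN=Mgr,{BASE}"
USERS = {
    MGR: None,
    f"CN=Test Et,OU=Afdeling AA,{BASE}": MGR,                                   # direct report
    f"CN=Test Tre,OU=Afdeling AAA,{BASE}": f"CN=Test Et,OU=Afdeling AA,{BASE}",  # report of a report
    f"CN=New User,OU=Afdeling AA,{BASE}": None,             # in managed OU, no manager attribute yet
    f"CN=Other,OU=Afdeling B,{BASE}": f"CN=OtherMgr,OU=Afdeling B,{BASE}",
}
GROUPS = {f"CN=Afdeling AA - User managers,{BASE}": {MGR}}
OU_MANAGED_BY = {f"OU=Afdeling AA,{BASE}": f"CN=Afdeling AA - User managers,{BASE}",
                 f"OU=Afdeling B,{BASE}": f"CN=Afdeling B - User managers,{BASE}"}
```

Because the stamped filter is a snapshot, a user created after the task last ran is only matched once the task re-runs or the user's manager attribute points at someone already in the chain.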

0

Hello,

As an LDAP filter for groups, use a value reference for the property that you specified in the script. For example, if you specified adm-CustomAttributeText1, use the following value reference: %adm-CustomAttributeText1%.


Hello

Yes, it works well !!

Now (more wants more ....) - is it possible to create a similar filter showing only "my managed objects" when selecting OU's or Groups ?

Cannot find "My managed objects" as a calculated property.

Thanks

0

Hello,

is it possible to create a similar filter showing only "my managed objects" when selecting OU's or Groups ?

Yes, sure. See Create LDAP filter to find all objects managed by user.

0

Hello

The filters work fine, but I experience some latency before the filters are working correctly.
I'm afraid that this latency could prove a security issue, leaving a newly created user open for unauthorized editing before the filters are working ?

Issue:

When a manager creates a new user, Adaxes runs both scripts after the user is created, to update the filters. The log says that everything is okay.

But when the manager afterwards tries to view all his users using a Home Page Action (Show my users), the new user is not shown in the list until after a while. Logging off and on again does not solve the problem.


The Manager attribute is set correctly on the user.

When browsing to the user's OU, the new user is present, however - the purpose of the Home Page Action is pointless then....

We only have 4 users created in the test environment, so I hope it's not a performance issue, with 3600 users awaiting to be enrolled in the production environment :shock:

- Thanks

0

Hello,

When a manager creates a new user, Adaxes runs both scripts after the user is created, to update the filters. The log says that everything is okay.

Is this done using a Business Rule? Can you post here or send us a screenshot of the actions/conditions of the Business Rule?

0

Hello

Yes, a combination of BR and scripts. However, I run the scripts every hour as well.

AfterUserCreateBusinessRule:

"Brugere" is the OU hierarchy that contains only user accounts.

-----

Created a new user (using WebUI), "Den Mark":
- Security roles are ok.
- Manager is set correctly.
- Log looks fine.

"Show my users" (a Home Page Action):
New user not shown and this means, that the filters are not working, which can be verified here:

"Add members to a group" (a Home Page Action):
New user is not shown but it correctly only shows my users:

Browsing shows no new user either:

but, "Browsing to Den Mark's OU" (using an Active Directory Pane object), shows the new user.

"My Managed Objects"
Yes, new user is shown.

----

- Thanks

0

Additional picture:


The manager is user manager for "Afdeling AA" and "Afdeling AAA".

0

In your Custom Commands, do you use the following scripts from the Script Repository, without any changes:

0

Update:

The new users were shown after a couple of hours, yesterday.
Creating new users today triggers the same issue.

Tried without any luck:
- Restarting the webserver.
- Restarting Softerra Adaxes Service.
- Logging the user manager off and on the WebUI.
- Emptying browser data.

Summary:
- Required scripts are executed correctly, setting the proper CustomAttribute values on the right objects.
- All rights on roles, OU's and users must be correct, as the user is displayed through the ref. Home Page Pane action after some time.
- The new user can be shown otherwise on the WebUI.

- Merry Christmas :D

0

In your Custom Commands, do you use the following scripts from the Script Repository, without any changes:

Yes, these are the scripts we are using.

Regards
