Adaxes

Security Role wildcard pattern

0 votes

Hallo @All,

I'm working in an cloud environment with many tenants and every tenat has the same organizational unit structure.
Now I want to add a security rule that deny access to the administration ou under the ROOT of each tenat.
The nomal case is to add a rule for every administration ou (one per tenat).

Here my question: Is this possible to add a rule that works like this?

Deny => OU=Administration,OU=*,DC=contoso,dc=msft,dc=com

I hope someone has a hint for me.

Thanks
Arne

by (360 points)
0

Hello @All,

does nobody have a hint for me?
:cry:

by (360 points)

1 Answer

0 votes
by (216k points)

Hello Arne,

Yes, this is possible. You can:

  1. Create a Business Unit that will include objects located under the Administration OU in each tenant.
  2. Create a Security Role that denies the operations you don't want and include the Business Unit in the Assignment Scope of the role.
  3. Create a Scheduled Task that will iterate through all the tenant OUs and update the Membership Rules of the Business Unit automatically.

If you are OK with such a solution, we can provide you more detailed instructions and a script that will be required for the Scheduled Task.

Related questions

0 votes
1 answer
Security Role for Read Only Configuration Items

How can I grant read only rights for Configuration items in the Adaxes Admin Console?

asked Jan 26 by mark.it.admin (2.3k points)
0 votes
1 answer
What specific permission is needed in a security role to grant access to enable a user account?

What specific permission is needed in a security role to grant access to enable a user account?

asked Dec 7, 2023 by mightycabal (1.0k points)
0 votes
1 answer
Is it better to grant access via multiple OU and group assignments in the security role or use a business unit?

I have 18 domains managed by Adaxes and have noticed that Admin (full access) t all objects acts normally, but for piecemeal scopes like Service Desk that scopes to individual ... role (including 16 denies) and expect it to grow as we add more domains.

asked Sep 20, 2022 by DA-symplr (80 points)
0 votes
1 answer
Assign permission other than 'Account Options' to a security role

I only want to allow a security role to write 'user must change password at next logon' and not all options they have under 'Account Options'. The only permission I can see in ... ". I'd rather not assign permissions to all these settings if I don't have to.

asked Apr 6, 2021 by cfrazier (20 points)
0 votes
0 answers
Security role not working?

Followed this tutorial https://www.adaxes.com/tutorials_DelegatingPermissions_GrantRightsToModifySpecificProperties.htm, when logged into webpage cannot change any properties.

asked Jan 10, 2020 by Derek.Axe (480 points)
3,351 questions
3,052 answers
7,791 comments
545,079 users