Hey there,

We allow our staff to modify membership to certain AD groups by designating a person in the 'Managed By' field. That person then changes the group's members via Outlook. I noticed that, in Adaxes Web UIs, this person gets an 'Access Denied' message when attempting to add or remove members.

Basically, I'd like there to be some logic that says 'When looking at a group... If logged in user = Managed By user for this group, then allow them to modify group membership' without any object specific configuration. Is this possible?

Thanks!

1 Answer

Update 2015

You can use the Owner (Managed By) security principal to grant the permissions. For details, have a look at section Grant rights to add or remove group members of the following tutorial: https://www.adaxes.com/tutorials_DelegatingPermissions_GrantRightsToModifyADGroupMembership.htm#assigned.

Original

Hi Kirk,

In one of the upcoming releases we are planning to extend Security Roles to allow delegating permissions to object owners. This will allow you to grant the 'add/remove member' right to group managers.

However there is another way to implement what you need.

In 2011.3 it will be possible to use value references in Business Rule conditions. This will allow you to control access to objects based on whether the operation initiator is the group manager or not.


What you will need to do:

  • With the help of Security Roles allow all users to add/remove members from certain groups (e.g. groups that belong to a Business Unit, or located under an OU).
  • Create a Business Rule that is triggered before adding/removing group members. If the operation initiator is not the group manager, this rule will cancel the operation (see screenshot above). Optionally, this Business Rule can submit an approval request to the group manager.
Thank you, Eugene.

Is it possible to modify the approach below to account for situations where 'Managed By' property references a group instead of an individual?

Hello Kirk,

For now, you can do this with the help of a script:

  1. Create a Business Rule that is triggered before adding or removing members from a group.

  2. Add the Run a program or PowerShell script action to the Business Rule.

  3. Specify the following PowerShell script for the action:

      Import-Module Adaxes

      # DN of the user performing the operation and DN from the group's Managed By field
      $initiatorDN = "%adm-initiatorDN%"
      $managedByDN = "%managedBy%"
      $domainName = "company.com" # TODO: replace with your domain
      $allowed = $FALSE

      if ($initiatorDN -eq $managedByDN)
      {
          # The initiator is the group manager
          $allowed = $TRUE
      }
      else
      {
          # Managed By may reference a group: allow if the initiator is a member of it
          foreach ($group in Get-AdmPrincipalGroupMembership $initiatorDN -Server $domainName -AdaxesService localhost)
          {
              if ($group.DistinguishedName -eq $managedByDN)
              {
                  $allowed = $TRUE
                  break
              }
          }
      }

      if (-not $allowed)
      {
          $Context.Cancel("Access is denied")
      }

Thank you, sir! Very helpful.

Here is another script that can be used in the If PowerShell script returns true condition.
The script allows group membership modification for group managers and Adaxes service administrators.

Import-Module Adaxes

$groupDN = "%distinguishedName%"
$initiatorDN = "%adm-initiatorDN%"
$managedByDN = "%managedBy%"

# The condition is met (true) when the operation must be cancelled
$Context.ConditionIsMet = $True

# Test whether the initiator is a service administrator
$configurationSetSettingsPath = $Context.GetWellKnownContainerPath("ConfigurationSetSettings")
$configurationSetSettings = $Context.BindToObject($configurationSetSettingsPath)
if ($configurationSetSettings.AdministratorManager.AmIAdministrator())
{
    $Context.ConditionIsMet = $False
}
else
{
    # Test whether the group is managed by the initiator
    if ($initiatorDN -eq $managedByDN)
    {
        $Context.ConditionIsMet = $False
    }
    else
    {
        # Managed By may reference a group: allow if the initiator is a member of it
        $domainName = $Context.GetObjectDomain($initiatorDN)
        foreach ($group in Get-AdmPrincipalGroupMembership $initiatorDN -Server $domainName -AdaxesService localhost)
        {
            if ($group.DistinguishedName -eq $managedByDN)
            {
                $Context.ConditionIsMet = $False
                break
            }
        }
    }
}

To use the script, add the Cancel this operation action to your Business Rule and add the If PowerShell script returns true condition for the action. Use the script in the condition.
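The two scripts in this thread compare the initiator against the group's direct memberships only, and they treat an empty Managed By field as "not the manager" implicitly. The following is an added example, not code from the thread or from Adaxes, of the same "If PowerShell script returns true" condition written to fail closed and to follow nested group membership when Managed By references a group. It assumes the same value references (%adm-initiatorDN%, %managedBy%) and $Context methods used above, and that Get-AdmObject accepts -Identity, -Properties, -Server and -AdaxesService in the same way as Get-ADObject; the function name Test-IsMemberOrSelf and the use of $Context.LogMessage are the example's own choices.

```powershell
Import-Module Adaxes

# Value references resolved by Adaxes before the script runs (as in the thread's scripts).
$initiatorDN = "%adm-initiatorDN%"
$managedByDN = "%managedBy%"
$adaxesService = "localhost"

# Returns $true when $principalDN equals $targetDN, or when $targetDN is a group that
# contains $principalDN directly or through nested groups (walked via memberOf).
# $visited stops the walk on circular nesting. Assumption: Get-AdmObject mirrors Get-ADObject.
function Test-IsMemberOrSelf {
    param(
        [string]$principalDN,
        [string]$targetDN,
        [System.Collections.Generic.HashSet[string]]$visited
    )
    if ([string]::IsNullOrEmpty($principalDN) -or [string]::IsNullOrEmpty($targetDN)) { return $false }
    if ($principalDN -eq $targetDN) { return $true }
    # DNs are case-insensitive; normalise before recording the visit
    if (-not $visited.Add($principalDN.ToLowerInvariant())) { return $false }

    $domain = $Context.GetObjectDomain($principalDN)
    $obj = Get-AdmObject -Identity $principalDN -Properties memberOf -Server $domain -AdaxesService $adaxesService
    foreach ($groupDN in @($obj.memberOf)) {
        if (Test-IsMemberOrSelf -principalDN $groupDN -targetDN $targetDN -visited $visited) { return $true }
    }
    return $false
}

$allowed = $false

# Service administrators keep their rights, as in the thread's second script.
$configurationSetSettingsPath = $Context.GetWellKnownContainerPath("ConfigurationSetSettings")
$configurationSetSettings = $Context.BindToObject($configurationSetSettingsPath)
if ($configurationSetSettings.AdministratorManager.AmIAdministrator()) {
    $allowed = $true
}
elseif ([string]::IsNullOrEmpty($managedByDN)) {
    # No Managed By value: nobody has been delegated, so deny rather than fall through.
    $allowed = $false
}
else {
    $visited = New-Object 'System.Collections.Generic.HashSet[string]'
    $allowed = Test-IsMemberOrSelf -principalDN $initiatorDN -targetDN $managedByDN -visited $visited
}

# Condition is met (true) when the Cancel action must run.
if ($allowed) {
    $Context.ConditionIsMet = $false
}
else {
    $Context.ConditionIsMet = $true
    $Context.LogMessage("$initiatorDN is neither the manager of this group nor a member of its manager group; cancelling.", "Warning")
}
```

Two caveats apply when relying on memberOf for the walk: the initiator's primary group is not listed in memberOf, and memberships in groups from other domains are only complete when the query reaches a global catalog, so a manager group that lives in another domain of the forest may need an explicit -Server pointing at a GC. The check is also only as strong as the write permission on the Managed By attribute itself: anyone who can set Managed By on a group can delegate its membership to themselves, so that attribute should be restricted to the same people who are allowed to grant group rights.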
