0 votes

Hi,

I have a Business Unit defined based on an LDAP Query which I use to limit the accounts in AD an admin can control. I would also like to limit the scope of the search so they can not find AD users outside of the BU.

I tried removing the Read All Objects from Domain User and adding Read All Objects to my admin role with an assignment over the BU, but now only the admin's own account is visible. I can only seem to get this to work by giving read to everything which isn't what I want?

I am assuming there is a set of attributes I need to allow access to for the LDAP filter to work on the BU, but having trouble working it out?

Thanks,

by (390 points)
0

Hello,

Could you post here or send to support[at]adaxes.com the following:

  • A screenshot of Permissions and Assignments of your admin role.
  • A screenshot of Membership Rules of the Business Unit.
0

Screenshots emailed as I couldn't get them here :(

0

Dazbo,

When you click Reply to Post, look right above the check boxes below the window for Options and find, just to the right of it in gray lettering, Upload Attachment.

0

This is the Domain User Role and the Membership Rule.

The rule just has %extensionattribute5% in it, and the admin user has an LDAP filter in this attribute to define the users they can control - i.e. (|(depertment=HR)(department=IT))

Set up like this, it works, but the admin can search for any user in the domain, which is not what I want. If I remove the domain assignment from the Role, then the admin can only find themselves.

Thanks

1 Answer

0 votes
by (216k points)

Hello,

The assignment of the Security Role is incorrect for the task you want to achieve. You included the Business Unit in the Assignments of the Security Role, and selected This object only as the assignment scope.

This means that you allowed authenticated users to view the Business Unit itself, but not the members of the Business Unit. To allow users to also view members of the Business Unit:

  1. Double-click the assignment of the Role that includes the Business Unit.
  2. Select the Members of this Business Unit option.
  3. Click OK.
  4. Save the Security Role.
0

Now I feel dumb. I stared at this for ages and didn't spot that :(

Thanks again.
