0 votes

We are using the SeeAlso attribute to store who is responsible for specific accounts.

We do not wish to use the Manager field, because the Manager/Direct Report structure is reflected in org charts in many applications we use.

So we implemented the SeeAlso attribute to store the DN of the "Account Owner".

The only bit we are missing is to grant permissions to edit a user when the initiator DN is present in the SeeAlso attribute. This way, if my DN is present in the SeeAlso attribute for a user, I have rights to, for example, extend the expiration date of an account.

Is that possible?

by (510 points)

1 Answer

+1 vote
by (184k points)
selected by
Best answer

Hello Manuel,

Yes, it is possible using a dynamic Business Unit and a Security Role. For each user the Business Unit will contain only the accounts that have them specified in the See Also property and will be used to assign the Security Role.

For information on how to create dynamic Business Units, have a look at the following tutorial: https://www.adaxes.com/tutorials_ActiveDirectoryManagement_CreateDynamicBusinessUnit.htm. On step 3 of the guide, select Query Results and enter the following LDAP filter into the corresponding field:

(&(sAMAccountType=805306368)(seeAlso=%distinguishedName%))

image.png

The Security Role will look like the following:

image.png

Additionally, you might consider using the Assistant or Secretary property to store managers. In this case, you will not need a Business Unit and the Security Role will look like the following:

image.png

0

Thank you very much, this solves it.

We wish to use the SeeAlso because it allows multiple values to be used (so that multiple users can have permissions over multiple objects).

This worked perfectly, as you suggested.

+1

Hello Manuel,

Thank you for the confirmation.

For your information, the Secretary property is also multi-valued, so you might consider using it to store multiple managers and avoid using the Business Unit.

0

I wasn't aware Secretary is also multi-valued. Great info, thanks!

0

After giving it some thought, using the Secretary field makes sense, considering that it is also multi-valued.

I am a little confused by the example you show, where the permissions show the Trustee to be "Assistant". Shouldn't it be "Secretary"?

image.png

+1

Hello Manuel,

Yes, you are absolutely right. It was just an example of how you can use either of the security principals. According to your screenshot, the Security Role should work just fine.
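An added example (not part of the original thread and not Adaxes code): PowerShell that builds the accepted answer's filter for one owner DN with RFC 4515 escaping, then lists which accounts each seeAlso value grants ownership of, flagging self-owned accounts and owner DNs that match no known account. The function names and sample DNs are assumptions made for illustration.

```powershell
# Added example, not Adaxes code; all DNs below are constructed sample data.
function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping: \ * ( ) and NUL become \5c \2a \28 \29 \00,
    # so a DN such as "CN=Doe\, Jane (Ops),..." is matched literally.
    param([Parameter(Mandatory)][string]$Value)
    [regex]::Replace($Value, '[\\*()\x00]', { param($m) '\{0:x2}' -f [int][char]$m.Value })
}

function Get-OwnerFilter {
    # The answer's filter with %distinguishedName% replaced by an escaped owner DN.
    param([Parameter(Mandatory)][string]$OwnerDn)
    "(&(sAMAccountType=805306368)(seeAlso=$(ConvertTo-LdapFilterValue $OwnerDn)))"
}

function Get-SeeAlsoDelegation {
    # One row per (owner, account) pair, with a flag on values that need review.
    param([Parameter(Mandatory)][object[]]$Accounts)
    $known = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]$Accounts.DistinguishedName, [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($acct in $Accounts) {
        foreach ($owner in @($acct.seeAlso)) {
            if (-not $owner) { continue }   # attribute not set on this account
            $issue = ''
            if ($owner -eq $acct.DistinguishedName) {
                $issue = 'SelfOwned'        # account lists itself as its owner
            } elseif (-not $known.Contains($owner)) {
                $issue = 'OwnerNotFound'    # DN matches no account in the input
            }
            [pscustomobject]@{ Owner = $owner; Account = $acct.DistinguishedName; Issue = $issue }
        }
    }
}

# Constructed sample input. In a live domain the same shape comes from:
#   Get-ADUser -Filter * -Properties seeAlso   (ActiveDirectory module)
$jane = 'CN=Doe\, Jane (Ops),OU=Staff,DC=example,DC=com'
$accounts = @(
    [pscustomobject]@{ DistinguishedName = $jane; seeAlso = @() }
    [pscustomobject]@{ DistinguishedName = 'CN=svc-backup,OU=Service,DC=example,DC=com'
                       seeAlso = @($jane, 'CN=Former Owner,OU=Staff,DC=example,DC=com') }
    [pscustomobject]@{ DistinguishedName = 'CN=svc-web,OU=Service,DC=example,DC=com'
                       seeAlso = @('CN=svc-web,OU=Service,DC=example,DC=com') }
)

Get-OwnerFilter $jane
Get-SeeAlsoDelegation $accounts | Format-Table -AutoSize
```

Because seeAlso now decides who may edit an account, write access to that attribute is worth reviewing alongside the output of this listing.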
