0 votes

We are using the SeeAlso attribute to store who is responsible for specific accounts.

We do not wish to use the Manager field, because the Manager/Direct Report structure is reflected in org charts in many applications we use.

So we implemented the SeeAlso attribute to store the DN of the "Account Owner"

The only bit we are missing is to grant permissions to edit a user when the initiatior DN is present in the SeeAlso attribute. This way, if my DN is present in the SeeAlso attribute for a user, I have rights to, for example, extende the expiration date of an account.

Is that possible?

by (100 points)

1 Answer

+1 vote
by (277k points)
selected by
Best answer

Hello Manuel,

Yes, it is possible using a dynamic Business Unit and a Security Role. For each user the Business Unit will contain only the accounts that have them specified in the See Also property and will be used to assign the Security Role. For information on how to create dynamic Business Units, have a look at the following tutorial: https://www.adaxes.com/tutorials_ActiveDirectoryManagement_CreateDynamicBusinessUnit.htm. On step 3 of the guide, select Query Results and enter the following LDAP filter into the corresponding field: (&(sAMAccountType=805306368)(seeAlso=%distinguishedName%)) image.png The Security Role will look like the following: image.png Additionally, you might consider using the Assistant or Secretary property to store managers. In this case, you will not need a Business Unit and the Security Role will look like the following: image.png

0

Thank you very much, this solves it.

We wish to use the SeeAlso because it allows multiple values to be used (so that multiple users can have permissions over multiple objects).

This worked perfect as you suggested

+1

Hello Manuel,

Thank you for the confirmation.

For you information, the Secretary property is also multi-valued, so you might consider using it to store multiple managers and avoid using the Business Unit.

0

I wasn't aware Secretary is also multi-valude. Great info, thanks!

0

After giving it some thoughts, using the Secretary field makes sense, considering that is also multi valued.

I am a little confused by the example you show, where the permissions show the Trustee to be "Assistant". Shouldn't it be "Secretary"?

image.png

+1

Hello Manuel,

Yes, you are absolutely right. It was just an example on how you can use either of the security principals. According to your screenshot, the Security Role should work just fine.

Related questions

0 votes
1 answer

What specific permission is needed in a security role to grant access to enable a user account?

asked Dec 7, 2023 by mightycabal (1.0k points)
0 votes
1 answer

I am trying to trigger processing outside of Active Directory when an account is created based on the source user account that was used. Does Adaxes store the source account anywhere?

asked Oct 9, 2023 by jnordell (20 points)
0 votes
1 answer

I have 18 domains managed by Adaxes and have noticed that Admin (full access) t all objects acts normally, but for piecemeal scopes like Service Desk that scopes to individual ... role (including 16 denies) and expect it to grow as we add more domains.

asked Sep 20, 2022 by DA-symplr (80 points)
0 votes
0 answers

Over the last day or so we have been seeing this pop up under the exchange header in adaxes portal. cmdlet Get-CASMailbox is not present in the role definition of the current user

asked Jul 3, 2023 by Jeff.Briand (80 points)
0 votes
1 answer

I would like users to use Adaxes to add themselves or others to a group, but instead of it just working, it has to go thru an approval process and be approved by the group owner before they are added. Thanks!

asked Jun 30, 2021 by RayBilyk (230 points)
3,410 questions
3,105 answers
7,899 comments
545,798 users