Create dynamic business unit

Virtual collections of directory objects, called business units, allow grouping objects based on certain criteria. You can create static business units, membership in which does not depend on the logged in user. For example, if you create a business unit that includes users whose department is Sales, members of the business unit will be the same no matter who is logged in.

You can also create dynamic business units, members of which differ for different users. For example, a business unit can include users whose department is the same as the department of the logged in user. A user whose department is Sales will see members of the Sales department in the business unit, but the very same business unit will contain members from the IT department, when viewed by a user whose department is IT.

Apart from allowing users to browse and manage objects, business units can also be used to distribute permissions. Dynamic business units simplify the delegation process when objects you want to delegate permissions for are related to users which you want to delegate the permissions to. For example, if you want to assign rights to users within their own department, instead of creating multiple assignments for each department, you can create just one for a business unit that includes objects whose department is the same as the department of the logged in user.

For information on how to use business units in security role assignments, see Delegate rights on business unit members.

Dynamic business units cannot be used in the activity scope of business rules, scheduled tasks, Password Self-Service policies, and Microsoft 365 tenants.

Membership in business units is based on rules. To create dynamic business units, you need to use templates instead of including specific objects or using static criteria. To include properties of the logged in user in templates, use value references (e.g. %department%). Value references will be replaced with the corresponding property values of the user.

In this tutorial, you will learn how to create a business unit that will have different members for different users.

  1. Launch Adaxes Administration console.

     How
    • On the computer where Adaxes Administration console is installed, open Windows Start menu.

    • Click Adaxes Administration Console.

  2. Expand your Adaxes service, right-click Business Units, point to New and click Business Unit.

  3. Enter a name for the new business unit and click Next.

  4. On the Membership Rules step, click Add.

  5. Select whether you want to include specific objects, members of a group, objects located in an OU, or objects that match certain criteria.

    Specific objects

    Using the Specific objects rule, you can configure the business unit to include individual directory objects. To include different objects for different users, you need to specify a template that will be used to build the distinguished name (DN) of an object.

     How
    • In the Parameters section, click Add.

    • Activate the Template tab.

    • In the Template field, specify a template for the distinguished name (DN) of an object. Use value references to make the template produce different DNs for different users. Value references will be replaced with the corresponding properties of the logged in user.

      To insert a value reference, click the button.

      For example, if you specify OU=%department%,DC=example,DC=com, and a user whose department is Sales logs in, the business unit will include the organizational unit with the following DN: OU=Sales,DC=example,DC=com.

    • Click OK.

    Group members

    Using the Group members rule, you can configure the business unit to include members of a group. To include members of different groups depending on who is logged in, you need to specify a template that will be used to build the distinguished name (DN) of a group.

     How
    • In the Parameters section, click the button.

    • Activate the Template tab.

    • In the Template field, specify a template for the distinguished name (DN) of a group. Use value references to make the template produce DNs of different groups for different users. Value references will be replaced with the corresponding properties of the logged in user.

      To insert a value reference, click the button.

      For example, if you specify CN=%title%,CN=Users,DC=example,DC=com, and a user whose job title is Sales Manager logs in, the business unit will include members of the group with the following DN: CN=Sales Manager,CN=Users,DC=example,DC=com.

    • Click OK.

    • If you want the business unit to include direct members and members of nested groups, uncheck the Direct members only checkbox.

    • Click OK.

    Objects located in OU or container

    Using the Objects located in OU or container membership rule, you can configure the business unit to include objects located in a container or an organizational unit. To include objects located in different containers depending on who is logged in, you need to specify a template that will be used to build the distinguished name (DN) of a container.

     How
    • In the Parameters section, click the button.

    • Activate the Template tab.

    • In the Template field, specify a template for the distinguished name (DN) of a container or an OU. Use value references to make the template produce DNs of different containers for different users. Value references will be replaced with the corresponding properties of the logged in user.

      To insert a value reference, click the button.

      For example, if you specify OU=%company%,DC=example,DC=com, and a user whose company is Acme logs in, the business unit will include objects located under the organizational unit with the following DN: OU=Acme,DC=example,DC=com.

    • Click OK.

    • If you want the business unit to include objects located directly in the container and objects in all nested containers, click the One level option to change it to Subtree.

    • Click OK.

    Query results

    Using the Query results rule, you can configure the business unit to include objects that match specific criteria. For example, a business unit can include groups with the word Department in their name, or users with the word Sales in the Job Title property.

    Value references in criteria

    Use value references in criteria to make them differ depending on the logged in user.

     Details

    To specify the criteria, click the Edit button next to the Criteria field.

    Here are some examples of dynamic criteria that adjust the business unit members depending on who is viewing it.

    Example 1 – Department is the same as the department of the logged in user
    • Click Add criteria.

    • Select User in the drop-down list.

    • Click Add.

    • Specify Department is %department%.

    • Click OK twice.

    For instance, if a user whose department is Sales views the business unit, value reference %department% will resolve into Sales, and the business unit will contain only users whose department also equals Sales.

    Example 2 – Employee ID starts with the same characters as the logged in user's ID
    • Click Add criteria.

    • Select User in the drop-down list.

    • Click Add.

    • Specify Employee ID starts with %employeeID,3%.

    • Click OK twice.

    For instance, if a user whose employee ID is 111222333 views the business unit, value reference %employeeID,3% will resolve into 111, and the business unit will contain only users whose employee ID also starts with 111.

    Example 3 – All subordinates of the logged in user with disabled accounts
    • Click Add criteria.

    • Select User in the drop-down list.

    • Click Add.

    • Specify All managers includes %distinguishedName%.

    • Click OK.

    • Click Add.

    • Specify Account is disabled is Yes.

    • Click OK twice.

    For instance, when a user views the business unit, value reference %distinguishedName% will resolve into the user's DN. The business unit will contain only users who are direct or indirect subordinates of the logged in user and whose accounts are disabled.

    Search base object

    You can limit where to look for objects matching the criteria, for example, to a specific organizational unit or domain. To look in different locations depending on who is logged in, you need to specify a template that will be used to build the distinguished name (DN) of the search base object.

     Details
    • In the Parameters section, click the button.

    • Activate the Template tab.

    • In the Template field, specify a template for the distinguished name (DN) of the search base object. Use value references to make the template produce DNs of different objects for different users. Value references will be replaced with the corresponding properties of the logged in user.

      To insert a value reference, click the button.

      For example, if you specify %adm-ParentDN%, it will be replaced with the distinguished name of the container where the logged in user is located. Adaxes will search for objects matching your criteria only in this container.

    • Click OK.
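    The following added example (not Adaxes code; the behaviour of Adaxes itself is not shown here) models how the value references used in the DN templates and criteria above resolve against a logged in user's properties. The `%name,N%` truncation rule is inferred from the %employeeID,3% example, the `adm-ParentDN` handling follows the description in the search base step, and the DN escaping of substituted values is this example's own precaution, not something the page states about Adaxes.

```python
import re

# Constructed sample user; not real directory data.
USER = {
    "department": "Sales",
    "title": "Sales Manager",
    "company": "Acme",
    "employeeID": "111222333",
    "distinguishedName": "CN=Jane Doe,OU=Sales,DC=example,DC=com",
}

# RFC 4514 characters that must be escaped when a property value is
# spliced into a DN, so a value like "Sales, EMEA" cannot change the DN.
_DN_SPECIAL = ',+"\\<>;='


def escape_dn_value(value):
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        needs = ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last))
        out.append("\\" + ch if needs else ch)
    return "".join(out)


def parent_dn(dn):
    # Split on unescaped commas and drop the leading RDN.
    rdns = re.split(r"(?<!\\),", dn)
    return ",".join(rdns[1:])


# %name% or %name,N% (N = keep only the first N characters).
_REF = re.compile(r"%([A-Za-z0-9-]+)(?:,(\d+))?%")


def resolve(template, user, dn_context=True):
    """Replace value references with the user's properties.

    dn_context=True escapes substituted values for use inside a DN;
    pass False when the template is a criterion value, not a DN."""
    def repl(match):
        name, length = match.group(1), match.group(2)
        if name == "adm-ParentDN":
            # Already a DN: the container holding the logged in user.
            return parent_dn(user["distinguishedName"])
        value = user.get(name, "")
        if length:
            value = value[: int(length)]
        return escape_dn_value(value) if dn_context else value
    return _REF.sub(repl, template)
```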

    Membership rule priority

    Membership rules have an order of priority. If the same object is supposed to be included in the business unit by one rule but excluded by another rule, Adaxes uses the priority order to determine what to do with the object.

     Details

    Membership rules are always displayed in their priority order, which is:

    • Specific objects – highest priority
    • Group members
    • Objects located in OU or container
    • Query results – lowest priority

    Rules that exclude objects have priority over rules of the same type that include objects.

    For example, imagine a business unit with two membership rules – Exclude group members and Include group members:

    The members of the Helpdesk London group will be excluded because the Exclude group members rule has a higher priority.

    Here's a different scenario – a business unit with the Include group members and Exclude query results rules:

    In this case, every member of the Helpdesk group will be included in the business unit, even if they are from the London office, because the Include group members rule has a higher priority.

    The priority order of membership rules can't be changed.
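    The following added example (not Adaxes code) models the priority order described above: rule types are ordered Specific objects, Group members, Objects located in OU or container, Query results, an exclude rule wins over an include rule of the same type, and the highest-priority matching rule decides. The two Helpdesk scenarios are reproduced with constructed sample users; the group DNs and the office attribute are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Lower number = higher priority, as listed on the page.
RULE_PRIORITY = {"specific": 0, "group": 1, "ou": 2, "query": 3}


@dataclass
class Rule:
    kind: str                      # one of RULE_PRIORITY
    include: bool                  # True = Include rule, False = Exclude rule
    matches: Callable[[Dict], bool]  # predicate over a directory object


def sort_key(rule):
    # Higher-priority type first; within a type, Exclude before Include.
    return (RULE_PRIORITY[rule.kind], 1 if rule.include else 0)


def is_member(obj, rules):
    """First matching rule in priority order decides; no match = not a member."""
    for rule in sorted(rules, key=sort_key):
        if rule.matches(obj):
            return rule.include
    return False


def in_group(group_dn):
    return lambda obj: group_dn in obj.get("memberOf", [])


def office_is(office):
    return lambda obj: obj.get("physicalDeliveryOfficeName") == office


# Constructed sample data (assumed group DNs and office values).
HELPDESK = "CN=Helpdesk,CN=Users,DC=example,DC=com"
HELPDESK_LONDON = "CN=Helpdesk London,CN=Users,DC=example,DC=com"
ALICE = {"memberOf": [HELPDESK, HELPDESK_LONDON], "physicalDeliveryOfficeName": "London"}
BOB = {"memberOf": [HELPDESK], "physicalDeliveryOfficeName": "Berlin"}
CAROL = {"memberOf": [], "physicalDeliveryOfficeName": "London"}

# Scenario 1: Include group members (Helpdesk) + Exclude group members (Helpdesk London).
SCENARIO_1: List[Rule] = [Rule("group", True, in_group(HELPDESK)),
                          Rule("group", False, in_group(HELPDESK_LONDON))]

# Scenario 2: Include group members (Helpdesk) + Exclude query results (office is London).
SCENARIO_2: List[Rule] = [Rule("group", True, in_group(HELPDESK)),
                          Rule("query", False, office_is("London"))]
```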

    When finished adding membership rules, click Next.

  6. On the Columns step, specify the columns that will be visible by default for the business unit and configure sorting and grouping options.

    Click Finish.