View & Manage AD Objects Collectively
Adaxes lets you organize Active Directory objects into virtual collections (or virtual Organizational Units) without changing the structure of the Active Directory hierarchy. These virtual collections are called Business Units. Business Units can include objects that match certain membership criteria but are located in different Active Directory containers or even in different AD domains or forests. For example, a Business Unit can include all users from the Sales department, even if these users are located in different OUs or AD domains.
Not only is it possible to collectively view and manage members of a Business Unit, but you can also delegate rights over these collections or make certain Business Rules and Property Patterns effective for the members of a Business Unit.
In this tutorial you will learn how to create a Business Unit that includes members of the Sales department and how to assign the 'Help Desk' security role to a user over members of this Business Unit.
Launch Adaxes Administration Console, expand your Adaxes service, right-click Business Units, point to New and click Business Unit. The Create Business Unit wizard will open.
Enter the name for the new Business Unit and click Next.
On this page, you need to specify the criteria for including members in (or excluding them from) the new Business Unit. Click the Add button located under the Membership Rules list.
We want our Business Unit to include all users whose department starts with 'Sales'. In the Add Membership Rule dialog, perform the following steps:
- Select Query Results.
- Click the Edit button located next to the Filter edit box.
- In the dialog that opens, select the User object type in the Type drop-down list.
- Type 'Sales' in the Department field.
- Click OK.
If necessary, in the Look in combo box, select a domain or click the Browse button to select a container to search in. When finished, click OK.
The specified membership rule will be displayed in the Membership Rules list. To view members of the Business Unit, click the Show Members button.
If necessary, you can exclude certain users from the Business Unit. For example, to exclude the users located under a specific container, do the following:
- Click the Add button located under the Membership Rules list.
- In the dialog that opens, select the Container Children item.
- Click Select Container and select the container you need.
- Select the Exclude specified objects option.
- Click OK.
If necessary, add other membership rules. When finished, click Finish.
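Because membership is computed from the Department attribute rather than from object location, it is worth listing who the rule actually matches before rights are delegated over the collection. The script below is an added example, not Adaxes code: it uses the Microsoft ActiveDirectory PowerShell module to run the LDAP equivalent of the rule built above and flags matching accounts that have adminCount set. The search base and excluded container are placeholder values, and treating the exclusion as covering everything below that container is an assumption.

```powershell
# Added example, not part of Adaxes. Requires the Microsoft ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

# Assumptions (placeholders, replace with your own values):
$SearchBase = 'DC=example,DC=com'                 # what "Look in" points at
$ExcludedOu = 'OU=Contractors,DC=example,DC=com'  # container used in the exclude rule

# LDAP equivalent of "User objects whose Department starts with 'Sales'"
$filter = '(&(objectCategory=person)(objectClass=user)(department=Sales*))'

function Test-UnderContainer {
    param([string]$DistinguishedName, [string]$ContainerDn)
    # True when the object sits anywhere below the container (assumed exclusion scope)
    return $DistinguishedName.EndsWith(",$ContainerDn",
        [System.StringComparison]::OrdinalIgnoreCase)
}

# Apply the include rule, then the exclude rule, as the Business Unit would
$members = Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -SearchScope Subtree `
        -Properties department, adminCount |
    Where-Object { -not (Test-UnderContainer $_.DistinguishedName $ExcludedOu) }

# Everyone a role assignment over this Business Unit would cover
$members | Sort-Object department, SamAccountName |
    Select-Object SamAccountName, department, Enabled, DistinguishedName |
    Format-Table -AutoSize

# Accounts that are (or were) members of protected groups: review these before
# giving Help Desk operators rights over the whole collection
$privileged = $members | Where-Object { $_.adminCount -eq 1 }
if ($privileged) {
    Write-Warning "$(@($privileged).Count) matching account(s) have adminCount=1:"
    $privileged | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
}
```

Get-ADUser queries a single domain, so for a Business Unit that spans domains, repeat the query with -Server and a matching -SearchBase for each one. Compare the output with what Show Members displays in the wizard.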
Delegating Rights to Manage Business Unit Members
Now that the Business Unit is complete, you can view and manage its members collectively, apply Business Rules and Property Patterns to this Business Unit, and delegate rights over members of this Business Unit.
To give some users Help Desk rights over any user account that is a member of the Business Unit, perform the following steps:
Launch Adaxes Administration Console, expand Adaxes service \ Configuration \ Security Roles \ Builtin and select Help Desk.
In the Result Pane (located on the right), click Add Assignment and select the users or groups to which you want to delegate the Help Desk rights. Click OK.
In the dialog that opens, perform the following steps:
- In the Look in combo box, select Business Units.
- Select your Business Unit in the list below and click Add.
- In the Assignment Options dialog, select Members of this Business Unit and click OK.
- Click OK.
Click Save Changes.
Now, John Doe can use Adaxes Web Interface to perform help desk operations on all users that are members of the Business Unit.