Allow managers to manage direct reports

In this tutorial, you will learn how to grant managers the rights to perform certain operations on accounts of their direct reports. For example, you may want managers to be able to reset passwords of their subordinates, update their job title, telephone number, out of office message in Exchange, etc. The rights to manage user accounts are granted with the help of security roles, just like any other rights in Adaxes.

To delegate permissions to managers, you need to assign a security role to a special security principal, Manager, instead of assigning it to specific users or groups. When a permission is assigned to Manager, it is actually assigned to the user specified in the Manager property of each user account. If the manager of a user changes, the previous manager loses the rights and the new manager gains them instantly.

Permissions granted by security roles are effective only within Adaxes.
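
Because the Manager principal resolves through the Manager property of each account, it is worth reviewing those values in the intended scope before assigning the role. The PowerShell below is an added example, not part of Adaxes or its documentation; the function name Get-ManagerDelegationReview, the flag texts and the example.com sample accounts are assumptions constructed for illustration.

```powershell
# Added example: list who the Manager principal would resolve to, and flag odd cases.
# Input: objects with DistinguishedName, Manager and Enabled, e.g. the output of
#   Get-ADUser -Filter * -SearchBase '<scope DN>' -Properties Manager
function Get-ManagerDelegationReview {
    param([Parameter(Mandatory)] [object[]] $Users)

    # Index accounts by DN so each Manager value can be resolved to an account.
    $byDn = @{}
    foreach ($u in $Users) { $byDn[$u.DistinguishedName] = $u }

    $Users | Where-Object { $_.Manager } | Group-Object -Property Manager | ForEach-Object {
        $mgr   = $byDn[$_.Name]          # group name is the manager's DN
        $flags = @()
        if (-not $mgr)              { $flags += 'manager outside reviewed set' }
        elseif (-not $mgr.Enabled)  { $flags += 'manager account disabled' }
        if ($_.Group.DistinguishedName -contains $_.Name) { $flags += 'user is own manager' }

        [pscustomobject]@{
            Manager       = $_.Name
            DirectReports = $_.Count
            Reports       = $_.Group.DistinguishedName -join '; '
            Flags         = $flags -join ', '
        }
    } | Sort-Object -Property DirectReports -Descending
}

# Constructed sample accounts (not real data) so the function can be tried without a domain.
$ou = 'OU=Sales,DC=example,DC=com'
$sample = @(
    [pscustomobject]@{ DistinguishedName = "CN=Ann Lee,$ou";  Manager = $null;            Enabled = $true  }
    [pscustomobject]@{ DistinguishedName = "CN=Bo Kim,$ou";   Manager = "CN=Ann Lee,$ou"; Enabled = $true  }
    [pscustomobject]@{ DistinguishedName = "CN=Cy Diaz,$ou";  Manager = "CN=Ann Lee,$ou"; Enabled = $true  }
    [pscustomobject]@{ DistinguishedName = "CN=Dee Roy,$ou";  Manager = "CN=Dee Roy,$ou"; Enabled = $true  }
    [pscustomobject]@{ DistinguishedName = "CN=Eli Fox,$ou";  Manager = $null;            Enabled = $false }
    [pscustomobject]@{ DistinguishedName = "CN=Flo Ng,$ou";   Manager = "CN=Eli Fox,$ou"; Enabled = $true  }
    [pscustomobject]@{ DistinguishedName = "CN=Gus Hall,$ou"; Manager = 'CN=Hal Ito,OU=HQ,DC=example,DC=com'; Enabled = $true }
)

Get-ManagerDelegationReview -Users $sample | Format-List
```

Rows with a non-empty Flags value are the ones to resolve before the role is assigned, since the account named in Manager is the one that receives the delegated rights.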

To create a security role and assign it to managers:

  1. Launch Adaxes Administration console.

     How
    • On the computer where Adaxes Administration console is installed, open Windows Start menu.

    • Click Adaxes Administration Console.

  2. Right-click your Adaxes service, point to New and click Security Role.

  3. Enter a name for the new security role and click Next.

  4. On the Permissions step, click Add.

  5. In the list of object types on the left, select User.

  6. In the right section of the dialog, select the permissions you want to delegate to managers. For example, to allow them to reset user passwords, select the Reset Password permission in the Allow column.

    To grant the rights to modify specific properties of user accounts, in the Property-specific permissions list, select the desired property in the Allow column.

     Optionally, add the Read permission

    It is a good practice to add the Read permission to all security roles. It will ensure that users have the right to view the objects they manage. By default, the rights to view directory objects are granted by the built-in security role Domain user. It is recommended to add the Read permission because the default rights can be changed.

    Click OK.

  7. Click Next.

  8. On the Assignments step, click Add.

  9. Select Manager and click Next.

  10. Select the user accounts that managers will be able to manage.

    Select from the following items:

    • All Objects – select to allow managers to manage their direct reports in all the domains managed by Adaxes.

    • Domain – select to allow managers to manage their direct reports in a specific domain.

    • OU or Container – select to allow managers to manage only their direct reports located in a specific organizational unit or container.

    • Group – select to allow managers to manage only their direct reports that are members of a specific group.

    • Business unit – select to allow managers to manage only their direct reports that belong to a specific business unit. To select a business unit, open the Look in drop-down list and select the Business Units item.

    Click Finish to complete the Assign Role wizard.

  11. Click Finish to complete the Create security role wizard.

To manage accounts of direct reports, managers can use Adaxes Web interface. To facilitate access to the accounts, you can place the My Team pane right on the Home page of the Web interface. For details, see Customize the Home page.