Grant rights to modify specific properties of directory objects

Using security roles, you can grant users the rights to modify only particular properties of directory objects. For example, you can allow users to modify the Description property of groups, the Employee ID property of user accounts, and nothing else.

In this tutorial you will learn how to create a security role that grants permission to modify a single property of user objects, and nothing else.

Permissions granted by security roles are effective only within Adaxes. They are enforced by the Adaxes service when users work through the Adaxes Web interface, Administration console or Adaxes ADSI API; they are not written to the Active Directory ACLs of the objects they cover and do not change what a user can do by connecting to Active Directory directly with other tools.

  1. Launch Adaxes Administration console.

     How
    • On the computer where Adaxes Administration console is installed, open Windows Start menu.

    • Click Adaxes Administration Console.

  2. Right-click your Adaxes service, point to New and click Security Role.

  3. Enter a name for the new security role and click Next.

  4. On the Permissions step, click Add.

  5. To add the permission to modify a property of user objects:

    • In the list of object types on the left, select User.

      Permissions for general properties, like Description, can be applied to all types of directory objects. To do so, select the All object types option instead.

    • In the Property-specific permissions section, type the name or a part of the name of the desired property in the filter edit box.

      If you can't find the property you need, make sure the Show all properties checkbox is selected.

    • Select the Write <property name> permission in the Allow column. Add only this one permission: any other permission you tick here widens what the role grants.

    • Click OK.

  6. Click Next.

  7. On the Assignments step, click Add.

  8. Select the users and groups you want to assign the permissions to.

    Click Next.

  9. Select the objects you want to assign the permissions over.

    Select from the following items:

    • All Objects – select to allow modifying the property on all objects in all domains managed by Adaxes.

    • Domain – select to allow modifying the property on all objects within a specific domain.

    • OU or Container – select to allow modifying the property on the objects located in an organizational unit or container.

    • Group – select to allow modifying the property on members of a group.

    • Business unit – select to allow modifying the property on members of a business unit. To select a business unit, open the Look in drop-down list and select the Business Units item.

    You can exclude specific objects, organizational units, members of groups and business units from the assignment scope. For example, if you assigned the security role over all objects in a domain, but do not want users to be able to update the objects located in a specific organizational unit, you can exclude the organizational unit from the scope. To exclude an object, select the Exclude the selection option in the Assignment Options dialog.

     Step by step
    • Click the object you want to exclude.

    • In the Assignment Options dialog, select the Exclude the selection option.

    • Click OK.

    Click Finish to complete the Assign Role wizard.

  10. Click Finish to complete the Create Security Role wizard.
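After the role is created and assigned, it is worth confirming that it grants exactly the intended write and nothing more. The PowerShell script below is an added example, not part of this tutorial or of the Adaxes product documentation. It binds to the Adaxes service through the Adaxes ADSI provider as one of the assigned users and tries two writes on a throw-away test account: one to the granted property (Employee ID) and one to a property the role does not cover (Description). The service host, the delegated account, the test user DN and the property names are all assumptions for the illustration.

```powershell
# Added example (not from the tutorial): checks the effective scope of a
# property-specific Adaxes security role by binding as a delegated user.
#
# Assumptions, all illustrative:
#   - The Adaxes client (Administration console or SDK) is installed on this
#     machine, so the Softerra.Adaxes.Adsi.AdmNamespace COM class is registered.
#   - A security role granting only "Write employeeID" on User objects has been
#     assigned to CONTOSO\helpdesk1 over OU=Staff,DC=contoso,DC=com.
#   - CN=Test User,OU=Staff,DC=contoso,DC=com is a throw-away test account
#     (the employeeID write below is a real change if it succeeds).

$adaxesHost    = "localhost"                                   # assumed
$delegatedUser = "CONTOSO\helpdesk1"                           # assumed
$targetDn      = "CN=Test User,OU=Staff,DC=contoso,DC=com"     # assumed

$cred     = Get-Credential -UserName $delegatedUser -Message "Password of the delegated account"
$password = $cred.GetNetworkCredential().Password

# Bind through the Adaxes ADSI provider under the delegated identity, so the
# Adaxes service evaluates its security roles for that identity. Binding with
# LDAP:// instead would bypass Adaxes and exercise only the native AD ACL.
$admNS      = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly($adaxesHost)
$user       = $admService.OpenObject("Adaxes://$targetDn", $delegatedUser, $password, 0)

function Test-PropertyWrite {
    param(
        [Parameter(Mandatory)] $Object,
        [Parameter(Mandatory)] [string] $Property,
        [Parameter(Mandatory)] [string] $Value
    )
    try {
        $Object.Put($Property, $Value)
        $Object.SetInfo()    # commit; Adaxes rejects it if the role does not allow the write
        return $true
    }
    catch {
        $Object.GetInfo()    # reload the property cache so the rejected change is not retried later
        Write-Verbose ("{0}: {1}" -f $Property, $_.Exception.Message)
        return $false
    }
}

# One property the role should allow, one it should not.
$allowed = Test-PropertyWrite -Object $user -Property "employeeID"  -Value "E-TEST-0001"
$denied  = -not (Test-PropertyWrite -Object $user -Property "description" -Value "must be rejected")

"employeeID write allowed : $allowed"
"description write denied : $denied"

if ($allowed -and $denied) {
    "Role scope matches the intent."
}
else {
    Write-Warning "Role scope does not match the intent; review the Permissions and Assignments of the role."
    exit 1
}
```

Run the script on a machine with the Adaxes client installed, under any account; the credentials prompt is for the delegated user, not for the account running the script. If the second write succeeds, the delegated user has more rights than this role grants, either from another permission in this role or from a different security role assigned to the same user or to one of their groups.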