Create business unit

Business units are collections of directory objects, whose membership is based on certain rules. For example, a business unit can include users with the word Sales in their Department property and members of the Sales Managers group. Business units can contain objects located in different organizational units, domains and even forests.

Business units can be organized in folders, which allows you to create a virtual hierarchy of objects. This hierarchy can be displayed to your users instead of your natural directory structure.

You can also apply scheduled tasks, business rules, security roles, etc. to business unit members. For example, by assigning a security role over a business unit, you can allow your Help Desk to manage only the user accounts whose Employee ID starts with a particular number.

In this tutorial, you will learn how to create a business unit and assign a security role over members of a business unit.

  1. Launch Adaxes Administration console.

     How
    • On the computer where Adaxes Administration console is installed, open Windows Start menu.

    • Click Adaxes Administration Console.

  2. Expand your Adaxes service, right-click Business Units, point to New and click Business Unit.

  3. Enter a name for the new business unit and click Next.

  4. On the Membership Rules step, click Add.

  5. Select whether you want to include specific objects, members of a group, objects located in an OU, or objects that match certain criteria.

    For example, if you want the business unit to include users with the word Sales in their job title, do the following:

    • Select Query results.

    • Click the Edit button next to the Criteria field.

    • Click Add criteria, and select User in the drop-down menu.

    • Click Add.

    • Select Job Title is Sales.

    • Click OK twice.

    • To limit the search to a specific organizational unit or domain, select the location from which to start searching in the Look in field.

    • When finished, click OK.

    You can use value references (e.g. %username%, %department%) in membership rules. Value references will be replaced with corresponding property values of the user who is logged in, which means that different users will see different members in the same business unit. For details, see Create dynamic business unit.

  6. If necessary, you can exclude objects from the business unit. For example, if you don't want the business unit to contain members of the Administrators group, you can exclude the group from the business unit.

     Step by step
    • Click the Add button.

    • Select Group members.

    • In the Parameters section, select the group whose members you want to exclude.

    • Check the Exclude specified objects checkbox.

    • Click OK.

    Membership rule priority

    Membership rules have an order of priority. If the same object is supposed to be included in the business unit by one rule but excluded by another rule, Adaxes uses the priority order to determine what to do with the object.

    Membership rules are always displayed in their priority order, which is:

    • Specific objects – highest priority
    • Group members
    • Objects located in OU or container
    • Query results – lowest priority

    Rules that exclude objects have priority over rules of the same type that include objects.

    For example, imagine a business unit with two membership rules – Exclude group members and Include group members:

    The members of the Helpdesk London group will be excluded because the Exclude group members rule has higher priority.

    Here's a different scenario – a business unit with the Include group members and Exclude query results rules:

    In this case, every member of the Helpdesk group will be included in the business unit, even if they are from the London office, because the Include group members rule has higher priority.

    The priority order of membership rules can't be changed.

    When finished adding membership rules, click Next.

  7. On the Columns step, specify the columns that will be visible by default for the business unit, and configure sorting and grouping options.

    Click Finish.
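The membership rule priority described in step 6 can be modelled in a few lines to check who ends up in a business unit before a security role is assigned over it. This is an added example, not Adaxes code or its API. It assumes that the highest-priority rule matching an object decides the outcome; the user records, the `office` attribute and the Helpdesk group used as the include rule in scenario 1 are constructed.

```python
from dataclasses import dataclass
from typing import Callable

# Rule types in the fixed priority order listed on the page (index 0 = highest).
PRIORITY = ["specific_objects", "group_members", "ou_or_container", "query_results"]

@dataclass(frozen=True)
class Rule:
    kind: str                        # one of PRIORITY
    exclude: bool                    # True = "Exclude specified objects" is checked
    matches: Callable[[dict], bool]  # constructed predicate standing in for the rule's parameters

def sort_key(rule):
    # Lower tuple sorts first: rule type priority, then exclude before include.
    return (PRIORITY.index(rule.kind), 0 if rule.exclude else 1)

def is_member(obj, rules):
    """Assumed model: the highest-priority rule that matches the object decides."""
    for rule in sorted(rules, key=sort_key):
        if rule.matches(obj):
            return not rule.exclude
    return False  # no rule matched, so the object is not in the business unit

def in_group(name):
    return lambda o: name in o["groups"]

# Constructed sample users.
USERS = [
    {"name": "alice", "groups": {"Helpdesk", "Helpdesk London"}, "office": "London"},
    {"name": "bob", "groups": {"Helpdesk"}, "office": "Berlin"},
    {"name": "carol", "groups": set(), "office": "London"},
]

# Scenario 1: Include group members + Exclude group members (same rule type).
SCENARIO_1 = [Rule("group_members", False, in_group("Helpdesk")),
              Rule("group_members", True, in_group("Helpdesk London"))]

# Scenario 2: Include group members + Exclude query results (lower-priority type).
SCENARIO_2 = [Rule("group_members", False, in_group("Helpdesk")),
              Rule("query_results", True, lambda o: o["office"] == "London")]

def members(rules):
    return [u["name"] for u in USERS if is_member(u, rules)]

if __name__ == "__main__":
    print("scenario 1:", members(SCENARIO_1))
    print("scenario 2:", members(SCENARIO_2))
```

Because a security role assigned over a business unit applies to its members, scenario 2 shows that an Exclude query results rule does not keep London Helpdesk accounts out of the delegated scope; an Exclude rule of the Group members or Specific objects type is needed for that.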

Delegate rights on business unit members

To assign an existing security role to users over members of a business unit:

  1. Expand Configuration \ Security Roles and select the role you want to assign.

  2. In the Assignments section, click Add.

  3. Select the group or user you want to assign the role to.

  4. Click Next.

  5. In the Look in drop-down, click Business Units.

  6. Click the business unit.

  7. Click OK and then click Finish.

  8. Click Save changes.