0 votes

Hallo @All,

I'm working in an cloud environment with many tenants and every tenat has the same organizational unit structure.
Now I want to add a security rule that deny access to the administration ou under the ROOT of each tenat.
The nomal case is to add a rule for every administration ou (one per tenat).

Here my question: Is this possible to add a rule that works like this?

Deny => OU=Administration,OU=*,DC=contoso,dc=msft,dc=com

I hope someone has a hint for me.

Thanks
Arne

by (360 points)
0

Hello @All,

does nobody have a hint for me?
:cry:

1 Answer

0 votes
by (216k points)

Hello Arne,

Yes, this is possible. You can:

  1. Create a Business Unit that will include objects located under the Administration OU in each tenant.
  2. Create a Security Role that denies the operations you don't want and include the Business Unit in the Assignment Scope of the role.
  3. Create a Scheduled Task that will iterate through all the tenant OUs and update the Membership Rules of the Business Unit automatically.

If you are OK with such a solution, we can provide you more detailed instructions and a script that will be required for the Scheduled Task.

Related questions

0 votes
0 answers

I have applied a security role to a group at the top of a Business Unit Container and set it to apply to the subtree and it does, all Containers and Business Units do ... Unit. Did I apply the permissions wrong or is there some setting I need to change?

asked Aug 9 by ajmilic (100 points)
0 votes
1 answer

How can I grant read only rights for Configuration items in the Adaxes Admin Console?

asked Jan 26 by mark.it.admin (2.3k points)
0 votes
1 answer

What specific permission is needed in a security role to grant access to enable a user account?

asked Dec 7, 2023 by mightycabal (1.0k points)
0 votes
1 answer

I have 18 domains managed by Adaxes and have noticed that Admin (full access) t all objects acts normally, but for piecemeal scopes like Service Desk that scopes to individual ... role (including 16 denies) and expect it to grow as we add more domains.

asked Sep 20, 2022 by DA-symplr (100 points)
0 votes
1 answer

I only want to allow a security role to write 'user must change password at next logon' and not all options they have under 'Account Options'. The only permission I can see in ... ". I'd rather not assign permissions to all these settings if I don't have to.

asked Apr 6, 2021 by cfrazier (20 points)
3,589 questions
3,278 answers
8,303 comments
548,130 users