Allow person in 'Managed By' field to modify group members?

Question

1 Answer

Related questions

0 votes

1 answer

Allow one department to modify group members who are from another department

We have a potentially complicated sitaution and so far I have no found a solution. Any suggestions will be greatly appreciated. We have specific security groups that ... or see any user details other than the memberships for these specific security groups.

asked Jan 2, 2023 by WannabeGuru (20 points)

0 votes

0 answers

How to allow OU Owners to modify the members of their groups?

I'd like to implement an architecture whereby all Domain Users can request membership in any domain security group. I'd also like to allow the OU Owners to have ... from their groups without granting them the ability to remove users from all security groups?

asked Mar 25, 2020 by sirslimjim (480 points)

0 votes

1 answer

Possible for Group 'Managed By' Value to Inherit Parent OU 'Managed By' Value?

Is it possible to for security groups that are nested under an OU to inherit that OU's 'Managed By' value? I'd like to grant the OU Owner rights to the security groups ... option is to manually edit each group one by one. Is there a script that automates this?

asked Mar 26, 2020 by sirslimjim (480 points)

0 votes

1 answer

In order to add a managed domain does it have to be trusted by the primary domain adaxes is installed an running in?

In order to add a managed domain does it have to be trusted by the primary domain adaxes is installed an running in? I have set up a domain for testing adaxes and it ... I have set my host file to point the untrusted domain to it's primary Domain Controller.

asked Oct 5, 2022 by mightycabal (1.0k points)

0 votes

1 answer

Is it possible to sort a dropdown-field in the portal? The field is populated by a script

I have a dropdown-field on the web surface, which is populated by a script. The script looks up all groups in a specific OU and displays them. In the Property Pattern ... random order. What should i do to show the groups in alphabetical order in the portal?

asked Sep 15, 2020 by lohnag (160 points)

Eugene Pavlov · Answer 1 · 2011-11-09T12:06:32+0000

Update 2015

You can use the Owner (Managed By) security principal to grant the permissions. For details, have a look at section Grant rights to add or remove group members of the following tutorial: https://www.adaxes.com/tutorials_DelegatingPermissions_GrantRightsToModifyADGroupMembership.htm#assigned.

Original

Hi Kirk,

In one of the nearest releases we are planning to extend Security Roles to allow delegating permissions to object owners. This will allow you to grant the 'add/remove member' right to group managers.

However there is another way to implement what you need.

In 2011.3 it will be possible to use value references in Business Rule conditions. This will allow you to control access to objects based on the whether the operation initiator is the group manager or not.

What you will need to do:

With the help of Security Roles allow all users to add/remove members from certain groups (e.g. groups that belong to a Business Unit, or located under an OU).
Create a Business Rule that is triggered before adding/removing group members. If the operation initiator is not the group manager, this rule will cancel the operation (see screenshot above). Optionally this Business Rule can submit an approval request to the group manager.

Hello Kirk,

For now, you can do this with the help of a script:

Create a Business Rule that is triggered before adding or removing members from a group.
Add Run a program or PowerShell script action to the Business Rule.

Specify the following PowerShell script for the action:

  Import-Module Adaxes
 $initiatorDN = "%adm-initiatorDN%"
 $managedByDN = "%managedBy%";
 $domainName = "company.com"; # TODO:
 $allowed = $FALSE;

 if ($initiatorDN -eq $managedByDN)
 {
     $allowed = $TRUE;
 }
 else
 {
     foreach ($group in Get-AdmPrincipalGroupMembership $initiatorDN -Server $domainName -adaxesservice localhost)
     {
         if ($group.DistinguishedName -eq $managedByDN) 
         { 
             $allowed = $TRUE;
             break;
         }; 
     }
 }

 if (-not $allowed)
 {
     $Context.Cancel("Access is denied");
 }

commented Nov 10, 2011 by Eugene Pavlov (18.0k points)

Here is another script that can be used in the If PowerShell script returns true condition.
The script allows group membership modification for group managers and Adaxes service administrators.

Import-Module Adaxes

$groupDN = "%distinguishedName%"
$initiatorDN = "%adm-initiatorDN%"
$managedByDN = "%managedBy%"
$Context.ConditionIsMet =$True

# Test whether the initiator is a service administrator
$configurationSetSettingsPath = $Context.GetWellKnownContainerPath("ConfigurationSetSettings")
$configurationSetSettings = $Context.BindToObject($configurationSetSettingsPath)
if ($configurationSetSettings.AdministratorManager.AmIAdministrator())
{
    $Context.ConditionIsMet = $False;
}
else
{
    # Test whether the group is managed by the intiator
    if ($initiatorDN -eq $managedByDN)
    {
        $Context.ConditionIsMet = $False
    }
    else
    {
        $domainName = $Context.GetObjectDomain($initiatorDN)
        foreach ($group in Get-AdmPrincipalGroupMembership $initiatorDN -Server $domainName -adaxesservice localhost)
        {
            if ($group.DistinguishedName -eq $managedByDN)
            {
                $Context.ConditionIsMet = $False
                break
            };
        }
    }
}

To use the script, add the Cancel this operation action to your Business Rule and add the If PowerShell script returns true condition for the action. Use the script in the condition.

commented Jun 27, 2012 by Eugene Pavlov (18.0k points)

Allow person in 'Managed By' field to modify group members?

Please log in or register to add a comment.

Please log in or register to answer this question.

1 Answer

Update 2015

Original

Please log in or register to add a comment.

Related questions