[SOLVED] Got my security role wrong!

Question

Morning,

I have an issue with self service users being able to modify the properties of other users, my permissions look like this:

I assume it's my assignments: entry that needs to be set to "self" not my user group is that correct?

Thanks,
John.

Answer 1

Hello John,

Yes, to allow users to perform operations on their own accounts, the role must be assigned to Self.

However, as far as we can see, the role contains not only permissions for User objects, but also permissions for operations on objects of other types. For example, it allows writing all properties of groups and creating child objects. If you assign it to Self, users will not be able to use such permissions. We recommend splitting your Security Role into 2 roles:

1. A role that contains permissions only for the operations that users can perform on their own accounts;
2. Another role that contains permissions for operations on other objects.

The 1st role must be assigned to Self, and the 2nd role must be assigned only to users who can modify groups or create child objects and include the parts of AD where they can perform such operations in the Assignment Scope.

Comments

All separated out now and assigned the minimal required. Thanks for the help.