0 votes

Hello,

I search an ldap filter to allow me to show managed user and user managed by the managed user (dunno if i'm clear).

Let me give an exemple.

Pierre is the manager of Richard
George is the manager of Richard.

If george use my action pannel, i want him to be able to apply those modification on Richard and Pierre. Actually i am only able to show Pierre. Here is the LDAP filter for that : (manager=%distinguishedName%)

I tried this filter but it's not working :

(|(manager=%distinguishedName%)(manager=$((manager=%distinguishedName%).distinguishedname)))
(|(manager=%distinguishedName%)(manager=$(manager=%distinguishedName%))

by (460 points)

1 Answer

0 votes
by (216k points)
selected by
Best answer

Hello Alexandre,

You won't be able to build such a filter only using value references. You'll need a script for that.

In our script repository, you can find a script that builds a filter to find all subordinates of a user. See Create LDAP filter to find all subordinates of user. Using the script, you can create a Scheduled Task that updates the filter for all managers in your AD on a certain schedule.

The script saves the filter to a certain attribute of the manager identified in the script by the propertyForFilter variable. In the parameters of your action, you can use a value reference for this attribute to insert the generated LDAP filter. Thus, for example, if you specified adm-CustomAttributeText1 in propertyForFilter, then in the parameters of your action you need to specify %adm-CustomAttributeText1%.

0

Perfect, this is indeed working using the Scheduled task.

Is there a security rule to apply to those kind of "super manager" to allow them to edit any user managed by them ?

0

Hello,

Yes, there is. First of all, you need to create a Business Unit that will include, for each manager, all objects managed by them. Then, you need to assign a Security Role to the managers including the Business Unit in the Activity Scope.

I. Create Business Unit that includes all objects managed by a user

For information on how to create a Business Unit that includes all objects managed by a user, see see Example 3 under Query Results in the following tutorial: http://www.adaxes.com/tutorials_ActiveD ... InUser.htm. In the LDAP Filter field, you need to specify a value reference for the property you used in your script. For example, if you specified adm-CustomAttributeText1 in propertyForFilter, then you need to specify %adm-CustomAttributeText1%.

II. Assign the Security Role
To grant the managers permissions for their subordinates, you need to assign them a Security Role that grants sufficient permissions and include the Business Unit you created on step I in the Assignment Scope. For example, you can use one of the built-in roles for this purpose, such as Account Manager or Super Manager, or create your own Security Role for this purpose.

To assign an existing role:

  1. Locate and select the role you need in the Console Tree.
  2. Right-click in the Assignments section and select Add Assignment.
  3. If you want to grant the permissions to all managers, select Authenticated Users.
    *- or -*
    If you want to grant the permissions to a specific user or group, select it in the list.
  4. Click OK.
  5. In the Specify Activity Scope dialog that opens, select the Business Units item in the Look in drop-down list.
  6. Select the Business Unit you created on step I.
  7. Click Add, then click OK 2 times.
  8. Save the changes.

Related questions

0 votes
1 answer

I have an export that will run as a monthly scheduled task that will write output to a CSV to contain employees that have been ... ([datetime]terminationDate>=$lastMonth))" $properties = $eachFieldIn $userSearcher.SetPropertiesToLoad($properties)

asked Nov 2, 2015 by sandramnc (870 points)
0 votes
1 answer

Hello Support Team We are looking to change our email address format to first.last@company.com. We have some newer users using the new format but we never backfilled the ... (NOT set to primary) to each account and deal with the possibility of duplicates?

asked Jun 5, 2018 by willy-wally (3.2k points)
0 votes
1 answer

We recently added another domain to our environment, when we use the script to create users from a CSV file they are all being created in the first domain instead of the ... password for user '$displayName'. Error: " + $_.Exception.Message, "Warning") } }

asked Nov 1, 2017 by willy-wally (3.2k points)
0 votes
1 answer

What I'm trying to accomplish: user should have access to modify certain accounts where customTextAttribute2="test" (example). When I modify the criteria under "object selection" ... to query custom attributes or do you have to use AD attributes for this?

asked Mar 19 by tromanko (330 points)
0 votes
1 answer

Hi, I recently upgraded Adaxes from 2021.1 to 2023.2, and after the upgrade, an LDAP filter for retrieving the groups a user is owner of, stopped working. The reason ... attribute instead, like this: It works, but sadly it is quite slow. Best regards Martin

asked Aug 21, 2023 by Martin (150 points)
3,589 questions
3,278 answers
8,303 comments
548,145 users