0 votes

Hello,

We would like to implement a form / extend one where a user (eventually created before) is made member of a security group defining his/her role, and this group is one among all the roles (groups) available in a precise OU.

Ideally, we envision a form field called 'Role' whose value is a combo box filled with all the roles the user could assume. That value would then make the user a member of the corresponding group, eventually removing him/her from any other previously role held. We understand that PowerShell coding is in order (either before visualizing the or after form validation), but we are prepared for this.

Or maybe a special (modified) 'Add to group' function is more suitable, calling it 'Add to role' with an exit script to guarantee the membership to a single role?

Apologize if the question seems convoluted. Thanks!

by (20 points)

1 Answer

0 votes
by (294k points)

Hello,

Sorry for the confusion, but we are not quite sure about the desired behavior. When a user calls a function, they need to be able to select a single group from a list and then get added to it. Is that correct? If so, you can use a custom command with a drop-down list parameter. The values of the parameter items will be group distinguished names and the item names can correspond to the role names. For example: image.png In the custom command, there will only be the Add to group action: image.png The following tutorial should be helpful: https://www.adaxes.com/help/CreateCustomCommand/. If this is not what you need, please, describe the desired behavior with live examples and screenshots (if possible).

0

Hello,

Thank you for your answer. I'll try to be more specific: assume that in a given OU there is a set of security groups, each one identifying internally a specific role. To give a couple of examples, the security group F-Secretary in that OU identifies a secretary. That group is already member of one or more other domain security groups (in other OUs) which give access to the resources the security group controls. Or you have the security group F-Head of Department, which is member in turn of all the security groups controlling the resources an head of department should access.

The idea behind is that by making a given user account a member of one of those 'role' groups will give the user access all the necessary resources. Hence the idea of making the user a member of just one of the 'role' groups, plus of course making room for additional specific needs an user could have in terms of membership.

For the help desk it would be helpful to have a 'guided' way to add the user to its role, but of course it is perfectly possible to do the same with the provided "Add to group" feature, except that it's less inmediate and it doesn't avoid possible manual errors, apart from browsing among tens or hundreds of security groups.

I don't know if the above explains better what we do have in mind.

Thanks a lot!

0

Hello,

Thank you for the provided details. It looks like the approach we suggested above should work just fine. Please, give it a try. If there is something specific in the solution that does not meet your needs, please, point it out in details.

0

Thank you again.

Now, regarding the custom command, the Drop-down list parameter needs to be pre-loaded manually, i.e. can't be generated dynamically with a script I suppose.

And the Directory object picker can only be filtered on a given OU, but always returns the AD object (the group samAccountName supposedly), right?

The best solution could be to pre-fill the drop-down list dynamically with a script at run time, getting the AD objects currently defined and eventually using another attribute (the display name for instance) in the list. But maybe we are asking too much.

0

Hello,

Drop-down list parameter needs to be pre-loaded manually, i.e. can't be generated dynamically with a script I suppose.

Yes, that is correct.

And the Directory object picker can only be filtered on a given OU, but always returns the AD object (the group samAccountName supposedly), right?

Yes, that is correct. However, the actual parameter value is the distinguished name, not the sAMAcountName.

The best solution could be to pre-fill the drop-down list dynamically with a script at run time

Unfortunately, there is no such possibility. We have plans for something like that, but there is currently no ETA for the feature.

Related questions

0 votes
1 answer

I have 18 domains managed by Adaxes and have noticed that Admin (full access) t all objects acts normally, but for piecemeal scopes like Service Desk that scopes to individual ... role (including 16 denies) and expect it to grow as we add more domains.

asked Sep 20, 2022 by DA-symplr (100 points)
0 votes
1 answer

When a new user account is created by copying an existing one, is it possible to prevent the new account from becoming a member of security groups in a specific OU (when the ... same way as the account being added to the group, which I need for audit purposes.

asked Sep 28, 2020 by markcox (70 points)
0 votes
1 answer

I have a script that i am trying to run against all users in an OU, but the script will only run against 1 user then not run again for any other users in the OU. Any thoughts on why this would happen?

asked Mar 1, 2018 by kevball2 (100 points)
0 votes
1 answer

I'm trying to schedule a report to look in a few specific OUs. Currently "Look in" location only allows for single instance or multiple drop downs. How do I schedule multiple OU locations without creating multiple reports?

asked Jul 2, 2020 by Al (20 points)
0 votes
1 answer

I only want to allow a security role to write 'user must change password at next logon' and not all options they have under 'Account Options'. The only permission I can see in ... ". I'd rather not assign permissions to all these settings if I don't have to.

asked Apr 6, 2021 by cfrazier (20 points)
3,588 questions
3,277 answers
8,303 comments
548,090 users