0 votes

Hi again : )

I would like to restrict adding members to specific groups only via Custom Command / Executed via PowerShell.

Why? We need information from Helpdesk like Ticket ID to check approval for adding users to groups. Since this is not possible by default at the moment, I created a custom command, allow only selection of specifc groups and ask for input.

Now I want to decline any operations from Adaxes done via Webinterface and not coming from the Custom command/script.

Is this possible? Let me know if you need more clarification and I am happy to share details.

Thanks!

by (1.5k points)

1 Answer

0 votes
by (294k points)
selected by
Best answer

Hello,

Yes, it is possible. You just need to deny the permissions to manage membership in the groups. The following tutorial will be helpful: https://www.adaxes.com/help/GrantRightsToModifyGroupMembership. Then you need to grant users the permissions to execute the custom command you have. once done, users will not be able to add/remove members from the groups in Adaxes except for using the custom command.

0

Ok, but this will deny managing membership in total, no? So Helpdesk can not remove users from group via classic way. I need to write another custom command for that?

+1

Hello,

Yes, that is correct. As long as it is about modifying the very same property (Member), it is a single permission for both adding and removing members.

0

Ok, understood.

Will it be possible, to show only members of a selected group? At the moment, I select a group and have then the option to select every AD user... would be nice to limit this only to real members of the group.

0

Got it : ) image.png

Related questions

0 votes
1 answer

Hi team, I have a follow up to this question https://www.adaxes.com/questions/14234/business-after-adding-members-powershell-script-executed Let me explain my setup A rule- ... area% failed due to the following exception: $($_.Exception.Message)", "Error") }

asked Feb 13 by wintec01 (1.5k points)
0 votes
1 answer

Hello, Is it possible to grant members of a business unit permission to run a custom command? I know I'm able to give permission to a user/group to run a cmd on a business ... that can run the command. I've not been successful with any of my attempts to do so.

asked Mar 23, 2017 by JoCCCsa (100 points)
0 votes
1 answer

We have a potentially complicated sitaution and so far I have no found a solution. Any suggestions will be greatly appreciated. We have specific security groups that ... or see any user details other than the memberships for these specific security groups.

asked Jan 2, 2023 by WannabeGuru (20 points)
0 votes
1 answer

Hey there, We allow our staff to modify membership to certain AD groups by designating a person in the 'Managed By' field. That person then changes the group' ... to modify group membership' without any object specific configuration. Is this possible? Thanks!

asked Nov 8, 2011 by Kirk (60 points)
0 votes
1 answer

We have RBAC groups inside an OU. We would like to restrict users from being added to multiple RBAC groups at a time. For example: RBAC Roles OU Sales RBAC Group ... groups outside of this OU structure though. What's the best way to achieve this? Thanks

asked Oct 13, 2021 by bavery (250 points)
3,588 questions
3,277 answers
8,303 comments
548,093 users