0 votes

Hello,

I'm new to Adaxes. We're simply trying to setup a securtiy role that allows our helpdesk users to modify some very basic properties in AD. Allowing them to modify Personal Information has proven very easy, but we're having trouble allowing them to modify Organziational Information such as Job Title, Department, Company, etc... They're using the web interface to make changes. Attached is a screenshot of the permissions we have assigned to this role. Adding the Write 'Organization' Property seems to make no difference. It seems no matter what we try they only have the ability to modify General / Telephones / Address categories from within the web interface. Is that by design? How do we give them the ability to modify orgization properties as well?

Thanks!

by (20 points)

1 Answer

0 votes
by (216k points)

Hello,

Welcome to our support forum. :)

First of all, you need to check the Assignments of your Security Role. The Assignments of a Role define the Trustees, i.e. users who will be able able to apply the permissions granted by the Role. The Assignment Scope defines where the Trustees will be able to apply the permissions of the Role. You need to check whether the Role is assigned to your helpdesk users and whether the Assignment Scope of the Role includes the users they can modify.

For example, on the screenshot below, the Help Desk Role is assigned to the Help Desk group, and the members of the group are able to apply the permissions granted by the role within the OU called example.com\Offices.

To view Assignments of a Security Role, you need to select it in the Console Tree of Adaxes Administration Console. The Assignments will be displayed in the Result Pane (located to the right).

Also, you should always remember that Deny permissions always override the Allow permissions. That is, if a Security Role grants a user the right to modify a certain property of a certain object, but another Security Role denies the right to modify the same property, the user will not be able to modify the property. So, you need to check that there are no other Security Roles that would deny your helpdesk the right to modify the properties. To check this:

  1. Find all the Security Roles that are assigned to your helpdesk users. For information on how to do this, see Viewing Security Roles Assigned to Users or Groups.
  2. Check whether any of the Roles assigned to them deny the permission to modify the properties they need to modify.
0

Thank you for the prompt reply. I feel I have a good grasp on the permissions, assignment scopes etc. 90% of what we're trying to accomplish is working with the exception of their (Helpdesk) ability to update organization information. Specifically Job Title, Department, and Company properties in AD.

In the first screenshot you can see how they have the abiltiy to view/read this information.

However when they click edit, they only have the ability to alter General, Telephones, Address categories.

What changes do I need to make so that they have the ability to alter these Job Title, Department, Company properties as well?

Thanks!

0

Hello,

The reason why the properties do not appear is not in permissions. It is in the configuration of Adaxes Web interface. To give users the ability to modify the properties via the Web interface, you need to add the Organization section with the necessary properties to the form used for modifying users. See the following tutorial for instructions on how to do this: http://www.adaxes.com/tutorials_WebInte ... diting.htm

0

That's what I needed.

Thanks!

Related questions

0 votes
1 answer

Specifically I am looking to set Auto-Decline Invitations to Yes, and cancel all meetings (and use Inside My Organization reply). These appear to be new(ish) ... not able to find examples in the SDK documentation for setting these options via Powershell.

asked May 18, 2022 by Brian F (20 points)
0 votes
1 answer

Is is possible to modify the properties on the Terminal Services tab through Adaxes? I tried using a "Modify the user" action and added ms-TS-Profile-Path but it didn't set the Terminal Services profile path for the user I ran it on. Thanks

asked May 8, 2012 by bemho (520 points)
0 votes
1 answer

Hi I've added values to two attributes of an Oraganization Unit: adm-CustomAttributeText1 adm-CustomAttributeText2 I'm trying to extract these properties with a powershell ... But this does not provide the value set in adm-CustomAttributeText1. Any ideas?

asked Jan 28, 2013 by kjesoo (960 points)
0 votes
0 answers

It is currently not possible to update the following properties of Microsoft 365 groups via Adaxes: Let people outside the organization email this group (allowExternalSenders ... permissions are not currently supported for the property by Microsoft Graph API.

asked Nov 16, 2022 by Adaxes (560 points)
0 votes
1 answer

I'd like to add a field for "Ticket Number" to pass through so that I can have it run a script post execution to log data to our ticketing system. I ... it may be possible to extend the public class ResetPasswordOptions but that's not really ideal...

asked May 27 by ZoomGhost (280 points)
3,589 questions
3,278 answers
8,303 comments
548,130 users