0 votes

Is there a way to apply permission to an object using an LDAP filter? I see in the SDK how to create and assign security roles but if you can't do it in the UI will scripting through the SDK allow it?

Our OU Structure is:
Country
-Office Name
--Users
--Computers

We have a global Help Desk, Regional and Local Support. For local support the permission assignment is easy but if I have to assign the move computer permissions to every "Compters" OU then I would have an exhausting list of permissions.

Of course I could just be thinking about this all wrong and there is already an easy way to do it then please let me know :)

Thank you

by (590 points)

1 Answer

0 votes
by (216k points)

Hello,

Actually, you can do it without any scripting. Adaxes allows organizing Active Directory objects into virtual collections (or virtual Organizational Units) called Business Units. This allows grouping objects by different criteria without changing the Active Directory structure. Business Units can include objects that correspond to certain membership criteria (for example, objects that match a specific LDAP filter), but located in different Active Directory containers or even in different AD domains or forests.

Take a look at the following tutorial that describes how to organize objects in Business Units and apply Security Role permissions to objects located in Business Units: http://www.adaxes.com/tutorials_ActiveD ... tively.htm.

0

I am currently using business units and I guess I will have to assign the permissions to the business unit and just not allow the users to view them in the web interface.

Initially I was organizing my business units in containers. Then I would assign the permissions to the container but permissions do not seem to be inherited from the containers. Also if you nest multiple containers nothing under the second level will show in the web interface. What I am trying to avoid by doing this is large business units with thousands of objects. Also when we bring on other domains I was hoping to organize by business units in containers.

The structure would look something like this but since nesting does not work I will have to figure something else out.

Business Units
-North America --> Container
--US --> Container (Does not show in web interface)
---Office --> Business Unit (Does not show in web interface)

Sorry not trying to be a pain, just trying to figure out the best easiest way to assign permissions for my situation.

0

Hello,

Permissions issue:

Currently that's not supported. You can assign a Security Role over a container with Business Units in it, however in this case the permissions will apply to the Business Unit objects themsleves, but not to their members. So, for example, this can be used to distribute rights to view different Business Units.

But if you want to grant some rights to members of Business Units, you'll need to include the Business Unit object into the Activity Scope of the Security Role, assigning the Role to the Unit members. For information on how to grant permissions for Business Unit members, see View & Manage AD Objects Collectively (the 2nd part of the tutorial).

Business Unit visibility in the Web interface:

On the Business Units pane of the Web Interface, users will see only the objects contained on the top level of the Business Units container. If they need to view some objects located deeply in the Business Unit structure, they need to browse to the necessary Business Unit. So, for example, if a user needs to access the Office Business Unit, located in the US subcontainer of the North America Container, the user will see only the North America container on the Business Units pane. To get to the Business Unit, the user will have to double-click the North America container, then open the US subcontainer.

Alternatively, if the Browse button is enabled in the Web Interface, users can browse the Business Units tree the same as they browse Active Directory.

Note that in order to be able to view and list containers with Business Units, and also view Business Unit objects, users need to be granted appropriate permissions with the help of Security Roles. If a user doesn't have permissions to view a Container or a Business Unit, he won't be able to view the Container or the Business Unit in the Web interface. By default, the permission to view all Containers and all Business Units is granted by the built-in Domain User Security Role that allows all authenticated users to view all objects. If you changed the assignments of the Domain User Role or disabled it, you will have to assign the permissions for the containers and Business Units explicitly. For example, in the scenario above, you will need to grant at least the Read permission for the North America Container and all of its children.

Related questions

0 votes
1 answer

Hello, I'd like to create a custom Adaxes report based on the following Logging Filters - I'm currently having to filter the logs manually each time I want to gather this ... would be easier to jump on a call to discuss this further? Thank you in advance!

asked Nov 16, 2020 by sirslimjim (480 points)
0 votes
1 answer

What I'm trying to accomplish: user should have access to modify certain accounts where customTextAttribute2="test" (example). When I modify the criteria under "object selection" ... to query custom attributes or do you have to use AD attributes for this?

asked Mar 19 by tromanko (330 points)
0 votes
1 answer

Hi, I recently upgraded Adaxes from 2021.1 to 2023.2, and after the upgrade, an LDAP filter for retrieving the groups a user is owner of, stopped working. The reason ... attribute instead, like this: It works, but sadly it is quite slow. Best regards Martin

asked Aug 21, 2023 by Martin (150 points)
0 votes
1 answer

I've created an interface to edit adm-CustomAttributeText19 when it's empty. I set in the configuration page this filter "Only allow selection of AD objects that match the LDAP ... I open the interface, even if the field is filled. What am I doing wrong?

asked Jan 30, 2023 by Simone.Vailati (430 points)
0 votes
1 answer

I'm trying to create a new command that can apply to User objects across multiple domains that are in OUs with the same 'Name' i.e. an OU called Directors that occurs in ... t seem to make it work with just contains 'OU Name' i.e. (distinguishedname=OU Name)

asked Jan 21, 2020 by richarddewis (260 points)
3,588 questions
3,277 answers
8,303 comments
548,090 users