0 votes

Is there a way to apply permission to an object using an LDAP filter? I see in the SDK how to create and assign security roles but if you can't do it in the UI will scripting through the SDK allow it?

Our OU Structure is:
Country
-Office Name
--Users
--Computers

We have a global Help Desk, Regional and Local Support. For local support the permission assignment is easy but if I have to assign the move computer permissions to every "Computers" OU then I would have an exhausting list of permissions.

Of course I could just be thinking about this all wrong and there is already an easy way to do it then please let me know :)

Thank you

by (590 points)

1 Answer

0 votes
by (216k points)

Hello,

Actually, you can do it without any scripting. Adaxes allows organizing Active Directory objects into virtual collections (or virtual Organizational Units) called Business Units. This allows grouping objects by different criteria without changing the Active Directory structure. Business Units can include objects that correspond to certain membership criteria (for example, objects that match a specific LDAP filter), but located in different Active Directory containers or even in different AD domains or forests.

Take a look at the following tutorial that describes how to organize objects in Business Units and apply Security Role permissions to objects located in Business Units: http://www.adaxes.com/tutorials_ActiveD ... tively.htm.

0

I am currently using business units and I guess I will have to assign the permissions to the business unit and just not allow the users to view them in the web interface.

Initially I was organizing my business units in containers. Then I would assign the permissions to the container but permissions do not seem to be inherited from the containers. Also if you nest multiple containers nothing under the second level will show in the web interface. What I am trying to avoid by doing this is large business units with thousands of objects. Also when we bring on other domains I was hoping to organize by business units in containers.

The structure would look something like this but since nesting does not work I will have to figure something else out.

Business Units
-North America --> Container
--US --> Container (Does not show in web interface)
---Office --> Business Unit (Does not show in web interface)

Sorry, not trying to be a pain, just trying to figure out the best and easiest way to assign permissions for my situation.

0

Hello,

Permissions issue:

Currently that's not supported. You can assign a Security Role over a container with Business Units in it, however in this case the permissions will apply to the Business Unit objects themselves, but not to their members. So, for example, this can be used to distribute rights to view different Business Units.

But if you want to grant some rights to members of Business Units, you'll need to include the Business Unit object into the Activity Scope of the Security Role, assigning the Role to the Unit members. For information on how to grant permissions for Business Unit members, see View & Manage AD Objects Collectively (the 2nd part of the tutorial).

Business Unit visibility in the Web interface:

On the Business Units pane of the Web Interface, users will see only the objects contained on the top level of the Business Units container. If they need to view some objects located deeply in the Business Unit structure, they need to browse to the necessary Business Unit. So, for example, if a user needs to access the Office Business Unit, located in the US subcontainer of the North America Container, the user will see only the North America container on the Business Units pane. To get to the Business Unit, the user will have to double-click the North America container, then open the US subcontainer.

Alternatively, if the Browse button is enabled in the Web Interface, users can browse the Business Units tree the same as they browse Active Directory.

Note that in order to be able to view and list containers with Business Units, and also view Business Unit objects, users need to be granted appropriate permissions with the help of Security Roles. If a user doesn't have permissions to view a Container or a Business Unit, he won't be able to view the Container or the Business Unit in the Web interface. By default, the permission to view all Containers and all Business Units is granted by the built-in Domain User Security Role that allows all authenticated users to view all objects. If you changed the assignments of the Domain User Role or disabled it, you will have to assign the permissions for the containers and Business Units explicitly. For example, in the scenario above, you will need to grant at least the Read permission for the North America Container and all of its children.
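The two scoping rules described in this thread (a Business Unit collects objects that match an LDAP filter under a search base, and a Security Role assigned over a container of Business Units applies to the Business Unit objects, not to their members) can be checked against a toy model. The script below is an added example written for this page; it is not Adaxes code and does not use the Adaxes SDK. The directory entries, unit names, role names and trustee names are all constructed, and the filter parser supports only the `&`, `|`, `!` and `attr=value` forms with `*` wildcards.

```python
"""Toy model of filter-defined virtual collections and scoped role assignments.
Added example, not Adaxes code: the DNs, units, roles and trustees are constructed."""
from fnmatch import fnmatchcase

# Constructed sample directory following the Country / Office / Users|Computers layout.
DIRECTORY = {
    "CN=BOS-PC01,OU=Computers,OU=Boston,OU=US,DC=corp,DC=example":
        {"objectCategory": "computer", "name": "BOS-PC01"},
    "CN=NYC-PC07,OU=Computers,OU=New York,OU=US,DC=corp,DC=example":
        {"objectCategory": "computer", "name": "NYC-PC07"},
    "CN=TOR-PC02,OU=Computers,OU=Toronto,OU=CA,DC=corp,DC=example":
        {"objectCategory": "computer", "name": "TOR-PC02"},
    "CN=Jane Doe,OU=Users,OU=Boston,OU=US,DC=corp,DC=example":
        {"objectCategory": "person", "name": "Jane Doe"},
}


def parse_filter(s, i=0):
    """Recursive-descent parser for a small LDAP filter subset; returns (node, next_index)."""
    if s[i] != "(":
        raise ValueError("filter must start with '(' at position %d" % i)
    i += 1
    if s[i] in "&|":                       # (&(...)(...)) or (|(...)(...))
        op, i, subs = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            subs.append(node)
        return (op, subs), i + 1           # skip the closing ')'
    if s[i] == "!":                        # (!(...))
        node, i = parse_filter(s, i + 1)
        return ("!", [node]), i + 1
    end = s.index(")", i)                  # simple (attr=value) term
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.lower(), value), end + 1


def match(node, attrs):
    """Evaluate a parsed filter node against an object's attribute dict (case-insensitive)."""
    op = node[0]
    if op == "&":
        return all(match(n, attrs) for n in node[1])
    if op == "|":
        return any(match(n, attrs) for n in node[1])
    if op == "!":
        return not match(node[1][0], attrs)
    _, attr, value = node
    lowered = {k.lower(): v for k, v in attrs.items()}
    actual = lowered.get(attr)
    # '*' in the filter value is a wildcard, so (name=*) is a presence test.
    return actual is not None and fnmatchcase(str(actual).lower(), value.lower())


def filter_matches(filter_str, attrs):
    return match(parse_filter(filter_str)[0], attrs)


def in_subtree(dn, base_dn):
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)


class BusinessUnit:
    """A virtual collection: objects under a search base that match a membership filter."""
    def __init__(self, name, container, rules):
        self.name, self.container = name, container   # container: path such as "North America/US"
        self.rules = [(parse_filter(f)[0], base) for f, base in rules]

    def members(self):
        return [dn for dn, attrs in DIRECTORY.items()
                if any(in_subtree(dn, base) and match(node, attrs) for node, base in self.rules)]


class SecurityRole:
    def __init__(self, name, permissions):
        self.name, self.permissions, self.assignments = name, set(permissions), []

    def assign_to_unit_members(self, trustee, unit):     # scope: the unit's members
        self.assignments.append((trustee, "members", unit))

    def assign_over_container(self, trustee, container):  # scope: Business Unit objects in it
        self.assignments.append((trustee, "container", container))


def effective_permissions(roles, trustee, target):
    """target is a directory DN (str) or a BusinessUnit object; returns the granted permission set."""
    perms = set()
    for role in roles:
        for who, kind, scope in role.assignments:
            if who != trustee:
                continue
            if kind == "members" and isinstance(target, str) and target in scope.members():
                perms |= role.permissions
            if kind == "container" and isinstance(target, BusinessUnit) and (
                    target.container == scope or target.container.startswith(scope + "/")):
                perms |= role.permissions
    return perms


# Constructed units and roles: one regional unit, one spanning both countries.
US_COMPUTERS = BusinessUnit("US Computers", "North America/US",
                            [("(objectCategory=computer)", "OU=US,DC=corp,DC=example")])
NA_COMPUTERS = BusinessUnit("NA Computers", "North America",
                            [("(&(objectCategory=computer)(name=*-PC*))", "DC=corp,DC=example")])
MOVE_ROLE = SecurityRole("Regional Support - US", {"Move Computer"})
MOVE_ROLE.assign_to_unit_members("us-support", US_COMPUTERS)
HELPDESK_ROLE = SecurityRole("Global Help Desk", {"Read"})
HELPDESK_ROLE.assign_to_unit_members("helpdesk", NA_COMPUTERS)
VIEW_UNITS_ROLE = SecurityRole("View NA Units", {"Read"})
VIEW_UNITS_ROLE.assign_over_container("us-support", "North America")
ROLES = [MOVE_ROLE, HELPDESK_ROLE, VIEW_UNITS_ROLE]
```

Running `effective_permissions(ROLES, "us-support", dn)` for a Boston computer yields only `Move Computer`: the container-level assignment grants `Read` on the `US Computers` unit object itself, which is exactly the behaviour the comment above describes, and the regional role never reaches the Toronto computer because its DN is outside the unit's search base.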
