Adaxes

Limit AD Read access to Business Unit

0 votes

Hi,

I have a Business Unit defined based on an LDAP Query which I use to limit the accounts in AD an admin can control. I would also like to limit the scope of the search so they can not find AD users outside of the BU.

I tried removing the Read All Objects from Domain User and adding Read All Objects to my admin role with an assignment over the BU, but now only the admin's own account is visible. I can only seem to get this to work by giving read to everything which isn't what I want?

I am assuming there is a set of attributes I need to allow access to for the LDAP filter to work on the BU, but having trouble working it out?

Thanks,

by (390 points)
0

Hello,

Could you post here or send us to support[at]adaxes.com the following:

  • A screenshot of Permissions and Assignments of your admin role.
  • A screenshot of Membership Rules of the Business Unit.
by (216k points)
0

Screenshots emailed as I couldn't get them here :(

by (390 points)
0

Dazbo,

When you click Reply to Post, look right above the check boxes below the window for Options and find just to the right of it, in gray lettering, Upload Attachment

by (1.2k points)
0

This is the Domain User Role and the Membership Rule.

The rule just has %extensionattribute5% in it and the admin users has and LDAP filter in this attribute to define the users they can control - i.e. (|(depertment=HR)(department=IT))

Setup like this it works, but the Admin can search for any user in the domain which is not what I want. If I remove the domain assignment from the Role then the admin can only find themselves.

Thanks

by (390 points)

1 Answer

0 votes
by (216k points)

Hello,

The assignment of the Security Role is incorrect for the task you want to achieve. You included the Business Unit in the Assignments of the Security Role, and selected This object only as the assignment scope.

This means that you allowed authenticated users to view the Business Unit itself, but not the members of the Business unit. To allow users to also view members of the Business Unit:

  1. Double-click the assignment of the Role that includes the Business Unit.
  2. Select the Members of this Business Unit option.
  3. Click OK.
  4. Save the Security Role.
0

Now I fell dumb. I stared at this for ages and didn't spot that :(

Thanks again.

by (390 points)

Related questions

0 votes
1 answer
Is it better to grant access via multiple OU and group assignments in the security role or use a business unit?

I have 18 domains managed by Adaxes and have noticed that Admin (full access) t all objects acts normally, but for piecemeal scopes like Service Desk that scopes to individual ... role (including 16 denies) and expect it to grow as we add more domains.

asked Sep 20, 2022 by DA-symplr (100 points)
0 votes
0 answers
Security Role Limit Access to an OU

Trying to setup a security role so that members can create and administer accounts and group membership. I would like to limit this via OU as a security role and not depend on the filters in the web console. Any suggestions?

asked Apr 5, 2016 by adaxes_user (420 points)
0 votes
1 answer
Read Access to Password Manager Statistics

What rights are needed to view Password Manager Statistics? I have set Allow Read > All Object Types for a group assigned over Configuration Objects. But I get a "Data fetching Error" and "Access is denied" dialog when trying to view statistics. Thank you

asked Feb 2, 2016 by jheisley (590 points)
0 votes
1 answer
Create a business Unit to auto populate based on group owners in a specific OU

Is it possible to create a business unit and have it auto populate with group owners in a specific OU. I've tried a few scripts to get propertie adm-managedbylist but none have worked so far.

asked 4 days ago by C27 (20 points)
0 votes
0 answers
Security role is not propagating to objects within the Business Unit

I have applied a security role to a group at the top of a Business Unit Container and set it to apply to the subtree and it does, all Containers and Business Units do ... Unit. Did I apply the permissions wrong or is there some setting I need to change?

asked Aug 9 by ajmilic (100 points)
3,547 questions
3,238 answers
8,232 comments
547,809 users