0 votes

I'm looking to allow users to initiate their own account moves between company sites. Often I've seen employees relocate without notifying the Help Desk. If I can push this task off to the user, then it would put the responsibility for their end user experience (over WAN links) onto them, not IT.

Here's what I'm thinking:

User hits their Self Service portal, and hits a custom action called Change My Work Location, which will trigger an Authorization request to their Manager. Once approved, the account will move to a temporary OU called ToOfficeX (or whatever). User objects in this OU will trigger a nightly scheduled task that will move the user data and Mailbox to the new site. At the end of the task, it would move the user object to the official OfficeX OU and notify the user that the move was complete.

What I can't get to work is the initial user account to move to the destination OU. I get Access Denied, and the logs don't supply any additional info to start digging. I've messed with Self permissions, and OU permissions, but still no luck.

Any help would be appreciated!

Thx!

--Joel

by (510 points)
0

The users will need the following permissions in the security role:

You can easily add these two permissions by using the dropdown list on the "add" button:
Choose "Move users between Organizational Units"

1 Answer

0 votes
by (1.8k points)
selected by
Best answer

When I rethink this, the self-service security role is probably assigned only to give rights to their own object.

You will need to add under "Assignments" authenticated users assigned over the existing OU and the destination OU.
PS: make sure you only give access to "This object only" on the OUs, and not to all objects inside the OUs.

0

Bingo!! That worked!! Thanks a bunch! I knew I was missing a permission somewhere.... I had thrashed about trying this and that.. I had originally tried both settings from your first post to no avail.

I only needed Auth Users as an Assignment on the destination OU, not the Source. I'll have to create 10 or so individual assignments, one for each destination OU, but that's ok. If the Perms were granular to distinguish OUs vs Accounts, then 1 would do. No biggy

Thx again!

--Joel
