0 votes

I'm looking to allow users to initiate their own account moves between company sites. Often I've seen employees relocate without notifying the Help Desk. If I can push this task off to the user, then it would put the responsibility for their end user experience (over WAN links) onto them, not IT.

Here's what I'm thinking:

User hits their Self Service portal, and hits a custom action called Change My Work Location, which will trigger an Authorization request to their Manager. Once approved, the account will move to a temporary OU called ToOfficeX (or whatever). User objects in this OU will trigger a nightly scheduled task that will move the user data and Mailbox to the new site. At the end of the task, it would move the user object to the official OfficeX OU and notify the user that the move was complete.

What I can't get to work is the initial user account to move to the destination OU. I get Access Denied, and the logs don't supply any additional info to start digging. I've messed with Self permissions, and OU permissions, but still no luck.

Any help would be appreciated!

Thx!

--Joel

by (510 points)
0

The users will need the following permissions in the security role:

You can easily add these two permissions by using the dropdown list on the "add" button:
Choose "Move users between Organizational Units"

1 Answer

0 votes
by (1.8k points)
Best answer

When I rethink this, the self-service security role is probably assigned only to give rights to their own object.

You will need to add under "Assignments" authenticated users assigned over the existing OU and the destination OU.
PS: make sure you only give access to "This object only" on the OUs, and not to all objects inside the OUs.

0

Bingo!! That worked!! Thanks a bunch! I knew I was missing a permission somewhere.... I had thrashed about trying this and that.. I had originally tried both settings from your first post to no avail.

I only needed Auth Users as an Assignment on the destination OU, not the Source. I'll have to create 10 or so individual assignments, one for each destination OU, but that's ok. If the Perms were granular to distinguish OUs vs Accounts, then 1 would do. No biggy

Thx again!

--Joel
