0 votes

I'd like to implement an architecture whereby all Domain Users can request membership in any domain security group. I'd also like to allow the OU Owners to have the ability to remove users from the security groups that fall within their respective OUs but nowhere else.

How would I grant permissions (and expose this feature to the end users) for the OU Owners to remove users from their groups without granting them the ability to remove users from all security groups?

by (480 points)
0

Hello,

To be able to request membership in a group, a user must have the permissions to add or remove members of that group. These permissions can’t be granted separately. In your case, you need to create a Business Unit that will contain all security groups except built-in groups (e.g. Administrators) and a Security Role assigned over this Business Unit, that will allow members of the Domain Users group to modify the Member property of Group objects.

Then, you will need to set up an approval step. A Business Rule that triggers Before adding a member to a group and sends the operation for approval to the Owner of the target group's OU should be used for this purpose. Also, this Business Rule should have an If the initiator is not %member% condition that will check whether a user is requesting membership for someone else, and will cancel the operation if they are. Optionally, you can make an exclusion for OU owners and allow them to add other members on their own initiative. The Business Rule should be assigned over the same Business Unit (the one which contains all security groups).

Example Business Rule

To prevent users from removing group members they are not authorized to remove, you need another Business Rule that triggers Before removing a member from a group. This rule will have an If PowerShell script returns true condition that will check whether the initiator of the Remove member operation is the owner of the OU where the group is located, and cancel the operation if they aren’t.

To expose the feature, you need to add the Add to group action to the Web Interface for end users and select Always perform for the current user in the Member Selection section, so that users will be able to request membership only for themselves.

It is highly recommended to use two separate Web Interfaces for end users and for OU owners. This way you will be able to disable all Web Interface elements that allow adding or removing group members and leave only the dedicated Add to group action for simplicity. To be specific, you can hide the Add members operation and customize forms for viewing and editing groups to hide Add and Remove buttons in the Members section.

If the same Web Interface is used, hiding the operation and the buttons for end users will also hide them for OU owners. It is not necessary to hide them though, as the logic of who can add/remove members is controlled by Business Rules.

If you need further guidance on how to implement this architecture, please, describe the desired workflow and permissions in all the possible details.

There is also an alternative approach, which is more complicated and requires an additional Scheduled Task, a Custom Command, a dynamic Business Unit and a PowerShell script. The only benefit of this approach is that it will be easier to hide elements of the Web Interface if you plan on using the same interface for end users and OU owners.

0

Hello,

Thank you for the helpful response. Do you have an example of a PowerShell script condition I could use to check whether the initiating user is a member of the OU owner group?

Thanks!

+1

Hello,

Do we understand you correctly, that you need a script that will check whether the initiator of the Remove member operation is the owner of the OU where the target group is located? If this is the case, you can check out this script from our repository. It should be used in the If PowerShell script returns true condition of the Business Rule triggering Before removing a member from a group.

The script will return True if the initiator is not the OU owner. Please note that the script will also return True and cancel the operation if the OU where the group is located has no owner. It will be impossible to remove members from this group until an owner is assigned to its OU.

The Business Rule itself should look like this: business-rule.png

0

Thank you! Yes, this is exactly what I was looking for. Appreciate your help!

0

One final question. Is it possible to restrict the groups that these OU owners can see from their dashboard? I'd like to only present them with the security groups which they are the OU owners for. Ideally I'd like to implement something like the following LDAP filter string:

image.png

Is something like this possible using LDAP filters?

0

We noticed that you have asked a question about how to assign an OU owner as the owner of all groups under this OU.

If you are going to implement this, you will be able to use this LDAP filter in your Web Interface action: (managedBy=%adm-InitiatorDN%).

However, it will work only if the initiating user has direct ownership over groups, i.e. this user is explicitly specified in the managedBy attribute of a group.

0

Great thank you for clarifying. Are there any plans to add the ability for the 'managedBy' flag to work with AD Groups and their corresponding group members as well?

0

Hello,

Unfortunately, there are no such plans at the moment. As a workaround, you can create a Scheduled Task which will run this script, and assign the task over OU owners or all users. The script will periodically check which objects are managed by a user, build an LDAP filter for these objects, and save the filter in the specified attribute of a user, for example CustomAttributeText1.

You will then be able to use a value reference to retrieve the LDAP filter for group selection in your Web Interface action. The filter will be different for each logged on user and will include all objects managed by the user (both directly and via group membership). Please note that you need to use %adm-CustomAttributeText1% and not (managedBy=%adm-CustomAttributeText1%), as the attribute will contain the entire filter.
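The two scripts described in this thread (the Remove member condition that returns True when the initiator does not own the group's OU or the OU has no owner, and the scheduled task that builds a per-user managedBy filter) share the same building block: resolving the initiator's transitive group membership. The block below is an added illustration, not the scripts from the vendor's repository; it assumes the ActiveDirectory PowerShell module, hypothetical function names, and, in the trailing comments, the Adaxes $Context members used to wire a script into a rule.

```powershell
Import-Module ActiveDirectory

# Escape a DN for safe use as a value inside an LDAP filter (RFC 4515 special characters).
function ConvertTo-LdapFilterValue([string]$Value) {
    return $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# All groups the principal belongs to, transitively (LDAP_MATCHING_RULE_IN_CHAIN on member).
function Get-TransitiveGroupDns([string]$PrincipalDn) {
    $v = ConvertTo-LdapFilterValue $PrincipalDn
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$v)" |
        Select-Object -ExpandProperty DistinguishedName
}

# Condition for the "Before removing a member from a group" rule.
# Returns $true when the operation must be cancelled: the initiator is neither the owner
# of the OU containing the group nor a member of the owner group, or the OU has no owner.
function Test-RemoveMemberCancelled([string]$GroupDn, [string]$InitiatorDn) {
    $ouPath  = ([ADSI]"LDAP://$GroupDn").Parent            # e.g. LDAP://OU=Sales,DC=example,DC=com
    $ouDn    = $ouPath -replace '^LDAP://', ''
    $ownerDn = (Get-ADObject -Identity $ouDn -Properties managedBy).managedBy
    if (-not $ownerDn) { return $true }                    # no OU owner: nobody may remove members
    if ($ownerDn -eq $InitiatorDn) { return $false }       # initiator owns the OU directly
    $owner = Get-ADObject -Identity $ownerDn
    if ($owner.ObjectClass -ne 'group') { return $true }   # owner is a different user or contact
    $inOwnerGroup = Get-TransitiveGroupDns $InitiatorDn | Where-Object { $_ -eq $ownerDn }
    return -not [bool]$inOwnerGroup
}

# Scheduled-task half: one filter that matches every object the user manages, either directly
# or through a group the user belongs to. Stored per user (e.g. in CustomAttributeText1) and
# consumed as %adm-CustomAttributeText1% in the Web Interface action.
function New-ManagedObjectsFilter([string]$UserDn) {
    $principals = @($UserDn) + @(Get-TransitiveGroupDns $UserDn)
    $clauses = $principals | ForEach-Object { "(managedBy=$(ConvertTo-LdapFilterValue $_))" }
    return "(|$($clauses -join ''))"
}

# Wiring inside Adaxes (member names of $Context are assumed, verify against the SDK):
#   rule condition:  $Context.ConditionIsMet = Test-RemoveMemberCancelled $groupDn $initiatorDn
#   scheduled task:  $Context.TargetObject.Put('adm-CustomAttributeText1', (New-ManagedObjectsFilter $userDn))
#                    $Context.TargetObject.SetInfo()
```

For a user who owns nothing, New-ManagedObjectsFilter still yields a valid filter that matches only objects whose managedBy is the user or one of the user's groups, so an empty dashboard rather than an error.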
