Delegate Full Access but prevent assigning of additional Access Templates

Hi,

In my company, I have delegated Full Access (all objects) to several Organizational Units in AD - I recently noticed this also allows admins to assign additional Access Templates to allow other users to have access to that same area. Is there any way I can prevent this from happening? I don't mind them seeing the existing config or the templates themselves, but they should not be able to assign or remove any Access Templates. I already tried blocking class "Access Templates" but that didn't seem to help (guess that only locks out modifying the templates themselves). Couldn't find the option for denying (un)assigning templates or policies etc.

Thanks!

  • Thanks Johnny - I absolutely see your point here! Rest assured that, aside from the default AR super admins, I never delegated any modify permissions on the AR Configuration node.

    This is also why I was a bit surprised/disappointed to see that by granting read-only access to the AR config area, combined with full access to the "Active Directory" node, it would allow staff to assign Access Templates. I never intended to allow anyone to make any modifications to the AR settings (which, in my opinion, also means assigning Policies and ATs) but I have now found out that this combination of permissions makes that possible anyway.

    I still want to allow staff to see (read-only) the AR policies so I guess that the only safe way out would be to specifically allow access to the object classes they need rather than using "All objects, Full Access" (at the AD level!)

    Thanks again for your input!