
Access Rule - Creator Owner

Most access to objects is by MU and custom properties on the objects.

If a technician creates an object with incorrect properties, they have no rights to the object they created because it's out of their MU scope by design.

I have created a security delegation on the OU with a rule that permits access to objects that have not been used yet (no lastlogontimestamp).  This works nicely.  I would like to limit it further to the user who created the object.

  • The operator who created AD\new user is not stored on the AD\new user object, but in the separate Change History and the ARS Windows Event Log.
    Staged Users (MU (lastLogonTimestamp -eq empty)) is a first step.
    (just an idea) VA_CREATOR - virtual attribute
    a. Workflow or custom policy script: set AD\newuser.VA_CREATOR = Initiator Logon (AD\jsmith)
    b. MU(VA_CREATOR -eq 'AD\jsmith') -- AT-View/Modify -- trustee AD\jsmith
    Limitation: you will need to build an MU manually for each helpdesk person.