
attribute based access control

 Hey guys,

Is it possible to give a user group permissions (e.g. PW reset) on all users in another user group? Further, we need to design this delegation dynamically.

 

An example:

All members of the group "APW123" can reset the password for each user that is a member of "GRP123".

 

We have about 5k "GRP" groups. So it would be great if you could realise this with regular expressions. I have not found out how to do this in Active Roles. Do you have any ideas?

  • The request is very standard for ARS.

    ARS 'virtualization' on top of AD provides a powerful feature: an MU (Managed Unit) is a virtual OU based on any LDAP query. Any AR Workflow (AT Permission, Policy, Workflow) can be attached to the MU.

    In your case:
    1. MU_PWD = LDAP query "memberOF AD\GRP123" (the option is available OOB)
    2. Trustee (AD\APW123) - Access Mask (AT Pwd Reset) - Scope: MU_PWD
    In addition, an MU can be based on any LDAP query, including Virtual Attributes (VA).
  • Ok, I think I got this. Thank you!

    But do I have to create all MUs manually and statically? Because if so, I have to create 5000 Managed Units? Is it possible to do this with regex or a command line?

  • The technicalities depend on exact needs + environment => workflow. The ARS SDK and PowerShell cmdlet library allow you to programmatically both (a) create MUs and (b) assign permissions.
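
One way to script the GRP/APW pairing asked about in this thread, as an added example that is not part of the original posts and not Active Roles' own code: it derives one Managed Unit and trustee per "GRP" group with an anchored regex, escapes the group DN for the LDAP filter, and marks pairs whose trustee group does not exist. The group DNs, the `MU_PWD_<n>` naming and both function names are assumptions; it calls no Active Roles cmdlets and only computes the delegation plan.

```powershell
# Constructed sample input: group name -> distinguishedName (not real directory data).
$groups = @{
    'GRP123'     = 'CN=GRP123,OU=Groups,DC=example,DC=com'
    'APW123'     = 'CN=APW123,OU=Groups,DC=example,DC=com'
    'GRP124'     = 'CN=GRP124,OU=Sales (EMEA),DC=example,DC=com'  # filter metacharacters in DN
    'APW124'     = 'CN=APW124,OU=Groups,DC=example,DC=com'
    'GRP125'     = 'CN=GRP125,OU=Groups,DC=example,DC=com'        # no APW125 exists
    'GRP123-old' = 'CN=GRP123-old,OU=Groups,DC=example,DC=com'    # must not pair with APW123
}

# Hypothetical helper: escape a value for use inside an LDAP filter (RFC 4515).
function ConvertTo-LdapFilterValue([string]$Value) {
    # Backslash first, so the escapes added afterwards are not escaped again.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

# Hypothetical helper: one plan row per GRP<n> group, mirroring the two steps
# from the reply (MU based on an LDAP query, then trustee + access mask + scope).
function Get-DelegationPlan([hashtable]$Groups) {
    foreach ($name in ($Groups.Keys | Sort-Object)) {
        # Anchored on both ends: a loose 'GRP\d+' would also match 'GRP123-old'
        # and hand APW123 rights over users it was never meant to manage.
        if ($name -match '^GRP(?<id>\d+)$') {
            $id      = $Matches['id']
            $trustee = "APW$id"
            $dn      = ConvertTo-LdapFilterValue $Groups[$name]
            [pscustomobject]@{
                ManagedUnit = "MU_PWD_$id"
                LdapQuery   = "(&(objectCategory=person)(objectClass=user)(memberOf=$dn))"
                Trustee     = $trustee
                AccessMask  = 'AT Pwd Reset'
                # Never create a delegation whose trustee group is absent.
                Status      = $(if ($Groups.ContainsKey($trustee)) { 'Ready' } else { 'Skipped: trustee group missing' })
            }
        }
    }
}

Get-DelegationPlan $groups | Format-List
```

A `memberOf=<DN>` filter matches direct members only, so users who belong to a "GRP" group through a nested group fall outside the resulting Managed Unit.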