Cannot see domain tree or organisation unit

Dears,

I'm new in this great world and facing my first issue.

Situation 100

ADMINZO is part of the security group GS_SEC_BEI. This group has delegation on two Active Directory units, Beijing and HongKong. The problem: when he connects to the web console, he has access to and sees all the domain OUs. No good, he must only have access to two OUs: Beijing and HongKong.

ADMINCOH is part of the security group GS_SEC_NYC; the group has delegation on OU NewYork. When connected to the web console, nothing is showing (no Organisation Units) ...

Both groups have Browse domain.

Thx for your help

  • Hello,

    This is purely a delegation issue. Active Roles has a Zero-Permissions model: a user cannot see anything unless you have delegated access to them.

    So, if one of your users sees too much, you need to take away or adjust their existing delegations.

    If one of your users does not see enough, you need to delegate more access.

    In the Active Roles Console, if you choose View | Advanced Details Pane, this will help you to see the existing security linkages in the environment.

    You can also check the Administration tab available on any User or Group to see what delegations have been granted to that object.

    In order to browse the Domain, the User will need to be able to crawl the Active Directory tree: they will need View and List permissions at the Domain level, then View and List at the Organizational Unit and Container level, and at each sublevel, as desired.

    If they do not even see the domain, then you are missing the Domain View permission.

    Active Roles has a built-in Access Template which is useful. You can find it at Configuration/Access Templates/Active Directory/Domains - Read All Properties
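
The tree-crawl rule described in the reply above, as a simplified model added here for illustration; it is not Active Roles code and not part of the original post. The domain name `corp.example`, the sub-OU `Staff`, and the `subtree` flag (a delegation that also applies to all sub-levels) are assumptions, and the delegations are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Delegation:
    trustee: str     # security group holding the delegation
    container: str   # node where View/List is granted
    subtree: bool    # assumption: True = also applies to every sub-level

# Constructed directory tree; domain and sub-OU names are placeholders.
TREE = ["corp.example", "corp.example/Beijing", "corp.example/HongKong",
        "corp.example/NewYork", "corp.example/NewYork/Staff"]

def can_list(group, node, delegations):
    """True if some delegation gives `group` View/List on `node`."""
    return any(d.trustee == group and
               (d.container == node or
                (d.subtree and node.startswith(d.container + "/")))
               for d in delegations)

def visible(group, delegations, tree=TREE):
    """Nodes reachable from the domain with View/List at every level on the way."""
    seen = []
    for node in tree:
        parts = node.split("/")
        chain = ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]
        if all(can_list(group, level, delegations) for level in chain):
            seen.append(node)
    return seen

def excess(group, intended, delegations):
    """Visible nodes outside the intended OUs (ancestors needed for the crawl are allowed)."""
    def in_scope(node):
        return any(node == ou or node.startswith(ou + "/") or ou.startswith(node + "/")
                   for ou in intended)
    return [n for n in visible(group, delegations) if not in_scope(n)]

BEI_OUS = ["corp.example/Beijing", "corp.example/HongKong"]
# Sees too much: View/List linked at the domain and applied to all sub-levels.
TOO_BROAD = [Delegation("GS_SEC_BEI", "corp.example", True)]
# Scoped: domain node only, then each delegated OU with its sub-levels.
SCOPED = [Delegation("GS_SEC_BEI", "corp.example", False),
          Delegation("GS_SEC_BEI", "corp.example/Beijing", True),
          Delegation("GS_SEC_BEI", "corp.example/HongKong", True)]
# Sees nothing: OU delegated, but no View/List on the domain node itself.
NO_DOMAIN = [Delegation("GS_SEC_NYC", "corp.example/NewYork", True)]
FIXED_NYC = NO_DOMAIN + [Delegation("GS_SEC_NYC", "corp.example", False)]

if __name__ == "__main__":
    print("excess for GS_SEC_BEI:", excess("GS_SEC_BEI", BEI_OUS, TOO_BROAD))
    print("GS_SEC_NYC sees:", visible("GS_SEC_NYC", NO_DOMAIN))
```

Comparing the output of `excess` against the OUs a group is meant to manage gives a quick review list of delegations to take away or narrow.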
