Active Role access template exclusion

Active Role access template exclusion : I have created Access template for access management team for managing groups like adding\removing members and I have linked that access template to entire domain so access management team can manage the groups in entire domain but I need few groups to be excluded and only Domain admin can manage those groups. 

Parents
  • Hi  

    There are a couple of different ways you could achieve what is needed here

    1. Instead of linking your AT (Access Template) against the "Active Directory" or managed domain, selectively assigned against the OU's where the group that Access Management Team should be able to manage
    2. Create a managed unit, which membership rules which include all the groups the Access Management Team should manage (you could also include an additional exclude rule if needed, but you should aim to use one membership rule). Once created, and happy with the groups listed, remove the existing ATL (Access Template Link), where you've linked you Access Management Team, and your AT against the domain, then create the link against the managed unit. This way any group in scope of the managed unit, will grant your Access Management Team permissions assigned by the AT. This is generally useful when you have the groups you do and dont want to be managed in the same OUs. Your membership rule will need to have something set (or already set) against the group to be managed, so you can seperate the two. Or explicity add the groups that should be managed.
    3. If there are only a small number of groups that don't need to be managed, you could create another AT, which deny's the permissions, then link to the group you don't want to be managed by these users. I'm personally not a fan of using Deny permissions, when you can just not grant the permissions or assign the permissions to the objects in the first place.

    Hope this helps

    Stu

  • Thank you Stu for your answer.

     

    1. Instead of linking your AT (Access Template) against the "Active Directory" or managed domain, selectively assigned against the OU's where the group that Access Management Team should be able to manage

     

    Comment : There are 100's of OUs where groups are scattered so not feasible to link the AT against each OU.

     2. Create a managed unit, which membership rules which include all the groups the Access Management Team should manage (you could also include an additional exclude rule if needed, but you should aim to use one membership rule). Once created, and happy with the groups listed, remove the existing ATL (Access Template Link), where you've linked you Access Management Team, and your AT against the domain, then create the link against the managed unit. This way any group in scope of the managed unit, will grant your Access Management Team permissions assigned by the AT. This is generally useful when you have the groups you do and dont want to be managed in the same OUs. Your membership rule will need to have something set (or already set) against the group to be managed, so you can seperate the two. Or explicity add the groups that should be managed.

     

    Comment : This is also not feasible as these team is entitle to manage all the groups in all domains. There are handful of groups less than 10 like Domain admin group or the server access groups they should be managing which we want to exclude.

     

    3. If there are only a small number of groups that don't need to be managed, you could create another AT, which deny's the permissions, then link to the group you don't want to be managed by these users. I'm personally not a fan of using Deny permissions, when you can just not grant the permissions or assign the permissions to the objects in the first place.

     

    Comment : I had thought of this and have created the AT with deny permission but these few groups are also in different OU's so not sure how to link the AT to those groups. I am thinking of creating the Managed Unit and adding those groups to the managed unit and link the AT.

     

    Also we want the domain admin group member to add\remove users from these excluded groups.

  • So: you have a small set of Active Directory groups that are not related in any way. I would suggest creating a relationship and then using Option 2 suggested by Stu.

    Create an Active Roles Virtual Attribute linked to group objects. Stored, boolean syntax. Call it something like: edsvaExcludeFromGroupManagement.

    Create a Managed Unit that populates all groups and excludes groups where edsvaExcludeFromGroupManagement is set to TRUE

    Set this flag manually on each of the desired groups.

    Delegate management permissions on the Managed Unit.

Reply
  • So: you have a small set of Active Directory groups that are not related in any way. I would suggest creating a relationship and then using Option 2 suggested by Stu.

    Create an Active Roles Virtual Attribute linked to group objects. Stored, boolean syntax. Call it something like: edsvaExcludeFromGroupManagement.

    Create a Managed Unit that populates all groups and excludes groups where edsvaExcludeFromGroupManagement is set to TRUE

    Set this flag manually on each of the desired groups.

    Delegate management permissions on the Managed Unit.

Children
No Data