List objects where I'm secondary owner

Hello. I'm trying to customize the Self Service web portal. When I go to "My Managed Resources", it shows a list of groups where I'm Primary owner (i.e. managedBy). Is there a way to customize this so that it would also show objects (both users and groups) where I'm the secondary owner?

If this is not possible to accomplish by customizing the self service portal, what would be an alternative way to do this?

Thanks.

  • I'll explain what I'm trying to do in more detail. Maybe, there is another way to do this. We have a number of users who will manage other accounts that also belong to them. These accounts are mostly set up for specific use cases and reside in many different OUs. We need the users to be able to only reset passwords on these managed accounts. Because there is no easy way to delegate permissions to each user for the accounts they manage, we thought we would make the user "Secondary Owner" of these managed accounts. What I'd like to be able to do is see all these managed accounts in one place when a user logs into the web portal (I'm using Self Service but I can change it to the Admin or Helpdesk site if necessary). So, the question is: is there a way to list all the accounts for a user who is secondary owner of these accounts?

    Hope this clarifies my goal a little better.

  • Because there is no easy way to delegate permissions to each user for the accounts they manage, we thought we would make the user "Secondary Owner" of these managed accounts.

    There IS a way to delegate to those accounts where one is Secondary Owner.

    I would suggest setting up a Managed Unit whose membership rule consists of all objects with a secondary owner defined (i.e. edsvaSecondaryOwnerGUIDS is present).

    Then, delegate to the AR built-in security principal "Secondary Owners":

    • View access to all user objects (this will filter out objects where the logged-in user is not secondary owner)
    • Whatever other rights you want (in my example I have delegated "Write All Properties")
    • The ability to Traverse Managed Unit

    [Screenshot: Managed Unit Delegated Permissions]

    [Screenshot: Traverse Managed Units Access Template]

    NOTE: This assumes that you have NOT granted all users of Active Roles the ability to read all objects in AD.


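A way to verify the delegation described in the reply above, as an added example that is not part of the original thread or of the Active Roles product: it runs the Managed Unit's own membership filter through the Active Roles proxy, compares it with what actually landed in the Managed Unit, then reconnects as one secondary owner and checks that this connection sees only the accounts where that user is secondary owner. The service host name (ars01.example.com), the Managed Unit name ("Secondary-Owned Accounts") and the use of the Managed Unit DN as a search root (which needs the Traverse Managed Unit right from the reply) are assumptions; the cmdlets are those of the Active Roles Management Shell (Connect-QADService, Get-QADUser, Disconnect-QADService).

```powershell
# Added verification script (not from the original thread). Assumes the
# Active Roles Management Shell is installed, an Active Roles service host
# named ars01.example.com, a Managed Unit named "Secondary-Owned Accounts"
# built from the membership rule (edsvaSecondaryOwnerGUIDS=*), and that the
# "Secondary Owners" principal has been delegated on it as the reply describes.
# Host, Managed Unit name and the tested account are placeholders.

Import-Module ActiveRolesManagementShell

$arsHost = 'ars01.example.com'
$muDn    = 'CN=Secondary-Owned Accounts,CN=Managed Units,CN=Configuration'

# 1. Administrator view (current Windows credentials): which accounts does
#    the membership rule pick up? Same LDAP filter the MU uses, sent through
#    the Active Roles proxy so the virtual attribute is evaluated.
Connect-QADService -Service $arsHost -Proxy | Out-Null
$ruleMatches = Get-QADUser -LdapFilter '(edsvaSecondaryOwnerGUIDS=*)' -SizeLimit 0 `
                   -IncludedProperties edsvaSecondaryOwners |
               Select-Object Name, DN, edsvaSecondaryOwners

# Accounts that are actually members of the Managed Unit. A mismatch here
# means the rule (or MU recalculation) is the problem, not the delegation.
$muMembers = Get-QADUser -SearchRoot $muDn -SizeLimit 0 | Select-Object Name, DN
Compare-Object @($ruleMatches.DN) @($muMembers.DN) |
    ForEach-Object { Write-Warning "Rule/MU mismatch: $($_.InputObject)" }
Disconnect-QADService

# 2. End-user view: connect as one secondary owner and list what that
#    connection can see inside the Managed Unit. Because "Secondary Owners"
#    resolves per object, the result should be exactly the accounts where
#    this user is secondary owner, and nothing else from the MU.
$ownerCred = Get-Credential -Message 'Secondary owner to test as (DOMAIN\user)'
Connect-QADService -Service $arsHost -Proxy -Credential $ownerCred | Out-Null
$ownerDn = (Get-QADUser $ownerCred.UserName).DN
$visible = Get-QADUser -SearchRoot $muDn -SizeLimit 0 -IncludedProperties edsvaSecondaryOwners

# Anything visible that does not list this user as secondary owner means a
# wider read delegation exists, which is the case the NOTE in the reply warns about.
$unexpected = @($visible | Where-Object { $_.edsvaSecondaryOwners -notcontains $ownerDn })
if ($unexpected.Count -gt 0) {
    Write-Warning ("Connection sees {0} account(s) it is not secondary owner of; " +
                   "look for a broader read delegation." -f $unexpected.Count)
    $unexpected | Select-Object Name, DN
} else {
    "{0} account(s) visible, all with {1} as secondary owner:" -f @($visible).Count, $ownerDn
    $visible | Select-Object Name, DN
}
Disconnect-QADService
```

Run the second half once per user you are unsure about; the list it prints is the same set the user gets in the web portal once the Managed Unit is the view they are browsing, since both go through the same Active Roles delegation.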