Permission to change password only for accounts he is a manager

There is a built-in Active Roles security principal "Manager" that you can delegate permissions to.

Use that security principal to delegate the password change permission,

Built-in Manager

Hello Johnny

Thanks for the answer.
My problem is that I can let the user change only accounts that he is the manager, he will be able to see all the accounts in the managed unit, but he will be able to change only some accounts.
I have a similar process via the web, but in this case, I need to validate that the account that is changing the password is its manager. I would need to do an if ( $request.manager = quem_iniciou.dn ) but I don't know a way to get who initiated the request. There must be a way?

That's the whole point of my suggested delegation above - only the Manager of an account can change the password.

That is, when Active Roles sees that the Manager is delegated access as I have shown you, it checks to see if the logged in user is the Manager of the account they are trying to change.

Hello Johnny

I found the option, I had never seen it, I'm trying to make it work, in this case will the password reset option appear only when the selected object has the user who is performing the action as manager?

Yes - assuming you apply that Access Template AND that the user doesn't have any other permissions granted from any other Access Templates.

I don't know where I'm going wrong, adding this option, it releases to change the password of both the object Lurdes which is manager and also Bruno who is not manager.

Can you please post a screen capture of the delegations / applied access templates on the OU where these users reside (and the Managed Unit if you created one)

OU

MU

Is your "Manager" delegated user a member of any of the groups (? - the names are not really visible) that are delegated permissions in your larger capture?

My suggestion would be to create a test OU and block all inherited delegations on it.  Then set just the ones that you have on your Managed Unit and see how things behave.

Is your "Manager" delegated user a member of any of the groups (? - the names are not really visible) that are delegated permissions in your larger capture?

My suggestion would be to create a test OU and block all inherited delegations on it.  Then set just the ones that you have on your Managed Unit and see how things behave.

Just Domain Users,

I will do the suggested test.

OU

MU

Direct reports from le account

Not sure if you've been able to get this to work but I too am seeing an issue when using the 'All Objects - Read all properties' Access Template linked to the user. Try removing this AT that is linked higher in the hierarchy and instead link 'Users - Read all properties' to Manager directly to the Managed Unit itself, just like the other AT link between Manager and the Reset Password AT.

Hi Richard,

I ended up doing it via script and applying the policy that releases the default reset password command. It validates whether the user is the object's manager, if so, it releases it, otherwise it warns that the initiator is not the manager.