Tree view security

My users are complaining that they can't see entire branches of the tree view.   We're working on weaning users off ADUC and this is a concern because ADUC users are accustomed to working from the tree view.  

Is there a security setting that exposes the tree view branch?   Or like file folders, do you have to have "list" security at the root?  

Regards,

JonR

  • Hi  

    By default Active Roles (unlike AD) does not grant permissions to any users to any objects within any managed domains. If these users are seeing some objects, this would mean that they have already been granted some permissions via Access Templates.

    As I don't know how your instance of ARS has been configured, in terms of Access Template Links (the glue that describes WHO has been granted WHAT against WHERE), I can only give you generics based on some assumptions:

    1) All users who used to use ADUC and are now using ARS' web interface are a member of "Ex-ADUC Users" AD Group in "Domain.com"

    2) These users need access to view all objects from Domain.com, and there is no requirement for limited read access to selected object classes.

    To apply a delegation of control:

    1) Open the Active Roles Console (MMC) as an ARS Admin

    2) In the navigation pane, expand Active Directory

    3) Right-click the domain that these users need permissions over, and select "Delegate Control"

    4) Click Add

    5) If presented with "Welcome to the delegation of control wizard", click next; otherwise go to the next step

    6) Click Add

    7) Enter the "Ex-ADUC Users" group into the bottom box and click check name (or whatever the AD group you're delegating permissions to), then click ok, and next

    8) When asked to select an Access Template, Expand Active Directory, and select "All Objects - Read all properties", then click next

    9) When prompted for inheritance options, in this instance leave as is, and click next

    10) When asked about Permissions propagation, do not check the box, click next

    11) Click Finish

    12) Click Ok

    If you have the "Advanced Details" pane enabled, you'll see an entry similar to the one defined against the "AccessGroup" trustee.

    Please note, I don't know how your ARS instance is configured, what is currently in place, and if it is appropriate for all these users to be able to see everything. As from the sounds of it, these users have some but limited access currently, and that might be for reasons unknown. Permissions can be granted more granularly than the above (and the above is a very broad brush).

    If in doubt, you could engage professional services for guidance more bespoke to your use case.

    Kind regards

    Stu
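
The delegation described in the reply above, as a scripted equivalent that first reviews what the group already holds on the domain. This is an added example, not part of the original post or of One Identity's documentation; it assumes the Active Roles Management Shell is installed, and the module name, the domain DN, the `DOMAIN\Ex-ADUC Users` trustee and the Access Template path are assumptions to replace with your own values.

```powershell
# Added example. All names below are assumptions based on the reply's
# "Ex-ADUC Users" / "Domain.com" scenario; replace them with real values.
$Domain   = 'DC=domain,DC=com'
$Trustee  = 'DOMAIN\Ex-ADUC Users'
$Template = 'Configuration/Access Templates/Active Directory/All Objects - Read All Properties'

# Assumed module name; older releases ship the same cmdlets as a snap-in.
Import-Module ActiveRolesManagementShell -ErrorAction Stop

# -Proxy sends requests through the Active Roles Administration Service,
# so Access Template links are evaluated instead of native AD ACLs.
Connect-QADService -Proxy | Out-Null

# Review first: list every Access Template link the group already has on
# the domain object, so a broad read grant is not stacked on top of an
# existing, deliberately narrow delegation without anyone noticing.
$existing = @(Get-QARSAccessTemplateLink -DirectoryObject $Domain -Trustee $Trustee -Proxy)
Write-Host "Existing links for $Trustee on ${Domain}: $($existing.Count)"
$existing | Format-List

# Create the link only if this exact template is not linked yet.
$already = @(Get-QARSAccessTemplateLink -DirectoryObject $Domain `
                -Trustee $Trustee -AccessTemplate $Template -Proxy)

if ($already.Count -eq 0) {
    # No -AppliedTo and no AD synchronization switch are passed: that mirrors
    # steps 9 and 10 (inheritance left as is, propagation box not checked).
    # -WhatIf previews the change; remove it to apply the link.
    New-QARSAccessTemplateLink -DirectoryObject $Domain `
        -AccessTemplate $Template -Trustee $Trustee -Proxy -WhatIf
} else {
    Write-Host 'Template is already linked for this trustee; nothing to do.'
}
```
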

  • Thanks Stu.   I am looking to do a more granular delegation.   If I have a tree that looks something like this:

    - Root.Domain

    -- Users

    ----Accounts

    -----Location1

    -----Location2

    -----Location3

    I'd like to grant permissions for a group of users to see Location1 but not Location2.  But I guess what I need to know is what permissions to grant at the Users and Accounts levels without overprovisioning for the whole subtree?  I've already delegated for the Location1 OU, but the users can't see the Users and Accounts levels, so they aren't able to browse the tree correctly.

    Regards,

    Jon