Hello,
One of our clients wants to limit CRUD operations in an Organizational Unit in AD.
Specifically, they want two types of profiles:
- OUAdmin: This will only have R/W permissions in a specific OU in AD (OU1).
- ADGlobal: This will have R/W permissions in the rest of the OUs except the OU1 organizational unit.
To do this, we read in the OIM documentation that we can achieve it using the Target system managers (see Basic configuration data in AD) option inside the Manager tool.
So, first we created the target system manager for OU1, OUAdmin, then we assigned it to OU1, and finally we gave the permission to an Identity, and everything works as expected.
Then we tried to create the second profile, ADGlobal, and this was the trickiest one.
We realized that to create it, we needed one target system manager for each OU in AD, assigned to that OU. Finally, we needed to add those target system manager roles to the identities.
Is there any way to achieve the second role, ADGlobal, without creating one target system manager for each OU?
Thanks in advance.
Kind regards,
David.