Return
-
Title
How to delegate access to a single Active Directory OU and hide all other OUs? -
Description
By default, a regular user does not have any Active Directory access in Active Roles Server.
The access has to be explicitly granted with Active Roles Access Templates.
The minimum permission required to view and browse OUs is OU - allow read all properties granted at the domain level. With that permission granted, user will be able to see all the OU´s in the domain.
However, if the read permissions are granted to just the required OU, the user is not able to navigate to it, as the domain subtree is not visible.
How to limit the access to just one particular OU?
-
Resolution
- Grant the Domain - allow read all properties at the domain level to let users see the domain.
- Grant the OU - allow read all properties to the OU the delegated users will be managing.
- If the target OU is deeper in the tree, grant the OU - allow read all properties permission to each OU in the path from the domain to the target OU.
- To hide all other OUs the users will not be managing, use the following options when applying the permissions in steps 2 - 3:
- Select "This object only"
- Unselect "Child objects of this directory object"
Note: A minor side effect of this method is that the delegated users will be able to see all the OUs in the path to the target OU from the domain level.