April 5, 2018 at 4:29 pm #21389 Thunderlol (Participant)
Hi, so I am a pretty big noob in this sort of work.
Basically my goal is to manage my AD through IDM. So I want to create users and roles (which already works)
and want to give those roles certain permissions on my fileshare server. I was looking everywhere but I couldn't find a guide that helps me. Do any of you know a guide, or can you give me a short explanation of what to do? Once I know what to do, I have a colleague who can help me with those steps.
Paul, April 5, 2018 at 7:17 pm #21394 [email protected] (Participant)
Basically, you'd create some groups in AD to control access to your fileshare (SharePoint sites, shared mailboxes, etc.). Then you can assign those groups using OpenIDM.
I'd prefer fine granularity with "capability"-style groups like "mayReadDirectory", assigning multiple groups using OpenIDM, instead of creating role-style groups like "HeadOfDepartment", because it is hard to see what "HeadOfDepartment" is actually entitled to do.
A compromise would be nested groups in Active Directory: create "mayReadDirectory", "mayModifyDirectory", etc. to be used by the fileshare, and "HeadOfDepartment" to be used by OpenIDM. By nesting those groups ("HeadOfDepartment" as a member of "mayReadDirectory") you get some nice transparency, answering both "who is allowed to read the directory" and "what is a HeadOfDepartment allowed to do".
However, there are reasons not to use nested groups as well.
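The following is an added example, not code from the thread or from OpenIDM, showing the nested-group layout Paul describes as it would be built on the AD and fileshare side with the RSAT ActiveDirectory module. The OU "OU=Entitlements,DC=corp,DC=example", the NetBIOS domain "CORP", the share path "\\fs01\Shares\Finance" and the group names are hypothetical. It follows the usual AGDLP pattern: the role group is Global (OpenIDM adds users to it), the capability groups are Domain Local, and only the capability groups ever appear in the NTFS ACL.

```powershell
# Added example (not part of the original thread). Requires the RSAT
# ActiveDirectory module and rights to create groups and change the share ACL.
# All names below are hypothetical placeholders.
Import-Module ActiveDirectory

$GroupOU   = "OU=Entitlements,DC=corp,DC=example"   # assumption
$Domain    = "CORP"                                 # assumption (NetBIOS name)
$SharePath = "\\fs01\Shares\Finance"                # assumption

# Capability-style groups: one per permission the fileshare will honour.
# Key = group name, value = the FileSystemRights it grants on $SharePath.
$Capabilities = @{
    "mayReadDirectory-Finance"   = "ReadAndExecute"
    "mayModifyDirectory-Finance" = "Modify"
}

# Role-style group that OpenIDM assigns to users (the only group OpenIDM touches).
$RoleGroup = "HeadOfDepartment-Finance"

function New-GroupIfMissing([string]$Name, [string]$Scope, [string]$Description) {
    # Get-ADGroup -Identity throws when the group is absent, so probe with -Filter.
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $GroupOU)) {
        New-ADGroup -Name $Name -GroupScope $Scope -GroupCategory Security `
                    -Path $GroupOU -Description $Description
    }
}

foreach ($name in $Capabilities.Keys) {
    New-GroupIfMissing $name "DomainLocal" "Capability: $($Capabilities[$name]) on $SharePath"
}
New-GroupIfMissing $RoleGroup "Global" "Role: membership managed by OpenIDM"

# Nesting: the role group becomes a member of each capability group it should carry.
# Add-ADGroupMember is idempotent for members that are already present.
foreach ($name in $Capabilities.Keys) {
    Add-ADGroupMember -Identity $name -Members $RoleGroup
}

# NTFS ACL on the share: grant each capability group its rights, inherited by
# subfolders and files. Inherited entries from the parent are left untouched so
# administrators and backup accounts are not locked out.
$acl = Get-Acl -Path $SharePath
foreach ($entry in $Capabilities.GetEnumerator()) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$Domain\$($entry.Key)",            # identity: the capability group
        $entry.Value,                       # FileSystemRights
        "ContainerInherit,ObjectInherit",   # apply to subfolders and files
        "None",                             # propagation flags
        "Allow")
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $SharePath -AclObject $acl

# The two questions the nesting answers:
# "Who is allowed to read the directory?" -> flatten the capability group to users.
Get-ADGroupMember -Identity "mayReadDirectory-Finance" -Recursive |
    Select-Object Name, objectClass

# "What is a HeadOfDepartment allowed to do?" -> list the groups the role group sits in.
Get-ADPrincipalGroupMembership -Identity $RoleGroup | Select-Object Name

# Sanity check: the share ACL must contain only capability groups, no users and no role groups.
(Get-Acl -Path $SharePath).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

On the OpenIDM side the role then only needs to add and remove users from "HeadOfDepartment-Finance"; in the OpenIDM LDAP/AD samples this is done with an assignment whose `ldapGroups` attribute carries the group DN, but check the group attribute your connector configuration actually maps before copying that. Two caveats a practitioner should weigh before nesting: deep or circular nesting inflates the user's Kerberos token and makes "who can read this" harder to audit, and Domain Local capability groups cannot be used as members of groups in other domains, so the pattern works best when the fileshare and the groups live in the same domain.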