How do I assign permissions for directories to a role with AD

This topic has 1 reply, 2 voices, and was last updated 2 years, 10 months ago by [email protected].


    Hi, so I am a pretty big noob in this sort of work.
    Basically my goal is to manage my AD through IDM. So I want to create users and roles (which already works)
    and want to give those roles certain permissions on my fileshare server. I was looking everywhere but I couldn’t find a guide that helps me. Does anybody of you know a guide, or can you give me a short explanation on what to do? When I know what to do I have a colleague that can help me with those steps.



    Basically, you’d create some groups in AD to control access to your fileshare (SharePoint sites, shared mailboxes, etc.). Then you can assign those groups using OpenIDM.

    I’d prefer a fine granularity with a “capability”-style and groups like “mayReadDirectory” and assigning multiple groups using OpenIDM, instead of creating a role-style like “HeadOfDepartment”, because it is hard to see what “HeadOfDepartment” is actually entitled to do.

    A compromise would be nested groups in Active Directory, like creating “mayReadDirectory”, “mayModifyDirectory” etc. to be used by the fileshare and “HeadOfDepartment” to be used by OpenIDM. By nesting those groups (“HeadOfDepartment” as member of “mayReadDirectory”) you get some nice transparency, answering both “who is allowed to read the directory” and “what is a HeadOfDepartment allowed to do”.

    However, there are reasons not to use nested groups as well.
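The nested-group layout from the reply above, as an added PowerShell example that is not part of the thread and not ForgeRock or OpenIDM code: capability groups carry the NTFS permissions, the role group is nested into them, and OpenIDM only ever touches the role group. The OU path, domain name `EXAMPLE`, share path and group names are assumptions; it needs the RSAT ActiveDirectory module and rights on the file server.

```powershell
# Added example: capability groups on the ACL, role group nested into them.
# Assumptions: RSAT ActiveDirectory module, NetBIOS domain EXAMPLE, and the
# OU/share paths below (all placeholders, adjust to your environment).
Import-Module ActiveDirectory

$Ou  = "OU=FileshareGroups,DC=example,DC=com"   # assumed OU for these groups
$Dir = "\\fs01\dept\Finance"                     # assumed directory on the share

# Capability groups: consumed by the file server's NTFS ACLs. Domain local is
# the conventional scope for groups that appear in resource ACLs.
$read   = "mayReadDirectory_Finance"
$modify = "mayModifyDirectory_Finance"
foreach ($g in $read, $modify) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope DomainLocal -GroupCategory Security -Path $Ou
    }
}

# Role group: the one OpenIDM assigns users to; it never appears in an ACL.
$role = "HeadOfDepartment_Finance"
if (-not (Get-ADGroup -Filter "Name -eq '$role'")) {
    New-ADGroup -Name $role -GroupScope Global -GroupCategory Security -Path $Ou
}

# Nesting: the role becomes a member of each capability it is entitled to.
Add-ADGroupMember -Identity $read   -Members $role
Add-ADGroupMember -Identity $modify -Members $role

# NTFS: grant only the capability groups on the folder, inherited downwards.
$acl     = Get-Acl -Path $Dir
$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$rules   = @(
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        "EXAMPLE\$read",   "ReadAndExecute", $inherit, "None", "Allow"),
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        "EXAMPLE\$modify", "Modify",         $inherit, "None", "Allow")
)
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path $Dir -AclObject $acl

# The two questions from the reply, answered from the same group data:
# "Who is allowed to read the directory?" -> everyone reachable via the capability.
Get-ADGroupMember -Identity $read -Recursive | Select-Object SamAccountName
# "What is a HeadOfDepartment allowed to do?" -> the capabilities the role sits in.
Get-ADPrincipalGroupMembership -Identity $role | Select-Object Name
```

Run the two queries at the end periodically (or from a scheduled job) to review effective access; a user who shows up under the capability group without a role path is a direct assignment that bypasses OpenIDM.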


©2021 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
