
Delegating rights to edit Managed Units

Is this even possible? I've tried all the access templates and none appear to allow editing of a Managed Unit's membership rules. I can delegate the right to create a Managed Unit Container, but unless you can then create a Managed Unit it's pointless.

  • I generally try to dissuade customers from doing any kind of delegation on the configuration of AR itself. Doing so is pretty much akin to delegating Enterprise Admins, and that's just not a good idea.

    To your latter point, the few times customers have insisted that they want to delegate management of AR configuration, I break into my dissertation about how if you do this, then you must put it in all sorts of stringent auditing / controls to prevent scenarios like you describe. Most then realize the potential folly of their wishes.

    When you think about it, a big reason for putting in AR is to rein in admin rights in the first place and give people only the simple rights they need to fulfill CRUD for AD object management. The minute you step outside of that paradigm, things start to get sketchy from a control and auditing perspective.

    The challenge is certainly not insurmountable and from a purely nerdy point of view, overcoming this could be somewhat "fun". But it seems to me that this is one of those problems that perhaps shouldn't be solved and certainly not without careful consideration of the broader potential security ramifications.