Active Roles

Allow DL owners to add/remove members

We have thousands of DLs and want to allow owners to change membership with the ARS web interface. (We are on ver 6.9.) We are in the process of moving to O365, and once a user's mailbox is moved to the cloud he cannot manage the on-prem group through Outlook. I have some users that have the add/remove option on the web page and others that do not.

     Is there a template I can use for this? And how can I export all the ARS settings being applied to a user so I can compare a working vs non-working user?



  • The simplicity of delegating group management permissions depends on whether you have populated the ManagedBy AD attribute and/or the SecondaryOwners AR virtual attribute on your groups. If these are in place, then you can easily delegate group membership management using a built-in access template (Manage Group Membership) with the above-mentioned built-in AR security principals as the Trustees.

    As far as comparing permissions between users, you need to consider two things:

    1) Examining the delegations on the OUs containing your groups
    2) Comparing the group memberships of the users in question and how they stack up against the groups delegated to manage groups

    As for an automated mechanism for performing the checks, PowerShell would be your friend. For item 1, the Get-QARSAccessTemplateLink cmdlet can help you audit the permissions. For the other, a simple script that compares the group memberships between users will do the trick.
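    The two checks suggested above (audit the Access Template links on the groups OU, then diff the two users' group memberships), written out as an added example. This is not code from the thread or from One Identity; it assumes the ActiveRoles Management Shell snap-in for ARS 6.9 is installed, that the caller is an ARS administrator, and that the OU path and the two sAMAccountNames are placeholders to replace. The parameter and property names on Get-QARSAccessTemplateLink are taken as documented for the snap-in; confirm them locally with Get-Help before relying on the output.

```powershell
# Added example, not part of the original thread. Assumed: ActiveRoles
# Management Shell snap-in (ARS 6.9), run as an ARS admin, placeholders below.
Add-PSSnapin Quest.ActiveRoles.ArsPowerShellSnapIn -ErrorAction Stop
Connect-QADService -Proxy | Out-Null     # talk to ARS, not straight to AD

$GroupsOU    = 'OU=MyGroups,DC=corp,DC=example'   # assumed: OU that holds the DLs
$WorkingUser = 'jdoe'                             # assumed: user who sees add/remove
$BrokenUser  = 'asmith'                           # assumed: user who does not

# --- 1) What is delegated on the container holding the DLs? -----------------
# Each link = Trustee (who) + Access Template (what) + Directory Object (where).
$links = Get-QARSAccessTemplateLink -DirectoryObject $GroupsOU
Write-Host "== Access Template links on $GroupsOU =="
$links |
    Select-Object Trustee, AccessTemplate, DirectoryObject |   # property names assumed
    Format-Table -AutoSize

# --- 2) Which groups does each user hold, and where do they differ? ---------
function Get-MemberOfDn {
    param([string]$SamAccountName)
    $u = Get-QADUser -Identity $SamAccountName -IncludedProperties memberOf
    if (-not $u) { throw "User '$SamAccountName' not found via ARS" }
    # Sorted array of group DNs (direct memberships only, as AD stores them)
    return @($u.MemberOf) | Sort-Object
}

$working = Get-MemberOfDn $WorkingUser
$broken  = Get-MemberOfDn $BrokenUser

Write-Host "== Groups held by $WorkingUser but NOT by $BrokenUser =="
$onlyWorking = Compare-Object -ReferenceObject $working -DifferenceObject $broken |
    Where-Object { $_.SideIndicator -eq '<=' } |
    ForEach-Object { $_.InputObject }
$onlyWorking

# --- 3) Cross-check: do any of those groups appear as a Trustee in step 1? ---
# Trustee is rendered as a string here because its exact object shape varies
# between ARS versions (assumption); a match points at the delegating group.
Write-Host "== Candidate groups that carry a delegation on $GroupsOU =="
foreach ($dn in $onlyWorking) {
    $cn = ($dn -split ',')[0] -replace '^CN=', ''
    $links | Where-Object { "$($_.Trustee)" -like "*$cn*" } |
        ForEach-Object { "{0}  <- via {1}" -f $dn, $_.AccessTemplate }
}
```

    Run it once per pair of users; if step 3 prints nothing, the difference is not a group-based delegation on that OU and the next place to look is a link higher up the tree or a Managed Unit.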

  • The Manage Group Membership template gives a user the ability to change all his groups. I just want a DL owner to manage his DL's membership. I'm new to ARS and am probably looking right at the answer, but I can't see how to get there. Thanks for any help you can provide.
  • Delegation: Who - What - Where
    Who: ARS recognizes built-in SIDs: PrimaryOwner, SecondaryOwner
    What rights: Groups.Members (Write)
    Where: OU=MyGroups
  • Remember: the rights to manage a Group are completely separate from the rights to find an object to put in that Group. In addition to the access to change the members attribute of a Group, you will need to grant access to see objects that you expect to be added to the Group.

    This may mean granting the ability to see all or most of the User objects in the Domain. It may mean allowing access to see the Domain and Organizational Unit structure, or creating a Managed Unit to abstract native Active Directory.

    The implementation options for this are extremely flexible. What do you want it to look like? What access do these managers have now? We need more information.
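    The Who / What / Where delegation from the reply above, plus the separate read access the following reply points out owners need in order to find users to add, as an added example. This is not code from the thread or from One Identity. It assumes the ActiveRoles Management Shell for ARS 6.9; the OU paths, the Access Template display names and the spelling of the built-in owner trustees are assumptions written as they typically appear in the ARS console, so check each against your own configuration (Get-Help New-QARSAccessTemplateLink for the parameters) before running it.

```powershell
# Added example, not part of the original thread. Assumed: ActiveRoles
# Management Shell (ARS 6.9), run as an ARS admin; all names below are
# placeholders to verify in your own ARS console first.
Add-PSSnapin Quest.ActiveRoles.ArsPowerShellSnapIn -ErrorAction Stop
Connect-QADService -Proxy | Out-Null

$GroupsOU = 'OU=MyGroups,DC=corp,DC=example'   # WHERE the DLs live (assumed)
$UsersOU  = 'OU=People,DC=corp,DC=example'     # WHERE the people to be added live (assumed)

# WHAT: built-in Access Templates (display names assumed; confirm in the console)
$ManageMembership = 'Groups - Manage Group Membership'   # write Groups.Members only
$ReadOnly         = 'All Objects - Read All Properties'  # see, but not change, users

# WHO: ARS built-in trustees that resolve per-group to that group's ManagedBy
# and SecondaryOwners (names assumed; these are not AD groups)
$OwnerTrustees = @('Primary Owner', 'Secondary Owners')

foreach ($trustee in $OwnerTrustees) {
    # Membership right on the DL container: each owner only affects the DLs
    # whose ManagedBy/SecondaryOwners names him, not every group in the OU.
    New-QARSAccessTemplateLink -DirectoryObject $GroupsOU `
                               -AccessTemplate  $ManageMembership `
                               -Trustee         $trustee

    # The right to change members says nothing about the right to *find*
    # candidates, so grant read (only read) on the container of users.
    New-QARSAccessTemplateLink -DirectoryObject $UsersOU `
                               -AccessTemplate  $ReadOnly `
                               -Trustee         $trustee
}

# Verify: both containers should now list the two owner trustees.
foreach ($ou in @($GroupsOU, $UsersOU)) {
    Write-Host "== Links on $ou =="
    Get-QARSAccessTemplateLink -DirectoryObject $ou |
        Select-Object Trustee, AccessTemplate |   # property names assumed
        Format-Table -AutoSize
}
```

    Keeping the membership link scoped to the DL container and the read link scoped to the people container is what stops a DL owner from editing groups he does not own or from seeing anything beyond the users he may legitimately add; widen $UsersOU to the domain root only if owners genuinely need to pick from every user.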
  • If you look at a DL in Active Directory on the Managed By tab, I want the owner to be able to add/remove members, but no one else.
    With an on-prem Outlook client an owner can change his DL members, but this breaks in a hybrid environment until we move all our DLs to O365. I'd like to utilize ARS in the meantime.