How do I allow all users to manage all distribution groups in a specific OU through Self Service

At the moment I'm really struggling to figure out how to add functionality into self service.

We have a specific OU called "Distribution lists - SITE" and what I would like is to allow X amount of users to edit/change/remove membership into those groups without having to log tickets to our engineering department.

I literally have no idea where to begin and am somewhat new to Quest :(

Any ideas or pointers in the right direction?

-Tom

  • ARS SSM | Published Groups | Add Self into the Group | was removed since 6.9.
    case1) you still can utilize the AT 'Add Self into the Group' - it still exists in ARS (supported? probably yes)
    case2) Trustee (built-in SID) "Primary Owner", "Secondary Owner" -- AT Group-Membership -- OU=MyDLs --- another helpful workflow possible.
  • I assume that you have all of the Users who you want to allow access in a single trustee Group. If not, create one and add them.

    Then, follow these instructions to expose the functionality in the Web Interface:

    Title: How To: Add 'My Managed Resources' to Self-Administration Web Interface
    Solution Number: 135371
    URL: support.oneidentity.com/.../135371

    Once that is done, you can create and/or link the necessary Access Templates to the desired trustee Group. There are a number of Access Templates included out-of-the-box which should meet most of your needs. You will probably need to link this one to the target DL for that trustee Group:

    Configuration/Access Templates/Active Directory/Groups - Add/Remove Members

    You will also need to decide how much access you want to grant to these Users so that they can find objects to add to this Group. The ability to add/remove members is necessary, but they will need to be able to find things to add. If this DL is expected to contain only User objects, and you have no issue with members of the Group seeing all Users in the Domain, you could link the following Access Template to the root of the Domain for this Group as the trustee:

    Configuration/Access Templates/Active Directory/Users - Read All Properties

    If you want to control what these trustees can see with more granularity, you may need to create a custom Access Template and link that instead, or link this Access Template to a different location. The above configuration should function as a proof-of-concept, and you can tweak it from there.
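
The two Access Template links described in the reply above, scripted with the ActiveRoles Management Shell and followed by a review of everything delegated to the trustee. This is an added example, not part of the original thread; the domain `example.local` and the trustee group `EXAMPLE\DL-Managers-SITE` are assumed placeholders, and the first link is placed on the OU from the question rather than on a single DL.

```powershell
# Added example. Run in a session where the ActiveRoles Management Shell is loaded.
# Values marked "assumed" are placeholders and do not come from the thread.

$trustee   = 'EXAMPLE\DL-Managers-SITE'                  # assumed trustee group
$domain    = 'example.local'                             # assumed domain root
$dlOu      = "$domain/Distribution lists - SITE"         # OU name from the question
$atMembers = 'Configuration/Access Templates/Active Directory/Groups - Add/Remove Members'
$atRead    = 'Configuration/Access Templates/Active Directory/Users - Read All Properties'

# Connect through the Active Roles Administration Service (proxy mode),
# so the change is an Active Roles delegation, not a native AD ACL edit.
Connect-QADService -Proxy | Out-Null

# 1. Membership management, scoped to the distribution-list OU only.
Add-QARSAccessTemplateLink -DirectoryObject $dlOu -Trustee $trustee -AccessTemplate $atMembers

# 2. Read access to users, linked at the domain root so trustees can find
#    objects to add. This is the broad grant the reply says to narrow later.
Add-QARSAccessTemplateLink -DirectoryObject $domain -Trustee $trustee -AccessTemplate $atRead

# 3. Review: list every Access Template link held by the trustee group and
#    confirm that only the two links above exist, at the intended locations.
Get-QARSAccessTemplateLink -Trustee $trustee | Format-List

# 4. Review: list the groups in the OU that the first link now covers.
Get-QADGroup -SearchRoot $dlOu -SizeLimit 0 | Select-Object Name, DN
```

If step 4 lists anything other than distribution lists (for example a security group placed in that OU), move it out or link the membership template per group instead of at the OU.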