
Preventing Helpdesk from manually Disabling or Enabling accounts

Hi,

I'm trying to force our Helpdesk to always use Deprovision (or Undo Deprovision) to disable/enable accounts. Occasionally they still try to manually revert the Deprovisioning process, causing unwanted account deletions after X days.

How can I block/deny them from using Disable/Enable accounts so they can only use the Deprovision related tasks? I don't mind using explicit Deny templates but I can't seem to get the right attributes included without breaking other functionality (for example, when blocking access to userAccountControl, it has a lot of side effects).

Thanks

  • You can explicitly grant only Deprovision / Un-deprovision (these are considered object level permissions in the Access Templates) - more on this below.

    You don't necessarily have to deny "enable / disable" access.  The need for restricting disable / enable per se depends on the overall setup of the Access Templates you are using to grant the Help Desk the ability to "manage" users in the first place. 

    What Aidar was alluding to below is that you could have your Deprovision process move accounts to an OU where you have granted only very restricted permissions such as Undo-deprovision only.
