
SEC 5.1 - Roles & Sub Estates - Groups of Groups

Hello,

We have a new requirement to grant limited permissions within SEC to some users. I have therefore been reading about roles and sub-estates and have been trying things, but I have come across an odd limitation.

For example, I create a sub-estate called "Treetops" and I grant access to the sub-estate to AD group "SEC_Treetops". I then create a child group called "Tech_Treetops" and put the user in this group, so in order

Sub-estate permission in SEC

      SEC_Treetops

            Tech_Treetops

                  User

If I run "user and group view", "SEC_Treetops" has access as expected, but "Tech_Treetops" and the user do not.

This feels like Windows 2000 architecture (can't do groups as members of groups), which is somewhat archaic.... Can anyone confirm whether this is true or not?

Best practice guidelines for AD design especially in a multi-forest environment like ours specify using multiple hierarchical group levels before applying a permission (see AGUDLP)...

Thanks!

Rob


Hello Rob,

    indeed this is not explained in much detail (or almost not at all).

    Now it looks like a local Windows group (on the management server) permits one level of hierarchy (i.e. assignments apply to its user members as well as the user members of its group members), whereas for AD groups only the user members are taken into account.

    You could call this archaic - on the other hand it is consistent with the overall simplicity of Roles and Sub-Estates - a user/group has the same rights (role[s]) across all assigned sub-estates. Step 1 in "Best practice: designing sub-estates and role-based administration" starts with "Compile a simple list of the people ..." - which is IMO an indicator that R&SE is rather a simple feature, not a full-fledged management solution.

    Christian

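A way to check an AD sub-estate group for the gap described in this thread, as an added example that is not from the original posts or from Sophos: it lists the direct user members (the only ones SEC is said to honour for an AD group) next to every user reachable through nesting, and reports who would be missing from "user and group view". It assumes the RSAT ActiveDirectory module is available on the machine running it; the group name SEC_Treetops is taken from the question.

```powershell
# Added example (not from the thread): compare the users SEC will actually honour
# (direct user members of the sub-estate group) with everyone who is a member
# through nested groups, to find users who will silently lack sub-estate rights.
# Assumes the RSAT ActiveDirectory module is installed where this runs.
Import-Module ActiveDirectory

function Get-SecSubEstateAccessGap {
    param(
        [Parameter(Mandatory)] [string] $GroupName   # e.g. 'SEC_Treetops'
    )

    # What SEC 5.1 evaluates for an AD group, per the reply above: direct user members only.
    $direct = Get-ADGroupMember -Identity $GroupName |
        Where-Object { $_.objectClass -eq 'user' }

    # What an AGUDLP-style design expects: every user reachable through nested groups.
    $effective = Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    # Users present only in the recursive set are the ones SEC will not grant rights to.
    $missing = $effective |
        Where-Object { $_.distinguishedName -notin @($direct.distinguishedName) }

    [PSCustomObject]@{
        Group        = $GroupName
        DirectUsers  = @($direct.SamAccountName)
        NestedGroups = @(Get-ADGroupMember -Identity $GroupName |
                           Where-Object { $_.objectClass -eq 'group' } |
                           Select-Object -ExpandProperty SamAccountName)
        MissingUsers = @($missing.SamAccountName)
    }
}

# Usage: report the gap for the sub-estate group from the question.
$report = Get-SecSubEstateAccessGap -GroupName 'SEC_Treetops'
$report | Format-List
if ($report.MissingUsers.Count -gt 0) {
    Write-Warning ("{0} user(s) reach {1} only via nested groups and will not receive sub-estate rights: {2}" -f
        $report.MissingUsers.Count, $report.Group, ($report.MissingUsers -join ', '))
}
```

In a multi-forest environment Get-ADGroupMember cannot expand members that are foreign security principals from another forest, so users nested through cross-forest groups must be checked separately.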