1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2010
    Rep Power

    LDAP permissions on modifying group

    Hello, I need some help with best practices. Let me describe problem:
    We have application with users with different roles (LDAP groups). We have, for instance, "group1", "group2" and group "disabled". User from group "disabled" is not allowed to perform any actions. So, enabling user is deleting him or she from group "disabled". But suddenly appears that for "group1" should be very strict policy for enabling users. Administrator can create user, add him to "group1" and to group "disabled" but enabling user should perform some other person. So, how to:
    1. forbid administrator to delete user from group "disabled"
    2. create user which can perform only one action: delete users from group "disabled"
    I do not know, maybe there are some others decision for enabling|disabling users. I would be glad to get any advice.
    Thank you in advance.
  2. #2
  3. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2009
    Charlotte, NC
    Rep Power
    creating the permissions to allow adminA to add people to the 'disable' group and adminB to delete them is easy enough. However, what is to prevent adminA from not adding them to the 'disable' group in the first place?

IMN logo majestic logo threadwatch logo seochat tools logo