In Build 1.0.0.3 we have started to add use permissions to the plugin. At a minimum a user (tech or engineer) must have the User Class ActiveDirectoryUI added to there user class permissions. Super Admins are automatically included and are not denied any functionality.
In order to help comply with SOC2 MSP compliance regulations this user class is intended to allow only the access a lesser administrator may need to manage users for the client. Currently in build 1.0.0.3 it retains all the same functionality as a super admin. This will start to change as next few builds are released.
User Class Permissions Required to Use Plugin.
Re: User Class Permissions Required to Use Plugin.
As of Build 1.0.0.4 User Permissions are in full swing.
There are now two (2) user classes for the ActiveDirectory UC plugin.
Setting Permissions
You must be a Super Admin to access the user permission controls of the plugin. There will be a button marked "Permissions" in the top banner of any client console that will open the permissions form and allow you to set the permissions. You can set the permissions for any client or by selecting the Set Global Permissions checkbox you can set all client consoles to use a common set of permissions. If you set any client differently from the global permissions then the client permissions will automatically override the global permissions set.
If a client is using the "Global Permissions" then the "Current Global Defaults Permissions" banner will be displayed.
User Permissions in Action
When a user is provided both ActiveDirectoryUI and ActiveDirectoryUI-Limit user classes and a super admin has set global or client permissions, this is the kind of view a limited user might see. We have only enabled the Unlock User and the reset User password functions for this user.
The normal Update User button is missing and 4 of the 6 menu items are disabled. This user can now only reset user passwords and unlock user accounts.
There are now two (2) user classes for the ActiveDirectory UC plugin.
- ActiveDirectoryUI - Required to allow non Super Admins users access to plugin. If a user is assigned this class and the optional limit class was not added then user has all access to plugin controls. This does not allow the user to access the permissions controls inside of plugin.
- ActiveDirectoryUI-Limit - is an extra optional class that will force plugin permissions for the user.
Setting Permissions
You must be a Super Admin to access the user permission controls of the plugin. There will be a button marked "Permissions" in the top banner of any client console that will open the permissions form and allow you to set the permissions. You can set the permissions for any client or by selecting the Set Global Permissions checkbox you can set all client consoles to use a common set of permissions. If you set any client differently from the global permissions then the client permissions will automatically override the global permissions set.
If a client is using the "Global Permissions" then the "Current Global Defaults Permissions" banner will be displayed.
User Permissions in Action
When a user is provided both ActiveDirectoryUI and ActiveDirectoryUI-Limit user classes and a super admin has set global or client permissions, this is the kind of view a limited user might see. We have only enabled the Unlock User and the reset User password functions for this user.
The normal Update User button is missing and 4 of the 6 menu items are disabled. This user can now only reset user passwords and unlock user accounts.