Empowering your power users
Sep 25, 2008
A common question Imanami customers ask is whether WebDir may be used as a tool for the Help Desk. Help Desk agents require a higher level of access than general users; they may do things like change passwords or modify group attributes. Not being full-blown administrators, however, they should not have direct access to Active Directory.
This functionality is native to WebDir. In determining visibility and access levels for power users, WebDir only looks for membership in the 'Helpdesk Group' and 'Administrators Group' defined in the WebDir back office (under the Security tab). If a user is a member of either of these groups, the user's authority level becomes 99 or 1, respectively.
The key here is that the Help Desk and Administrator groups, as utilized by WebDir, are ordinary groups in AD; they may correspond to the AD-delivered Help Services and Administrator groups, but do not need to. In order to restrict the rights of your power users, therefore, all you have to do is grant your WebDir power user groups the minimum level of authority your Help Desk team members require to do their job and remove direct access to AD. WebDir will manage access to the WebDir functionality, and the WebDir service account will actually perform the update to AD. The WebDir power user does not require any special system-wide access permissions.
WebDir thus provides simplified access to exactly the level of power user functionality the Help Desk requires; no more and no less.
|
Previous Post
August 2008 |
