3 Replies Latest reply on May 11, 2010 1:30 PM by abraithwaite

    LDMS 9 RBA: AD user is member of multiple AD Groups to assign different roles

    Rookie

      Hi,

       

      We have a complex organization, and therefor Role Based Administration in LDMS 9 is a feature that can solve a lot for us.

      But I need to be able to use multiple Active Directory groups (that represents multiple roles within LANDesk). So far no problem, but what if I add 1 user to several AD groups in order to obtain complementary LD rights.

      For example and AD group for Remote Control, 1 for Software Deployment, 1 for OSD, etc.

      User A needs to have RC and SD rights, user B needs to have RC, SD ánd OSD?

       

      I know I can make as many roles for as many combinations I can make, but if you're taking also scopes into account it can take me up to +500 groups I need to create and maintain.

       

      Can someone advise, please?

       

      Thanks.

        • 1. Re: LDMS 9 RBA: AD user is member of multiple AD Groups to assign different roles
          egarlepp Employee

          That is the same issue we are running into with our testing, it is has left out the orgs that are more complex.  Although it addresses some shortcomings from 8.x it leaves what your explaining out. They need to implement the same assignments that they have for 8.x. as well. I have a call into our LD rep to explore this, hopefully they address this in SP1.

          1 of 1 people found this helpful
          • 2. Re: LDMS 9 RBA: AD user is member of multiple AD Groups to assign different roles
            Rookie

            It would be a good thing if LANDesk allows us to use AD USers, AD Groups, LD Group Permissions, LD Roles and LD Scopes in a much, MUCH more flexible way.

             

            The drag and drop functionalities for deployments could possibly be applied on the Administration panel.

            Example: You grab an AD user, drop it on a Role. And drop this combination on a scope... job done. OR you first predefine a LD Group Permission (with a role and a scope attached) and then just drag and drop AD users on it. THAT would be RBA as it should be.

             

            Until now, it isn't even not possible to combine for 1 AD user multiple Group Permissions, with different roles and scopes...

             

            I wonder what the developpers were thinking about, when they created that awfull "User, Roles and Scopes" monster?

            • 3. Re: LDMS 9 RBA: AD user is member of multiple AD Groups to assign different roles
              abraithwaite Employee

              RBA will be improved in 9.0 SP2 (due for release at the end of Q3). The"Group Permissions" feature will be replaced with the ability to assign roles and scopes directly to a user or a group. This should make it so you don't have to create so many groups, group permissions and roles.