I want to create a role so that a single user can manage a single OU. Currently, the settings only allow giving access to all members of all OUs.
Some role privileges are scoped globally, others can be scoped to specific OU.
Where you have mix of privileges in a role, you can only assign it globally.
An example is GWS Groups, which do not have an OU context, unlike a lot of other directories. GWS User management can be scoped to an OU. So if you have a role that allows user and group management, it can only be scoped globally.
In the “Account” section of the console, go to the “Admin Roles” section.
Then, click the “Create New Role” button. You’ll need to give this new role a name (first screen) and assign the privileges required for that role (second screen).
Once the role is created, you’ll need to access it to assign admins: click “Assign Role” and then, in “Assign Members,” enter the ID of the user you want to assign that role to (you can also configure the OU you want to manage).
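To make the scoping rule from the replies above concrete (OU-scoped assignment only works when every privilege in the role has an OU context, otherwise the role is customer-wide), here is an added Python illustration. It is not code from anyone in this thread or from Google; the privilege names, service id and the user/OU ids are constructed placeholders, and the request bodies follow the shape of the Admin SDK Directory API `roles.insert` / `roleAssignments.insert` calls as an assumption about how you would automate the console steps.

```python
"""Model of Google Workspace admin-role scoping.

A role can be assigned with an OU scope only when every privilege it
contains is OU-scopable; otherwise it can only be assigned customer-wide.
Added illustration, not code from the thread or from Google. The privilege
names, service id and ids below are constructed placeholders; real values
come from the Admin SDK Directory API (privileges.list, orgunits.list).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Privilege:
    name: str          # privilegeName as reported by privileges.list
    service_id: str    # serviceId of the owning service
    ou_scopable: bool  # True if the privilege can be limited to an OU


# Constructed catalogue: user management is OU-bound, group management is not.
CATALOGUE: Dict[str, Privilege] = {
    "USERS_UPDATE": Privilege("USERS_UPDATE", "svc-placeholder", True),
    "USERS_RETRIEVE": Privilege("USERS_RETRIEVE", "svc-placeholder", True),
    "GROUPS_ALL": Privilege("GROUPS_ALL", "svc-placeholder", False),
}


def role_body(role_name: str, privilege_names: List[str]) -> dict:
    """Request body for roles.insert (assumed shape of the Directory API)."""
    return {
        "roleName": role_name,
        "rolePrivileges": [
            {"privilegeName": CATALOGUE[n].name, "serviceId": CATALOGUE[n].service_id}
            for n in privilege_names
        ],
    }


def global_only_privileges(privilege_names: List[str]) -> List[str]:
    """Privileges that force the role to be assignable customer-wide only."""
    return [n for n in privilege_names if not CATALOGUE[n].ou_scopable]


def split_roles(privilege_names: List[str]) -> Tuple[List[str], List[str]]:
    """Split a wish-list into (OU-scopable privileges, global-only privileges).

    This is the 'give them that admin role separately' advice: one role that
    can be scoped to the junior admin's OU, a second customer-wide role for
    the objects (e.g. groups) that have no OU context.
    """
    ou_privs = [n for n in privilege_names if CATALOGUE[n].ou_scopable]
    return ou_privs, global_only_privileges(privilege_names)


def assignment_body(role_id: str, user_id: str, privilege_names: List[str],
                    org_unit_id: Optional[str] = None) -> dict:
    """Request body for roleAssignments.insert (assumed shape).

    Refuses to build an OU-scoped assignment for a role that mixes in a
    privilege without OU context, the case the console will not let you
    scope below the customer level.
    """
    body = {"roleId": role_id, "assignedTo": user_id}
    if org_unit_id is None:
        body["scopeType"] = "CUSTOMER"
        return body
    blockers = global_only_privileges(privilege_names)
    if blockers:
        raise ValueError(
            f"role contains non-OU privileges {blockers}; move them to a "
            "separate role or assign this role customer-wide"
        )
    body["scopeType"] = "ORG_UNIT"
    body["orgUnitId"] = org_unit_id
    return body


if __name__ == "__main__":
    wanted = ["USERS_UPDATE", "USERS_RETRIEVE", "GROUPS_ALL"]
    ou_privs, global_privs = split_roles(wanted)
    # Constructed ids; in practice roleId comes back from roles.insert and
    # orgUnitId from orgunits.list.
    print(role_body("Junior OU admin", ou_privs))
    print(assignment_body("role-ou", "user-123", ou_privs, org_unit_id="ou-placeholder"))
    print(role_body("Group manager", global_privs))
    print(assignment_body("role-groups", "user-123", global_privs))
```

The point of `split_roles` is the least-privilege outcome: the OU-bound privileges go into a role the junior admin gets only for their own OU, and only the privileges that genuinely have no OU context end up customer-wide, rather than the whole mixed role being assigned globally.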
Well, this makes it really hard to create jr admin roles, segregate permissions and create test environments to train new personnel without getting an entirely different domain/workspace.
It’s just weird that they decided to do it this way when it should be entirely possible to have this level of granularity in permissions.
Well, as @RobA explained, some objects in the Workspace universe aren’t at all related to an OU, so there can be no such admin role. There are quite a few OU-bound objects, so you can definitely create an admin role for those. If a user also needs to manage groups, for example, then give them that admin role separately.
And with all admin access, of course, comes obligatory training and written policies, which all admins must adhere to. If it’s a question of trust (or lack thereof), then you have a non-technical problem, and perhaps that person shouldn’t be admin at all.