Structure
This section is used to create the Organizational Units (OUs) of an organization. By placing resources in OUs you can restrict each Axidian Privilege administrator to a subset of the resources.
Axidian Privilege OUs are not related to Active Directory OUs or containers in any way.
Organizational Unit Types
An OU is either global (the Root OU) or local. Accordingly, Axidian Privilege objects are global or local depending on the OU they belong to.
Immediately after Axidian Privilege is installed, the Root OU already exists. It owns every object whose OU is not specified explicitly. Consequently, after an upgrade from Axidian Privilege version 2.6, all previously existing objects become global.
An Axidian Privilege administrator is bound to an OU in the Role settings. A user can only hold roles from one and the same OU; you cannot add the same user to a role a second time by specifying a different OU.
The OU is specified when adding a Resource, a Domain, or a Resource Group.
The system determines whether an object is local to a given OU through the object's links to Resources and Domains. If an object is associated with both a Resource and an Account, the OU is taken from the Resource.
Local Administrator
A local administrator has restricted access and can only work with the set of objects that belong to his OU. The restriction applies to Accounts and Resources.
Exceptions:
- can read global domain Accounts
- can read global Policies
- can read Domains, but not their groups and containers
All objects created by a local administrator automatically belong to his OU.
Only a global administrator can choose the OU when creating objects.
Not available to a local administrator:
- Objects related to other OUs
- Sections Structure, Roles, Notifications
The following Management sections are read-only:
- Policies and their settings
- User connections and Service connections
- Configuration settings
All other sections are not available.
A local administrator cannot create permissions with view credentials for domain Accounts, including Application permissions.
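The rules above decide, for every Account, Resource and Domain, what a local administrator may see and change. The following is an added illustrative model of those rules written for this page; it is not Axidian Privilege code, the class and function names (Resource, Domain, Account, Admin, object_ou, can_read, can_manage, can_grant_view_credentials, ou_for_new_object, add_role) are assumptions chosen for the illustration, and it covers only the rules this page states, with a constructed sample in the main block.

```python
"""Added illustrative model of the OU visibility rules described on this page.
Not Axidian Privilege code: the names below are assumptions chosen for the
illustration, and only the rules the page states are modelled."""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

ROOT_OU = "Root"  # the global OU that exists right after installation


@dataclass
class Resource:
    name: str
    ou: str = ROOT_OU  # OU chosen when the Resource is added


@dataclass
class Domain:
    name: str
    ou: str = ROOT_OU


@dataclass
class Account:
    name: str
    resource: Optional[Resource] = None  # local account living on a Resource
    domain: Optional[Domain] = None      # domain account


Obj = Union[Resource, Domain, Account]


def object_ou(obj: Obj) -> str:
    """Resolve an object's OU through its links: a Resource link decides,
    otherwise a Domain link; an object with no explicit OU belongs to Root."""
    if isinstance(obj, (Resource, Domain)):
        return obj.ou
    if obj.resource is not None:
        return obj.resource.ou
    if obj.domain is not None:
        return obj.domain.ou
    return ROOT_OU


@dataclass
class Admin:
    name: str
    ou: str  # the single OU the Role binds this administrator to

    @property
    def is_global(self) -> bool:
        return self.ou == ROOT_OU


def is_global_domain_account(obj: Obj) -> bool:
    return (isinstance(obj, Account) and obj.resource is None
            and obj.domain is not None and obj.domain.ou == ROOT_OU)


def can_read(admin: Admin, obj: Obj) -> bool:
    """Read access to Accounts, Resources and Domains."""
    if admin.is_global:
        return True
    if isinstance(obj, Domain):
        return True  # Domains are readable (their groups/containers are not)
    if object_ou(obj) == admin.ou:
        return True
    return is_global_domain_account(obj)  # the listed exception


def can_manage(admin: Admin, obj: Obj) -> bool:
    """Create/modify access: global admins always, local admins only for
    Accounts and Resources inside their own OU (read exceptions do not apply)."""
    if admin.is_global:
        return True
    return isinstance(obj, (Account, Resource)) and object_ou(obj) == admin.ou


def can_grant_view_credentials(admin: Admin, account: Account) -> bool:
    """A local admin cannot create permissions with view credentials for
    domain Accounts (Application permissions included)."""
    if admin.is_global:
        return True
    if account.domain is not None and account.resource is None:
        return False
    return can_manage(admin, account)


def ou_for_new_object(admin: Admin, requested_ou: Optional[str]) -> str:
    """Only a global admin chooses the OU; a local admin's objects land in his OU."""
    if admin.is_global:
        return requested_ou if requested_ou is not None else ROOT_OU
    if requested_ou not in (None, admin.ou):
        raise PermissionError("a local administrator cannot choose another OU")
    return admin.ou


def add_role(user_roles: List[Tuple[str, str]], role: str, ou: str) -> None:
    """A user may hold roles from one OU only; a second OU is rejected."""
    if any(existing_ou != ou for _, existing_ou in user_roles):
        raise ValueError("user already holds roles in a different OU")
    user_roles.append((role, ou))


if __name__ == "__main__":
    # constructed sample objects, not data from a real installation
    corp = Domain("corp.example")                 # global Domain
    db01 = Resource("db01", "Finance")            # Resource in a local OU
    svc = Account("svc_backup", domain=corp)      # global domain Account
    root_acc = Account("root", resource=db01)     # local Account on db01
    alice = Admin("alice", "Finance")             # local administrator
    print(object_ou(root_acc), can_read(alice, svc), can_grant_view_credentials(alice, svc))
```

Running the module prints `Finance True False`: the local administrator sees the global domain account but cannot grant view-credentials permissions on it, while the account on db01 resolves to the Finance OU through its Resource link.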
Operations with Organizational Units can be enabled or disabled in the Management Console configuration file.
Organizational Unit Enabling
Working with Organizational Units is enabled in the Management Console configuration file.
Directory containing the configuration file:
Windows: C:\inetpub\wwwroot\mc\assets\config\
Linux: /etc/axidian/axidian-pam/mc/
To enable working with Organizational Units in PAM, set the enableOrganizationalUnits parameter in the view section to true:
"view": {
    "enableOrganizationalUnits": true
}
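Editing a JSON configuration file by hand is an easy way to leave it unparseable or to lose neighbouring settings. The following is an added example script for this page, not Axidian code: it sets view.enableOrganizationalUnits to the JSON boolean true while keeping every other key, refuses malformed input, keeps a .bak copy, and reports whether anything changed. The page only gives the directory; the file name used here (config.json) and the presence of other keys are assumptions, so check the actual file in that directory before pointing the script at it.

```python
"""Added example: idempotently enable Organizational Units in the Management
Console configuration. Not Axidian code. The directories come from the page;
the file name 'config.json' is an assumption to verify on the host."""
import json
import sys
from pathlib import Path

# Directories named on the page; the file name is assumed.
CONFIG_DIRS = {
    "win32": Path(r"C:\inetpub\wwwroot\mc\assets\config"),
    "linux": Path("/etc/axidian/axidian-pam/mc"),
}
ASSUMED_FILE_NAME = "config.json"


def load_config(config_text: str) -> dict:
    """Parse the config and insist on a JSON object at the root."""
    cfg = json.loads(config_text)
    if not isinstance(cfg, dict):
        raise ValueError("config root must be a JSON object")
    return cfg


def set_enable_ou(config_text: str, enabled: bool = True) -> str:
    """Return the config text with view.enableOrganizationalUnits set,
    creating the 'view' section if missing and preserving all other keys."""
    cfg = load_config(config_text)
    view = cfg.setdefault("view", {})
    if not isinstance(view, dict):
        raise ValueError("'view' must be a JSON object")
    view["enableOrganizationalUnits"] = enabled
    return json.dumps(cfg, indent=2, ensure_ascii=False) + "\n"


def ou_enabled(config_text: str) -> bool:
    """True only when the flag is the JSON boolean true (the string "true"
    is deliberately not accepted by this check)."""
    view = load_config(config_text).get("view", {})
    return isinstance(view, dict) and view.get("enableOrganizationalUnits") is True


def enable_in_file(path: Path) -> bool:
    """Rewrite the file in place, keeping a .bak copy; return True if changed."""
    original = path.read_text(encoding="utf-8")
    if ou_enabled(original):
        return False
    updated = set_enable_ou(original)
    path.with_suffix(path.suffix + ".bak").write_text(original, encoding="utf-8")
    path.write_text(updated, encoding="utf-8")
    return True


if __name__ == "__main__":
    # Constructed sample showing the transformation offline.
    sample = '{"view": {"theme": "dark"}, "api": {"baseUrl": "https://pam.example/api"}}'
    print(set_enable_ou(sample))
    # Real run: python enable_ou.py [path-to-config.json]
    if len(sys.argv) > 1:
        target = Path(sys.argv[1])
    else:
        platform = "win32" if sys.platform == "win32" else "linux"
        target = CONFIG_DIRS[platform] / ASSUMED_FILE_NAME
    if target.exists():
        print("changed" if enable_in_file(target) else "already enabled", target)
```

Run it once with the sample to see the output, then with the real path as argument; the second run on the same file returns "already enabled" without touching it, which is what you want from a change applied by configuration management.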